GDPR Violations and Sanctions.csv

ID;Authority;AuthorityCountry;Date;Fine;OrganizationPublished;Specific;OrganizationMatched;OrganizationCountry;OrganizationSector;OrganizationRevenue;OrganizationEmployees;OrganizationStatus;OrganizationDomestic;Articles;Type;Summary;Source
1;Austrian Data Protection Authority (dsb);Austria;09.12.18;4800;Betting place;No;NA;NA;Sports, Fitness & Recreation;NA;NA;NA;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;Video surveillance was not sufficiently marked and a large part of the sidewalk of the facility was recorded. Surveillance of the public space in this way, i.e. on a large scale by private individuals, is not permitted.;https://www.dsb.gv.at/documents/22758/116802/Straferkenntnis+DSB-D550.038+0003-DSB+2018.pdf/fb0bb313-8651-44ac-a713-c286d83e3f19
2;Austrian Data Protection Authority (dsb);Austria;NA;1800;Kebab restaurant;No;NA;NA;Restaurants, Cafes & Bars;NA;NA;NA;Yes;Art. 5 GDPR, Art. 13 GDPR, Art. 14 GDPR;Insufficient legal basis for data processing;CCTV was unlawfully used. Sufficient information about the video surveillance was missing. In addition, the storage period of 14 days was too long and therefore against the principle of data minimization. Addendum: Fine has been reduced to EUR 1500 by court, see link;https://www.dsb.gv.at/documents/22758/115212/Newsletter_DSB_1_2020.pdf/a640bbb8-9297-4230-86e4-163bc9ccb844
5;Belgian Data Protection Authority (APD);Belgium;28.05.19;2000;Mayor;No;NA;NA;Politics & Government;NA;NA;Other;Yes;Art. 5 (1) b) GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The administrative fine was imposed for the misuse of personal data by a mayor for campaign purposes.;https://www.autoriteprotectiondonnees.be/news/lautorite-de-protection-des-donnees-prononce-une-sanction-dans-le-cadre-dune-campagne
6;Bulgarian Commission for Personal Data Protection (KZLD);Bulgaria;04.12.18;500;Bank;No;NA;NA;Banks;NA;NA;NA;Yes;Art. 5 (1) b) GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;"A fine of 1000 BGN (or roughly 500 EUR) was imposed on a bank for calling a client for the unresolved bills of his neighbor. This provoked the client to evoke his right to be forgotten. After not receiving any answer from the bank he filed another motion, for which the bank did take action in the statutory period. Nonetheless, the client filed a complaint to KZLD.

The infringement for which the bank was fined was for the processing of the client?s personal data was not linked to his consumer credit agreement. Since the purpose for which the data were processed was different from that communicated at the time of conclusion of the contract, the bank had, in the point of view of KZLD, to request additional consent from its client.";https://gdprtoolkit.eu/first-gdpr-fine-in-bulgaria/
7;Bulgarian Commission for Personal Data Protection (KZLD);Bulgaria;26.02.19;27100;Telecommunication service provider;No;NA;NA;Telecommunications;NA;NA;NA;Yes;Art. 6 GDPR, Art. 5 (1) a) GDPR;Insufficient legal basis for data processing;"Repeated registration of prepaid services without the knowledge and consent of the data subject

Employees of the telecommunications provider have used personal data and registered the complainant with the company's prepaid service. The data subject had not signed the application and had not consented to the processing of his personal data for the stated purpose. There was also no other legal basis applicable. The signature of the application and the complainant own genuine application were not identical and the persons personal identification number was indicated, but the identity card number was not the complainants one.";https://www.cpdp.bg/?p=element_view&aid=2180
8;Bulgarian Commission for Personal Data Protection (KZLD);Bulgaria;17.01.19;500;Bank;No;NA;NA;Banks;NA;NA;NA;Yes;Art. 6 GDPR, Art. 5 (1) a) GDPR;Insufficient legal basis for data processing;A bank gained personal data concernign a student wihtout a legal basis.;https://www.cpdp.bg/?p=element&aid=1195
9;Bulgarian Commission for Personal Data Protection (KZLD);Bulgaria;22.02.19;500;Employer;No;NA;NA;NA;NA;NA;NA;Yes;Art. 15 GDPR;Insufficient fulfilment of data subjects rights;An employee sent a request to his employer for access to personal data concerning him. The request was not answered in time and not in a complete way.;https://www.cpdp.bg/?p=element_view&aid=2177
10;Cypriot Data Protection Commissioner;Cyprus;NA;5000;State Hospital;No;NA;NA;Hospitals;NA;NA;NA;Yes;Art. 15 GDPR;Insufficient fulfilment of data subjects rights;A patient complained to the Commissioner that the request for access to her medical file was not satisfied by the hospital because the dossier could not be identified/located by the controller. After investigating the case, an administrative fine of ?5,000 was imposed on the hospital.;https://www.agplaw.com/cyprus-gdpr-commissioner-fines-newspaper-and-hospital/
11;Cypriot Data Protection Commissioner;Cyprus;NA;10000;Newspaper;No;NA;NA;Newspapers & Publishing;NA;NA;NA;Yes;Art. 6 GDPR;Insufficient legal basis for data processing;"The publication of the newspaper, both in hard copy and in electronic form, allegedly involved inconvenience, unnecessary and unlawful detention of a citizen, and revealed the names and pictures of the two police investigators involved, as well as the photograph of a third police investigator.

The Commissioner considered that the aim could be achieved by referring only to the initials of their name and/or their faces being blurred and/or publishing photographs drawn from a distant distance so that it was impossible to identify the persons, and these actions would not bring any change in the nature of the case.";https://www.agplaw.com/cyprus-gdpr-commissioner-fines-newspaper-and-hospital/
12;Czech Data Protection Auhtority (UOOU);Czech Republic;10.01.19;388;Employer;No;NA;NA;NA;NA;NA;NA;Yes;Art. 6 GDPR;Insufficient legal basis for data processing;A former employee of a company requested the deletion of information relating to him/her which was published on the Facebook website of the employer and which was still available long after the termination of the employment relationship. The fine was imposed because the employer did not delete the information relating to the former employee.;https://www.uoou.cz/assets/File.ashx?id_org=200144&id_dokumenty=34464
13;Czech Data Protection Auhtority (UOOU);Czech Republic;04.02.19;1165;Car renting company;No;NA;NA;Services;NA;NA;NA;Yes;Art. 5 (1) a) GDPR;Insufficient fulfilment of information obligations;A person who rented a car found out that the car was tracked via GPS by the renting company even though there was no information provided on the fact that the car is being tracked. The Czech Data Protection Authority found that there was no information provided in terms of Art. 13 GDPR and that Art. 6 (1) f) GDPR could not be the legal basis under the concrete circumstances. Due to that the UOOU found that there was a violation of Art. 5 (1) a) GDPR for which it imposed the fine.;https://www.uoou.cz/assets/File.ashx?id_org=200144&id_dokumenty=34465
15;Czech Data Protection Auhtority (UOOU);Czech Republic;04.02.19;1165;Credit brokerage;No;NA;NA;Finance & Insurance;NA;NA;NA;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;Data was not processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').;https://www.uoou.cz/assets/File.ashx?id_org=200144&id_dokumenty=34467
19;Czech Data Protection Auhtority (UOOU);Czech Republic;NA;3140;UniCredit Bank Czech Republic and Slovakia, a.s.;Yes;UniCredit SpA;Italy;Banks;28800000000;97775;Public;No;Art. 6 GDPR;Insufficient legal basis for data processing;The bank established a personal bank account for a data subject without his consent or knowledge. The bank supposedly had his personal data available because the subject had disposed of his employer?s company account. The bank was not able to provide The Office for Personal Data Protection with the necessary documentation to prove entering into contract with the data subject.;https://www.uoou.cz/kontrola-zpracovani-osobnich-udaju-bankou-unicredit-bank-czech-republic-and-slovakia-a-s/ds-5705/archiv=0&p1=5653
21;Danish Data Protection Authority (Datatilsynet);Denmark;NA;160000;Taxa 4x35;Yes;Sammenslutningen Taxa 4X35;Denmark;Transportation & Logistics;4000000;75;Private;Yes;Art. 5(1) e) GDPR;Non-compliance with general data processing principles;"The Danish DPA reported the taxi company to the police and recommended a fine (of 1.2M DKK) for non-adherence to the data-minimization principle. While the company deleted the names of its passengers from all its records after two years, the deletion did not include the rest of the ride records (about 8,873,333 taxi trips). Hence, the company continued to hold onto individual's phone numbers. 

Please note: Since Danish law does not provide for administrative fines as in the GDPR (unless it is an uncomplicated case and the accused person consented), fines will be imposed by courts.";https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2019/mar/datatilsynet-indstiller-taxaselskab-til-boede-paa-1-2-mio-kr/
22;Danish Data Protection Authority (Datatilsynet);Denmark;12.02.21;13450;IDdesign A / S;Yes;NA;Denmark;Wholesale;NA;NA;Private;Yes;Art. 5 (1) e) GDPR, Art. 5 (2) GDPR;Non-compliance with general data processing principles;"Original summary: On June 3, 2019, the Danish DPA (Datatilsynet) reported IDdesign to the police and demanded payment of a fine in the amount of EUR 200,850 for the processing of personal data of approximately 385,000 customers for a longer period than necessary for the purposes for which they were processed.  Additionally, the company had not established and documented deadlines for deletion of personal data in their new CRM system. The deadlines set for the old system were not deleted after the deadline for the information had been reached. Also, the controller had not adequately documented its personal data deletion procedures. 

Please note: Since Danish law does not provide for administrative fines as in the GDPR (unless it is an uncomplicated case and the accused person consented), fines will be imposed by courts. 

Update: On February 12, 2021 the Aarhus District Court decided to impose a fine against IDdesign in the amount of EUR 13,450. With regard to the calculation of the fine, the court disagreed with the proposed amount of the fine. It concluded that the amount should be calculated on the basis of the company's own turnover and not that of the entire group. In addition, the court considered that the mitigating circumstances under Art. 83 (2) GDPR should be taken into account when calculating the fine. Such as that the company had not previously breached the GDPR, as well as that the breach concerned only general personal data. In addition, no data subject suffered damages as a result of the breach. Finally, the court considers that the negligent nature of the breach should be taken into account.";https://www.datatilsynet.dk/tilsyn-og-afgoerelser/afgoerelser/2019/jun/tilsyn-med-iddesigns-behandling-af-personoplysninger/
23;French Data Protection Authority (CNIL);France;21.01.19;50000000;Google LLC;Yes;Google LLC;United States;IT Services;66000000000;139995;Public;No;Art. 13 GDPR, Art. 14 GDPR, Art. 6 GDPR, Art. 5 GDPR;Insufficient legal basis for data processing;The fine was imposed on the basis of complaints from the Austrian organisation 'None Of Your Business' and the French NGO 'La Quadrature du Net'. The complaints were filed on 25th and 28th of May 2018 - immediately after the GDPR became applicable. The complaints concerned the creation of a Google account during the configuration of a mobile phone using the Android operating system. The CNIL imposed a fine of 50 million euros for lack of transparency (Art. 5 GDPR), insufficient information (Art. 13 / 14 GDPR) and lack of legal basis (Art. 6 GDPR). The obtained consents had not been given 'specific' and not 'unambigous' (Art. 4 nr. 11 GDPR).;https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc
24;French Data Protection Authority (CNIL);France;28.05.19;400000;SERGIC (Real Estate);Yes;Sergic Residences Services;France;Real Estate;25800000;44;Private;Yes;Art. 5 (1) e) GDPR;Insufficient technical and organisational measures to ensure information security;The CNIL based the penalty on two grounds: Lack of basic security measures and excessive data storage. As to the first, sensitive user documents uploaded by rental candidates (including ID cards, health cards, tax notices, certificates issued by the family allowance fund, divorce judgments, account statements) were accessible online without any authentication procedure in place. Although the vulnerability was known to the company since March 2018, it was not finally resolved until September 2018. In addition, the company stored the documentation provided by candidates for longer than necessary. The CNIL took into account i.a. the seriousness of the breach (lack of due care in addressing vulnerability and the fact that the documents revealed very intimate aspects of users' lives), the size of the company and its financial standing.;https://www.legifrance.gouv.fr/affichCnil.do?oldAction=rechExpCnil&id=CNILTEXT000038552658&fastReqId=119744754&fastPos=1
25;Data Protection Authority of Baden-Wuerttemberg;Germany;21.11.18;20000;Knuddels.de;Yes;Knuddels GmbH & Co. KG;Germany;IT Services;2700000;34;Private;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;After a hacker attack in July personal data of approx. 330.000 users, including passwords and email addresses had been revealed.;https://www.baden-wuerttemberg.datenschutz.de/lfdi-baden-wuerttemberg-verhaengt-sein-erstes-bussgeld-in-deutschland-nach-der-ds-gvo/
26;Data Protection Authority of Hamburg;Germany;17.12.18;5000;Kolibri Image Regina und Dirk Maass GbR;Yes;Kolibri Image Regina und Dirk Maass GbR;Germany;Services;NA;NA;NA;Yes;Art. 28 (3) GDPR;Insufficient data processing agreement;"Please note: According to our information this fine has been withdrawn in the meantime. 

Kolibri Image had send a request to the Data Protection Authority of Hessen asking how to deal with a service provider who does not want to sign a processing agreement. After not answering Kolibri Image in more detail, the case was forwarded to the locally responsible Data Protection Authority of Hamburg. This Authority then fined Kolibri Image as controller for not having a processing agreement with the service provider. Kolibri Image has stated that they will challenge the decision in front of court since they are of the opinion that the service provider does not act as a processor.";https://www.heise.de/newsticker/meldung/DSGVO-5000-Euro-Bussgeld-fuer-fehlenden-Auftragsverarbeitungsvertrag-4282737.html
27;Data Protection Authority of Baden-Wuerttemberg;Germany;12.04.19;80000;Company in the financial sector;No;NA;NA;NA;NA;NA;NA;Yes;Art. 5 GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;In an administrative decision dated 12 April 2019, the authority imposed a fine of 80,000 euros on a medium-sized financial services company. This company had failed to take the necessary care to preserve the integrity and confidentiality of information within the meaning of Art. 5 para. 1 lit. f GDPR when disposing of documents containing personal data of two customers. Thus, without prior anonymisation, the papers were disposed of in the general waste paper recycling system, where the documents were found by a neighbour.;https://www.baden-wuerttemberg.datenschutz.de/wp-content/uploads/2019/07/PM-Datenschutzverletzungen-bereiten-zunehmend-Sorge-30.07.2019.pdf
32;Data Protection Authority of Berlin;Germany;01.03.19;50000;N26;Yes;N26 GmbH;Germany;Banks;12600000;1500;Private;Yes;Art. 6 GDPR;Insufficient legal basis for data processing;The fine was imposed against against a bank (according to a newspaper N26) that had processed 'personal data of all former customers' without permission.The Bank has acknowledged that it had retained data relating to former customers in order to maintain a blacklist, a kind of warning file, so that it would not make a new account available to these persons. The bank initially justified this by stating that it was obliged under the German Banking Act to take security measures against customers suspected of money laundering. The Berlin supervisory authority judged this to be illegal. The authority argues that in order to prevent a new bank account from being opened, only those affected may be included in a comparison file who are actually suspected of money laundering or for whom there are other valid reasons for refusing a new bank account. The authority told a newspaper that the fine proceedings initiated against the bank had 'not yet been legally concluded'.;https://www.zaftda.de/tb-bundeslaender/berlin/695-tb-lfd-berlin-2018-ohne-drs-nr-vom-28-03-2019/file
33;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;08.02.19;1560;Bank;No;NA;NA;Banks;NA;NA;NA;Yes;Art. 5 (1) d) GDPR;Non-compliance with general data processing principles;A bank mistakenly sent SMS messages about a subject's credit card debt to the telephone number of another person. After receiving an incorrect telephone number from the client at the time of contracting, the bank did not comply with the data subject's request to erase the data and continued to send SMS message to the incorrect telephone number. The fine represents 0.0016% of the annual profit of the bank.;http://www.cms-lawnow.com/ealerts/2019/03/hungary-fines-two-companies-for-gdpr-infringement?cc_lang=en
34;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;20.02.19;1560;Debt collector;No;NA;NA;Finance & Insurance;NA;NA;NA;Yes;Art. 5 (1) a) GDPR, Art. 5 (1) c) GDPR;Non-compliance with general data processing principles;A data subject requested information about and erasure of the data processed, which the debt collector refused stating that it could not identify the subject. For identification purposes he requested place of birth, mother?s maiden name and further details from the data subject. After the controller succeeded to identify the data subjects he refused to comply with the deletion request, arguing he is legally obliged to retain backup copies according to the Accountancy Act and internal policies. Since he did not properly inform about these policies, the NAIH held the controller breached the principle of transparency. The fine constitutes 0.0025% of the annual profit of the controller.;http://www.cms-lawnow.com/ealerts/2019/03/hungary-fines-two-companies-for-gdpr-infringement?cc_lang=en
36;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;28.02.19;3200;Mayor's Office of the city of Kecdkemet;Yes;NA;NA;Politics & Government;NA;NA;Other;Yes;Art. 5 (1) a) GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The fine was imposed on the Mayor?s Office of the city of Kecskemet for unlawful disclosure of the personal information of a whistleblower.NAIH imposed the fine after an employee of an organisation that it supervised reported a public interest complaint directly to it against his employer. After the organisation learned of the complaint, it requested details in order to investigate, and the local government accidentally revealed the complainant's name. The NAIH considered it an aggravating factor that as a result of the data breach, the organisation fired the person who made the report.;https://www.naih.hu/files/NAIH-2019-596-hatarozat.pdf
37;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;04.03.19;3200;Unnamed financial institution;No;NA;NA;Finance & Insurance;NA;NA;NA;Yes;Art. 5 (1) b) GDPR, Art. 5 (1) c) GDPR, Art. 13 (3) GDPR, Art. 17 (1) GDPR, Art. 6 (4) GDPR;Insufficient fulfilment of data subjects rights;The fine was imposed in relation to a data subject's request for data correction and erasure. NAIH levied a fine against an unnamed financial institution for unlawfully rejecting a customer?s request to have his phone number erased after arguing that it was in the company's legitimate interest to process this data in order to enforce a debt claim against the customer. In its decision, the NAIH emphasised that the customer?s phone number is not necessary for the purpose of debt collection because the creditor can also communicate with the debtor by post. Consequently, keeping the phone number of the debtor was against the principles of data minimisation and purpose limitation. As per the law, the assessed fine was based on 0.025% of the company's annual net revenue.;https://www.naih.hu/files/NAIH-2019-2526-2-H-hatarozat.pdf
38;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;05.04.19;34375;Hungarian political party;No;NA;NA;Politics & Government;NA;NA;Other;Yes;Art. 33 (1) GDPR, Art. 33 (5) GDPR, Art. 34 (1) GDPR;Insufficient fulfilment of data breach notification obligations;"NAIH imposed a fine of HUF 11,000,000 (EUR 34,375) on an undisclosed Hungarian political party for failing to notify the NAIH and relevant individuals about a data breach, and failing to document the breach according to GDPR Article 33.5. As mandated by law, the fine was based on 4% of the party's annual turnover and 2.65 % of its anticipated turnover for the coming year.

The breach was the result of a cyber attack by an anonymous hacker who accessed and disclosed information on the vulnerability of the organisation?s system ? a database of more than 6,000 individuals ? and the command used for the attack. The system was vulnerable to attack because of a redirection problem with the organisation's webpage. After the attacker published the command, even people with low IT knowledge were able to retrieve information from the database.";http://www.cms-lawnow.com/ealerts/2019/04/hungarian-data-authority-investigates-two-cases-of-privacy-breaches?cc_lang=en
39;Italian Data Protection Authority (Garante);Italy;17.04.19;50000;Italian political party Movimento 5 Stelle;Yes;NA;NA;Politics & Government;NA;NA;Other;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;A number of websites affiliated to the Italian political party Movimento 5 Stelle are run, by means of a data processor, through the platform named Rousseau. The platform had suffered a data breach during the summer 2017 that led the Italian data protection authority, the Garante, to require the implementation of a number of security measures, in addition to the obligation to update the privacy information notice in order to give additional transparency to the data processing activities performed.While the update of the privacy information notice was timely completed, the Italian data protection authority, raised its concerns as to the lack of implementation on the Rousseau platform of some of GDPR related security measures. It is worth it to mention that the proceeding initiated before May 2018, but the Italian data protection authority issued a fine under the GDPR since the Rousseau platform had not adopted security measures required by means of an order issued after the 25th of May 2018. Interestingly, the fine was not issued against the Movimento 5 Stelle that is the data controller of the platform, but against the Rousseau association that is the data processor.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9101974
40;Lithuanian Data Protection Authority (VDAI);Lithuania;16.05.19;61500;Payment service provider UAB MisterTango;Yes;NA;NA;Finance & Insurance;NA;NA;NA;Yes;Art. 5 GDPR, Art. 32 GDPR, Art. 33 GDPR;Insufficient fulfilment of data breach notification obligations;During an inspection, the Lithuanian Data Protection Supervisory Authority found that the controller processed more data than necessary to achieve the purposes for which he was a controller. In addition, it became known that from 09 - 10 July 2018 payment data were publicly available on the internet due to inadequate technical and organisational measures. 9,000 payments with 12 banks from different countries were affected. According to the supervisory authority, a data breach notification pursuant to Art. 33 GDPR would have been necessary. The controller did not report the Data Breach.;https://www.ada.lt/go.php/lit/Imones-atsakomybes-neisvengs--lietuvoje-skirta-zenkli-bauda-uz-bendrojo-duomenu-apsaugos-reglamento-pazeidimus-/1
41;Data Protection Commissioner of Malta;Malta;18.02.19;5000;Lands Authority;No;NA;NA;Politics & Government;NA;NA;Other;Yes;Art. 5 GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;As a result of the lack of appropriate security measures on the Lands Authority website, over 10 gigabytes of personal data became easily accessible to the public via a simple google search. The majority of the leaked data contained highly-sensitive information and correspondence between individuals and the Authority itself. The Lands Authority chose not to appeal. In Malta, in the case of a breach by a public authority or body, the Data Protection Commissioner may impose an administrative fine of up to ?25,000 for each violation and may additionally impose a daily fine of ?25 for each day such violation persists.;https://www.gvzh.com.mt/malta-news/idpc-fines-lands-authority-data-breach/
42;Norwegian Supervisory Authority (Datatilsynet);Norway;01.03.19;170000;Bergen Municipality;Yes;NA;NA;Politics & Government;NA;NA;Other;Yes;Art. 5 (1) f) GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;"The incident relates to computer files with usernames and passwords to over 35000 user accounts in the municipality?s computer system. The user accounts related to both pupils in the municipality?s primary schools, and to the employees of the same schools. Due to insufficient security measures, these files have been unprotected and openly accessible. The lack of security measures in the system made it possible for anyone to log in to the school?s various information systems, and thereby to access various categories of personal data relating to the pupils and employees of the schools.

The fact that the security breach encompasses personal data to over 35 000 individuals, and that the majority of these are children, were considered to be aggravating factors. The municipality had also been warned several times, both by the authority and an internal whistleblower, that the data security was inadequate.";https://www.datatilsynet.no/en/about-privacy/reports-on-specific-subjects/administrative-fine-of-170.000--imposed-on-bergen-municipality/
43;Polish National Personal Data Protection Office (UODO);Poland;26.03.19;220000;Private company working with data from publicly available sources;No;NA;NA;NA;NA;NA;NA;Yes;Art. 14 GDPR;Insufficient fulfilment of information obligations;"The fine concerned the proceedings related to the activity of a company which processed the data subjects? data obtained from publicly available sources, inter alia from the Central Electronic Register and Information on Economic Activity, and processed the data for commercial purposes. The authority verified incompliance with the information obligation in relation to natural persons conducting business activity ? entrepreneurs who are currently conducting such activity or have suspended it, as well as entrepreneurs who conducted such activity in the past. The controller fulfilled the information obligation by providing the information required under Art. 14 (1) ? (3) of the GDPR only in relation to the persons whose e-mail addresses it had at its disposal. In case of the remaining persons the controller failed to comply with the information obligation ? as it explained in the course of the proceedings ? due to high operational costs. Therefore, it presented the information clause only on its website. According to the UODO this is not sufficient.

Addendum: In the meantime, the court has cancelled the fine due to procedural errors. The amount of the fine has to be determined by the concrete number of data records concerned. However, the Office had not submitted any verifiable evidence in this regard, but had simply assumed that 6 million data sets were involved, which the data controller had denied. Therefore, important statements were missing. In particular, it was incorrect to justify the amount of the fine on the basis of general preventive considerations. Art. 58 GDPR expressly states that a fine imposed must be related to the specific facts of the case. The Polish data protection authority has already announced that the fine will be revised in a new administrative procedure.";https://uodo.gov.pl/en/553/1009
45;Portuguese Data Protection Authority (CNPD);Portugal;17.07.18;400000;Public Hospital;No;NA;NA;Hospitals;NA;NA;NA;Yes;Art. 5 (1) f) GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;Investigation revealed that the hospital?s staff, psychologists, dietitians and other professionals had access to patient data through false profiles.  The profile management system appeared deficient ? the hospital had 985 registered doctor profiles while only having 296 doctors.  Moreover, doctors had unrestricted access to all patient files, regardless of the doctor?s specialty.;https://www.cnpd.pt/bin/decisoes/Delib/20_984_2018.pdf
46;Spanish Data Protection Authority (aepd);Spain;NA;5000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 5 (1) d) GDPR;Non-compliance with general data processing principles;The spanish telecommunications and informations agancy (SETSI) decided Vodafone had to reimburse a customer for costs he was wrongfully charged for. Nevertheless, Vodafone reported personal data of this respective customer to a solvency registry (BADEXCUG). The AEPD found this behaviour violated the principle of accuracy.;https://www.aepd.es/resoluciones/PS-00331-2018_ORI.pdf
48;Spanish Data Protection Authority (aepd);Spain;NA;60000;Debt collecting agancy (GESTION DE COBROS, YO COBRO SL);Yes;NA;NA;Finance & Insurance;NA;NA;NA;Yes;Art. 5 (1) f) GDPR;Insufficient legal basis for data processing;After the claimant did alledgedly not pay back a microcredit to an online credit agany, the claim was assigned to the debt collecting agancy. Subsequently, the latter startet sending emails not only to email addresses provided by the claimant but also to an institutional email address of his workplace accessible by any co-worker which was never provided by the claimant.;https://www.aepd.es/resoluciones/PS-00121-2019_ORI.pdf
49;Spanish Data Protection Authority (aepd);Spain;NA;27000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 5 (1) d) GDPR;Insufficient fulfilment of data subjects rights;Although the complainant (a former Vodafone customer) had requested Vodafone to delete his data in 2015 and this request had been confirmed by the company, he received more than 200 SMS from the company from 2018 onwards. Following Vodafone's statement, this happened because the complainant's mobile phone number was erroneously used for testing purposes and accidentally appeared in various customer files belonging to other customers than the complainant. Since the company agreed to both payment and admission of responsibility the fine was reduced in accordance with Spanish administrative law to EUR 27k.;https://www.aepd.es/resoluciones/PS-00411-2018_ORI.pdf
51;French Data Protection Authority (CNIL);France;13.06.19;20000;Employer UNIONTRAD COMPANY;Yes;Uniontrade Spa;Italy;Wholesale;66900000;52;Private;No;Art. 5 (1) c) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 32 GDPR;Insufficient legal basis for data processing;Between 2013 and 2017, the CNIL received complaints from several employees of the company who were filmed at their workstation. On two occasions, it alerted the company to the rules to be observed when installing cameras in the workplace, in particular, that employees should not be filmed continuously and that information about the data processing has to be provided. In the absence of satisfactory measures at the end of the deadline set in the formal notice, the CNIL carried out a second audit in October 2018 which confirmed that the employer was still breaching data protection laws when recording employees with CCTV. When determening the amount of the fine, the CNIL took into account the size (9 employees) and the financial situation of the company, which presented a negative net result in 2017 (turnover of 885,739 EUR in 2017 and a negative net result of 110,844 EUR), to retain a dissuasive but proportionate administrative fine.;https://www.legifrance.gouv.fr/affichCnil.do?oldAction=rechExpCnil&id=CNILTEXT000038629823&fastReqId=946473298&fastPos=1
54;Data Protection Commision of Bulgaria (KZLD);Bulgaria;08.04.19;510;Medical centers;No;NA;NA;Hospitals;NA;NA;NA;Yes;Art. 5 (1) a) GDPR, Art. 9 (1) GDPR, Art. 9 (2) GDPR, Art. 6 (1) GDPR;Insufficient legal basis for data processing;The sanction of 510 EUR was imposed on each medical center for unlawful processing of the personal data of data subject G.B. by a medical centre for the purpose of changing his GP. The medical centre used a software to generate a registration form for change of GP which was submitted to the Regional Health Insurance Fund and then to another medical centre, which subsequently also unlawfully processed the personal data of G.B.;https://www.cpdp.bg/?p=element_view&aid=2192
55;Data Protection Commision of Bulgaria (KZLD);Bulgaria;26.03.19;5100;A.P. EOOD;Yes;NA;NA;NA;NA;NA;NA;Yes;Art. 5 (1) a) GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The sanction was imposed on personal data administrator A.P. EOOD for unlawful processing of personal data. The personal data of data subject D.D. was used by A.P. EOOD for preparing an Employment Contract, while he was in prison.;https://www.cpdp.bg/?p=element_view&aid=2191
56;Spanish Data Protection Authority (aepd);Spain;NA;60000;ENDESA (energy supplyer);Yes;Endesa SA;Spain;Energy;18400000000;9591;Public;Yes;Art. 5 (1) f) GDPR;Insufficient legal basis for data processing;The complainant's bank account was charged by ENDESA, the beneficiary of which was a third party, who had been convicted under criminal law and imposed with a two-year restraining order regarding the claimant, her domicile and work. Instead amending the contract details as requested by the claimant ENDESA deleted her data erroneously and fillid in the data of the third party. The AEPD found the disclosure of the claimant's data to the third party was a severe violation of the principle of confidentiality.;https://www.aepd.es/resoluciones/PS-00074-2019_ORI.pdf
57;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;27.06.19;130000;UNICREDIT BANK SA;Yes;UniCredit SpA;Italy;Banks;28800000000;97775;Public;No;Art. 25 (1) GDPR, Art. 5 (1) c) GDPR;Insufficient technical and organisational measures to ensure information security;The fine was issued as a result of the failure to implement appropriate technical and organisational measures (related to (1) the determination of the processing means/operations, and (2) the integration the necessary safeguards) resulting in the online-disclosure of IDs and addresses (interla/external transactions) of 337,042 data subjects to their respective beneficiary (between 25.05.2018 -10.12.2018).;https://www.dataprotection.ro/?page=Comunicat_Amenda_Unicredit&lang=ro
58;Information Commissioner (ICO);United Kingdom;16.10.20;22046000;British Airways;Yes;British Airways Plc (West Drayton);United Kingdom;Aviation;15000000000;42322;Private;Yes;Art. 5 (1) f) GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;"In July 2019, the ICO issued a notice of its intention to fine British Airways L183.39M for GDPR infringements which likely involve a breach of Art. 32 GDPR. The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018. This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018. The ICO?s investigation has found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well name and address information.

In the meantime, the final fine imposed on the airline has been set at L20 million (approximately EUR 22,046,000). The ICO emphasized that when setting the amount of the fine, it also took into account the economic impact of the COVID-19 ('Coronavirus') pandemic on the airline industry.";https://ico.org.uk/action-weve-taken/enforcement/british-airways/
59;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;02.07.19;15000;WORLD TRADE CENTER BUCHAREST SA;Yes;NA;Romania;Wholesale;NA;NA;NA;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The breach of data security was that a printed paper list used to check breakfast customers and containing personal data of 46 clients who stayed at the hotel's WORLD TRADE CENTER BUCHAREST SA was photographed by unauthorized people outside the company, which led to the disclosure of the personal data of some clients through online publication. The operator of WORLD TRADE CENTER BUCHAREST SA has been sanctioned because it has not taken steps to ensure that data is not disclosed to unauthorized parties.;https://www.dataprotection.ro/index.jsp?page=O_noua_amenda_GDPR&lang=ro
60;Information Commissioner (ICO);United Kingdom;30.10.20;20450000;Marriott International, Inc;Yes;Marriott International, Inc.;United States;Accommodation;9300000000;121000;Public;No;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;"Original Summary: The ICO issued a notice of its intention to fine Marriott International Inc due to a cyber incident which was notified to the ICO by Marriott in November 2018. A variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents.

It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO?s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.

--> Update: On 2020/10/30, the ICO announced its final decision to impose a fine of L 18.4 million (approximately EUR 20.4 million) on Marriott International Inc. In its decision, the ICO set forth its considerations for the calculation of the fine, which included Marriott's absence of prior violations or omissions and the fact that Marriott had fully cooperated with the investigation and had taken steps to notify the individuals concerned. In addition, the ICO noted that it had also made an alignment with other fines already imposed on other companies - in particular also of other European data protection authorities.";https://ico.org.uk/media/action-weve-taken/mpns/2618524/marriott-international-inc-mpn-20201030.pdf
61;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;23.05.19;92146;Organizer of SZIGET festival and VOLT festival;Yes;NA;NA;Sports, Fitness & Recreation;NA;NA;NA;Yes;Art. 6 GDPR, Art. 5 (1) b) GDPR, Art. 13 GDPR;Insufficient legal basis for data processing;The NAIH found that there were inappropriate legal bases is use and that the controller did not comply with the principle of purpose limitation. Also, information on the data processing was not fully provided to data subjects.;http://www.naih.hu/files/NAIH-2019-55_hatarozat.pdf
62;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;05.07.19;3000;LEGAL COMPANY & TAX HUB SRL;No;NA;NA;Services;NA;NA;Private;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;"The fine was imposed because adequate technical and organizational measures to ensure a level of security appropriate to the risk of processing were not implemented. This has led to unauthorized disclosure and unauthorized access to the personal data of people who have made transactions received by the avocatoo.ro website (name, surname, mailing address, email, phone, job, details of transactions made), due to publicly accessible documents between 10th of December 2018 and 1st of February 2019.

The National Supervisory Authority applied the sanction following a notification dated 12th of October 2018 indicating that a set of files regarding the details of the transactions received by the avocatoo.ro website which contained the name, surname, address correspondence, email, telephone, job and details of transactions made, was publicly accessible through two links.";https://www.dataprotection.ro/?page=2019%20A%20treia%20amenda%20in%20aplicarea%20RGPD&lang=ro
63;Dutch Supervisory Authority for Data Protection (AP);Netherlands;18.06.19;460000;Haga Hospital;No;NA;NA;Hospitals;NA;NA;NA;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The Haga Hospital does not have a proper internal security of patient records in place. This is the conclusion of an investigation by the Dutch Data Protection Authority. This investigation followed when it appeared that dozens of hospital staff had unnecessarily checked the medical records of a well-known Dutch person. To force the hospital to improve the security of patient records, the AP simultaneously imposes an order subject to a penalty. If the Haga Hospital has not improved security before 2nd of October 2019, the hospital must pay 100,000 EUR every two weeks, with a maximum of 300,000 EUR. The Haga Hospital has meanwhile indicated to take measures.;https://autoriteitpersoonsgegevens.nl/nl/nieuws/haga-beboet-voor-onvoldoende-interne-beveiliging-pati%C3%ABntendossiers
64;French Data Protection Authority (CNIL);France;25.07.19;180000;ACTIVE ASSURANCES (car insurer);Yes;NA;NA;Finance & Insurance;NA;NA;NA;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;Large amount of customer accounts, clients' documents (including copies of driver's licences, vehicle registration, bank statements and documents to determine whether a person had been the subject of a licence withdrawal) and data were easily accesible online. The CNIL, between others, critizised the password management (unauthorized access was possible without any authentication).;https://www.legifrance.gouv.fr/affichCnil.do?id=CNILTEXT000038810992
65;Hellenic Data Protection Authority (HDPA);Greece;30.07.19;150000;PWC Business Solutions;Yes;PWC;United Kingdom;Services;45100000000;295000;Private;No;Art. 5 (1) GDPR, Art. 5 (2) GDPR, Art. 6 (1) GDPR, Art. 13 (1) c) GDPR, Art. 14 (1) c) GDPR;Insufficient legal basis for data processing;The processing of employee personal data was based on consent. The HDPA found that consent as legal basis was inappropriate, as the processing of personal data was intended to carry out acts directly linked to the performance of employment contracts, compliance with a legal obligation to which the controller is subject and the smooth and effective operation of the company, as its legitimate interest. In addition, the company gave employees the false impression that it was processing their personal data under the legal basis of consent, while in reality it was processing their data under a different legal basis.  This was in violation of the principle of transparency and thus in breach of the obligation to provide information under Articles 13(1)(c) and 14(1)(c) of the GDPR. Lastly, in violation of the accountability principle, the company failed to provide the HDPA with evidence that it had carried out a prior assessment of the appropriate legal bases for processing employee personal data;https://www.dpa.gr/pls/portal/docs/PAGE/APDPX/ENGLISH_INDEX/DECISIONS/SUMMARY%20OF%20DECISION%2026_2019%20(EN).PDF
66;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;17.10.19;2500;UTTIS INDUSTRIES SRL;Yes;Uttis Industries Srl;Romania;Industrial;5700000;87;Private;Yes;Art. 12 GDPR, Art. 13 GDPR, Art. 5 (1) c) GDPR, Art. 6 GDPR;Insufficient fulfilment of information obligations;The sanctions were applied to the controller because he could not prove that the data subjects were informed about the processing of personal data / images through the video surveillance system, which they have been operating since 2016. And because he made the disclosure of the CNP of the employees, by displaying the Report for the training of the authorized ISCIR personnel for the year 2018 to the company notifier and could not prove the legality of the processing of the CNP, by disclosure, according to Art. 6 GDPR.;https://www.dataprotection.ro/?page=A_patra_amenda&lang=ro
67;Data Protection Authority of Sweden;Sweden;20.08.19;18630;School in Skelleftea;No;NA;NA;Education;NA;NA;NA;Yes;Art. 5 (1) c) GDPR, Art. 9 GDPR, Art. 35 GDPR, Art. 36 GDPR;Insufficient legal basis for data processing;A school in Skelleftea made a trial to use facial recognition technology. The fine was imposed against the school which had used facial recognition technology to monitor the attendance of students. Even though, in general, data processing for the purpose of monitoring attendance is possible doing so with facial recognition is disproportioned to the goal to monitor attendance.  The supervisory authority is of the opinion that biometric data of students was processed which is why Art. 9 GDPR is applicable. Additionally, the authority argued that consent can not be applied since students and their guardians cannot freely decide if they/their children want to be monitored for attendance purposes. When examining if the school board can rely on any of the exemptions listed in Art. 9 (2), the supervisory authority found that this was not the case. The supervisory authority also found that there was a case of a processing activity with high risks since new technology was used to process sensitive personal data concerning children who are in a dependency position to the high school board and due to camera surveillance being used in the students everyday environment. In the view of the authority, the school board was not able to demonstrate compliance with Art. 35 GDPR and that the school board was required to consult the authority in accordance with Art. 36 (1) GDPR.;https://www.datainspektionen.se/globalassets/dokument/beslut/facial-recognition-used-to-monitor-the-attendance-of-students.pdf
68;Austrian Data Protection Authority (dsb);Austria;01.08.19;50000;Company in the medical sector;No;NA;NA;Healthcare;NA;NA;NA;Yes;Art. 13 GDPR, Art. 37 GDPR;Insufficient fulfilment of information obligations;The (none-final) fine was imposed on a company in the medical sector for non-compliance with information obligations and for not appointing a data protection officer.;https://www.ris.bka.gv.at/Dokumente/Dsk/DSBT_20181116_DSB_D213_692_0001_DSB_2018_00/DSBT_20181116_DSB_D213_692_0001_DSB_2018_00.html
70;Spanish Data Protection Authority (aepd);Spain;16.08.19;60000;AVON COSMETICS;Yes;Avon Cosmetics Limited (Northampton);United Kingdom;Retail & Trade;618900000;1385;Private;No;Art. 6 GDPR;Insufficient legal basis for data processing;A consumer claimed that AVON COSMETICS had unlawfully processed his data without adequately verifying his identity, which led to his data being erroneously entered in a register of claims, preventing him from working with his bank. As a result, a third party fraudulently used the consumers personal data.;https://www.aepd.es/resoluciones/PS-00159-2019_ORI.pdf
71;Data Protection Commision of Bulgaria (KZLD);Bulgaria;28.08.19;2600000;National Revenue Agency;Yes;National Revenue Agency;Bulgaria;Politics & Government;203200000;1759;Other;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;Leakage of personal data in a hacking attack due to inadequate technical and organisational measures to ensure the protection of information security. It was found that personal data concerning about 6 million persons was illegally accessible.;https://www.cpdp.bg/index.php?p=news_view&aid=1519
72;Data Protection Commision of Bulgaria (KZLD);Bulgaria;28.08.19;511000;DSK Bank;Yes;Dsk Bank Ad;Bulgaria;Finance & Insurance;616700000;5380;Private;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;Leakage of personal data due to inadequate technical and organisational measures to ensure the protection of information security. Third parties had access to over 23000 credit records relating to over 33000 bank customers including personal data such as names, citizenships, identification numbers, adresses, copies of identity cards and biometric data.;https://www.cpdp.bg/index.php?p=news_view&aid=1514
73;Data State Inspectorate (DSI);Latvia;26.08.19;7000;Online Services;No;NA;NA;Services;NA;NA;NA;Yes;Art. 17 GDPR;Insufficient fulfilment of data subjects rights;A merchant who provides services in an online store has infringed the 'right to be forgotten' pursuant to Art. 17 GDPR when he was repeatedly requested by a data subject to delete all his personal data, in particular his/her mobile phone number, which the merchant had received as part of an order. Nevertheless, the merchant repeatedly sent advertising messages by SMS to the data subjects mobile phone number.;https://www.dvi.gov.lv/lv/zinas/datu-valsts-inspekcija-piemero-7000-eiro-lielu-naudas-sodu-internetveikalam-par-personas-datu-apstrades-parkapumiem/
75;Norwegian Supervisory Authority (Datatilsynet);Norway;29.04.19;120000;Oslo Municipal Education Department;No;NA;NA;Politics & Government;NA;NA;Other;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;Fine for security vulnerabilities in a mobile messaging app developed for use in an Oslo school. The app allows parents and students to send messages to school staff. Due to insufficient technical and organizational measures to protect information security, unauthorized persons were able to log in as authorized users and gain access to personal data about students, legal representatives and employees. The fine has meanwhile been reduced to EUR 120.000, see link;https://www.datatilsynet.no/contentassets/f7246f38ff394d32bef6895bc65a4b4f/varsel-om-gebyr---oslo-kommune.pdf
78;Data Protection Authority of Berlin;Germany;19.09.19;195407;Delivery Hero;Yes;Delivery Hero SE;Germany;IT Services;2400000000;35528;Public;Yes;Art. 15 GDPR, Art. 17 GDPR, Art. 21 GDPR;Insufficient fulfilment of data subjects rights;According to the findings of the Berlin data protection officer, Delivery Hero Germany GmbH had not deleted accounts of former customers in ten cases, even though those data subjects had not been active on the company's delivery service platform for years - in one case even since 2008. In addition, eight former customers had complained about unsolicited advertising e-mails from the company. A data subject who had expressly objected to the use of his data for advertising purposes nevertheless received further 15 advertising e-mails from the delivery service. In further five cases, the company did not provide the data subjects with the required information or only after the Berlin data protection officer had intervened.;https://www.datenschutz-berlin.de/fileadmin/user_upload/pdf/pressemitteilungen/2019/20190919-PM-Bussgelder.pdf
79;Polish National Personal Data Protection Office (UODO);Poland;10.09.19;660000;Morele.net;Yes;Morele Net Sp Z O O;Poland;E-Commerce;183800000;230;Private;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The Polish data protection authority imposed a fine of over PLN 2.8 million (approx. ?644,780) on Morele.net for insufficient organisational and technical safeguards, which led to unauthorised access to the personal data of 2.2 million people.;https://uodo.gov.pl/decyzje/ZSPR.421.2.2019
80;Belgian Data Protection Authority (APD);Belgium;17.09.19;10000;Merchant;No;NA;NA;Wholesale;NA;NA;NA;Yes;Art. 5 (1) c) GDPR;Non-compliance with general data processing principles;The Belgian data protection authority has imposed a fine of 10,000 euros on a merchant who wanted to use an electronic identity card (eID) to create a customer card. The DPA's investigation revealed that the merchant required access to personal data located on the eID, including the photo and barcode which is linked to the data subject's identification number. In the meantime, the decision of the data protection authority has been anNAed by a court: link;https://www.sudinfo.be/id141981/article/2019-09-19/un-commercant-recu-une-amende-de-10000-euros-pour-avoir-voulu-creer-une-carte-de
81;Spanish Data Protection Authority (aepd);Spain;NA;9600;Restaurant (SANTI 3000, S.L.);No;NA;NA;Restaurants, Cafes & Bars;NA;NA;NA;Yes;Art. 5 (1) a) GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;A restaurant wanted to impose disciplinary sanctions on an employee using images from a mobile phone video which was recorded by another employee in the restaurant for evidence purposes. The initial fine of EUR 12.000 was reduced to EUR 9.600.;https://theword.iuslaboris.com/hrlaw/insights/spain-video-surveillance-and-data-protection-in-the-workplace
82;Hellenic Data Protection Authority (HDPA);Greece;07.10.19;200000;Telecommunication Service Provider;No;NA;NA;Telecommunications;NA;NA;NA;Yes;Art. 5 (1) c) GDPR, Art. 25 GDPR;Non-compliance with general data processing principles;A large number of customers were subject to telemarketing calls, although they had declared an opt-out for this. This was ignored due to technical errors.;http://www.dpa.gr/APDPXPortlets/htdocs/documentSDisplay.jsp?docid=3,241,32,146,79,143,149,112
83;Hellenic Data Protection Authority (HDPA);Greece;07.10.19;200000;Telecommunication Service Provider;No;NA;NA;Telecommunications;NA;NA;NA;Yes;Art. 21 (3) GDPR, Art. 25 GDPR;Non-compliance with general data processing principles;Inappropriate technical measures resulted in the data of 8,000 customers not being deleted upon request.;http://www.dpa.gr/APDPXPortlets/htdocs/documentSDisplay.jsp?docid=3,241,32,146,79,143,149,112
84;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;09.10.19;150000;Raiffeisen Bank SA;Yes;Raiffeisen Bank Sa;Romania;Banks;831800000;6800;Private;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;Raiffeisen Bank Romania carried out scoring assessments on the basis of personal data of individuals registered on the Vreau Credit platform provided by the platform's staff via WhatsApp and then returned the result to Vreau Credit using the same means of communication.;https://www.dataprotection.ro/?page=Comunicat_Presa_09_10_2019&lang=ro
85;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;09.10.19;20000;Vreau Credit SRL;Yes;NA;NA;Finance & Insurance;NA;NA;NA;Yes;Art. 32 GDPR, Art. 33 GDPR;Insufficient technical and organisational measures to ensure information security;Raiffeisen Bank Romania carried out scoring assessments on the basis of personal data of individuals registered on the Vreau Credit platform provided by the platform's staff via WhatsApp and then returned the result to Vreau Credit using the same means of communication.;https://www.dataprotection.ro/?page=Comunicat_Presa_09_10_2019&lang=ro
86;Spanish Data Protection Authority (aepd);Spain;01.10.19;30000;Vueling Airlines;Yes;Vueling Airlines, Sa;Spain;Aviation;2400000000;4438;Private;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The Spanish Data Protection Agency (AEPD) has sanctioned Vueling Airlines with 30,000 euros for not giving users the ability to refuse their cookies and force them to use them if they want to browse its website. In other words, it was not possible to browse the Vueling page without accepting their cookies. AEDP issued a sanctioning resolution for the amount of 30,000 euros, which could be reduced to 18,000 for immediate payment.;https://www.aepd.es/resoluciones/PS-00300-2019_ORI.pdf
87;Cypriot Data Protection Commissioner;Cyprus;NA;14000;Doctor;No;NA;NA;NA;NA;NA;NA;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;A patient complained to the Commissioner that the request for access to her medical file was not satisfied by the hospital because the dossier could not be identified/located by the controller. After investigating the case, an administrative fine of ?5,000 was imposed on the hospital.;https://cyprus-mail.com/2019/10/11/doctor-fined-e14000-for-violating-patient-data-on-instagram/
88;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;26.09.19;9000;Inteligo Media SA;Yes;Inteligo Media SA;Romania;Newspapers & Publishing;NA;25;NA;Yes;Art. 5 (1) a) GDPR, Art. 6 (1) a) GDPR;Insufficient legal basis for data processing;As part of the registration process on the webseite avocatnet.ro, the operator used an unfilled checkbox, by means of which users could declare that they did not wish to receive information letters via e-mail (opt-out). Without any action, the user was automatically sent information letters via e-mail. This did not fulfil the requirements for a GDPR-compliant consent.;https://www.dataprotection.ro/?page=Alta_sanctiune_RGPD&lang=ro
93;Spanish Data Protection Authority (aepd);Spain;16.10.19;60000;Xfera Moviles S.A.;Yes;Xfera Moviles Sau;Spain;Telecommunications;1500000000;473;Private;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;Xfera Movile has used personal data without a legal basis for the conclusion of a telephone contract and has continued to process personal data even when the data subject requested that the processing be discontinued.;https://www.aepd.es/resoluciones/PS-00262-2019_ORI.pdf
94;Spanish Data Protection Authority (aepd);Spain;16.10.19;8000;Iberdrola Clientes;Yes;Iberdrola Clientes Sociedad Anonima.;Spain;Energy;8000000000;623;Private;Yes;Art. 31 GDPR;Insufficient cooperation with supervisory authority;Iberdrola Clientes, an electricity company, had refused to make a request to a person to change its electricity supplier because it claimed that its data would be included in the solvency list. As a result, the AEPD requested that Iberdola Clientes provide information about the possibility of adding the person's data to the solvency list to which the company did not respond. This lack of cooperation with the AEPD was a violation of Article 31 of the GDPR.;https://www.aepd.es/resoluciones/PS-00304-2019_ORI.pdf
95;Slovak Data Protection Office;Slovakia;NA;40000;Slovak Telekom;Yes;Deutsche Telekom AG;Germany;Telecommunications;97600000000;226291;Public;No;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The controller did not take adequate security measures when processing personal data, thereby breaching the obligation to protect the processed personal data.;https://www.etrend.sk/ekonomika/gdpr-zacina-hryzt-telekomunikacny-operator-dostal-pokutu-40-tisic-eur.html
96;Austrian Data Protection Authority (dsb);Austria;29.10.19;0;Austrian Post;Yes;Österreichische Post AG;Austria;Transportation & Logistics;2100000000;24747;Public;Yes;Art. 5 (1) a) GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;Originial fine summary: Sending election advertising to citizens without sufficient legal basis. Update: On January 27th, 2021, the Brussels Court of Appeal overturned the fine of EUR 5,000.;https://wien.orf.at/stories/3019396/
97;Polish National Personal Data Protection Office (UODO);Poland;18.10.19;9380;Major of Aleksandrow Kujawski;No;NA;NA;NA;NA;NA;NA;Yes;Art. 28 GDPR;Insufficient data processing agreement;No data processing agreement has been concluded with the company whose servers contained the resources of the Public Information Bulletin (BIP) of the Municipal Office in Aleksandrow Kujawski. For this reason, a fine of 40.000 PLN (9400 EUR) was imposed on the mayor of the city.;https://uodo.gov.pl/decyzje/ZSPU.421.3.2019
98;Data Protection Authority of Berlin;Germany;23.02.21;0;Deutsche Wohnen SE;Yes;Deutsche Wohnen SE;Germany;Real Estate;2700000000;1280;Public;Yes;Art. 5 GDPR, Art. 25 GDPR;Non-compliance with general data processing principles;Originally, a fine in the amount of EUR 14.500.000 was issued against Deutsche Wohnen SE for using an archiving system for the storage of personal data of tenants that, according to the data protection authority, did not provide for the possibility of removing data that was no longer required. According to the data protection authority, personal data of tenants were stored without checking whether storage was permissible or even necessary and it was therefore possible to access personal data of affected tenants which had been stored for years without this data still serving the purpose of its original collection. This involved data on the personal and financial circumstances of tenants, such as salary statements, self-disclosure forms, extracts from employment and training contracts, tax, social security and health insurance data as well as bank statements. In addition to sanctioning this structural violation, the Berlin data protection commissioner imposed further fines of between 6,000 and 17,000 euros on the company for the inadmissible storage of personal data of tenants in 15 specific individual cases. See the separate entry. *** UPDATE *** On 24 February 2021 the Berlin Regional Court has dismissed the fine against Deutsche Wohnen SE due to procedural errors, see link and link;https://www.datenschutz-berlin.de/fileadmin/user_upload/pdf/pressemitteilungen/2019/20191105-PM-Bussgeld_DW.pdf
99;Data Protection Authority of Berlin;Germany;30.10.19;NA;Deutsche Wohnen SE;Yes;Deutsche Wohnen SE;Germany;Real Estate;2700000000;1280;Public;Yes;Art. 5 GDPR;Non-compliance with general data processing principles;In addition to sanctioning violations of privacy by design principles (Art. 5 GDPR, Art. 25 GDPR - see separate entry), the Berlin data protection commissioner imposed further fines of between 6,000 and 17,000 euros on the company for the inadmissible storage of personal data of tenants in 15 specific individual cases.;https://www.datenschutz-berlin.de/fileadmin/user_upload/pdf/pressemitteilungen/2019/20191105-PM-Bussgeld_DW.pdf
100;Spanish Data Protection Authority (aepd);Spain;25.10.19;36000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The claimant, whose data had been provided to the company by his daughter, as authorised by him, received a call from the company offering its services, which he refused. However, Vodafone Espana proceeded to providing him services and seeking payment from him, so Vodafone Espana had processed the claimant's personal data without his consent.;https://www.aepd.es/resoluciones/PS-00301-2019_ORI.pdf
102;Polish National Personal Data Protection Office (UODO);Poland;16.10.19;47000;ClickQuickNow;Yes;ClickQuickNow Sp. z o.o;Poland;Advertising & Marketing;NA;25;Private;Yes;Art. 5 GDPR;Non-compliance with general data processing principles;The UODO imposed a fine of EUR 47000 for obstructing the exercise of the right of withdrawal for the processing of personal data. The company has not taken appropriate technical and organisational measures that allow the simple and effective withdrawal of consent to the processing of personal data and the exercise of the right to request the erasure of personal data.;https://uodo.gov.pl/decyzje/ZSPR.421.7.2019
103;Spanish Data Protection Authority (aepd);Spain;07.11.19;900;TODOTECNICOS24H S.L.;Yes;NA;Spain;Services;NA;NA;NA;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;TODOTECNICOS24H had collected personal data without providing accurate information about data collection in its data protection declaration pursuant to Article 13 of the GDPR.;https://www.aepd.es/resoluciones/PS-00268-2019_ORI.pdf
104;Spanish Data Protection Authority (aepd);Spain;NA;12000;Madrilena Red de Gas;Yes;Madrileña Red De Gas Sau;Spain;Energy;178500000;158;Private;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The gas company did not have appropriate measures in place to verify the identity of the data subject. The person who filed the complaint alleges that the company e-mailed his information to a third party in response to a request.;https://www.aepd.es/resoluciones/PS-00188-2019_ORI.pdf
105;Spanish Data Protection Authority (aepd);Spain;06.11.19;900;Cerrajero Online;Yes;NA;Spain;Services;NA;NA;NA;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;The company had collected personal data without providing accurate information about data collection in its data protection declaration pursuant to Article 13 of the GDPR.;https://www.aepd.es/resoluciones/PS-00266-2019_ORI.pdf
106;Spanish Data Protection Authority (aepd);Spain;31.10.19;6000;Jocker Premium Invex;Yes;NA;Spain;Advertising & Marketing;NA;NA;NA;Yes;Art. 6 GDPR;Insufficient legal basis for data processing;After registering for a local census, Jocker Premium Invex had sent the applicant postal advertisements and commercial offers, although data such as first name, surname and postal address were only communicated to the public administration.;https://www.aepd.es/resoluciones/PS-00291-2019_ORI.pdf
107;Dutch Supervisory Authority for Data Protection (AP);Netherlands;31.10.19;900000;UWV (Dutch employee insurance service provider);Yes;Stichting Pensioenfonds Uwv;Netherlands;Finance & Insurance;10000000;17;Private;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;As the UWV (the Dutch employee insurance service provider - 'Uitvoeringsinstituut Werknemersverzekeringen') did not use multi-factor authentication when accessing the online employer portal, security was inadequate. Employers and health and safety services were able to collect and display health data from employees in an absence system.;https://autoriteitpersoonsgegevens.nl/nl/nieuws/ap-dwingt-uwv-met-sanctie-gegevens-beter-te-beveiligen
109;Slovak Data Protection Office;Slovakia;NA;50000;Social Insurance Agency;No;NA;NA;Finance & Insurance;NA;NA;NA;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;Applications for social benefits from Slovak citizens were sent by post to foreign authorities. These were lost by post, with the result that the whereabouts of these personal data could not be clarified.;https://www.etrend.sk/ekonomika/socialna-poistovna-porusila-gdpr-pokutu-50-tisic-eur-nechce-zaplatit.html
110;Spanish Data Protection Authority (aepd);Spain;13.11.19;3000;General Confederation of Labour ('CGT');Yes;NA;NA;Politics & Government;NA;NA;Other;Yes;Art. 6 GDPR;Insufficient legal basis for data processing;The CGT, with the aim of convening a meeting, e-mailed personal data of the complainant, including her home address, family relationship, pregnancy status and the date of an ongoing verbal abuse and harassment case, to 400 union members without her consent.;https://www.aepd.es/resoluciones/PS-00174-2019_ORI.pdf
111;Czech Data Protection Auhtority (UOOU);Czech Republic;NA;588;Alza.cz a.s.;Yes;Alza.Cz A.S.;Czech Republic;E-Commerce;1100000000;1048;Private;Yes;Art. 6 GDPR, Art. 7 GDPR;Insufficient legal basis for data processing;The company obtained a copy of photographic ID of the personal data subject with his consent, however did not react to his consent withdrawal and continued in processing of his personal data.;https://www.uoou.cz/kontrola-zpracovani-osobnich-udaju-po-odvolani-souhlasu-spolecnost-alza-cz-a-s/ds-5717/archiv=0&p1=5653
113;Spanish Data Protection Authority (aepd);Spain;19.11.19;60000;Corporacion radiotelevision espanola;Yes;Corporacion De Radio Y Television Española Sa Sme.;Spain;TV, Film & Radio;52000000;6542;Private;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;CORPORACION RADIOTELEVISION ESPANOLA and the trade union have reported a security breach to the AEPD after six unencrypted USB sticks containing personal data were lost. The violation affected about 11,000 people, including identification data, employment data, data about criminal convictions and health data.;https://www.aepd.es/resoluciones/PS-00305-2019_ORI.pdf
114;Spanish Data Protection Authority (aepd);Spain;21.11.19;60000;Viaqua Xestion Integral Augas de Galicia;Yes;Viaqua Gestion Integral De Aguas De Galicia Sa;Spain;Industrial;57800000;535;Private;Yes;Art. 6 GDPR;Insufficient legal basis for data processing;Processing (modification) of the personal data of a customer included in a contract by a third party without the consent of the customer.;https://www.aepd.es/resoluciones/PS-00233-2019_ORI.pdf
115;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;25.11.19;11000;Courier Services Company;No;NA;NA;NA;NA;NA;NA;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The fine was imposed because the controller failed to take appropriate technical and organisational measures leading to the loss and unauthorised access to personal data (name, bank card number, CVV code, cardholder's address, personal identification number, serial and identity card number, bank account number, authorised credit limit) of approximately 1,100 data subjects.;https://www.dataprotection.ro/index.jsp?page=O_noua_amenda_in_baza_RGPD&lang=ro
116;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;22.11.19;2000;BNP Paribas Personal Finance S.A.;Yes;BNP Paribas SA;France;Banks;87100000000;194976;Public;No;Art. 12 GDPR, Art. 17 GDPR;Insufficient fulfilment of data subjects rights;BNP Paribas Personal Finance did not react to a request for erasure within the period set by the GDPR.;https://www.dataprotection.ro/index.jsp?page=Amenda_pentru_incalcarea_RGPD&lang=ro
117;Spanish Data Protection Authority (aepd);Spain;14.11.19;30000;Telefonica SA;Yes;Telefónica SA;Spain;Telecommunications;41600000000;112797;Public;Yes;Art. 5 GDPR;Non-compliance with general data processing principles;Telefonica had charged the complainant various fees in connection with the operation of a telephone line which the complainant had never owned. The reason for this was that the complainant's bank account was linked to another Telefonica customer, which led to the charges being debited from the complainant's account. According to the AEPD, this is contrary to the principle of accuracy as required by Article 5(1)(d) GDPR.;https://www.aepd.es/resoluciones/PS-00251-2019_ORI.pdf
118;French Data Protection Authority (CNIL);France;21.11.19;500000;Futura Internationale;Yes;NA;NA;NA;NA;NA;NA;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 21 GDPR, Art. 31 GDPR, Art. 44 GDPR;Insufficient fulfilment of data subjects rights;Futura Internationale was fined for cold calls after several complainants obtained cold calls, despite having declared directly to the caller and by post that this was not wanted. In particular, the decision pointed out that the CNIL's on-site investigation of Futura Internationale revealed, inter alia, that Futura Internationale had received several letters objecting to cold calling, that it had stored excessive information about customers and their health and that Futura Internationale had not informed individuals about the processing of their personal data or the recording of telephone conversations.;https://www.legifrance.gouv.fr/affichCnil.do?oldAction=rechExpCnil&id=CNILTEXT000039419459&fastReqId=461698027&fastPos=1
119;Spanish Data Protection Authority (aepd);Spain;19.11.19;60000;Xfera Moviles S.A.;Yes;Xfera Moviles Sau;Spain;Telecommunications;1500000000;473;Private;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;An individual complainant had received an SMS from Xfera Moviles which was to be addressed to a third party and which allowed him to access the account and personal data of this third party on the Xfera Moviles website via the telephone number and password received by SMS.;https://www.aepd.es/resoluciones/PS-00237-2019_ORI.pdf
121;Spanish Data Protection Authority (aepd);Spain;NA;10000;Ikea Iberica;Yes;INGKA Holding B.V.;Netherlands;Retail & Trade;39600000000;217000;Private;No;Art. 6 GDPR;Insufficient legal basis for data processing;The company installed cookies on an end users terminal device without prior consent of the data subject.;https://www.aepd.es/resoluciones/PS-00127-2019_ORI.pdf
122;Data Protection Authority of Rheinland-Pfalz;Germany;03.12.19;105000;Hospital;No;NA;NA;Hospitals;NA;NA;NA;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The fine is based on several breaches of the GDPR in connection with a patient mix-up at the admission of the patient. This resulted in incorrect invoicing and revealed structural technical and organisational deficits in the hospital's patient management.;https://www.datenschutz.rlp.de/de/aktuelles/detail/news/detail/News/geldbusse-gegen-krankenhaus-aufgrund-von-datenschutz-defiziten-beim-patientenmanagement/
123;Belgian Data Protection Authority (APD);Belgium;28.11.19;5000;Mayor;No;NA;NA;NA;NA;NA;NA;Yes;Art. 6 GDPR;Insufficient legal basis for data processing;Fine for sending election mailings without a sufficient legal basis. The e-mail addresses used have not been collected for this purpose.;https://www.autoriteprotectiondonnees.be/news/la-chambre-contentieuse-sanctionne-deux-candidats-aux-elections-communales-de-2018
124;Belgian Data Protection Authority (APD);Belgium;28.11.19;5000;Municipal alderman;Yes;NA;NA;Politics & Government;NA;NA;Other;Yes;Art. 6 GDPR;Insufficient legal basis for data processing;Fine for sending election mailings without a sufficient legal basis. The e-mail addresses used have not been collected for this purpose.;https://www.autoriteprotectiondonnees.be/news/la-chambre-contentieuse-sanctionne-deux-candidats-aux-elections-communales-de-2018
125;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;04.12.19;20000;S CNTAR TAROM SA (Airline);Yes;Compania Nationala De Transporturi Aeriene Romane Tarom Sa;Romania;Aviation;274400000;1361;Private;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The Romanian data protection authority imposed a sanction on an airline because it has not taken appropriate measures to ensure that any natural person acting under its supervision processes personal data in accordance with its instructions (Article 32(4) of the GDPR). This resulted in an employee having unauthorized access to the booking application and being able to photograph a list with the personal data of 22 passengers/customers to disclose this list on the Internet.;https://www.dataprotection.ro/?page=Sanctiune_CN_TAROM&lang=ro
126;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;28.11.19;80000;ING Bank N.V.;Yes;ING Groep NV;Netherlands;Banks;27300000000;91411;Public;No;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;ING Bank has not taken appropriate technical and organisational measures for an automated data processing system during the settlement process of card transactions affecting 225,525 customers, resulting in double transactions being executed between 8 and 10 October.;https://www.dataprotection.ro/?page=Amenda_ING_RGPD&lang=ro
127;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;29.11.19;2500;Royal President S.R.L.;Yes;Royal President S.R.L.;Romania;Restaurants, Cafes & Bars;181995;12;Private;Yes;Art. 15 GDPR, Art. 6 GDPR, Art. 32 GDPR;Insufficient fulfilment of data subjects rights;Royal President refused a request for access to personal data pursuant to Article 15 of the GDPR and disclosed personal data without the consent of the data subjects. In addition, Royal President has not taken appropriate technical or organisational measures to ensure the security of the data processed.;https://www.dataprotection.ro/index.jsp?page=alta_sanctiune_Royal_President&lang=ro
128;The Federal Commissioner for Data Protection and Freedom of Information (BfDI);Germany;11.11.20;900000;Telecoms provider (1&1 Telecom GmbH);Yes;1&1 AG;Germany;Telecommunications;3700000000;3191;Public;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;Original Fine Summary: The Controller is a company offering telecommunication services. A caller could obtain extensive information on personal customer data from the company's customer service department simply by entering a customer's name and date of birth. In this authentication procedure, the BfDI aws a violation of Article 32 GDPR, according to which a company is obliged to take appropriate technical and organisational measures to systematically protect the processing of personal data. Due to the company's cooperation with the data protection authority, the fine imposed was at the lower end of the scale. -- Update: On November 11th, 2020, after an appeal against the fine, the Bonn District Court decided that although the fine is justified in principle, it is unreasonably high. The chamber has therefore reduced the fine from originally EUR 9,55 million to EUR 900,000. One of the reasons for the reduction was that the company's procedure for authenticating customers used for its telephone hotline (requesting only the name and date of birth of the caller) had remained unobjected for a long time and therefore the company lacked a concrete awareness of the problem which leads to the fact that the concrete culpability in this case had to be classified as rather low. Furthermore, according to the court, the violation was also rather minor, as it could not lead to a massive data leakage.;https://www.bfdi.bund.de/DE/Infothek/Pressemitteilungen/2019/30_BfDIverh%C3%A4ngtGeldbu%C3%9Fe1u1.html
129;The Federal Commissioner for Data Protection and Freedom of Information (BfDI);Germany;09.12.19;10000;Rapidata GmbH;Yes;Rapidata GmbH;Germany;Telecommunications;643600; NA;Private;Yes;Art. 37 GDPR;Insufficient involvement of data protection officer;Despite repeated requests of the BfDI the company (an internet provider) did not comply with its legal obligation under Article 37 GDPR to appoint a data protection officer.;https://www.bfdi.bund.de/DE/Infothek/Pressemitteilungen/2019/30_BfDIverh%C3%A4ngtGeldbu%C3%9Fe1u1.html
130;Spanish Data Protection Authority (aepd);Spain;NA;21000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 6 (1) GDPR;Insufficient legal basis for data processing;Vodafone had processed personal data of the claimant (bank details, name, surname and national identification number) years after the contractual relationsid had ended. The fine of EUR 35.000 was reduced to EUR 21.000.;https://www.aepd.es/resoluciones/PS-00087-2019_ORI.pdf
131;Spanish Data Protection Authority (aepd);Spain;NA;36000;VODAFONE ONO, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 5 (1) f) GDPR;Non-compliance with general data processing principles;The company sent a marketing email to a large number of recipients (clients) without using the blind copy feature. The initial fine of EUR 60.000 was reduced to EUR 36.000.;https://www.aepd.es/resoluciones/PS-00092-2019_ORI.pdf
132;Spanish Data Protection Authority (aepd);Spain;NA;48000;VODAFONE ONO, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;Customers could access personal data of other customers in the customer area. The initial fine of EUR 60.000 was reduced to EUR 48.000.;https://www.aepd.es/resoluciones/PS-00212-2019_ORI.pdf
133;Spanish Data Protection Authority (aepd);Spain;NA;48000;TELEFONICA MOVILES ESPANA, S.A.U.;Yes;Telefónica SA;Spain;Telecommunications;41600000000;112797;Public;Yes;Art. 5 (1) a) GDPR;Non-compliance with general data processing principles;The claimant's bank account was charged by the company with two invoices for the services he had contracted, however, displaying personal data of another customer. The initial fine of EUR 60.000 was reduced to EUR 48.000.;https://www.aepd.es/resoluciones/PS-00173-2019_ORI.pdf
134;Spanish Data Protection Authority (aepd);Spain;NA;30000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 5 (1) f) GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;Disclosure of customer personal data (i.a. purchase history) via an SMS to another customer. The initial fine of EUR 50.000 was reduced to EUR 30.000.;https://www.aepd.es/resoluciones/PS-00205-2019_ORI.pdf
135;Spanish Data Protection Authority (aepd);Spain;NA;40000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 6 GDPR;Insufficient legal basis for data processing;The company had charged a Netflix service that had not been solicited by the claimant. The claimant could prove that the service had been used by another household which allegedly had received the claimant's bank account and phone number from Vodafone. Since Vodafone could not prove that the claimant had consented to the conclusion of the contract concerning the Netflix services, the AEPD imposed a fine of EUR 40.000.;https://www.aepd.es/resoluciones/PS-00064-2019_ORI.pdf
136;Spanish Data Protection Authority (aepd);Spain;NA;20000;Employer;No;NA;NA;NA;NA;NA;NA;Yes;Art. 5 (1) c) GDPR;Non-compliance with general data processing principles;Video surveillance cameras have not only been used to protect property, but have also monitored employees (violation of principle of data minimisation).;https://www.aepd.es/resoluciones/PS-00150-2019_ORI.pdf
137;Spanish Data Protection Authority (aepd);Spain;NA;9000;Employer;No;NA;NA;NA;NA;NA;NA;Yes;Art. 5 (1) c) GDPR;Non-compliance with general data processing principles;Video surveillance cameras have not only been used to protect property, but have also monitored employees (violation of principle of data minimisation).;https://www.aepd.es/resoluciones/PS-00050-2019_ORI.pdf
138;Spanish Data Protection Authority (aepd);Spain;NA;3600;AMADOR RECREATIVOS, S.L;Yes;Tiki Taka Games, Sociedad Limitada.;Spain;Sports, Fitness & Recreation;15400000;45;Private;Yes;Art. 5 (1) c) GDPR;Non-compliance with general data processing principles;Surveillance of the public space by video surveillance cameras against violation of the principles of data minimisation.;https://www.aepd.es/resoluciones/PS-00135-2019_ORI.pdf
139;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;01.10.19;15100;Town of Kerepes;No;NA;Hungaria;Politics & Government;NA;NA;Other;No;Art. 6 (1) GDPR;Insufficient legal basis for data processing;The city based its video surveillance practice on its legitimate interests (Art. 6 (1) f GDPR). However, accordingt to Art. 6 (1) subparagraph 2 this legal basis shall not apply to processing carried out by public authorities in the performance of their tasks. The processing could not be based on another legal basis.;https://www.naih.hu/files/NAIH-2019-2076-hatarozat.pdf
140;Data Protection Commision of Bulgaria (KZLD);Bulgaria;03.09.19;28100;National Revenue Agency;Yes;National Revenue Agency;Bulgaria;Politics & Government;203200000;1759;Other;Yes;Art. 6 (1) GDPR, Art. 58 (2) e) GDPR;Insufficient legal basis for data processing;The pecuniary sanction of EUR 28, 121 was imposed on the National Revenue Agency for unlawful processing of the personal data of data subject G.B.I. The personal data of G.B.I. was unlawfully collected and subsequently used to form an enforcement case against her for recovery of the sum of EUR ca. 86, 569. In relation to the enforcement case formed, additional data concerning the bank accounts of G.B.I was collected by the National Revenue Agency from the register of the Bulgarian National Bank. The additional collected data was also unlawfully processed by the National Revenue Agency in sending distraint orders to the banks with which G.B.I. had bank accounts.;https://www.cpdp.bg/?p=element_view&aid=2226
141;Spanish Data Protection Authority (aepd);Spain;28.11.19;75000;Curenergia Comercializador de ultimo recurso;Yes;Curenergia Comercializador De Ultimo Recurso Sociedad Anonima.;Spain;Energy;1340000000;NA;Private;Yes;Art. 6 GDPR;Insufficient legal basis for data processing;An individual filed a complaint against the company alleging that the company had used its personal data as a former customer, such as first and last name, VAT identification number and address, to enter into an electricity supply contract.;https://www.aepd.es/resoluciones/PS-00140-2019_ORI.pdf
142;Spanish Data Protection Authority (aepd);Spain;03.12.19;1500;Cerrajeria Verin S.L.;Yes;NA;Spain;Services;NA;NA;Private;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;The company collected personal data without providing accurate information on their data processing activities in their privacy policy published on their website.;https://www.aepd.es/resoluciones/PS-00265-2019_ORI.pdf
144;Data Protection Authority of Sweden (Integritetsskyddsmyndigheten);Sweden;16.12.19;35000;Nusvar AB;Yes;Nusvar AB;Sweden;Services;880000;NA;Private;Yes;Art. 6 GDPR;Insufficient legal basis for data processing;Nusvar AB, operator of the website Mrkoll.se, which provides information on all Swedes over 16 years of age, had published information on people who are overdue.;https://www.datainspektionen.se/globalassets/dokument/beslut/beslut-tillsyn-mrkoll.pdf
145;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;16.12.19;2000;Globus Score SRL;Yes;Globus Score SRL;Romania;Services;NA;NA;Private;Yes;Art. 58 GDPR;Insufficient cooperation with supervisory authority;The company did not comply with measures ordered by the National Supervisory Authority.;https://www.dataprotection.ro/?page=Alta_amenda_pentru_incalcarea_GDPR&lang=en
146;Spanish Data Protection Authority (aepd);Spain;03.12.19;5000;Linea Directa Aseguradora;Yes;Línea Directa Aseguradora SA;Spain;Finance & Insurance;887000000;2400;Public;Yes;Art. 6 GDPR;Insufficient legal basis for data processing;The insurance company has sent advertising e-mails for the 'Reto Nuez' platform without the required consent.;https://www.aepd.es/resoluciones/PS-00250-2019_ORI.pdf
147;Spanish Data Protection Authority (aepd);Spain;10.12.19;1600;Megastar SL;Yes;Megastar SL;Spain;Services;1820000;8;Private;Yes;Art. 5 (1) c) GDPR, Art. 13 GDPR;Non-compliance with general data processing principles;The company operated a video surveillance system in which the observation angle of the cameras extended unnecessarily far into the public traffic area. Furthermore, no sign with data protection notices was affixed.;
148;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;26.11.19;3000;Modern Barber;No;NA;NA;NA;NA;NA;NA;Yes;Art. 58 GDPR;Insufficient cooperation with supervisory authority;The company did not comply with measures ordered by the National Supervisory Authority.;https://www.dataprotection.ro/index.jsp?page=Noi_amenzi_in_aplicarea_RGPD&lang=ro
149;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;02.12.19;2000;Nicola Medical Team 17 SRL;Yes;NA;Romania;Healthcare;NA;NA;Private;Yes;Art. 58 GDPR;Insufficient cooperation with supervisory authority;The company did not comply with measures ordered by the National Supervisory Authority.;https://www.dataprotection.ro/index.jsp?page=Noi_amenzi_in_aplicarea_RGPD&lang=ro
150;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;24.10.19;7400;Military Hospital;No;NA;NA;NA;NA;NA;NA;Yes;Art. 32 GDPR, Art. 33 GDPR;Insufficient fulfilment of data breach notification obligations;A military hospital did not meet the reporting deadline for data breaches. Another part of the fine relates to a lack of technical and organisational measures.;https://www.naih.hu/files/NAIH-2019-2485-hatarozat.pdf
151;Spanish Data Protection Authority (aepd);Spain;19.11.19;6000;Sports Bar;No;NA;NA;NA;NA;NA;NA;Yes;Art. 5 (1) c) GDPR;Non-compliance with general data processing principles;The sports bar operated a video surveillance system in which the observation angle of the cameras extended into the public traffic area.;https://www.aepd.es/resoluciones/PS-00236-2019_ORI.pdf
152;Spanish Data Protection Authority (aepd);Spain;06.11.19;60000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 6 GDPR;Insufficient legal basis for data processing;Vodafone has sent the customer's invoice data to unauthorised third parties following a customer invoice complaint. Originally, a fine of EUR 75,000 was threatened, but was reduced to EUR 60,000 against immediate payment and waiver of appeal.;https://www.aepd.es/resoluciones/PS-00140-2019_ORI.pdf
153;Spanish Data Protection Authority (aepd);Spain;23.10.19;60000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 5 (1) f) GDPR;Non-compliance with general data processing principles;Vodafone sent an invoice history to the subscriber as part of the invoice complaint by the subscriber. The history also contained invoice data of an NA third party.;https://www.aepd.es/resoluciones/PS-00249-2019_ORI.pdf
154;Dutch Supervisory Authority for Data Protection (AP);Netherlands;31.10.19;50000;Menzis (Health Insurance Company);Yes;Coöperatie Menzis U.A.;Netherlands;Finance & Insurance;675500000;1861;Private;Yes;Art. 5 GDPR;Non-compliance with general data processing principles;Marketing staff had access to patient data. Among other things, this violated the purpose limitation principle.;https://autoriteitpersoonsgegevens.nl/nl/nieuws/sancties-voor-menzis-en-vgz-voor-overtreding-van-de-privacywet
155;Hellenic Data Protection Authority (HDPA);Greece;18.10.19;20000;Wind Hellas Telecommunications;Yes;Wind Hellas Telecommunications Single Member S.A.;Greece;Telecommunications;515400000;900;Private;Yes;Art. 21 GDPR;Insufficient fulfilment of data subjects rights;Among other things, the company has ignored objections raised by affected parties against advertising calls.;http://www.dpa.gr/APDPXPortlets/htdocs/documentDisplay.jsp?docid=146,94,80,247,188,211,182,68
156;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;18.12.19;2000;Telekom Romania Mobile Communications SA;Yes;Deutsche Telekom AG;Germany;Telecommunications;97600000000;226291;Public;No;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The company has failed to ensure the accuracy of the processing of personal data which resulted in a disclosure of a clients personal data to another client.;https://www.dataprotection.ro/?page=O_noua_amenda_pentru_incalcarea_RGPD_comunicat_decembrie&lang=ro
157;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;11.12.19;1430;NA Company;No;NA;NA;NA;NA;NA;NA;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 24 GDPR, Art. 25 GDPR;Non-compliance with general data processing principles;"The employer restored the mailbox of a director who had left the company a year before and found an email containing a work-related document. The director received no warning that his former inbox would be activated and did not have a chance to copy / delete his private data (passwords and financial information). According to NAIH, an employee or a representative should be present when the employee's data is being accessed, even if the employment has been terminated. Employees should be able to request a copy or the deletion of their private data. Employers must record the access with minutes and photos; when the employee cannot be present, then in the presence of independent witnesses. Employers must adopt internal policies on archiving and the use of IT assets and e-mail accounts, including procedural rules such as the steps of an inspection and the officials authorised to carry it out.";https://naih.hu/files/NAIH-2019-51-hatarozat.pdf
158;Information Commissioner (ICO);United Kingdom;17.12.19;320000;Doorstep Dispensaree Ltd. (Pharmacy);Yes;Doorstep Dispensaree Ltd.;United Kingdom;Healthcare;NA;9;Private;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The company had stored some 500,000 documents containing names, addresses, dates of birth, NHS numbers and medical information and prescriptions in unsealed containers at the back of the building and failed to protect these documents from the elements, resulting in water damage to the documents.;https://ico.org.uk/media/action-weve-taken/enforcement-notices/2616741/doorstop-en-20191217.pdf
159;Belgian Data Protection Authority (APD);Belgium;17.12.19;2000;Nursing Care Organisation;No;NA;NA;NA;NA;NA;NA;Yes;Art. 12 GDPR, Art. 15 GDPR, Art. 17 GDPR;Insufficient fulfilment of data subjects rights;The company failed to act on requests from the data subject to get access to his data and to have his data erased.;https://www.autoriteprotectiondonnees.be/sites/privacycommission/files/documents/DEQF_13-2019_FR_ANO.pdf
160;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;29.11.19;500;Homeowners Association;No;NA;NA;NA;NA;NA;NA;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The association used video surveillance systems without proper information according to Art. 13 GDPR and without adequate security measures regarding the persons having access to the system.;https://www.dataprotection.ro/?page=Amenda_asociatie_proprietari&lang=ro
161;Spanish Data Protection Authority (aepd);Spain;10.12.19;5000;Shop Macoyn, S.L.;Yes;NA;Spain;NA;NA;NA;NA;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The company has sent advertising e-mails to several recipients where the e-mail addresses of all other recipients were visible to all recipients, because the recipient addresses were inserted as CC and not as BCC.;https://www.aepd.es/es/documento/ps-00320-2019.pdf
162;Commission for Personal Data Protection (KZLD);Bulgaria;03.09.19;1022;Telecommunication service provide;No;NA;NA;NA;NA;NA;NA;Yes;Art. 6 (1) GDPR, Art. 25 (1) GDPR;Insufficient legal basis for data processing;The pecuniary sanctions of EUR 1, 022 and EUR 5, 113 were imposed on a telecommunications service provider and its commercial representative in Bulgaria for unlawful processing of the personal data of a data subject. The personal data of the data subject was unlawfully processed for the conclusion of service contracts without his knowledge or consent.;https://www.cpdp.bg/index.php?p=element&aid=1219
163;Commission for Personal Data Protection (KZLD);Bulgaria;03.09.19;5113;Telecommunication service provide;No;NA;NA;NA;NA;NA;NA;Yes;Art. 6 (1) GDPR, Art. 25 (1) GDPR;Insufficient legal basis for data processing;The pecuniary sanctions of EUR 1, 022 and EUR 5, 113 were imposed on a telecommunications service provider and its commercial representative in Bulgaria for unlawful processing of the personal data of a data subject. The personal data of the data subject was unlawfully processed for the conclusion of service contracts without his knowledge or consent.;https://www.cpdp.bg/index.php?p=element&aid=1219
164;Commission for Personal Data Protection (KZLD);Bulgaria;03.09.19;11760;Commercial representative of telecommunication service provider;No;NA;NA;NA;NA;NA;NA;Yes;Art. 6 (1) GDPR;Insufficient legal basis for data processing;The pecuniary sanction of EUR 11, 760 was imposed on the commercial representative of telecommunications service provider for unlawful processing of the personal data of a data subject. The personal data of the data subject was unlawfully processed for the conclusion of a contract for mobile services and leasing contracts.;https://www.cpdp.bg/index.php?p=element&aid=1219
165;Commission for Personal Data Protection (KZLD);Bulgaria;03.09.19;1121;Private enforcement agent;No;NA;NA;NA;NA;NA;NA;Yes;Art. 12 (4) GDPR, Art. 15 GDPR;Insufficient fulfilment of data subjects rights;The fine of EUR 1, 121 was imposed on a private enforcement agent for processing of the personal data of data subject through recording by technical means for video surveillance and for refusal to grant access to the collected data. The data subject submitted an application for access to his personal data to the private enforcement agent, who failed to inform him of the reasons for the rejection of his request.;https://www.cpdp.bg/index.php?p=element&aid=1219
166;Commission for Personal Data Protection (KZLD);Bulgaria;28.10.19;511;Employer;No;NA;NA;NA;NA;NA;NA;Yes;Art. 12 (3) GDPR, Art. 15 (1) GDPR;Insufficient fulfilment of data subjects rights;The pecuniary sanction of EUR 511 was imposed on an employer for refusal to grant access to the personal data of a data subject who submitted an application for access to his personal data to his former employer.;https://www.cpdp.bg/index.php?p=element&aid=1219
167;Commission for Personal Data Protection (KZLD);Bulgaria;07.10.19;511;B.D.;Yes;Becton, Dickinson & Co.;United States;Industrial;17700000000;75000;Public;No;Art. 31 GDPR;Insufficient cooperation with supervisory authority;The fine of EUR 511 was imposed on B.D. for failure to provide access to information which the Commission for Personal Data Protection needed for performance of its tasks and execution of a disposition.;https://www.cpdp.bg/index.php?p=element&aid=1219
168;Commission for Personal Data Protection (KZLD);Bulgaria;08.10.19;5112;The Ministry of Interior Affairs;Yes;NA;NA;NA;NA;NA;NA;Yes;Art. 5 (1) GDPR, Art. 6 (1) GDPR;Insufficient legal basis for data processing;The fine of EUR 5,112 was imposed on the Ministry of Interior Affairs for unlawfully processing the personal data of data subject A.K.  The Ministry of Interior sent the personal data of A.K. to the Togolese Republic (Togo).;https://www.cpdp.bg/index.php?p=element&aid=1219
169;Belgian Data Protection Authority (APD);Belgium;17.12.19;15000;Website providing legal information;No;NA;NA;NA;NA;NA;NA;Yes;Art. 6 GDPR, Art. 12 GDPR, Art. 13 GDPR;Insufficient fulfilment of information obligations;An operator of a website for legal news had the privacy statement only available in English, although it was also addressed to a Dutch and French speaking audience. In addition, the first version of the privacy statement was not easily accessible and did not mention the legal basis for data processing under the GDPR. Furthermore, with reference to the ECJ ruling on Planet 49, it was determined that effective consent was required for the use of Google Analytics.;https://www.gegevensbeschermingsautoriteit.be/sites/privacycommission/files/documents/BETG_12-2019_NL.PDF
171;Spanish Data Protection Authority (aepd);Spain;07.01.20;44000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 5 (1) f) GDPR;Non-compliance with general data processing principles;The company had sent a contract with personal data, including the applicant's name, address and telephone number, to the wrong recipient.;https://www.aepd.es/es/documento/ps-00093-2019.pdf
172;Spanish Data Protection Authority (aepd);Spain;09.01.20;3000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 58 GDPR;Insufficient cooperation with supervisory authority;Failure to provide information to the AEPD within the required timeframe in violation of Article 58;https://www.aepd.es/es/documento/ps-00445-2019.pdf
173;Spanish Data Protection Authority (aepd);Spain;07.01.20;75000;EDP Espana S.A.U.;Yes;EDP-Energias de Portugal SA;Portugal;Energy;12200000000;11610;Public;No;Art. 6 GDPR;Insufficient legal basis for data processing;The company processed personal data such as first and last name, tax number, address and mobile phone number without the consent of the data subject;https://www.aepd.es/es/documento/ps-00109-2019.pdf
174;Spanish Data Protection Authority (aepd);Spain;07.01.20;75000;EDP Comercializadora, S.A.U.;Yes;EDP-Energias de Portugal SA;Portugal;Energy;12200000000;11610;Public;No;Art. 6 GDPR;Insufficient legal basis for data processing;The company processed personal data in connection with a gas contract without the consent of the applicant. The decision finds that the applicant received an invoice for a gas contract which he did not sign and that EDP Comercializadora claims that the applicant is party to a contract with another energy company which has a supply contract with EDP Comercializadora and that the processing of data is therefore justified. The AEPD stated that EDP Comercializadora had to prove that the plaintiff had agreed to a contract with a second entity and not only with its direct energy supplier.;https://www.aepd.es/es/documento/ps-00025-2019.pdf
175;Spanish Data Protection Authority (aepd);Spain;07.01.20;10000;Asociacion de Medicos Democratas;Yes;NA;Spain;Politics & Government;NA;NA;Other;Yes;Art. 6 GDPR;Insufficient legal basis for data processing;The Asociacion de Medicos Democratas has processed personal data of its members, despite having been warned by the AEPD that it carried out the processing without the consent of the data subjects.;https://www.aepd.es/es/documento/ps-00231-2019.pdf
176;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;10.12.19;14000;Hora Credit IFN SA;Yes;Hora Credit Ifn S.A.;Romania;Services;3200000;34;Private;Yes;Art. 5 GDPR, Art. 25 GDPR, Art. 32 GDPR, Art. 33 GDPR;Insufficient technical and organisational measures to ensure information security;The sanctions were applied as a result of a complaint alleging that Hora Credit IFN SA transmitted documents containing personal data of another person to a wrong e-mail address. Following the investigation it was found that Hora Credit IFN SA processed the data without providing effective mechanisms for verifying and validating the accuracy of the data collected processed according to the principles set out in art. 5 of the GDPR. It was also found that the operator did not take sufficient security measures for personal data, according to art. 25 and 32 of the GDPR, so as to avoid unauthorized and accessible disclosure of personal data to third parties. At the same time, Hora Credit IFN SA did not notify the Supervisory Authority of the security incident that was brought to its notice, according to art. 33 of the GDPR, within 72 hours from the date it became aware of it. The fine consists of three partial fines of EUR 3000, EUR 10000 and EUR 1000.;https://www.dataprotection.ro/?page=Alta_amenda_pentru_incalcarea_RGPD_2020_1&lang=ro
177;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;16.12.19;6000;SC Enel Energie S.A. (Electricity Distributor);Yes;Enel SpA;Italy;Energy;60500000000;66717;Public;No;Art. 5 GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 21 GDPR;Insufficient legal basis for data processing;The sanctions were imposed following a complaint alleging that Enel Energie had unlawfully processed an individual's personal data and was unable to prove that it had obtained the individual's consent to send e-mail notifications. In addition, the ANSPDCP pointed out that the operator had not taken the necessary measures to stop the transmission of notifications, despite the fact that the person had repeatedly exercised his right to object. The operator of SC Enel Energie SRL was sanctioned contraventionally with two fines, each amounting to 14,334.30 lei, the equivalent of the amount of 3000 EUR.;https://www.dataprotection.ro/?page=sanctiune_pentru_incalcarea_RGPD_2020_2&lang=ro
178;Cypriot Data Protection Commissioner;Cyprus;13.01.20;9000;Social Insurance Services of the Ministry of Labor, Welfare and Social Insurance;Yes;NA;NA;Politics & Government;NA;NA;Other;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;Granting the police access to personal data and failing to take adequate measures to secure the data, despite the warnings of the Supervisor, constituted a breach of Article 32 of the GPPR.;http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/All/ACDFDC478581BEE1C22584EE002EE9C2?OpenDocument
179;Cypriot Data Protection Commissioner;Cyprus;25.10.19;70000;LGS Handling Ltd, Louis Travel Ltd, and Louis Aviation Ltd;Yes;LGS Handling Ltd;Cyprus;Services;5240000;33;Private;Yes;Art. 6 GDPR, Art. 9 GDPR;Insufficient legal basis for data processing;The decision found that the use of the Bradford factor for profiling and monitoring sick leave constituted unlawful processing of personal data in breach of Article 6 and Article 9 of the GDPR. Three fines of EUR 70,000, EUR 10,000 and EUR 2,000 were imposed for this infringement. The decision was announced on 2020/10/13.;http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/all/ACDFDC478581BEE1C22584EE002EE9C2/$file/2019-apofasi%20bradford%20system%20%CE%91%CE%9D%CE%A9%CE%9D%CE%A5%CE%9C%CE%9F%CE%A0.pdf?openelement
180;Cypriot Data Protection Commissioner;Cyprus;25.10.19;10000;LGS Handling Ltd, Louis Travel Ltd, and Louis Aviation Ltd;Yes;LGS Handling Ltd;Cyprus;Services;5240000;33;Private;Yes;Art. 6 GDPR, Art. 9 GDPR;Insufficient legal basis for data processing;The decision found that the use of the Bradford factor for profiling and monitoring sick leave constituted unlawful processing of personal data in breach of Article 6 and Article 9 of the GDPR. Three fines of EUR 70,000, EUR 10,000 and EUR 2,000 were imposed for this infringement. The decision was announced on 2020/10/13.;http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/all/ACDFDC478581BEE1C22584EE002EE9C2/$file/2019-apofasi%20bradford%20system%20%CE%91%CE%9D%CE%A9%CE%9D%CE%A5%CE%9C%CE%9F%CE%A0.pdf?openelement
181;Cypriot Data Protection Commissioner;Cyprus;25.10.19;2000;LGS Handling Ltd, Louis Travel Ltd, and Louis Aviation Ltd;Yes;LGS Handling Ltd;Cyprus;Services;5240000;33;Private;Yes;Art. 6 GDPR, Art. 9 GDPR;Insufficient legal basis for data processing;The decision found that the use of the Bradford factor for profiling and monitoring sick leave constituted unlawful processing of personal data in breach of Article 6 and Article 9 of the GDPR. Three fines of EUR 70,000, EUR 10,000 and EUR 2,000 were imposed for this infringement. The decision was announced on 2020/10/13.;http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/all/ACDFDC478581BEE1C22584EE002EE9C2/$file/2019-apofasi%20bradford%20system%20%CE%91%CE%9D%CE%A9%CE%9D%CE%A5%CE%9C%CE%9F%CE%A0.pdf?openelement
182;Cypriot Data Protection Commissioner;Cyprus;13.01.20;1000;eShop for Sports (M.L. PRO.FIT SOLUTIONS LTD);Yes;M.L. PRO.FIT SOLUTIONS LTD;Cyprus;Wholesale;4360000;26;Private;Yes;Art. 6 GDPR;Insufficient legal basis for data processing;Sending SMS marketing messages without consent. In particular, no appropriate measures were taken, such as the possibility for telephone users to block marketing messages from the eShop for Sports by opting out of receiving SMS marketing messages.;http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/All/ACDFDC478581BEE1C22584EE002EE9C2?OpenDocument
183;Hellenic Data Protection Authority (HDPA);Greece;13.01.20;15000;Allseas Marine S.A.;Yes;Allseas Marine S.A. (Voula);Greece;Transportation & Logistics;6700000;45;Private;Yes;Art. 5 (1) a), (2) GDPR;Non-compliance with general data processing principles;The data protection supervisory authority has fined the extent to which employee data are processed by a video surveillance system in the workplace, the fact that the introduction of the video surveillance system was unlawful and the fact that the company did not sufficiently inform its employees about it.;http://www.dpa.gr/APDPXPortlets/htdocs/documentDisplay.jsp?docid=126,92,211,86,111,236,222,151
184;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;13.12.19;5000;Entirely Shipping & Trading S.R.L.;Yes;Entirely Shipping & Trading S.R.L.;Romania;Transportation & Logistics;734995;38;Private;Yes;Art. 5 (1) GDPR, Art. 6 GDPR, Art. 7 GDPR;Non-compliance with general data processing principles;The company has excessively processed the personal data of his employees through the video cameras installed in the offices and in the places where there are cabinets where the employees store their spare clothes (changing rooms) (violation of principle of 'data minimization');https://www.dataprotection.ro/index.jsp?page=O_noua_sanctiune_pentru_incalcarea_RGPD_2020_3&lang=ro
185;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;13.12.19;5000;Entirely Shipping & Trading S.R.L.;Yes;Entirely Shipping & Trading S.R.L.;Romania;Transportation & Logistics;734995;38;Private;Yes;Art. 5 (1) GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 9 GDPR;Non-compliance with general data processing principles;The company processed biometric data (fingerprints) of the employees for access to certain rooms tough less intrusive means for the privacy of the data subjects could be used (violation of principle of 'data minimization');https://www.dataprotection.ro/index.jsp?page=O_noua_sanctiune_pentru_incalcarea_RGPD_2020_3&lang=ro
186;Italian Data Protection Authority (Garante);Italy;11.12.19;8500000;Eni Gas e Luce;Yes;Eni Gas E Luce Spa Societa' Benefit;Italy;Energy;4400000000;1536;Private;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 17 GDPR, Art. 21 GDPR;Insufficient legal basis for data processing;"The Italian supervisory authority imposed two fines totalling EUR 11,5 million on Eni Gas and Luce (Egl) for unlawful processing of personal data in the context of advertising activities and activation of unsolicited contracts. The first fine of EUR 8.5 million relates to the unlawful processing in connection with telemarketing and telesales activities. Amongst others, promotional calls were made without the consent of the person contacted or despite that person's refusal to receive promotional calls, or without triggering the special procedures for checking the public opt-out register. In addition, there was lack of technical and organisational measures to take account of the information provided by users; data was processed longer than the permitted data retention periods; and data on potential customers was collected from entities (list providers) who had not obtained consent to the disclosure of such data.";https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9244365
187;Italian Data Protection Authority (Garante);Italy;11.12.19;3000000;Eni Gas e Luce;Yes;Eni Gas E Luce Spa Societa' Benefit;Italy;Energy;4400000000;1536;Private;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The Italian supervisory authority imposed two fines totalling EUR 11,5 million on Eni Gas and Luce (Egl) for unlawful processing of personal data in the context of advertising activities and activation of unsolicited contracts. The second fine of EUR 3 million concerns infringements resulting from the conclusion of unsolicited contracts for the supply of electricity and gas under 'market economy' conditions. Many persons complained to the Authority that they only learned of the conclusion of a new contract after receiving the letter of termination of the contract with the previous supplier or the first Egl invoices. In some cases, the complaints reported false information in the contracts and forged signatures.;https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9244358
188;Hellenic Data Protection Authority (HDPA);Greece;19.12.19;150000;Aegean Marine Petroleum Network Inc.;Yes;Minerva Bunkering;Switzerland;Energy;NA;NA;NA;No;Art. 5 GDPR, Art. 6 GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;Companies outside the Aegean Marine Petroleum Group had access to its servers containing personal data and copied the contents of the servers, since Aegean Marine Petroleum failed to take the necessary technical measures to secure the processing of large amounts of data and to keep the relevant software separate from the personal data stored on the servers. Furthermore, Aegean Marine Petroleum had not informed the data subjects of the processing of their personal data stored on the servers.;http://www.dpa.gr/APDPXPortlets/htdocs/documentDisplay.jsp?docid=205,136,113,56,60,108,243,88
189;Italian Data Protection Authority (Garante);Italy;15.01.20;27800000;TIM (telecommunications operator);Yes;TIM S.p.A.;Italy;Telecommunications;17980000000;55198;Public;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 17 GDPR, Art. 21 GDPR, Art. 32 GDPR;Insufficient legal basis for data processing;"Between January 2017 and 2019, the data protection authority received hundreds of notifications, in particular concerning the receipt of unsolicited commercial communications made without the consent of the data subjects or despite their registration in the public register of objections. Furthermore, irregularities in data processing in connection with competitions were also complained about. In addition, incorrect and non-transparent information on data processing was provided in Apps provided by the Company and invalid methods of consent were used. In some cases, paper forms requesting one single consent were used for various purposes, including marketing. Furthermore, data was kept longer than necessary and thus violated deletion periods. 

For these violations, the telecommunications company received a fine of EUR 27.8 million. Among other things, the fine was imposed for: lack of consent for marketing activities (telemarketing and cold calling), addressing of data subjects who asked not to be contacted with marketing offers, invalid consents collected in TIM apps, lack of appropriate security measures to protect personal data (including incorrect exchange of blacklists with call centres), lack of clear data retention periods. The supervisory authority also imposed 20 corrective measures on TIM, prohibiting the use of personal data for marketing purposes from those who had refused to receive promotional calls from the call centres.";https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9256486
190;Data Protection Authority of Baden-Wuerttemberg;Germany;24.10.19;100000;Food company;No;NA;NA;NA;NA;NA;NA;Yes;Art. 5 GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The company had set up an applicant portal on its website where interested parties could submit their application documents online. However, the company did not offer an encrypted transmission of the data, nor did it store the applicant data in an encrypted or password-protected manner. In addition, the unsecured applicant data was linked to Google, so that anyone searching for the respective applicant names on Google could find their application documents and retrieve them without access restrictions.;https://www.baden-wuerttemberg.datenschutz.de/wp-content/uploads/2020/01/35.-T%C3%A4tigkeitsbericht-f%C3%BCr-den-Datenschutz-Web.pdf#page=44&zoom=100,0,0
191;Spanish Data Protection Authority (aepd);Spain;14.01.20;3600;Zhang Bordeta 2006, S.L. (Store and Restaurant);Yes;Zhang Bordeta 2006, S.L.;Spain;Food & Beverage;NA;NA;NA;Yes;Art. 5 GDPR;Non-compliance with general data processing principles;The store and restaurant owner installed a video surveillance system which, among others, also took pictures of the sidewalk and thus of the public space, which violates the fundamental principle of data minimization.;https://www.aepd.es/es/documento/ps-00397-2019.pdf
192;Spanish Data Protection Authority (aepd);Spain;03.02.20;60000;Xfera Moviles S.A.;Yes;Xfera Moviles Sau;Spain;Telecommunications;1500000000;473;Private;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;According to the data protection authority, XFERA MOVILES has violated Article 6(1) of the GDPR, as the company has unlawfully processed data, including bank details, customer address and name of the data subjects.;https://www.aepd.es/es/documento/ps-00227-2019.pdf
193;Spanish Data Protection Authority (aepd);Spain;03.02.20;75000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The fine preceded the complaint by the data subject, who argued that Vodafone Espana had signed a contract for the transfer of a telephone subscription with a third party without the data subject's knowledge or consent and that, as a result, he, the data subject, had received an e-mail from the third party for a purchase made by him.;https://www.aepd.es/es/documento/ps-00270-2019.pdf
194;Spanish Data Protection Authority (aepd);Spain;03.02.20;60000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The fine was preceded by a complaint from the data subject, who argued that he had received an e-mail from Vodafone Espana, which contained the billing of a telephone line that the data subject had never requested, which led to his personal data being processed without his consent. As a result, the data subject's personal data were incorporated into the information systems of Vodafone Espana without Vodafone being able to show that the data subject had consented to the collection and subsequent processing of his personal data. The fine of 100,000 EUR was reduced to 60,000 EUR due to a voluntary payment.;https://www.aepd.es/es/documento/ps-00405-2019.pdf
195;Spanish Data Protection Authority (aepd);Spain;03.02.20;50000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 5 GDPR;Non-compliance with general data processing principles;The fine was preceded by a complaint from a data subject who argued that Vodafone Espana had sent invoices containing his personal data, such as name, identity card and address, to its neighbour.;https://www.aepd.es/es/documento/ps-00275-2019.pdf
196;Spanish Data Protection Authority (aepd);Spain;03.02.20;20000;Iberia Lineas Aereas de Espana, S.A. Operadora Unipersonal;Yes;Iberia Lineas Aereas De España Sociedad Anonima Operadora;Spain;Aviation;5000000000;15755;Private;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 21 GDPR;Insufficient legal basis for data processing;Iberia continued to send e-mails to the data subject, despite the data subject had requested the withdrawal of his consent and the erasure of his personal data and that the execution of these measures had already been confirmed to him.;https://www.aepd.es/es/documento/ps-00402-2019.pdf
197;Spanish Data Protection Authority (aepd);Spain;03.02.20;75000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The data subject, a former customer of the company, continued to receive invoice notifications, although at that time there was neither a contractual relationship nor any payment overdue from the expired contractual relationship. As a reason for the incorrect mailings Vodafone indicated a technical error.;https://www.aepd.es/es/documento/ps-00278-2019.pdf
198;Spanish Data Protection Authority (aepd);Spain;03.02.20;6670;Banco Bilbao Vizcaya Argentaria S.L.;Yes;Banco Bilbao Vizcaya Argentaria SA;Spain;Banks;31800000000;123174;Public;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 21 GDPR;Insufficient legal basis for data processing;The company repeatedly sent advertising messages to a data subject, although the data subject had objected to the processing of his data.;https://www.aepd.es/es/documento/ps-00400-2019.pdf
199;Spanish Data Protection Authority (aepd);Spain;03.02.20;5000;Queseria Artesenal Ameco S.L.;Yes;Queseria Artesanal Ameco S.L.;Spain;Food & Beverage;NA;100;Private;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The company processed personal data of customers without required consent.;https://www.aepd.es/es/documento/ps-00259-2019.pdf
200;Spanish Data Protection Authority (aepd);Spain;03.02.20;800;Automocion;Yes;Gestamp Automoción SA;Spain;Industrial;7200000000;40811;Public;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;An employee created a fake profile about a female colleague on an erotic portal, which contained, among other things, her contact details, a photo of her and information about her sexual nature. Based on the profile, the data subject received several phone calls from people who wanted to contact her regarding the information provided on the website. As the private person was found to have a personality disorder, the fine was reduced from initial EUR 1000 to EUR 800.;https://www.aepd.es/es/documento/ps-00292-2019.pdf
201;Spanish Data Protection Authority (aepd);Spain;04.02.20;1500;Cafeteria Nagasaki;Yes;Cafeteria Nagasaki Cerveceria;Spain;Restaurants, Cafes & Bars;NA;NA;Private;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The AEPD found that the Nagasaki Cafeteria did not comply with its obligations under the GDPR, as it placed its surveillance cameras in such a way as to monitor the public space outside its premises, which disproportionately affected pedestrians.;https://www.aepd.es/es/documento/ps-00427-2018.pdf
202;Italian Data Protection Authority (Garante);Italy;15.01.20;10000;Community of Francavilla Fontana;Yes;NA;Italy;Politics & Government;NA;NA;Other;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The community published on its website information about a court trial, including personal data such as health data about a data subject.;https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9261227
203;Data Protection Authority of Hamburg;Germany;NA;51000;Facebook Germany GmbH;Yes;Meta Platforms, Inc;United States;IT Services;103164000000;71970;Public;No;Art. 37 GDPR;Insufficient involvement of data protection officer;Whereas Facebook Ireland had appointed a data proteciton officer for all group companies located in the EU, this appontment was not notfied to the DPA Hamburg, competent for Facebook Germany GmbH. The fine was calculated on the basis of the turnover of the German branch (EUR 35 million). Relevant factors for the calculation were i.a. that the omitted notification was immediately made up for, Facebook acted negligently and did not violate the duty to appoint a data protection officer but only the notification obligation.;https://datenschutz-hamburg.de/assets/pdf/28._Taetigkeitsbericht_Datenschutz_2019_HmbBfDI.pdf
204;Data Protection Authority of Hamburg;Germany;NA;20000;Hamburger Verkehrsverbund GmbH (HVV GmbH);Yes;HVV Hamburger Verkehrsverbund GmbH;Germany;Transportation & Logistics;6100000;64;Private;Yes;Art. 33 GDPR, Art. 34 GDPR;Insufficient fulfilment of data breach notification obligations;On July 6, 2018, HVV GmbH was informed by a customer about a security gap on the website www.hvv.de, which was caused by an update on February 5, 2018 and concerned the so-called Customer E-Service (CES). The security gap consisted in the fact that customers logged in to the CES who had an HVV Card and linked their CES customer account to at least one active contractual relationship in background systems could, by changing the URL, display data of other customers who had an HVV Card. This data breach was not reported to the data protection authority in a timely manner.;https://datenschutz-hamburg.de/assets/pdf/28._Taetigkeitsbericht_Datenschutz_2019_HmbBfDI.pdf
205;Data Protection Authority of Hamburg;Germany;NA;NA;Hamburger Volksbank eG;Yes;Hamburger Volksbank eG;Germany;Banks;NA;440;Private;Yes;Art. 21 GDPR;Insufficient fulfilment of data subjects rights;The company had sent a customer a newsletter with advertising content by e-mail, although this customer had previously expressly objected to the sending of further advertising letters.;https://datenschutz-hamburg.de/assets/pdf/28._Taetigkeitsbericht_Datenschutz_2019_HmbBfDI.pdf
206;Spanish Data Protection Authority (aepd);Spain;14.02.20;2500;Grupo Valsor Y Losan, S.L.;Yes;NA;NA;NA;NA;NA;NA;Yes;Art. 5 (1) f) GDPR;Insufficient technical and organisational measures to ensure information security;The controller had disclosed personal data to a third party in a property purchase agreement (breach of principles of integrity and confidentiality of personal data);https://www.aepd.es/es/documento/ps-00298-2019.pdf
207;Spanish Data Protection Authority (aepd);Spain;14.02.20;3000;Colegio Arenales Carabanchel (School);Yes;Colegio Arenales Carabanchel;Spain;Education;NA;NA;NA;Yes;Art. 6 GDPR;Insufficient legal basis for data processing;The decision of the data protection authority states that the school transferred pictures (and therefore personal data) to third parties, who published them without legal basis.;https://www.aepd.es/es/documento/ps-00466-2019.pdf
208;Spanish Data Protection Authority (aepd);Spain;18.02.20;1500;Mymoviles Europa 2000, S.L.;Yes;NA;Spain;NA;NA;NA;NA;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;The AEPD found that the company did not publish a privacy statement on its website and that its legal notice did not sufficiently identify itself.;https://www.aepd.es/es/documento/ps-00423-2019.pdf
209;Spanish Data Protection Authority (aepd);Spain;14.02.20;80000;Iberdrola Clientes;Yes;Iberdrola Clientes Sociedad Anonima.;Spain;Energy;8000000000;623;Private;Yes;Art. 6 GDPR;Insufficient legal basis for data processing;Iberdola Clientes, an electricity company, terminated the data subject's contract without its consent, concluded three new contracts with the data subject, processed his personal data unlawfully and transferred the plaintiff's personal data to a third party without legal basis. In addition to this fine the AEPD also imposed another fine in the amount of EUR 50.000 under the old Spanish Data Protection Law.;https://www.aepd.es/es/documento/ps-00181-2019.pdf
210;Spanish Data Protection Authority (aepd);Spain;14.02.20;42000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 5 (1) f) GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The complainant had access to third party data in his personal Vodafone profile.;https://www.aepd.es/es/documento/ps-00471-2019.pdf
211;Spanish Data Protection Authority (aepd);Spain;14.02.20;30000;Xfera Moviles S.A.;Yes;Xfera Moviles Sau;Spain;Telecommunications;1500000000;473;Private;Yes;Art. 5 (1) f) GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The AEPD found that a third party had access to the name, telephone number and address of another customer.;https://www.aepd.es/es/documento/ps-00385-2019.pdf
212;Italian Data Protection Authority (Garante);Italy;23.01.20;30000;Azienda Ospedaliero Universitaria Integrata di Verona (Hospital);Yes;Azienda Ospedaliera Universitaria Integrata Verona;Italy;Hospitals;358800000;5000;Private;Yes;Art. 5 (1) f) GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The fine was preceded by access to health data by unauthorised persons, allowing a trainee and a radiologist to gain access to the health data of their colleagues. The investigations revealed that the technical and organisational measures taken by the hospital to protect health data had proved to be insufficient to ensure adequate protection of patients' personal data, resulting in unlawful data processing. According to the data protection authority, the breach could have been avoided if the hospital had simply followed the guidelines for health records issued by the data protection authority in 2015, which stipulate that access to health records must be restricted only to health personnel involved in patient care.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9269629
213;Italian Data Protection Authority (Garante);Italy;23.01.20;30000;Sapienza Universita di Roma;Yes;Universita' Degli Studi Di Roma La Sapienza;Italy;Education;1700000000;19631;Private;Yes;Art. 5 (1) f) GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The fine is based on the fact that, according to the data protection authority, the Sapienza Universita made available online identification data of two people who had reported possible illegal behaviour to the university. This was due to the lack of adequate technical access control measures within the whisleblowing management system, which had not limited access to such data to authorized personnel only.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9269618
214;Spanish Data Protection Authority (aepd);Spain;27.02.20;120000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;Vodafone Espana was unable to prove to the data protection authority that the data subject had given his consent to the processing of his personal data for the provision of a telephone contract. Furthermore, the decision of the data protection authority emphasises that Vodafone Espana also unlawfully disclosed the personal data of the data subject to various credit agencies.;https://www.aepd.es/es/documento/ps-00235-2019.pdf
215;Spanish Data Protection Authority (aepd);Spain;28.02.20;48000;Vodafone ONO, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The decision was taken due to several deficiencies in information security. For example, two people were given the same security access key.;https://www.aepd.es/es/documento/ps-00212-2019.pdf
216;Spanish Data Protection Authority (aepd);Spain;25.02.20;48000;HM Hospitales;Yes;Hm Hospitales 1989 Sa.;Spain;Hospitals;279200000;1632;Private;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The data subject stated that at the time of his admission to hospital he had to fill in a form containing a checkbox indicating that, if he did not tick it, he agreed to the transfer of his data to third parties. This form, provided by HM, was not compatible with the GDPR, since consent was to be obtained through the inactivity of the data subject.;https://www.aepd.es/es/documento/ps-00187-2019.pdf
217;Spanish Data Protection Authority (aepd);Spain;25.02.20;6000;Casa Gracio Operation;Yes;Casa Gracio Operation;Spain;Accommodation;NA;NA;Private;Yes;Art. 5 (1) c) GDPR;Non-compliance with general data processing principles;The company used CCTV cameras in the premises of a hotel which also captured the public roads outside the hotel resulting in a violation of the so called principle of data minimisation.;https://www.aepd.es/es/documento/ps-00369-2019.pdf
219;Spanish Data Protection Authority (aepd);Spain;28.02.20;3600;AEMA Hispanica;Yes;Aema Hispanica Sl;Spain;Services;9700000;500;Private;Yes;Art. 5 (1) f) GDPR;Non-compliance with general data processing principles;The company had sent the payroll of an employee to another employee and therefore disclosed personal data to an unauthorised party.;https://www.aepd.es/es/documento/ps-00455-2019.pdf
220;Spanish Data Protection Authority (aepd);Spain;03.03.20;1800;Solo Embrague;Yes;Solo Embrague;Spain;Services;NA;NA;NA;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;The corporate website did not present a privacy policy or a cookie banner on its main page.;https://www.aepd.es/es/documento/ps-00469-2019.pdf
221;Spanish Data Protection Authority (aepd);Spain;03.03.20;42000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 5 (1) f) GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;According to the AEPD, the company had not been able to demonstrate adequate measures to ensure information security, leading to unauthorized access to personal data of a client.;https://www.aepd.es/es/documento/ps-00474-2019.pdf
222;Spanish Data Protection Authority (aepd);Spain;03.03.20;40000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;According to the AEPD, the company sent an SMS to an clients mobile number confirming that a telephone contract with that number had been signed even though the client was not a Vodafone client, resulting in the processing of personal data without the data subjects consent or other legitimate interests of the company.;https://www.aepd.es/es/documento/ps-00421-2019.pdf
223;Spanish Data Protection Authority (aepd);Spain;03.03.20;24000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;According to the AEPD, the company sent two SMS to an clients mobile number informing about a rate change in its contract and confirming the purchase of a new mobile phone, resulting in the processing of personal data without the data subjects consent or other legitimate interests of the company.;https://www.aepd.es/es/documento/ps-00426-2019.pdf
224;Polish National Personal Data Protection Office (UODO);Poland;04.03.20;0;School in Gdansk (Danzig) (fine imposed against town of Gdansk);No;NA;Poland;Education;NA;NA;NA;Yes;Art. 5 GDPR, Art. 9 GDPR;Insufficient legal basis for data processing;Original summary: A school in Gdansk used biometric fingerprint scanners to authenticate students for the payment process in the school canteen. Although the parents had given their written consent to such data processing, the data protection authority considered the processing of the student data to be unlawful, as the consent to data processing was not given voluntarily. Update: Update: On August 7, 2020, the Provincial Administrative Court in Warsaw overturned the decision of the Polish DPA imposing a fine of EUR 4,600.;https://uodo.gov.pl/decyzje/ZSZZS.440.768.2018,
225;Spanish Data Protection Authority (aepd);Spain;04.03.20;60000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;According to the AEPD, the data subject has received several SMS from a separate operator indicating the activation of a new contract. The reason for this was that an employee of Vodafone Espana activated a contract with a third operator on behalf of the data subject. Vodafone could not demonstrate consent or sufficient legitimate interests for this processing of personal data.;https://www.aepd.es/es/documento/ps-00429-2019.pdf
226;Italian Data Protection Authority (Garante);Italy;06.03.20;4000;Liceo Artistico Statale di Napoli;Yes;Liceo Artistico Statale Di Napoli;Italy;Education;NA;NA;NA;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 9 GDPR;Insufficient legal basis for data processing;The AEPD's decision reveals that the high school unlawfully published health data and other information in the teacher rankings published on the Institute's website. This publication was made in violation of the principles of lawfulness, fairness, transparency and data minimization.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9283029
227;Italian Data Protection Authority (Garante);Italy;06.03.20;4000;Liceo Scientifico Nobel di Torre del Greco;Yes;Liceo Scientifico Alfred Nobel;Italy;Education;NA;NA;NA;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 9 GDPR;Insufficient legal basis for data processing;The AEPD's decision reveals that the high school unlawfully published health data and other information of more than 2000 teachers in the teacher rankings published on the Institute's website. This publication was made in violation of the principles of lawfulness, fairness, transparency and data minimization.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9283014
229;Spanish Data Protection Authority (aepd);Spain;09.03.20;15000;Gesthotel Activos Balagares;Yes;Gesthotel Activos Balagares Sociedad Limitada.;Spain;Accommodation;3000000;38;Private;Yes;Art. 5 (1) f) GDPR;Non-compliance with general data processing principles;The data subject argued that he had sent a private letter to the hotel management and union delegates containing information about an episode of harassment he had suffered, describing a specific medical condition. In violation of the principle of integrity and confidentiality, the hotel management and union delegates subsequently read the contents of this letter in a meeting with other employees.;https://www.aepd.es/es/documento/ps-00358-2019.pdf
230;Danish Data Protection Authority (Datatilsynet);Denmark;10.03.20;7000;Horsholm Municipality;Yes;Hørsholm Kommune;Denmark;Politics & Government;117200000;1000;Other;Yes;Art. 5 (1) f) GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;A city government employee had his work computer stolen, which contained the personal data of about 1,600 city government employees, including sensitive information and information about social security numbers.;https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2020/mar/to-kommuner-indstillet-til-boede/
231;Danish Data Protection Authority (Datatilsynet);Denmark;10.03.20;14000;Gladsaxe Municipality;Yes;Gladsaxe Kommune;Denmark;Politics & Government;111700000;1000;Other;Yes;Art. 5 (1) f) GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;A computer, containing personal data that was not protected by encryption, has been stolen, including sensitive information and personal identification numbers of 20,620 city residents.;https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2020/mar/to-kommuner-indstillet-til-boede/
232;Data Protection Authority of Sweden (Integritetsskyddsmyndigheten);Sweden;11.03.20;5000000;Google LLC;Yes;Google LLC;United States;IT Services;66000000000;139995;Public;No;Art. 5 GDPR, Art. 6 GDPR, Art. 17 GDPR;Insufficient fulfilment of data subjects rights;"Original Fine Summary: The Swedish data protection authority has fined Google LLC ? 7 million for failing to adequately comply with its obligations regarding the right of data subjects to have search results removed from the results list. Integritetsskyddsmyndigheten had already completed a review in 2017 of the way in which Google deals with the right of individuals to have search results removed from Google's search engine and that Integritetsskyddsmyndigheten had instructed Google to remove a number of search results. In addition, data inspections stated that it had initiated a further review of Google's practices in 2018 after it received indications that several of the results that should have been removed still appeared in search results. Integritetsskyddsmyndigheten also objected to Google's current practice of informing web site owners about which results Google is removing from search results, specifically which link has been removed and who is behind the request for removal from the list, as this is without legal basis.

Update: On November 23th, 2020, after an appeal against the fine, the The Administrative Court of Stockholm announced that it had rejected Google LLCs appeal.
However the court reduced the fine from a total of SEK 75 million (approx. EUR  7 million) to SEK 52 million (approx. EUR 5 million).";https://www.datainspektionen.se/globalassets/dokument/beslut/2020-03-11-beslut-google.pdf
233;Icelandic data protection authority ('Personuvernd');Iceland;10.03.20;20600;National Center of Addiction Medicine ('SAA');Yes;Samtök áhugafólks um áfengis- og vímuefnavandann (SÁÁ);Iceland;Politics & Government;8740000;NA;Other;Yes;Art. 5 (1) f) GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;Personuvernd noted that a former employee of the SAA received boxes of allegedly personal belongings that he had left there, but which also contained patient data, including the health records of 252 former patients and documents with the names of about 3,000 people who had participated in rehabilitation for alcohol and drug abuse.;https://www.personuvernd.is/urlausnir/nr/2882
234;Icelandic data protection authority ('Personuvernd');Iceland;10.03.20;9000;BreiTHholt Upper Secondary School;No;Fjölbrautaskólinn í Breiðholti;Iceland;Education;NA;NA;NA;Yes;Art. 5 (1) f) GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;In violation of Art. 32 GDPR, a teacher had sent an e-mail to his students and their parents with an attachment containing data on their well-being, academic performance and social conditions.;https://www.personuvernd.is/urlausnir/nr/2885
235;Norwegian Supervisory Authority (Datatilsynet);Norway;26.02.20;NA;Raelingen Municipality;No;Rælingen Kommune;Norway;Politics & Government;781960000;4432;Other;Yes;Art. 5 (1) f) GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;On February 26, 2020, the Norwegian DPA (Datatilsynet) announced that it intents to fine Raelingen Municipality EUR 73,600  for violations of Art. 5 (1) f) GDPR and Art. 32 GDPR . This fine has been imposed in the meantime, see details at link;https://www.datatilsynet.no/contentassets/bc26a2a8b78b4b30b4b060a4cac80d90/varsel-ralingen.pdf
236;Data Protection Authority of Saarland;Germany;NA;2000;Restaurant;No;NA;NA;Restaurants, Cafes & Bars;NA;NA;NA;Yes;Art. 5 (1) c) GDPR;Non-compliance with general data processing principles;Video surveillance cameras have been used in violation of principle of data minimisation (monitoring also of customer areas in restaurants).;https://www.datenschutz.saarland.de/fileadmin/user_upload/uds/tberichte/tb28_2019.pdf
237;Norwegian Supervisory Authority (Datatilsynet);Norway;28.02.20;NA;Coop Finnmark SA;Yes;Coop Finnmark Sa;Norway;Food & Beverage;98000000;427;Private;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;On February 28, 2020, the Norwegian DPA (Datatilsynet) announced that it intents to fine Coop Finnmark SA EUR 38,600 for violations of Art. 5 GDPR and Art. 6 GDPR . This fine has been imposed in the meantime, see details at link;https://www.datatilsynet.no/contentassets/8dbf5b4b2a33471aacf375b1f0032347/varsel-om-overtredelsesgebyr.pdf
239;Croatian Data Protection Authority (azop);Croatia;13.03.20;NA;Bank (name not available at the moment);No;NA;NA;Banks;NA;NA;NA;Yes;Art. 15 (1), (3) GDPR;Insufficient fulfilment of data subjects rights;In the period from May 2018 to April 2019, the bank (name not available at the moment) refused to provide its customers with copies of credit documentation (e.g. repayment plan, loan agreement annex, interest rates changes review etc.). The bank insisted with the argument that the documentation is related to repaid loans and represents loan documentation that cannot be subject to the customers? right of access. During the procedure initiated based on data subject?s complaints, the DPA ordered the bank to enable the right of access and provide copies of the requested loan documentation. When imposing the fine, the DPA took into consideration especially that the bank failed to comply with the ordered measures, that it continued with such practice for almost a year and denied the right of access to more than 2500 of its customers. The amount of the fine is now known at the moment, but as the DPA qualified the breach as ?severe?, a high fine is expected.;https://azop.hr/aktualno/detaljnije/rjesenje-kojim-se-izrice-upravno-novcana
240;Spanish Data Protection Authority (aepd);Spain;18.03.20;30000;Telefonica;Yes;Telefónica SA;Spain;Telecommunications;41600000000;112797;Public;Yes;Art. 58 GDPR;Insufficient cooperation with supervisory authority;Telefonica had failed to comply with decision TD / 00127/2019 of the Director of the AEPD, which states that it had to reply to data subjects' request for right of access and erasure of data.;https://www.aepd.es/es/documento/ps-00351-2019.pdf
241;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;11.02.20;3000;Vodafone Romania;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 5 (1) f) GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;Vodafone Romania had incorrectly processed personal data of an individual in order to process a complaint, which was subsequently sent to a wrong e-mail address. The reason for this was that there were insufficient security measures in place to prevent such erroneous data processing.;https://www.dataprotection.ro/?page=sanctiune_vodafone_februarie_2020&lang=ro
242;Hellenic Data Protection Authority (HDPA);Greece;21.02.20;5000;Public Power Corporation S.A.;Yes;Public Power Corporation S.A.;Greece;Energy;4200000000;14678;Private;Yes;Art. 15 GDPR;Insufficient fulfilment of data subjects rights;The Decision clarified that data subjects have a right of access to the processing of their personal data and that they must also be provided with a copy of the personal data processed. No reasons need to be given for the request.;http://www.dpa.gr/APDPXPortlets/htdocs/documentDisplay.jsp?docid=158,220,63,69,45,69,224,53
243;Spanish Data Protection Authority (aepd);Spain;16.03.20;5000;Centro De Estudio Dirigidos Delta, S.L.;Yes;NA;Spain;NA;NA;NA;NA;Yes;Art. 5 (1) f) GDPR;Non-compliance with general data processing principles;Centro De Estudio Dirigidos Delta sent a message containing personal data such as first and last name and ID numbers to a third party via WhatsApp without the consent of the data subjects. This constitutes a violation of the principles of integrity and confidentiality under Article 5(1)(f) GDPR.;https://www.aepd.es/es/documento/ps-00425-2019.pdf
245;Spanish Data Protection Authority (aepd);Spain;06.03.20;3200;Retailer;No;NA;NA;Retail & Trade;NA;NA;NA;Yes;Art. 13 GDPR, Art. 14 GDPR;Insufficient fulfilment of information obligations;Insufficient declaration of video surveillance.;https://www.aepd.es/es/documento/ps-00360-2019.pdf
246;Spanish Data Protection Authority (aepd);Spain;12.03.20;2000;Homeowners Association;No;NA;NA;NA;NA;NA;NA;Yes;Art. 5 GDPR, Art. 13 GDPR, Art. 14 GDPR;Non-compliance with general data processing principles;Video surveillance of public space and thus violation of the principle of data minimization. Furthermore: Violation of information obligations, as insufficient information has been provided about video surveillance.;https://www.aepd.es/es/documento/ps-00272-2019.pdf
247;Spanish Data Protection Authority (aepd);Spain;16.03.20;6000;Amalfi Servicios de Restauracion S.L.;Yes;NA;Spain;Accommodation;NA;NA;NA;Yes;Art. 5 GDPR, Art. 13 GDPR, Art. 14 GDPR;Non-compliance with general data processing principles;Video surveillance of public space and thus violation of the principle of data minimization. Furthermore: Violation of information obligations, as insufficient information has been provided about video surveillance.;https://www.aepd.es/es/documento/ps-00317-2019.pdf
248;Spanish Data Protection Authority (aepd);Spain;19.03.20;6000;Oliveros Ustrell, S.L.;Yes;Oliveros Ustrell S.L.;Spain;Retail & Trade;2500000;76;Private;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The company forwarded an unsigned porting contract to the operator Vodafone. However, the data controller was unable to provide evidence of the order. For this reason, the personal data of the data subject has been processed without sufficient legal basis.;https://www.aepd.es/es/documento/ps-00008-2020.pdf
249;Italian Data Protection Authority (Garante);Italy;06.02.20;20000;RTI - Reti Televisive Italiane s.p.a.;Yes;Reti Televisive Italiane Spa;Italy;TV, Film & Radio;1400000000;3147;Private;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The television station broadcasted a documentary about prostitution in Switzerland, in which the persons interviewed were not made sufficiently anonymous.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9283121
250;Hellenic Data Protection Authority (HDPA);Greece;20.03.20;8000;Speech and Special Education Centre - Mihou Dimitra;Yes;NA;Greece;Education;NA;NA;NA;Yes;Art. 15 GDPR, Art. 58 GDPR;Insufficient fulfilment of data subjects rights;The complainant had requested access to his child's data and to tax information. This request was rejected by the data controller. In addition, the data controller had violated an order of the data protection authority regarding access to the data. For this, a fine of EUR 8000 was imposed: EUR 3000 for not granting access to the data and EUR 5000 for violating orders of the data protection authority.;http://www.dpa.gr/APDPXPortlets/htdocs/documentDisplay.jsp?docid=89,253,106,96,141,223,198,107
251;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;21.05.19;286;Directorate of Social and Child Welfare Institutions of the Ferencvaros District of Budapest;Yes;NA;Hungaria;Politics & Government;NA;NA;Other;No;Art. 33 GDPR;Insufficient fulfilment of data breach notification obligations;The employee of the Directorate sent by mistake 9 letters to the wrong recipient, which contained personal data of 18 data subjects (including data of children, criminal data and data related to the private life of the data subjects). The recipient informed the Directorate by telephone 5 days after the posting that it received certain letters by mistake. The Directorate notified NAIH on the data breach only weeks later.;https://www.naih.hu/files/NAIH-2019-3854_hatarozat.pdf
252;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;31.05.19;2000;Local bank;No;NA;NA;Banks;NA;NA;NA;Yes;Art. 12 (3), (4), (5) GDPR, Art. 15 GDPR, Art. 18 GDPR;Insufficient fulfilment of data subjects rights;Customer of a local bank requested access to telephone conversation recordings as well as to CCTV recordings. The bank provided the copies of the recordings of telephone conversations and also provided the chance of reviewing the recordings at bank but rejected to provide copies of the CCTV recordings since the recordings also contained third parties personal data. The NAIH decided in this case that the bank failed to fulfil data subjects rights since it did not respond in due time and also failed to provide copies of the requested recordings. According to the NAIH, the controller could not refer the protection of third party data since the CCTV recordings affected public space open for every customer and the bank also could have anonymised certain parts of the recordings.;https://www.naih.hu/files/NAIH_2019_1859_hatarozat.pdf
253;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;03.06.19;2850;Claim management company;No;NA;NA;Finance & Insurance;NA;NA;NA;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The complainants stated during the case that they concluded a credit agreement with the bank, which sold its claim against the complainants and transferred their respective data to a third-party company (controller). NAIH determined in the case that the controller can neither rely on the consent of the data subjects nor the performance of the credit contract as the legal basis of the data processing, since the data subjects concluded such contract with the bank, not with the controller. The appropriate legal basis for processing could have been the legitimate interest of the controller.;https://www.naih.hu/files/NAIH_2019_1598_hatarozat.pdf
255;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;26.06.19;2850;Financial Enterprise;No;NA;NA;Finance & Insurance;NA;NA;NA;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 21 GDPR;Insufficient legal basis for data processing;"A client of a financial enterprise complained that the financial enterprise transferred his data after he objected against the processing and did not provide information on the processing of his data at his request. According to the financial enterprise, it sold its claim stemming from the contract concluded with its client to a third party, therefore such transaction necessitated the transfer of the relevant client data. NAIH highlighted that the financial enterprise sold the concerning claim and transferred the respective data after the non-fulfilment of the concerning contract by the client; this also means that the financial enterprise cannot rely on the performance of the contract concluded with the client. The relevant legal basis would have been the legitimate interest of the controller, where a balancing test is also necessary, describing its interest in transferring the claim and the relevant data to a third party.";https://www.naih.hu/files/NAIH_2019_1837_hatarozat.pdf
256;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;17.07.19;8575;Budapest Environs Regional Court;No;NA;Hungaria;Politics & Government;NA;NA;Other;No;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The chairman of the Budapest Environs Regional Court organised a meeting for court officials, during which he stated that he quit from the Hungarian Association of Judges and requested the present court officials to persuade their colleagues to do so as well. The chairman also presented a list on the members of the Association in Pest county, which also included information on the amount of membership fees deducted from the salary of judges. The list consisted of data collected from the judges? payroll records. NAIH determined that the Budapest Environs Regional Court may only process such data for the purpose of deduction and payroll management. NAIH also determined that the Budapest Environs Regional Court lacked a legal basis for data processing, when it provided access to data of employees regarding their membership in an association, to other persons.;https://www.naih.hu/files/NAIH-2019-2472_hatarozat.pdf
257;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;02.08.19;4290;Public area maintenance company;No;NA;NA;Services;NA;NA;NA;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR;Non-compliance with general data processing principles;An ex-employee complained that his employer unlawfully monitored his work by its CCTV. The employer argued that CCTV monitoring was necessary to assess, whether the employee fulfilled his employment related duties (i.e. monitoring certain public areas and signalling any unusual event to his colleagues) and that the monitoring also served the protection of its surveillance system from unlawful access or usage. NAIH found that monitoring of the employee by CCTV is not an appropriate way of assessing his work performance and the employer relied on an inappropriate legal basis (public interest, official authority) regarding the CCTV operations. The employer could have protected its public area surveillance system by other methods (e.g. by installing firewalls or other security upgrades to its systems). The employer also placed only a brief notice sheet at the entrance of the workstation of the employee regarding the CCTV monitoring, which NAIH deemed insufficient.;https://www.naih.hu/files/NAIH_2019_2466_hatarozat.pdf
258;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;08.08.19;1715;Government Office Managing the Real Estate Register;No;NA;NA;Politics & Government;NA;NA;Other;Yes;Art. 5 GDPR, Art. 14 GDPR;Non-compliance with general data processing principles;The owners of a real estate complained that the government office posted its decision on the change in the person of the lessee (which concluded a lease agreement with real estate owners) to other owners of 40 real estates contracted by the same lessee. The decision contained personal data of all the owners, who had a lease agreement with the same lessee.;https://www.naih.hu/files/NAIH-2019-1590-hatarozat.pdf
259;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;15.10.19;2860;NA Company;No;NA;NA;NA;NA;NA;NA;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 24 GDPR, Art. 25 GDPR;Non-compliance with general data processing principles;An employee was on sick leave when his employer checked his desktop, laptop and emails to ensure that his work-related duties were being covered in his absence. The employer then suspended his account. The employee did not receive pre-notification and did not have the chance to copy / delete his private information (telephone numbers, messages). According to NAIH, employers must record the access with minutes and photos. Employment agreements must regulate whether employees can use work equipment for private purposes. Privacy notices must contain the reasons for employee monitoring (e.g. business continuity, internal investigation, disciplinary purposes, and the specific retention period of employee data - including the length and recurrence of backup copies. Employers must also prepare ?balancing tests? to prove their legitimate interests for general employee monitoring and specific cases.;https://www.naih.hu/files/NAIH-2019-769-hatarozat.pdf
260;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;04.03.20;290;Representative of a local government;No;NA;NA;Politics & Government;NA;NA;Other;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 15 GDPR, Art. 17 GDPR;Insufficient legal basis for data processing;A local representative took a photo of the director of a company fully owned by the local government depicting the director allegedly tearing off an election poster of the opposition in the company of his child. The local representative uploaded the photo to his Facebook page. The child?s image was blurred, yet it was hinted in the post that she was the daughter of the director. The director told the local representative at the scene that he does not consent to the taking of the photo. NAIH determined that the act of the director was not public information and the photo does not prove that the director torn off an election poster. NAIH also underpinned that only the name of the director of the company fully owned by the local government was public information.;https://www.naih.hu/files/NAIH-2020-32-4-hatarozat.pdf
261;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;25.03.20;2000;SOS Infertility Association;Yes;Asociatia SOS Infertilitatea;Romania;NA;NA;10;Private;Yes;Art. 58 GDPR;Insufficient cooperation with supervisory authority;The Association did not provide the data protection authority with the information requested by the latter after the Association had processed personal data without a sufficient legal basis.;https://www.dataprotection.ro/index.jsp?page=Comunicat_amenda_asociatia_sos_infertilitatea&lang=ro
262;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;25.03.20;3000;Enel Energie;Yes;Enel SpA;Italy;Energy;60500000000;66717;Public;No;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The company has sent an email to a client which contained personal data of another client since the company failed to implement adequate technical and organisational measures to ensure an adequate level of information security.;https://www.dataprotection.ro/index.jsp?page=Comunicat_amenda_enel_martie_2020&lang=ro
263;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;25.03.20;4150;Vodafone Romania;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The company has sent an email to a customer which contained personal data of another customer due to inadequate technical and organisational measures to ensure information security.;https://www.dataprotection.ro/index.jsp?page=Comunicat_noua_amenda_vodafone&lang=ro
264;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;25.03.20;3000;Dante International;Yes;Dante International Sa;Romania;Retail & Trade;923800000;2583;Private;Yes;Art. 6 GDPR, Art. 21 GDPR;Insufficient legal basis for data processing;The company has sent a commercial e-mail to a client though the client had previously unsubscribed from commercial communications.;https://www.dataprotection.ro/index.jsp?page=Comunicat_amenda_dante_international_martie_2020&lang=ro
265;Italian Data Protection Authority (Garante);Italy;13.02.20;4000;Comune di Urago;No;Urago d'Ogli Comune;Italy;Politics & Government;NA;NA;Other;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The local council has published on its website information containing a person's personal data, including health information.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9285411
266;Spanish Data Protection Authority (aepd);Spain;25.03.20;5000;Xfera Moviles S.A.;Yes;Xfera Moviles Sau;Spain;Telecommunications;1500000000;473;Private;Yes;Art. 58 GDPR;Insufficient cooperation with supervisory authority;The company did not provide the data protection authority with the requested information in a timely manner. The AEPD's request was preceded by a request from a data subject for access to its personal data.;https://www.aepd.es/es/documento/ps-00436-2019.pdf
267;Polish National Personal Data Protection Office (UODO);Poland;09.03.20;4400;Vis Consulting Sp. z o.o.;Yes;Vis Consulting Sp. z o.o.;Poland;Advertising & Marketing;NA;NA;NA;Yes;Art. 31 GDPR, Art. 58 GDPR;Insufficient cooperation with supervisory authority;The company prevented an inspection by the data protection authority. As a result, the company has violated Article 31 in conjunction with Article 58(1)(e) and (f) of the GDPR.;https://uodo.gov.pl/decyzje/ZSPR.421.19.2019
268;Data Protection Commision of Bulgaria (KZLD);Bulgaria;20.02.20;2560;T.K. EOOD;Yes;TOKMET-TK EOOD;Bulgaria;Industrial;254641;7;Private;Yes;Art. 25 (1) GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The fine of ca. EUR 2,557 was imposed on T.K. EOOD for unlawful processing of personal data of data subject I.S. by failure to adopt technical and organizational measures to ensure the information security. T.K. EOOD processed the personal data of I.S. unlawfully nine times in duration of five months. The breaches caused damages to the data subject.;http://www.cpdp.bg/download.php?part=rubric_element&aid=4563
269;Data Protection Commision of Bulgaria (KZLD);Bulgaria;20.02.20;2560;L.E. EOOD;Yes;Hexagon Bulgaria (LE) EOOD;Bulgaria;Wholesale;882437;1;Private;Yes;Art. 25 (1) GDPR, Art. 32 GDPR, Art. 6 GDPR;Insufficient technical and organisational measures to ensure information security;The fine of ca EUR 2,557 was imposed on L.E. EOOD for unlawful processing of personal data of data subject I.S. without the knowing and the consent of the data subject and also without a valid contractual relationship between L.E. EOOD and I.S. The enterprise processed the personal data of I.S. unlawfully seven times in duration of 3 months by failure to adopt technical and organizational measures to ensure the information security. In addition to the fine, the Commission for Personal Data Protection (?KZLD?) instructed L.E. EOOD to do regular inspections of its data processing activities, to do risk analysis regarding customers and employees and to conduct periodic trainings of the employees. The KZLD also ordered L.E. EOOD to archive and keep the documents containing the personal data only for limited purposes and the timeframe as required by law.;http://www.cpdp.bg/download.php?part=rubric_element&aid=4563
270;Data Protection Commision of Bulgaria (KZLD);Bulgaria;06.01.20;5110;Utility Company;No;NA;NA;Energy;NA;NA;NA;Yes;Art. 6 (1) GDPR;Insufficient legal basis for data processing;The fine of EUR ca. 5,113 was imposed on a Bulgarian utility company for unlawful processing of the personal data of the data subject V.V. The personal data of V.V. was unlawfully processed and subsequently used for initiating an enforcement case against him for outstanding payment obligations. During the enforcement case, the bailiff seized the data subject?s salary, and the latter suffered damages as a result of the unlawful processing.;http://www.cpdp.bg/download.php?part=rubric_element&aid=4563
271;Data Protection Authority of Brandenburg;Germany;NA;50000;NA Company;No;NA;NA;NA;NA;NA;NA;Yes;Art. 15 GDPR, Art. 28 GDPR;Insufficient fulfilment of data subjects rights;The data controller had engaged an external company to carry out the duties of access to data according to Art. 15 GDPR. However, the engaged company conducted the correspondence with the data subjects under its own logo and in English language, so that it was not apparent to the data subjects who was responsible for the data processing. As a result, the data controller infringed the principle of transparency laid down in Art. 12 GDPR and did not sufficiently fulfil its obligations to provide information in accordance with Art. 15 GDPR. In addition, the data protection supervisory authority found that no written contract for data processing had been concluded between the data controller and the external company, thus constituting a further breach of Art. 28 (9) GDPR.;https://www.lda.brandenburg.de/media_fast/4055/TB_2019_Datenschutz.pdf
272;Belgian Data Protection Authority (APD);Belgium;28.04.20;50000;Proximus SA;Yes;Proximus SA;Belgium;Telecommunications;5300000000;11423;Public;Yes;Art. 31 GDPR, Art. 58 GDPR, Art. 37 GDPR;Insufficient involvement of data protection officer;According to the data protection authority, the company's data protection officer was not sufficiently involved in the processing of personal data breaches and the company did not have a system in place to prevent a conflict of interest of the DPO, who also held numerous other positions within the company (head of compliance and audit department), which led the DPA to the conclusion that the company's DPO was not able to work independently.;https://www.gegevensbeschermingsautoriteit.be/sites/privacycommission/files/documents/Beslissing_GK_18-2020_NL.pdf
273;Data Protection Authority of Sweden (Integritetsskyddsmyndigheten);Sweden;29.04.20;18700;National Government Service Centre (NGSC);Yes;National Government Service Centre (NGSC);Sweden;Politics & Government;NA;NA;Other;Yes;Art. 33 GDPR, Art. 34 GDPR;Insufficient fulfilment of data breach notification obligations;The DPA's decision shows that it took almost five months for the company to notify the data subjects of a data breach and almost three months for the DPA to receive a notification of a data breach concerning an security lack of IT systems of the company.;https://www.datainspektionen.se/globalassets/dokument/beslut/beslut-tillsyn-ssc-20200428.pdf
274;Dutch Supervisory Authority for Data Protection (AP);Netherlands;30.04.20;725000;NA Organisation;No;NA;NA;NA;NA;NA;NA;Yes;Art. 5 GDPR, Art. 9 GDPR;Insufficient legal basis for data processing;The organisation had required its staff to have their fingerprints scanned to record attendance. However, as the decision of the data protection authority stated, the organisation could not rely on exceptions to the processing of this special category of personal data and the company could also not provide any evidence that the employees had given their consent to this data processing.;https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/boetebesluit_vingerafdrukken_personeel.pdf
275;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;05.05.20;5000;Banca Comerciala Romana SA;Yes;Banca Comerciala Romana Sa;Romania;Finance & Insurance;824500000;8426;Private;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The data protection authority finds that the company has not taken adequate technical and organisational measures to ensure an adequate level of information security. This applies in particular to the collection and transmission of copies of customers' identification documents via WhatsApp.;https://www.dataprotection.ro/?page=Sanctiune_pentru_incalcarea_RGPD_BCR&lang=ro
276;Data Protection Authority of Sweden (Integritetsskyddsmyndigheten);Sweden;12.05.20;11200;Health and Medical Board of the Region of Orebro County;Yes;Health and Medical Board of Örebro Län;Sweden;Politics & Government;NA;NA;Other;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;Publication of personal data of a patient without sufficient legal basis.;https://www.datainspektionen.se/globalassets/dokument/beslut/beslut-tillsyn-region-orebro-2020-05-11.pdf
277;Danish Data Protection Authority (Datatilsynet);Denmark;15.05.20;6700;JobTeam A/S DKK;Yes;"	Jobteam A/S";Denmark;Services;20200000;350;Private;Yes;Art. 15 GDPR;Insufficient fulfilment of data subjects rights;The company has deleted personal data affected by a request for access without legal reason.;https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2020/maj/jobteam-indstillet-til-boede/
278;Data Protection Authority of Ireland;Ireland;17.05.20;75000;Tusla Child and Family Agency;Yes;Tusla;Ireland;Politics & Government;750000000;4000;Other;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The company has erroneously disclosed personal data, including information about children, to unauthorized persons. In one case, the contact and location data of a mother and a child were disclosed to an alleged offender, and in two other cases, data about children in foster care were improperly disclosed to blood relatives, including in one case to a father in prison.;https://www.irishtimes.com/news/crime-and-law/tusla-becomes-first-organisation-fined-for-gdpr-rule-breach-1.4255692?mode=amp
279;Deputy Data Protection Ombudsman;Finland;22.05.20;100000;Posti Group Oyj;Yes;Posti Group Oyj;Finland;Services;NA;NA;Private;Yes;Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 15 GDPR;Insufficient fulfilment of data subjects rights;The decision relates to complaints alleging that data subjects received direct marketing from the company although they had requested that their postal data be deleted. Investigations also revealed that the data protection information provided by the company was not transparent enough.;https://tietosuoja.fi/documents/6927448/22406974/Henkil%C3%B6tietojen+k%C3%A4sittelyn+l%C3%A4pin%C3%A4kyvyys+ja+rekister%C3%B6idylle+toimitettavat+tiedot.pdf/b869b7ba-1a05-572e-d97a-9c8a56998fc1/Henkil%C3%B6tietojen+k%C3%A4sittelyn+l%C3%A4pin%C3%A4kyvyys+ja+rekister%C3%B6idylle+toimitettavat+tiedot.pdf
280;Deputy Data Protection Ombudsman;Finland;22.05.20;16000;Kymen Vesi Oy;Yes;Kymen Vesi Oy;Finland;Industrial;19700000;63;Private;Yes;Art. 35 GDPR;Non-compliance with general data processing principles;Fine for failure to carry out a data protection impact assessment ('DPIA') for the processing of location data of employees with a vehicle information system;https://tietosuoja.fi/documents/6927448/22406974/Ty%C3%B6ntekij%C3%B6iden+sijaintitietojen+k%C3%A4sittely+ja+vaikutustenarviointi.pdf/2d04e545-d427-8a0d-3f4d-967de7b428ac/Ty%C3%B6ntekij%C3%B6iden+sijaintitietojen+k%C3%A4sittely+ja+vaikutustenarviointi.pdf
281;Deputy Data Protection Ombudsman;Finland;22.05.20;12500;NA Company;No;NA;NA;NA;NA;NA;NA;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;Processing of employee data without sufficient legal basis.;https://tietosuoja.fi/documents/6927448/22406974/Ty%C3%B6nhakijoiden+henkil%C3%B6tietojen+ker%C3%A4%C3%A4minen+tarpeettomasti.pdf/6cedce13-60cd-c6f9-60cf-b9c8e17db10a/Ty%C3%B6nhakijoiden+henkil%C3%B6tietojen+ker%C3%A4%C3%A4minen+tarpeettomasti.pdf
283;Deputy Data Protection Ombudsman;Finland;29.05.20;72000;Taksi Helsinki;Yes;Taksi Helsinki Oy;Finland;Transportation & Logistics;9100000;50;Private;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 35 GDPR;Non-compliance with general data processing principles;Among other things, the company had not assessed the risks and consequences of processing personal data before introducing a camera surveillance system that records audio and video in its taxis and had also failed to conduct data protection impact assessments of its processing activities, including the surveillance of security cameras, the processing of location data, automated decision making and profiling as part of its loyalty program. Furthermore, the processing of audio data was not in line with the GDPR principle of data minimization.;https://tietosuoja.fi/documents/6927448/22406974/P%C3%A4%C3%A4t%C3%B6s+henkil%C3%B6tietojen+k%C3%A4sittelyn+lainmukaisuudesta/60115710-2513-a359-6261-e821818b9ee1/P%C3%A4%C3%A4t%C3%B6s+henkil%C3%B6tietojen+k%C3%A4sittelyn+lainmukaisuudesta.pdf
284;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;09.03.20;870;Creditor;No;NA;NA;Finance & Insurance;NA;NA;NA;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;Sending of SMS to a data subject as a reminder for a debt, even when the debt has already been paid.;https://www.naih.hu/files/NAIH-2020-2555-hatarozat.pdf
285;Spanish Data Protection Authority (aepd);Spain;09.06.20;5000;Consulting de Seguridad e Investigacion Mira Dp Madrid S.L.;Yes;Consulting de Seguridad e Investigacion Mira Dp Madrid S.L.;Spain;Services;NA;NA;NA;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;A data subject has received marketing messages without having consented.;https://www.aepd.es/es/documento/ps-00434-2019.pdf
286;Spanish Data Protection Authority (aepd);Spain;09.06.20;540;Chenming Ye (Bazar Real);Yes;NA;Spain;Retail & Trade;NA;NA;NA;Yes;Art. 13 GDPR, Art. 14 GDPR;Insufficient fulfilment of information obligations;Usage of CCTV camera in a shop without proper information.;https://www.aepd.es/es/documento/ps-00433-2019.pdf
288;Spanish Data Protection Authority (aepd);Spain;09.06.20;75000;Equifax Iberica, S.L.;Yes;Equifax Iberica Sl;Spain;Science & Research;37900000;173;Private;Yes;Art. 15 GDPR;Insufficient fulfilment of data subjects rights;The Data Subject has requested by e-mail the deletion of his data from the file of the National Association of Financial Credit Institutions ('ASNEF'). Equifax Iberica had replied that the exercise of the complainant's right was excessive due to an earlier request and that therefore the deletion would not be carried out. This was seen as a breach of data subjects rights for erasure under the GDPR as well as a breach of blocking obligations under national data protection laws.;https://www.aepd.es/es/documento/ps-00451-2019.pdf
289;Spanish Data Protection Authority (aepd);Spain;09.06.20;39000;Xfera Moviles S.A.;Yes;Xfera Moviles Sau;Spain;Telecommunications;1500000000;473;Private;Yes;Art. 5 (1) f) GDPR;Insufficient legal basis for data processing;A customer claimed to have received an SMS from Xfera Moviles informing about the non-payment and the resulting suspension of the service in relation to the account of another data subject.;https://www.aepd.es/es/documento/ps-00033-2020.pdf
290;Spanish Data Protection Authority (aepd);Spain;09.06.20;25000;Glovoapp23;Yes;Glovoapp23 Sl.;Spain;IT Services;52500000;250;Private;Yes;Art. 37 GDPR;Insufficient involvement of data protection officer;The company had not appointed a Data Protection Officer ('DPO') to whom requests from data subjects could be addressed, and the company's website did not contain information about an appointed DPO.;https://www.aepd.es/es/documento/ps-00417-2019.pdf
291;Spanish Data Protection Authority (aepd);Spain;04.06.20;4000;Iberdrola Clientes;Yes;Iberdrola Clientes Sociedad Anonima.;Spain;Energy;8000000000;623;Private;Yes;Art. 58 GDPR;Insufficient cooperation with supervisory authority;The company was asked to provide the AEPD with specific information in relation to a complaint. However, the company had not replied to the data protection authorities request for information within a certain time frame, in breach of Art. 58 of the GDPR.;https://www.aepd.es/es/documento/ps-00444-2019.pdf
292;Norwegian Supervisory Authority (Datatilsynet);Norway;03.09.20;276000;Bergen Municipality;Yes;Bergen Kommune;Norway;Politics & Government;3000000000;28008;Other;Yes;Art. 5 (1) f) GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;In October 2019, the Data Protection Authority was informed by the Municipality of Bergen about a data breach in connection with the municipality's tool for communication between school and home called 'Vigilo'. This tool contained a module that allowed school and parents to communicate via a portal or app but that had not been secured properly to ensure the protection of personal data against security threats.;https://www.datatilsynet.no/contentassets/fd5c454b4eae4924af94943ba68002bf/20_02181-3-vedtak-om-overtredelsesgebyr---bergen-kommune.pdf
293;Spanish Data Protection Authority (aepd);Spain;09.06.20;40000;TELEFONICA MOVILES ESPANA, S.A.U.;Yes;Telefónica SA;Spain;Telecommunications;41600000000;112797;Public;Yes;Art. 6 GDPR;Insufficient legal basis for data processing;A sales representative failed to carefully check the identity of a claimant so that he could appear in the name of the data subject and order a telephone connection for four telephone lines in his name.;https://www.aepd.es/es/documento/ps-00453-2019.pdf
294;Norwegian Supervisory Authority (Datatilsynet);Norway;03.05.20;134000;Telenor Norge AS;Yes;Telenor Norge As;Norway;Telecommunications;2400000000;3383;Private;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;Fines for security breaches in a voice mailbox function.;https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2020/varsel-om-irettesettelse-mot-telenor-norge-as/
295;Data Protection Commision of Bulgaria (KZLD);Bulgaria;14.04.20;2000;Political Party;No;NA;NA;Politics & Government;NA;NA;Other;Yes;Art. 6 GDPR;Insufficient legal basis for data processing;Forging signatures on a voters' list.;https://www.cpdp.bg/?p=element&aid=1247
296;Belgian Data Protection Authority (APD);Belgium;14.05.20;50000;Social Media Provider;No;NA;NA;Services;NA;NA;NA;Yes;Art. 6 GDPR;Insufficient legal basis for data processing;The company has sent invitations to contacts uploaded by its users without their consent or any other legal basis.;https://www.dataprotectionauthority.be/sites/privacycommission/files/documents/Beslissing_GK_25-2020_EN.pdf
297;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;23.04.20;3000;Estee Lauder Romania;Yes;Estee Lauder;United States;Wholesale;12490000000;48000;Public;No;Art. 6 GDPR, Art. 7 GDPR, Art. 9 GDPR;Insufficient legal basis for data processing;Processing of personal data without sufficient legal basis including health data.;https://www.dataprotection.ro/?page=Amenda_pentru_incalcarea_RGPD_iunie_2020&lang=ro
298;Spanish Data Protection Authority (aepd);Spain;09.06.20;3000;Salad Market S.L. (Catering Company);Yes;Salad Market S.L.;Spain;Restaurants, Cafes & Bars;NA;NA;Private;Yes;Art. 13 GDPR, Art. 14 GDPR;Insufficient fulfilment of information obligations;Fines for lack of sufficient data processing information in relation to video surveillance on business premises and for insufficient information when cookies were used on its website.;https://www.aepd.es/es/documento/ps-00048-2020.pdf
299;Spanish Data Protection Authority (aepd);Spain;09.06.20;2000;Attorney;No;NA;NA;Services;NA;NA;NA;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;In the course of proceedings, an attorney submitted documents whose backs contained personal data of other parties.;https://www.aepd.es/es/documento/ps-00390-2019.pdf
301;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;23.04.20;3000;Telekom Romania Communications SA;Yes;Deutsche Telekom AG;Germany;Telecommunications;97600000000;226291;Public;No;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The company had not taken sufficient technical and organizational measures to ensure the accuracy of personal data transmitted by telephone for the conclusion of contracts. This led to contracts being concluded by telephone on behalf of other data subjects;https://www.dataprotection.ro/?page=O_noua_sanctiune_pentru_incalcarea_RGPD_iunie_2020&lang=ro
302;Estonian Data Protection Authority (AKI);Estonia;30.04.20;500;Housing Association;No;NA;NA;NA;NA;NA;NA;Yes;Art. 6 GDPR;Insufficient legal basis for data processing;Fine of EUR 500 against a housing association for publishing photos showing members of the association without their consent.;https://www.aki.ee/sites/default/files/ettekirjutused/2019/ettekirjutus-hoiatus_isikuandmete_kaitse_asjas_30.04.2020_nr_2.1.-6-20-19_korteriuhistu_outokumpu_19.pdf
303;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;26.03.20;2890;Bank;No;NA;NA;Banks;NA;NA;NA;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;Due to an administrative error, the personal data of the data subject were registered and transferred to the Central Credit Information System (CCI) in connection with a loan agreement, without the data subject being a party to the agreement.;https://www.naih.hu/files/NAIH-2020-32-4-hatarozat.pdf
304;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;19.03.20;5800;NA Company;No;NA;NA;NA;NA;NA;NA;Yes;Art. 6 GDPR, Art. 15 GDPR;Insufficient fulfilment of data subjects rights;The data controller has not complied with its obligation regarding the right of access to video recordings and was also unable to demonstrate that his data processing activities had been in compliance with data protection laws.;https://www.naih.hu/files/NAIH-2020-200-hatarozat.pdf
305;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;24.01.20;1450;Accounting firm;No;NA;NA;Finance & Insurance;NA;NA;NA;Yes;Art. 24 GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;A printed customer list of an accounting firm, which also contained personal data, could be accessed by unauthorized persons.;https://www.naih.hu/files/NAIH-2020-1137-hatarozat.pdf
306;Data Protection Authority of Baden-Wuerttemberg;Germany;30.06.20;1240000;Allgemeine Ortskrankenkasse ('AOK') (health insurance company);Yes;Allgemeine Ortskrankenkasse (AOK);Germany;Finance & Insurance;NA;61500;NA;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;From 2015 to 2019, AOK Baden-Wurttemberg (insurance organization) organized competitions on various occasions and collected personal data of the participants, including their contact details and health insurance affiliation. The AOK also wanted to use this data for advertising purposes, provided the participants had given their consent. With the help of technical and organizational measures, including internal guidelines and data protection training, the AOK wanted to ensure that only data of those contest participants who had previously given their effective consent would be used for advertising purposes. However, the measures defined by the AOK did not meet the legal requirements. As a result, the personal data of more than 500 lottery participants were used for advertising purposes without their consent. Immediately after this became known, the AOK Baden-Wurttemberg stopped all marketing measures in order to thoroughly examine all processes.;https://www.baden-wuerttemberg.datenschutz.de/lfdi-baden-wuerttemberg-verhaengt-bussgeld-gegen-aok-baden-wuerttemberg-wirksamer-datenschutz-erfordert-regelmaessige-kontrolle-und-anpassung/
307;Spanish Data Protection Authority (aepd);Spain;23.06.20;7500;Miraclia (telecommunications company);Yes;Miraclia Telecomunicaciones, S.L;Spain;Telecommunications;160035;2;Private;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The recording of telephone jokes via an app constitutes processing of personal data in accordance with the applicable data protection law, as the voices of individuals may constitute personal data if they are associated with other information, such as the telephone number. The consent of the users at the end of the conversation was not sufficient in this case.;http://www.poderjudicial.es/cgpj/es/Poder-Judicial/Noticias-Judiciales/El-Tribunal-Supremo-confirma-la-multa-de-7-500-euros-a-una-empresa-de-bromas-telefonicas-por-infraccion-de-la-ley-de-Proteccion-Datos
308;Spanish Data Protection Authority (aepd);Spain;22.06.20;2000;Comunidad de propietarios demelza beach;Yes;Demelza Beach Comunidad;Spain;Politics & Government;NA;NA;Other;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 14 GDPR;Non-compliance with general data processing principles;Illegal use of CCTV cameras due to coverage of public space and recording of passing pedestrians. Furthermore, insufficient fulfilment of information obligations.;https://www.aepd.es/es/documento/ps-00273-2019.pdf
309;Spanish Data Protection Authority (aepd);Spain;16.06.20;2000;Cafe Bar;No;NA;NA;Restaurants, Cafes & Bars;NA;NA;NA;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 14 GDPR;Non-compliance with general data processing principles;Illegal use of CCTV cameras (recording of third parties) and insufficient fulfilment of information obligations.;https://www.aepd.es/es/documento/ps-00306-2019.pdf
310;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;18.06.20;4000;Enel Energie;Yes;Enel SpA;Italy;Energy;60500000000;66717;Public;No;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;Failure to take adequate measures to prevent unauthorised disclosure of personal data. The fine was preceded by a complaint about the disclosure of personal data of the data subject to another customer by e-mail.;https://www.dataprotection.ro/index.jsp?page=Amenda_pentru%20incalcarea_RGPD_Enel_iunie2020&lang=ro
311;Spanish Data Protection Authority (aepd);Spain;15.06.20;75000;Xfera Moviles S.A.;Yes;Xfera Moviles Sau;Spain;Telecommunications;1500000000;473;Private;Yes;Art. 6 GDPR;Insufficient legal basis for data processing;The data subject received a notice from a debt collection company demanding payments in connection with Xfera Moviles' services, even though the claimant had not been a customer of Xfera Moviles since September 2017. Furthermore, the resolution states that Xfera Moviles carried out the processing of the personal data of the plaintiff without his consent, which constitutes a violation of Article 6 of the GDPR.;https://www.aepd.es/es/documento/ps-00415-2019.pdf
312;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;11.06.20;3000;Telekom Romania;Yes;Deutsche Telekom AG;Germany;Telecommunications;97600000000;226291;Public;No;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;Inadequate security measures of the company had led to unlawful processing of personal data without verifying their accuracy. For this reason, a fine was imposed on Telekom Romania for violation of Article 32 of the GDPR, and the introduction of effective mechanisms to identify and protect data from unauthorised disclosure and unlawful processing is ordered to ensure compliance with the GDPR.;https://www.dataprotection.ro/?page=O_noua_sanctiune_pentru_incalcarea_RGPD_iunie_2020&lang=ro
313;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;12.06.20;288000;Digi Tavkozlesi Szolgaltato Kft. ('Digi') (electronic communication service provider);Yes;Digi Távközlési És Szolgáltató Korlátolt Felelösségü Társaság;Hungaria;Telecommunications;140400000;2585;Private;No;Art. 5 (1) b), (e) GDPR, Art. 32 (1), (2) GDPR;Insufficient technical and organisational measures to ensure information security;The company had infringed the principles of purpose limitation and storage restriction because its database contained a large amount of customer data which were no longer relevant for the actual purpose of collection and for which no retention period had been set. Furthermore, the NAIH pointed out that the defendant had not taken proportionate measures to reduce the risks in the area of data management and data security, arguing, inter alia, that it had not used encryption mechanisms.;https://www.naih.hu/files/NAIH-2020-1160-10-hatarozat.pdf
314;Data Protection Authority of Sweden (Integritetsskyddsmyndigheten);Sweden;16.06.20;1900;Housing Association;No;NA;NA;NA;NA;NA;NA;Yes;Art. 5 GDPR, Art. 6 GDPR;Non-compliance with general data processing principles;Unlawful usage of surveillance cameras. In the decision, the data protection authority stressed that sound recordings have additional privacy implications, especially in a residential building, and that in this case there is nothing to justify sound recording. In addition, the decision orders the housing association to stop the cameras recording staircases and entrances, to stop sound recording and to improve the information on camera surveillance.;https://www.datainspektionen.se/globalassets/dokument/beslut/2020-06-16-kamerabevakning-hos-brf.pdf
317;Belgian Data Protection Authority (APD);Belgium;08.06.20;5000;Municipal employee;No;NA;NA;Politics & Government;NA;NA;Other;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;In the context of a municipal election in 2018, the data controller had sent election advertisements to a group of employees of the same municipal administration, unlawfully using a list of contact data to which he had no access.;https://www.autoriteprotectiondonnees.be/sites/privacycommission/files/documents/Decision_CC_30-2020_FR.pdf
318;Information Commissioner of Isle of Man;United Kingdom;25.06.20;13500;Department of Home Affairs;No;NA;NA;Politics & Government;NA;NA;Other;Yes;Art. 12 GDPR, Art. 15 GDPR;Insufficient fulfilment of data subjects rights;Fines for failure to comply with the right of access to personal data under Articles 12 and 15 GDPR. The Isle of Man has declared the GDPR - although it is not an EU state - to be applicable.;https://www.inforights.im/media/1840/dha_penaltynotice_20mar2020_website.pdf
319;Danish Data Protection Authority (Datatilsynet);Denmark;30.06.20;6700;Lejre Municipality;Yes;Lejre Kommune;Denmark;Politics & Government;97400000;1000;Other;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 33 GDPR, Art. 34 GDPR;Non-compliance with general data processing principles;The data protection authority had found that the Lejre Municipal Child and Youth Centre had regularly uploaded minutes of meetings with particularly sensitive and sensitive personal data, including on citizens under 18 years of age, to the Lejre Municipal Personnel Portal, which was accessible to employees of the Lejre Municipality, regardless of whether the employees in question were working with these cases. In addition, the data protection authority denied the failure to comply with the obligation to inform the persons concerned of the data breach.;https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2020/jun/lejre-kommune-indstilles-til-boede
320;Data Protection Authority of Ireland;Ireland;30.06.20;40000;Tusla Child and Family Agency;Yes;Tusla;Ireland;Politics & Government;750000000;4000;Other;Yes;Art. 33 GDPR;Insufficient fulfilment of data breach notification obligations;The organization sent a letter with abuse allegations to a third party who then uploaded it to social networks.;https://www.irishlegal.com/article/tusla-fined-40-000-in-second-gdpr-breach
321;Norwegian Supervisory Authority (Datatilsynet);Norway;22.06.20;112000;Ostfold HF Hospital;Yes;Sykehuset Østfold Hf;Norway;Hospitals;596700000;7449;Private;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;It was found that Ostfold HF Hospital had stored patient data, including sensitive data such as the reason for hospitalisation, during the period 2013-2019 without controlling access to the folders where the data was stored. Datatilsynet therefore decided that the hospital had not taken sufficient technical and organisational measures to protect personal data and was therefore in breach of the GDPR and the Patient Records Act.;https://www.datatilsynet.no/contentassets/a42cee6c37084047ac14489dcc318c75/varsel-om-palegg-og-overtredelsesgebyr-200653_13_1.pdf
322;Norwegian Supervisory Authority (Datatilsynet);Norway;19.06.20;NA;Aquateknikk AS;Yes;Aquateknikk AS;Norway;Industrial;NA;NA;Private;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;On June 19, 2020, the Norwegian DPA (Datatilsynet) announced that it intents to fine Aquateknikk AS  EUR 28,000 for violations of Art. 5 GDPR and Art. 6 GDPR . This fine has been imposed in the meantime, see details at link;https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2020/varsel-om-gebyr-aquateknikk/
323;Spanish Data Protection Authority (aepd);Spain;19.06.20;6000;National Police Brigade;Yes;NA;NA;Politics & Government;NA;NA;Other;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;Making copies of a company's business records in the context of investigations which contained data from third parties and for which there was no legal basis for processing.;https://www.aepd.es/es/documento/ps-00415-2019.pdf
324;Italian Data Protection Authority (Garante);Italy;30.01.20;4000;Comune di Colledara;Yes;Colledara Comune;Italy;Politics & Government;NA;NA;Other;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;Publication of documents relating to a public tender with personal data on a website;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9302897
325;Italian Data Protection Authority (Garante);Italy;05.03.20;3000;San Giorgio Jonico;Yes;San Giorgio Jonico Comune;Italy;Politics & Government;NA;NA;Other;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 17 GDPR;Insufficient legal basis for data processing;Publication of a citizen's personal data on a website and failure to comply with requests for deletion.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9361186
326;Spanish Data Protection Authority (aepd);Spain;02.07.20;24000;Iberdrola Clientes;Yes;Iberdrola Clientes Sociedad Anonima.;Spain;Energy;8000000000;623;Private;Yes;Art. 5 GDPR;Non-compliance with general data processing principles;A third person had received an electricity bill with personal details such as name, address and bank account of another customer. The reason for this was that Iberdola Clientes was not able to guarantee adequate security measures in the processing of the personal data of the data subject, in violation of the principles of data integrity and confidentiality. The fine of ?40,000 has been reduced to ?24,000 due to voluntary payment.;https://www.aepd.es/es/documento/ps-00102-2020.pdf
327;Spanish Data Protection Authority (aepd);Spain;02.07.20;4000;De Vere Spain S.L.;Yes;deVere Spain S.L;Spain;Finance & Insurance;3490000;26;Private;Yes;Art. 21 GDPR;Insufficient fulfilment of data subjects rights;The company did not respond to the data subject's request to stop processing his or her data, and therefore data subject continued to receive commercial calls.;https://www.aepd.es/es/documento/ps-00475-2019.pdf
328;Norwegian Supervisory Authority (Datatilsynet);Norway;02.07.20;NA;Odin Flissenter AS;Yes;Odin Flissenter As;Norway;Retail & Trade;2600000;8;Private;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;On July 2, 2020, the Norwegian DPA (Datatilsynet) announced that it intents to fine Odin Flissenter AS EUR 28,000 for violations of Art. 5 GDPR and Art. 6 GDPR. This fine has been imposed in the meantime, see details at link;https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2020/varsel-om-overtredelsesgebyr-til-odin-flissenter-as/
329;Spanish Data Protection Authority (aepd);Spain;02.07.20;3600;Saunier-Tec Mantenimientos de Calor y Frio, SL.;Yes;"	Saunier Tec Mantenimientos De Calor Y Frio Sl";Spain;Building Construction;12300000;130;Private;Yes;Art. 33 GDPR;Insufficient fulfilment of data breach notification obligations;Although the company had taken steps to remedy a data breach, it had not informed the AEPD sufficiently. As a result, the AEPD imposed a fine of EUR 4,800, which was reduced to EUR 3,600 due to voluntary payment.;https://www.aepd.es/es/documento/ps-00122-2020.pdf
330;Spanish Data Protection Authority (aepd);Spain;02.07.20;5000;Xfera Moviles S.A.;Yes;Xfera Moviles Sau;Spain;Telecommunications;1500000000;473;Private;Yes;Art. 31 GDPR, Art. 58 GDPR;Insufficient cooperation with supervisory authority;The company had not cooperated sufficiently with the data protection authority.;https://www.aepd.es/es/documento/ps-00090-2020.pdf
331;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;09.07.20;15000;Proleasing Motors SRL;Yes;Proleasing Motors Srl;Romania;Retail & Trade;42500000;151;Private;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The company had failed to take adequate technical and organisational measures to ensure data security, which led to the publication on Facebook of a document containing a password for access to personal data of 436 customers.;https://www.dataprotection.ro/index.jsp?page=Comunicat_09_07_20&lang=ro
332;Polish National Personal Data Protection Office (UODO);Poland;10.07.20;3400;East Power Sp. z o.o.;Yes;NA;NA;NA;NA;NA;NA;Yes;Art. 31 GDPR, Art. 58 GDPR;Insufficient cooperation with supervisory authority;After three subpoenas to East Power, in which the latter failed to provide sufficient explanations on a direct marketing complaint, the data protection authority found that East Power had deliberately obstructed the course of the procedure or at least failed to comply with its obligations to cooperate with the supervisory authority.;https://uodo.gov.pl/decyzje/DKE.561.1.2020
333;Norwegian Supervisory Authority (Datatilsynet);Norway;10.07.20;46660;Municipality of Raelingen;Yes;Rælingen Kommune;Norway;Politics & Government;781960000;4432;Other;Yes;Art. 32 GDPR, Art. 35 GDPR;Insufficient technical and organisational measures to ensure information security;Fine for the processing of children's health data in connection with disability through the digital learning platform 'Showbie'. The Municipality had failed to carry out a Data Protection Impact Assessment ('DPIA') in accordance with Article 35 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') prior to the start of the processing and had not taken adequate technical and organisational measures in accordance with Article 32 of the GDPR, resulting in an increased risk of unauthorised access to the personal data of the pupils.;https://www.datatilsynet.no/contentassets/9d5792264c884f3a903d3981c38812ac/~-20_02191-1-vedtak-om-overtredelsesgebyr---ralingen-kommune-202444_10_1.pdf
334;Dutch Supervisory Authority for Data Protection (AP);Netherlands;06.07.20;830000;Bureau Krediet Registration ('BKR');Yes;Stichting Bureau Krediet Registratie (Bkr);Netherlands;Finance & Insurance;3600000;98;Private;Yes;Art. 12 GDPR, Art. 15 GDPR;Insufficient fulfilment of data subjects rights;BKR had required the payment of a fee when individuals requested access to their personal data and only provided access to their data once a year free of charge by post.;https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/besluit_bkr_30_juli_2019.pdf
335;Italian Data Protection Authority (Garante);Italy;13.07.20;200000;Merlini s.r.l.;Yes;Merlini Srl;Italy;Restaurants, Cafes & Bars;7100000;25;Private;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 28 GDPR, Art. 29 GDPR;Insufficient legal basis for data processing;The company had carried out telemarketing activities on behalf of Wind Tre S.p.A. through a third party provider as data processor without sufficient legal basis fpr data processing (Art. 5-7 GDPR) and without sufficient contractual agreements (Art. 28, 29 GDPR) with the third party provider.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9435774
336;Italian Data Protection Authority (Garante);Italy;13.07.20;16700000;Wind Tre S.p.A.;Yes;Wind Tre Spa;Italy;Telecommunications;4500000000;6360;Private;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 24 GDPR, Art. 25 GDPR;Insufficient legal basis for data processing;Fines for several unlawful data processing activities relating to direct marketing. Hundreds of data subjects claimed to have received unsolicited communications sent without their prior consent by SMS, e-mail, telephone calls and automated calls. The data subjects were not able to exercise their right to withdraw their consent and object to processing for direct marketing purposes because the information contained in the Data Protection Policy was incomplete in relation to the contact details. Furthermore, the data protection authority stated that the data of the data subjects were published on public telephone lists despite their objection. In addition, several apps distributed by the company were set up in such a way that the user had to give his consent to various processing activities each time he accessed them, with the possibility of withdrawing consent given only after 24 hours.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9435753
337;Italian Data Protection Authority (Garante);Italy;13.07.20;800000;Iliad Italia S.p.A.;Yes;Iliad Italia Spa;Italy;Telecommunications;378400000;582;Private;Yes;Art. 5 GDPR, Art. 25 GDPR;Non-compliance with general data processing principles;The fine relates to data protection infringements concerning the processing of customer data for the activation of SIM cards and the manner in which payment data was recorded. In addition, the data protection authority stated that the company had violated the principles of lawfulness, fairness and transparency as well as the integrity and confidentiality with regard to the processing of personal data for direct marketing purposes and the storage of customer data in the personal area of its website.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9435807
338;Spanish Data Protection Authority (aepd);Spain;10.07.20;1500;Auto Desguaces Iglesias S.L.;Yes;Auto Desguaces Iglesias S.L.;Spain;Services;4368500;30;Private;Yes;Art. 5 GDPR;Non-compliance with general data processing principles;The company had installed surveillance cameras that recorded the public road and therefore violated the principle of data minimization.;https://www.aepd.es/es/documento/ps-00004-2020.pdf
340;Spanish Data Protection Authority (aepd);Spain;10.07.20;12000;Vodafone Espana, SAU;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 5 GDPR;Non-compliance with general data processing principles;Fines for violation of Art. 5 (1) d) GDPR for changing the customer's master data into the name of a third party, the ex-spouse of the customer.;https://www.aepd.es/es/documento/ps-00139-2020.pdf
341;Spanish Data Protection Authority (aepd);Spain;10.07.20;5000;Global Business Travel Spain SLU;Yes;American Express Co.;United States;Finance & Insurance;30900000000;63700;Public;No;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The fine was preceded by an employee's access to health data of a person concerned. In the course of its investigations, the Data Protection Authority found that Global Business Travel Spain, as data controller, had infringed Article 32(2) and (4) of the GDPR by failing to take adequate technical and organisational measures to protect the data from unauthorised disclosure.;https://www.aepd.es/es/documento/ps-00296-2020.pdf
342;Spanish Data Protection Authority (aepd);Spain;10.07.20;5000;School Fitness Holiday & Franchising S.L.;Yes;School Fitness Holiday & Franchising Sl;Spain;Sports, Fitness & Recreation;10300000;127;Private;Yes;Art. 5 GDPR;Non-compliance with general data processing principles;Breach of transparency principle. No further information available at the moment.;https://www.aepd.es/es/documento/ps-00135-2020.pdf
343;Spanish Data Protection Authority (aepd);Spain;10.07.20;55000;Xfera Moviles S.A.;Yes;Xfera Moviles Sau;Spain;Telecommunications;1500000000;473;Private;Yes;Art. 5 GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The company had changed a contract for a mobile phone connection to a new owner, whereby the personal data of a data subject such as his address and telephone numbers were freely accessible. This constituted a violation of the principles of confidentiality and integrity.;https://www.aepd.es/es/documento/ps-000104-2020.pdf
344;Belgian Data Protection Authority (APD);Belgium;14.07.20;600000;Google Belgium SA;Yes;Google LLC;United States;IT Services;66000000000;139995;Public;No;Art. 5 GDPR, Art. 6 GDPR, Art. 17 (1) a) GDPR, Art. 12 GDPR;Insufficient fulfilment of data subjects rights;The Belgian data protection authority has fined Google Belgium SA, a subsidiary of Google, 600,000 euros. The reasons for the fine were the rejection of an application by a data subject for dereferencing outdated articles that the data subject had considered to be damaging to its reputation, and lack of transparency in Google's form for dereferencing applications. The Belgian data protection authority found that articles relating to unfounded harassment complaints could have serious consequences for the data subjects, and natural persons were therefore entitled to have articles deleted/dereferenced. This also applies to persons who hold political office, even though these offices are generally less worthy of protection due to their public status and articles relating to political persons may therefore be stored for a longer period of time. Google's rejection of the application was therefore in breach of Article 17 of the GDPR (fine for this breach: ?500,000). In addition, a further ?100,000 was imposed for breach of the principle of transparency, as Google's rejection of the request for deletion was not sufficiently justified;https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-37-2020.pdf
345;Spanish Data Protection Authority (aepd);Spain;20.07.20;24000;Banco Bilbao Vizcaya Argentaria, SA;Yes;Banco Bilbao Vizcaya Argentaria SA;Spain;Banks;31800000000;123174;Public;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;BBVA had no legitimate basis for processing the data of the data subject and had therefore infringed Article 6(1) of the GDPR, since the company processed solvency and credit information files without a prior contractual relationship with the data subject.;https://www.aepd.es/es/documento/ps-00068-2020.pdf
346;Spanish Data Protection Authority (aepd);Spain;20.07.20;40000;Iberia Lae SA Operadora Unipersonal;Yes;Iberia Lineas Aereas De España Sociedad Anonima Operadora;Spain;Aviation;5000000000;15755;Private;Yes;Art. 58 GDPR;Insufficient cooperation with supervisory authority;The company did not grant the data subject access to telephone records. The applicant's request for access did not receive a reply, despite the prior order of the AEPD.;https://www.aepd.es/es/documento/ps-00060-2020.pdf
347;Spanish Data Protection Authority (aepd);Spain;20.07.20;1500;Comercial Vigobrandy, SL;Yes;Comercial Vigobrandy SL;Spain;Restaurants, Cafes & Bars;NA;NA;Private;Yes;Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR;Insufficient fulfilment of information obligations;Installation of CCTV surveillance without adequate information by using a sign;https://www.aepd.es/es/documento/ps-00459-2019.pdf
348;Hellenic Data Protection Authority (HDPA);Greece;29.06.20;5000;New York College S.A.;Yes;"	Kolegio Nea Yorkh - New York College S.A.";Greece;Education;5500000;75;Private;Yes;Art. 5 GDPR;Non-compliance with general data processing principles;The College had contacted the complainant directly by telephone with regard to an educational programme and had processed personal data in a non-transparent manner.;http://www.dpa.gr/APDPXPortlets/htdocs/documentDisplay.jsp?docid=252,140,181,222,128,166,229,159
349;Spanish Data Protection Authority (aepd);Spain;20.07.20;80000;Orange Espagne S.A.U.;Yes;Orange SA;France;Telecommunications;37800000000;150711;Public;No;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The company had unlawfully activated several telephone line contracts using the personal data of a data subject. This constituted an unlawful processing operation, since the data of the data subject was entered into the company's database and processed there without a legitimate legal basis.;https://www.aepd.es/es/documento/ps-00452-2019.pdf
350;Spanish Data Protection Authority (aepd);Spain;20.07.20;70000;Xfera Moviles S.A.;Yes;Xfera Moviles Sau;Spain;Telecommunications;1500000000;473;Private;Yes;Art. 5 GDPR;Non-compliance with general data processing principles;A data subject had received a call from another Xfera Moviles customer who stated that the company had charged his bank account with an invoice, disclosing the personal details of the other data subject. This was due to an error on the part of Xfera Moviles and was therefore a violation of the principles of integrity and confidentiality.;https://www.aepd.es/es/documento/ps-000450-2019.pdf
351;Spanish Data Protection Authority (aepd);Spain;23.07.20;10000;El Periodico de Catalunya, S.L.U.;Yes;El Periodico De Catalunya Sl.;Spain;Newspapers & Publishing;39600000;200;Private;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;Following a request for erasure addressed to the company, the data subject received another newsletter from the newspaper, although El Periodico de Catalunya claimed to have granted the request. This was due to a failure of an external service provider of the company.;https://www.aepd.es/es/documento/ps-000422-2019.pdf
352;Spanish Data Protection Authority (aepd);Spain;23.07.20;55000;Telefonica Moviles Espana, SAU;Yes;Telefónica SA;Spain;Telecommunications;41600000000;112797;Public;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;Telefonica Moviles Espana has processed the personal data of a data subject, such as first and last name and bank details, in order to activate three telephone lines that were never requested. This constitutes a breach of the principle of lawfulness of the processing.;https://www.aepd.es/es/documento/ps-000114-2019.pdf
353;Spanish Data Protection Authority (aepd);Spain;23.07.20;70000;Telefonica Moviles Espana, SAU;Yes;Telefónica SA;Spain;Telecommunications;41600000000;112797;Public;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The data subject's account was debited for two telephone lines that he had never ordered or approved. This constituted unlawful processing of personal data, since the data subject's information was stored in the information systems of Telefonica Moviles Espana without a legal basis for invoicing.;https://www.aepd.es/es/documento/ps-00010-2020.pdf
354;Spanish Data Protection Authority (aepd);Spain;23.07.20;75000;Telefonica Moviles Espana, SAU;Yes;Telefónica SA;Spain;Telecommunications;41600000000;112797;Public;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The company had carried out the number porting of his telephone line from his current company without his consent. Personal data was transferred from the former telephone operator to Telefonica Moviles Espana in order to change the ownership of the telephone line without sufficient legal basis.;https://www.aepd.es/es/documento/ps-00014-2020.pdf
355;Spanish Data Protection Authority (aepd);Spain;23.07.20;5000;Xfera Moviles S.A.;Yes;Xfera Moviles Sau;Spain;Telecommunications;1500000000;473;Private;Yes;Art. 58 GDPR;Insufficient cooperation with supervisory authority;Following a complaint, Xfera Moviles was requested by the AEPD to submit certain information and documents, but did not do so within the provided time limit.;https://www.aepd.es/es/documento/ps-00115-2020.pdf
357;Belgian Data Protection Authority (APD);Belgium;14.07.20;5000;Operator of CCTV of a residential building;No;NA;NA;Services;NA;NA;NA;Yes;Art. 6 GDPR, Art. 7 GDPR;Insufficient legal basis for data processing;The operator of video cameras on a residential property had installed cameras there to monitor the shared area of  two blocks of flats. The data controller argued that the owners had given their consent to this by signing the notarised purchase contracts. However, the data protection authority had denied this after checking the contracts.;https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-36-2020.pdf
358;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;30.07.20;2000;SC Viva Credit IFN SA;Yes;SC Viva Credit IFN SA;Romania;Finance & Insurance;NA;100;Private;Yes;Art. 17 GDPR;Insufficient fulfilment of data subjects rights;The company had not informed the data subject within one month (or up to three months if a reason for the delay is given) of the measures taken following the request for deletion of data.;https://www.dataprotection.ro/index.jsp?page=Amenda_pentru_incalcarea_RGPD_Viva_Credit_IFN&lang=ro
359;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;30.07.20;2000;Romanian Post National Company;Yes;Compania Nationala Posta Romana Sa;Romania;Transportation & Logistics;238700000;22630;Private;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;Processing of personal data, namely the telephone numbers and e-mail addresses of 81 data subjects, by the Romanian Post as data controller, failing appropriate technical and organisational measures, such as pseudonymisation.;https://www.dataprotection.ro/index.jsp?page=Sanctiune_pentru_incalcarea_RGPD_Posta_Romana&lang=ro
360;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;27.07.20;5000;SC Cntar Tarom SA;Yes;Compania Nationala De Transporturi Aeriene Romane Tarom Sa;Romania;Aviation;253800000;1361;Private;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;Unauthorised disclosure of the data of five Tarom passengers due to inadequate technical and organisational measures for secure data processing. Among other things, the company was required to take corrective action, including training its employees and conducting risk assessment procedures.;https://www.dataprotection.ro/index.jsp?page=Sanctiune%20pentru%20incalcare%20RGPD%2027_07_20&lang=ro
361;Danish Data Protection Authority (Datatilsynet);Denmark;28.07.20;147800;Arp Hansen Hotel Group A/S;Yes;Arp-Hansen Hotel Group A/S;Denmark;Accommodation;161000000;750;Private;Yes;Art. 5 (1) e) GDPR;Non-compliance with general data processing principles;During an inspection, the supervisory authority reviewed a number of IT systems to examine whether Arp-Hansen had sufficient procedures in place to ensure that personal data were not kept longer than necessary for the purposes of collection. It was found that one of the reservation systems contained a large amount of personal data that should already have been deleted in accordance with the deletion deadlines set by Arp-Hansen itself.;https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2020/jul/arp-hansen-hotel-group-a/s-indstilles-til-boede
362;French Data Protection Authority (CNIL);France;05.08.20;250000;Spartoo;Yes;Spartoo SAS;France;E-Commerce;132000000;392;Public;Yes;Art. 5 (1) GDPR, Art. 13 GDPR, Art. 14 GDPR;Non-compliance with general data processing principles;A fine of EUR 250000 was imposed on the online retailer Spartoo. The reason for this was that the company, which has its headquarters in France but supplies a large number of European countries, fully recorded all telephone hotline conversations (including personal data such as address and bank details of orders) and in addition stored bank details partially unencrypted. Among other things, this represents a violation of the principle of data minimization. Furthermore, the supervisory authority also found a violation of the information obligations according to Art. 13 GDPR, as the company's data protection information was partially incorrect.;https://www.cnil.fr/fr/spartoo-sanction-de-250-000-euros-et-injonction-sous-astreinte-de-se-conformer-au-rgpd
363;Danish Data Protection Authority (Datatilsynet);Denmark;04.08.20;20100;PrivatBo A.M.B.A.;Yes;Privatbo, A.M.B.A. Af 1993;Denmark;Real Estate;1800000;35;Private;Yes;Art. 5 GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The company had distributed USB sticks to tenants in the context of a sale of real estate, which contained not only non-personal information on the real estate objects in question but also personal data of other persons such as lease agreements and other documents containing confidential personal data.;https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2020/aug/datatilsynet-indstiller-privatbo-til-boede
364;Spanish Data Protection Authority (aepd);Spain;06.08.20;3000;GROW BEATS SL;Yes;GROW BEATS SL;Spain;E-Commerce;NA;NA;Private;Yes;Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR;Insufficient fulfilment of information obligations;The company had published a cookie policy on its website, which on the one hand contained no information about the purpose of the use of cookies and on the other hand no information about the properties of the installed cookies and the time period for which they remain active in the end user's terminal equipment.;https://www.aepd.es/es/documento/ps-00092-2020.pdf
365;Spanish Data Protection Authority (aepd);Spain;04.08.20;60000;Vodafone Espana, SAU;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The data subject received confirmation from Vodafone of a number porting, which the latter had never commissioned.;https://www.aepd.es/es/documento/ps-00009-2020.pdf
366;Italian Data Protection Authority (Garante);Italy;10.08.20;10000;Cavauto S.R.L.;Yes;Cavauto Srl;Italy;Retail & Trade;13300000;22;Private;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 7 GDPR;Insufficient legal basis for data processing;Access to personal data of a former employee (containing his browser history) on his work computer.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9446730
367;Italian Data Protection Authority (Garante);Italy;10.08.20;10000;Community of Baronissi;Yes;Baronissi Comune;Italy;Politics & Government;NA;NA;Other;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The community published on its website personal data of data subjects including names, birth dates, place of birth, place of residence, etc.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9446659
368;Italian Data Protection Authority (Garante);Italy;06.08.20;3000;GTL S.R.L.;Yes;Gruppo Tessile Lombardo Gtl Srl;Italy;Industrial;1800000;9;Private;Yes;Art. 12 GDPR, Art. 15 GDPR;Insufficient fulfilment of data subjects rights;Failure to graint access to personal data of a data subject according to Art. 15 GDPR.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9445710
369;Spanish Data Protection Authority (aepd);Spain;06.08.20;3000;Just Landed S.L.;Yes;Just Landed S.L.;Spain;IT Services;NA;25;Private;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;Just Landed was fined with EUR 3000 for insufficient cookie information according to national data protection laws and at the same time warned due to insufficient fulfilment of information obligations according to Art. 13 GDPR (privacy policy only in English language).;https://www.aepd.es/es/documento/ps-00036-2020.pdf
370;Deputy Data Protection Ombudsman;Finland;05.08.20;7000;Acc Consulting Varsinais-Suomi;Yes;"	Accountor Consulting Oy";Finland;Services;8400000;108;Private;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;Unsolicited marketing SMS without prior consent;https://tietosuoja.fi/-/yritykselle-seuraamusmaksu-sahkoisen-suoramarkkinoinnin-harjoittamisesta-ilman-ennalta-annettua-suostumusta-ja-rekisteroidyn-oikeuksien-laiminlyonnista
371;Spanish Data Protection Authority (aepd);Spain;05.08.20;3000;Restaurant;No;NA;NA;Restaurants, Cafes & Bars;NA;NA;NA;Yes;Art. 5 (1) c) GDPR, Art. 12 GDPR, Art. 13 GDPR;Non-compliance with general data processing principles;Installation of CCTV surveillance cameras that were also monitoring the public space and without proper information.;https://www.aepd.es/es/documento/ps-00479-2019.pdf
372;Austrian Data Protection Authority (dsb);Austria;05.08.20;100;Bank;No;NA;NA;Banks;NA;NA;NA;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;A bank employee made a copy of the identity card of a bank client who wanted to exchange EUR 100 in foreign currency and justified this with money laundering charges. However, these only apply to a sum of EUR 1000 and above.;https://www.dsb.gv.at/documents/22758/115212/Newsletter_DSB_3_2020.pdf/90579856-6cb5-4206-823a-cacc724cf94e
373;Italian Data Protection Authority (Garante);Italy;05.08.20;2000;School;No;NA;NA;Education;NA;NA;NA;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;Placing personal data of pupils on a public notice board.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9445324
374;Italian Data Protection Authority (Garante);Italy;04.08.20;15000;Mapei S.p.A.;Yes;Mapei Spa;Italy;Chemicals;489700000;1567;Private;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 15 GDPR, Art. 17 GDPR;Insufficient legal basis for data processing;The company had left the e-mail account of the data subject active even after the termination of his employment and had automatically forwarded incoming e-mails. The company did not provide sufficient information about this. In addition, the company did not react to claims for access and erasure.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9445180
375;Italian Data Protection Authority (Garante);Italy;04.08.20;5000;National Institute for Social Security - Department of the Province of Brescia;Yes;National Institute for Social Security - Department of the Province of Brescia;Italy;Politics & Government;NA;NA;Other;Yes;Art. 15 GDPR;Insufficient fulfilment of data subjects rights;Failure to graint access to personal health data of a data subject according to Art. 15 GDPR.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9445550
376;Italian Data Protection Authority (Garante);Italy;04.08.20;1000;Supermarket;No;NA;NA;Retail & Trade;NA;NA;NA;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The operator of a supermarket displayed the letter of dismissal to the personnel manager on the publicly visible notice board of the supermarket.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9445567
377;Italian Data Protection Authority (Garante);Italy;30.07.20;2000;Community of Manduria;Yes;Comune Di Manduria;Italy;Politics & Government;5500000;96;Other;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The community transmitted personal data of a community employee to the press without sufficient legal basis.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9440000
378;Italian Data Protection Authority (Garante);Italy;29.07.20;3000;Community of San Giorgio Jonico;Yes;San Giorgio Jonico Comune;Italy;Politics & Government;NA;NA;Other;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;Publication of personal data on the municipal website with regard to legal proceedings.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9361186
379;Italian Data Protection Authority (Garante);Italy;29.07.20;4000;Region of Campania;Yes;Consiglio Regionale Della Campania;Italy;Politics & Government;52000000;1000;Other;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;Publication of an enforcement order in civil proceedings on the Region's website. The document listed the names and place of residence and the amount of the claim.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9440075
380;Belgian Data Protection Authority (APD);Belgium;28.07.20;3000;Communal political association;No;NA;NA;Politics & Government;NA;NA;Other;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 14 GDPR;Insufficient legal basis for data processing;A local political association has sent out election advertisements to the residents of the municipality for the local elections in 2018. For this purpose, the association used the electoral roll from 2012 and compared it with that of 2018, without a sufficient legal basis and without appropriate information in accordance with Art. 14 GDPR.;https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-39-2020.pdf
381;Polish National Personal Data Protection Office (UODO);Poland;15.07.20;22300;Office for geodesy and cartography;No;NA;NA;Politics & Government;NA;NA;Other;Yes;Art. 31 GDPR, Art. 58 GDPR;Insufficient cooperation with supervisory authority;Refusal of access to the premises by the supervisory authority in the course of an audit.;https://uodo.gov.pl/decyzje/DKE.561.3.2020
382;Spanish Data Protection Authority (aepd);Spain;31.07.20;45000;Vodafone Espana SAU;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;Unlawfull processing of a telephone number for marketing purposes even after the data subject had exercised its right to erasure;https://www.aepd.es/es/documento/ps-00168-2020.pdf
383;Spanish Data Protection Authority (aepd);Spain;17.08.20;5000;Party of the Socialists of Catalonia;Yes;Partit dels Socialistes de Catalunya;Spain;Politics & Government;NA;NA;Other;Yes;Art. 5 (1) b) GDPR;Non-compliance with general data processing principles;The Socialist Party of Catalonia has used the personal data provided by a professional doctor to send a letter to the complainant's relative asking for political support. This constitutes a different purpose from the original purpose of the collection and therefore violates the principle of purpose limitation.;https://www.aepd.es/es/documento/ps-00449-2019.pdf
385;Spanish Data Protection Authority (aepd);Spain;28.08.20;50000;Bankia S.A.;Yes;Bankia SA;Spain;Banks;3500000000;15950;Public;Yes;Art. 5 (1) b) GDPR;Non-compliance with general data processing principles;The bank kept personal data of a data subject for several years, even after the data subject was no longer a customer. The data was also accessible to bank employees during this time. This constituted a violation of the principle of purpose limitation.;https://www.aepd.es/es/documento/ps-00076-2020.pdf
387;Polish National Personal Data Protection Office (UODO);Poland;31.08.20;22700;Surveyor General of Poland ('GKK');Yes;Surveyor General of Poland (GKK);Poland;Politics & Government;NA;NA;Other;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;Processing of personal data on the GEOPORTAL2 platform in the form of land and mortgage registers (including names, surnames and other personal data) without sufficient legal basis.;https://uodo.gov.pl/decyzje/DKN.5112.13.2020
388;Spanish Data Protection Authority (aepd);Spain;31.07.20;1500;Tour & People Max S.L.;Yes;Tour&People Max Sl.;Spain;Services;7800000;2;Private;Yes;Art. 21 GDPR;Insufficient fulfilment of data subjects rights;Unsolicited marketing calls though data subjects had expressed their objection to data processing. In addition to the GDPR, this was also seen as a violation of Article 48(1)(b) of General Law 9/2014 (Spanish national law).;https://www.aepd.es/es/documento/ps-00031-2020.pdf
389;Spanish Data Protection Authority (aepd);Spain;01.09.20;75000;Telefonica Moviles Espana, SAU;Yes;Telefónica SA;Spain;Telecommunications;41600000000;112797;Public;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;According to the supervisory authority, the company processed personal data without sufficient legal basis, with the result that the data subject received several hundred unsolicited calls and SMS messages.;https://www.aepd.es/es/documento/ps-00198-2020.pdf
390;Spanish Data Protection Authority (aepd);Spain;07.09.20;3000;Barcelona Airport Security Guard Association ('AVSAB');Yes;"	Aena S.M.E. SA";Spain;Aviation;1900000000;8771;Public;Yes;Art. 5 (1) f) GDPR;Non-compliance with general data processing principles;A member of the AVSAB security committee used WhatsApp to send messages to private phone numbers containing personal information about employees. This was a violation of the confidentiality principle that, according to the AEPD, must be respected not only by the data controller, but also by any other subject involved in any phase of the processing.;https://www.aepd.es/es/documento/ps-00188-2020.pdf
391;Italian Data Protection Authority (Garante);Italy;02.07.20;15000;Mapei S.p.A.;Yes;Mapei Spa;Italy;Chemicals;489700000;1567;Private;Yes;Art. 5 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 15 GDPR;Insufficient fulfilment of data subjects rights;Mapei failed to respond to the request for access to personal data of the data subject. In addition, Mapei had left the e-mail account of the person concerned active even after the termination of the contract.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9445180
392;Polish National Personal Data Protection Office (UODO);Poland;08.09.20;11200;Warsaw University of Life Sciences;Yes;Szkola Glówna Gospodarstwa Wiejskiego W Warszawie;Poland;Education;90400000;2000;Private;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;Theft of a private notebook belonging to a university employee who also used this device for business purposes and on which personal data of candidates for study at SGGW was contained for recruitment activities.;https://www.uodo.gov.pl/decyzje/ZSO%C5%9AS.421.25.2019
393;Hellenic Data Protection Authority (HDPA);Greece;03.08.20;3000;Candidate for parliamentary elections;No;NA;NA;Politics & Government;NA;NA;Other;Yes;Art. 15 GDPR;Insufficient fulfilment of data subjects rights;The data subject received telephone calls regarding a candidacy for parliamentary elections. When the data subject made use of its right to access according to Art. 15 GDPR, it did not receive any such information.;https://www.dpa.gr/portal/page?_pageid=33,15048&_dad=portal&_schema=PORTAL
394;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;23.07.20;560;Forbes Hungary;Yes;Macandrews & Forbes Incorporated;United States;Newspapers & Publishing;11400000000;60637;Private;No;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;Fine imposed on Forbes Hungary for publishing a list of the 50 wealthiest Hungarians and a list of the largest family businesses without a sufficient balance of interests (Art. 6 (1) f) GDPR).;https://www.naih.hu/files/NAIH-2020-1154-9-hatarozat.pdf
395;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;01.09.20;500;Apartment building owners association;No;NA;NA;NA;NA;NA;Other;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 25 GDPR, Art. 32 GDPR;Insufficient legal basis for data processing;Export of a still image from a video surveillance system and posting of the image on the billboard of the building without sufficient legal basis. In addition, violation of the information obligations under Art. 12, 13 GDPR and violation of Art. 25 and 32 GDPR, because no sufficient information about the CCTV was given and because no sufficient technical and organizational security measures were taken to protect the personal data collected by the video surveillance system.;https://www.dataprotection.ro/?page=Comunicat_Presa_01_09_2020&lang=ro
396;Spanish Data Protection Authority (aepd);Spain;17.09.20;60000;Vodafone Espana, SAU;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;A former customer had received e-mails containing electronic bills even after he had terminated his contract with the company resulting in a processing of personal data without sufficient legal basis.;https://www.aepd.es/es/documento/ps-00186-2020.pdf
397;Spanish Data Protection Authority (aepd);Spain;17.09.20;3000;Grupo Carolizan;Yes;Grupo Carolizan SL;Spain;Accommodation;NA;NA;Private;Yes;Art. 5 GDPR;Non-compliance with general data processing principles;Operation of CCTV camera systems in an arcade area in front of a building, i.e. also covering public space. This violated the principles of data minimization, as the surveillance cameras could have been operated in a way that would not have affected the public space.;https://www.aepd.es/es/documento/ps-00311-2019.pdf
398;Spanish Data Protection Authority (aepd);Spain;16.09.20;10000;Property owners community;No;NA;NA;NA;NA;NA;Other;Yes;Art. 5 GDPR;Non-compliance with general data processing principles;Publication of a document containing personal data (information about identity of the data subject as well as about debts) on a community notice billboard.;https://www.aepd.es/es/documento/ps-00034-2020.pdf
399;Spanish Data Protection Authority (aepd);Spain;11.09.20;1500;Political Party;No;NA;NA;Politics & Government;NA;NA;Other;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;Sending of an e-mail to a former party member who had since resigned, with the request to act as an election representative without sufficient legal basis to process the personal data required for this purpose;https://www.aepd.es/es/documento/ps-00051-2020.pdf
401;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;08.09.20;2000;Sanatatea Press Group S.R.L.;Yes;Sănătatea Press Group S.R.L.;Romania;Services;NA;25;Private;Yes;Art. 5 (1) f) GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;Sending the personal data collected for the registration for an online course to other participants due to a technical failure.;https://www.dataprotection.ro/?page=Comunicat_Presa_08_/_09_/_20&lang=ro
402;Italian Data Protection Authority (Garante);Italy;07.09.20;2000;Istituto Comprensivo Statale Crucoli Torretta;Yes;Istituto Comprensivo Crucoli Torretta;Italy;Education;NA;NA;Other;Yes;Art. 5 (1) f) GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;Publication of personal data of students on the website of the Institute with, inter alia, notes about health and progress in school due to technical failure.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9451734
403;Belgian Data Protection Authority (APD);Belgium;07.09.20;5000;Former mayor of a community;No;NA;NA;Politics & Government;NA;NA;Other;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;Originial fine summary: Sending election advertising to citizens without sufficient legal basis. Update: On January 27th, 2021, the Brussels Court of Appeal overturned the fine of EUR 5,000.;https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-53-2020.pdf
404;Spanish Data Protection Authority (aepd);Spain;22.09.20;60000;GLP Instalaciones 86, SL;Yes;GLP Instalaciones 86, SL;Spain;Building Construction;NA;NA;Private;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;In order to obtain assistance for the installation of an air conditioning system, the data subject had contacted Naturgy Energy Group S.A. Subsequently, he was contacted by two different companies, one of which was GLP Instalaciones 86, who pretended to be Naturgy employees. Naturgy denied this and claimed that the companies were neither authorized installers nor employees of Naturgy resulting in the processing of personal data of the data subject, including his/her name, surname, telephone number, bank details and e-mail, without a valid legal basis.;https://www.aepd.es/es/documento/ps-00079-2020.pdf
405;Data Protection Authority of Hamburg;Germany;01.10.20;35258708;H&M Hennes & Mauritz Online Shop A.B. & Co. KG;Yes;H & M Hennes & Mauritz Gbc Ab;Sweden;Wholesale;12400000000;5000;Private;No;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The fashion company with seat in Hamburg operates a service center in Nuremberg. Here, according to the findings of the Hamburg data protection officer, since at least 2014 private life circumstances of some of the employees have been comprehensively recorded and this information stored on a network drive. For example, the company conducted a 'Welcome Back Talk' after employees returned to work after vacation or illness. The information that became known in this context - including information on the symptoms of illness and diagnoses of the employees - was recorded and stored. In addition, according to the Hamburg data protection authority, some supervisors also used the 'Flurfunk' [meaning to hear something through the grapevine] to acquire a broad knowledge of individual employees, for example about family problems and religious beliefs. The information stored on the network drive was accessible to up to 50 managers of the company and was used, among other things, to evaluate the work performance of the employees and to make employment decisions.The data collection became known due to a technical configuration error in October 2019, according to which the data stored on the network drive was accessible company-wide for several hours. After the violation became known, the management apologized to the employees and offered monetary compensation. In addition, also further protective measures were introduced together with the data protection authority. [Note: Concrete legal basis of the fine not yet published - we assume this will mainly be Art. 5 and 6 GDPR];https://datenschutz-hamburg.de/pressemitteilungen/2020/10/2020-10-01-h-m-verfahren
406;Italian Data Protection Authority (Garante);Italy;30.09.20;80000;Azienda Ospedaliera di Rilievo Nazionale 'Antonio Cardarelli' (Private Hospital);Yes;Azienda Ospedaliera Di Rilievo Nazionale Antonio Cardarelli;Italy;Hospitals;3200000;3920;Private;Yes;Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 28 GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;According to the data protection authority, personal information about participants in a public competition had been unlawfully disclosed online. The reason for this was that, due to a configuration error, a list of the codes assigned to the candidates was temporarily accessible on the platform, which allowed access to the documents submitted by the candidates with their personal data. This was a violation of the principle of protection of information security. In addition, the data protection authority found that the information obligations were also not complied with and that the hospital had also not provided a sufficient data processing agreement with the data processor [which was also fined, see fine for 'Scanshare'] in accordance with Art. 28 GDPR.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9461168
407;Italian Data Protection Authority (Garante);Italy;30.09.20;60000;Scanshare s.r.l.;Yes;Scanshare s.r.l.;Italy;IT Services;425451;9;Private;Yes;Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;According to the data protection authority, personal information about participants in a public competition had been unlawfully disclosed online. The reason for this was that, due to a configuration error, a list of the codes assigned to the candidates was temporarily accessible on the platform, which allowed access to the documents submitted by the candidates with their personal data. This was a violation of the principle of protection of information security for which Scanshare - which was the processor of the data on behalf of the controller 'Azienda Ospedaliera di Rilievo Nazionale 'Antonio Cardarelli'' (a private hospital) - had been fined with EUR 60.000. [Also see the main fine on the hospital!];https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9461321
408;Spanish Data Protection Authority (aepd);Spain;25.09.20;60000;Xfera Moviles S.A.;Yes;Xfera Moviles Sau;Spain;Telecommunications;1500000000;473;Private;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;Failure to remove the data subject's personal data at the time of cancellation of his/her telephone services contract and sending a warning to the data subject after cancellation resulting in the processing of his/her personal data without sufficient legal basis.;https://www.aepd.es/es/documento/ps-00024-2020.pdf
409;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;16.07.20;28;Google Ireland Ltd.;Yes;Google LLC;United States;IT Services;66000000000;139995;Public;No;Art. 12 GDPR, Art. 15 GDPR;Insufficient fulfilment of data subjects rights;Failure to respond to a data subjects request to access information (Art. 15 GDPR - here: about data processed in the context of Google AdWords) in due time.;https://www.naih.hu/files/NAIH-2020-5553-hatarozat.pdf
411;Spanish Data Protection Authority (aepd);Spain;06.10.20;60000;Lycamobile;Yes;Lycamobile Uk Limited;United Kingdom;Telecommunications;176300000;60;Private;No;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;Fine for processing of personal data without sufficient legal basis due to incorrect information about the owners of prepaid phone cards (mismatch between the registered owners in the company's business register and the actual owners of the cards).;https://www.aepd.es/es/documento/ps-00069-2020.pdf
412;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;01.10.20;3000;Megareduceri TV S.R.L.;Yes;Megareduceri TV S.R.L.;Romania;E-Commerce;1045814;6;Private;Yes;Art. 31 GDPR, Art. 58 GDPR;Insufficient cooperation with supervisory authority;Fine for failure to comply with an order of the supervisory authority.;https://www.dataprotection.ro/?page=Comunicat_Presa_01_/_10_/_2020&lang=ro
413;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;01.10.20;2000;Asociatia de proprietari Militari R;Yes;NA;NA;NA;NA;NA;NA;Yes;Art. 31 GDPR, Art. 58 GDPR;Insufficient cooperation with supervisory authority;Fine for failure to comply with an order of the supervisory authority.;https://www.dataprotection.ro/?page=Comunicat_Presa_01_/_10_/_2020&lang=ro
414;Spanish Data Protection Authority (aepd);Spain;30.09.20;3000;Venu Sanz Chef, S.L.;Yes;Venu Sanz Chef, S.L.;Spain;Services;NA;2;Private;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;Use of personal data for advertising purposes without sufficient legal basis.;https://www.aepd.es/es/documento/ps-00249-2020.pdf
415;Spanish Data Protection Authority (aepd);Spain;09.10.20;900;Cafe Restaurante B.B.B;Yes;Cafe Restaurante B.B.B;Spain;Restaurants, Cafes & Bars;NA;NA;Private;Yes;Art. 5 (1) c) GDPR;Non-compliance with general data processing principles;The cafe used CCTV cameras which also captured the public space outside resulting in a violation of the so called principle of data minimisation.;https://www.aepd.es/es/documento/ps-00035-2020.pdf
416;Norwegian Supervisory Authority (Datatilsynet);Norway;25.09.20;13900;Odin Flissenter AS;Yes;Odin Flissenter As;Norway;Retail & Trade;2600000;8;Private;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The company assessed the credibility of another company and thereby, according to Datatilsynet, processed personal data relating to a natural person (the owner of the company assessed) without there being a sufficient legal basis for doing so.;https://www.datatilsynet.no/contentassets/44c6c9df0ee64fdc9f704f8ca930d4ce/vedtak-om-otg-odin-flissenter.pdf
418;Spanish Data Protection Authority (aepd);Spain;09.10.20;50000;Centro de Investigacion y Estudio para la Obesidad, SL;Yes;Centro De Investigacion Y Estudio De La Obesidad Sl.;Spain;Science & Research;3200000;19;Private;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;Fines for the transfer of the data subject's personal data to Evo Finance EFC, SA in the course of processing a health insurance application, without a sufficient legal basis for the transfer of data, as the medical treatment in question has never been carried out.;https://www.aepd.es/es/documento/ps-00206-2019.pdf
419;Spanish Data Protection Authority (aepd);Spain;09.10.20;5000;Caja Rural San Jose de Nules S. Cooperativa de Credito;Yes;Coop De Credito Caja Rural San Jose De Nules;Spain;Banks;5100000;23;Private;Yes;Art. 5 (1) f) GDPR;Non-compliance with general data processing principles;The company published information with the names and surnames of its employees, which led to the disclosure of the data subject's financial situation.;https://www.aepd.es/es/documento/ps-00058-2019.pdf
420;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;15.10.20;3000;S.C. Marsorom S.R.L.;Yes;Marsorom Srl;Romania;Retail & Trade;25800000;91;Private;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;Disclosure of personal data of customers on the companies website due to inadequate technical and organisational measures to ensure information security.;https://www.dataprotection.ro/?page=Amenda_pentru_incalcarea_RGPD_15_/_10_/_2020&lang=ro
421;Cypriot Data Protection Commissioner;Cyprus;19.10.20;1000;Grant Ideas Ltd;Yes;Grant Ideas Ltd;Cyprus;NA;NA;NA;Private;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;Sending emails to data subjects without sufficient legal basis.;http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/All/B64595978C98EFCEC2258606003EC47E?OpenDocument
422;Cypriot Data Protection Commissioner;Cyprus;19.10.20;15000;Bank of Cyprus Public Company Ltd;Yes;Bank of Cyprus;Cyprus;Banks;765110000;6334;Public;Yes;Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 15 GDPR, Art. 32 GDPR, Art. 33 GDPR;Insufficient technical and organisational measures to ensure information security;The data subject made a claim for access to information according to Art. 15 GDPR, which could not be answered, since the insurance contract of the data subject could not be found and has been lost. This constituted a violation of the rights of the data subject under Art. 15 GDPR as well as a violation of the obligations to protect personal data according to Art. 5 (1) f) GDPR and Art. 32 GDPR. In addition, the Data Breach Notification Obligations pursuant to Art. 33 f. GDPR have also been violated, as the data subject was not informed about the security incident in due time.;http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/All/B64595978C98EFCEC2258606003EC47E?OpenDocument
423;Spanish Data Protection Authority (aepd);Spain;03.10.20;3000;Avata Hispania, S.L.;Yes;Avata Hispania, S.L.;Spain;Services;50002;NA;Private;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 28 (3) g) GDPR;Insufficient legal basis for data processing;Infringement of Art. 28 (3) g) GDPR, since personal data were further processed after the controller had terminated the contractual relationship with the processor.;https://www.aepd.es/es/documento/ps-00245-2020.pdf
424;Spanish Data Protection Authority (aepd);Spain;06.10.20;4000;Callesgarcia, S.L.;Yes;Callesgarcia, S.L.;Spain;NA;NA;NA;Private;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;Usage of a photo of the data subjects for commercial purposes without sufficient legal basis.;https://www.aepd.es/es/documento/ps-00028-2020.pdf
425;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;20.10.20;2000;Globus Score SRL;Yes;Globus Score SRL;Romania;Advertising & Marketing;198066;2;Private;Yes;Art. 58 GDPR;Insufficient cooperation with supervisory authority;The company had not provided the ANSPDCP with requested information.;https://www.dataprotection.ro/index.jsp?page=Alta_amenda_pentru_incalcarea_RGPD_oct_2020&lang=ro
426;Spanish Data Protection Authority (aepd);Spain;22.09.20;7800;Iweb Internet Learning, S.L.;Yes;"	Iweb Internet Learning, SL";Spain;IT Services;NA;NA;Private;Yes;Art. 7 GDPR, Art. 12 GDPR, Art. 13 GDPR;Insufficient fulfilment of information obligations;Lack of information in the privacy policy (information on the data controller) as well as inadequate obtaining of consent, as only a general consent could be given without distinguishing between different data processing purposes.;https://www.aepd.es/es/documento/ps-00234-2020.pdf
427;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;23.07.20;1700;Employer;No;NA;NA;NA;NA;NA;NA;Yes;Art. 12 GDPR, Art. 15 GDPR, Art. 17 GDPR;Insufficient fulfilment of data subjects rights;Failure to change the private address of an employee to his new address and to delete the old address as well as insufficient enabling of the employer to exercise his/her rights.;https://www.naih.hu/files/NAIH-2020-193-hatarozat.pdf
428;Italian Data Protection Authority (Garante);Italy;03.09.20;2000;Comune di Casaloldo;Yes;Casaloldo Comune;Italy;Politics & Government;NA;NA;Other;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;Publication of personal data on the website of the community.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9468523
429;Lithuanian Data Protection Authority (VDAI);Lithuania;21.10.20;15000;Vilnius City Municipality Administration;Yes;Vilnius City;Lithuania;Politics & Government;NA;NA;Other;Yes;Art. 5 (1) d) GDPR, Art. 5 (1) f) GDPR;Non-compliance with general data processing principles;During the data synchronization of the Population Information System of the Municipal Administration with the databases of the State Centre for Business Registers, the personal data of an applicant for the fostering of an adopted child was replaced, due to an error, with the personal data of the biological parents, which were subsequently accessible in the Population Register of the Republic of Lithuania. This constituted a violation of the principles of integrity and confidentiality of personal data processing (Art. 5 (1) f) GDPR) and a violation of the principle of accuracy.;https://vdai.lrv.lt/lt/naujienos/pagal-bendraji-duomenu-apsaugos-reglamenta-skirta-bauda-del-netinkamai-tvarkomu-ivaikinto-vaiko-tevu-asmens-duomenu
430;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;23.10.20;54800;Deichmann Cipokereskedelmi Korlatolt Felelossegu Tarsasagnak;Yes;Deichmann SE;Germany;Retail & Trade;2200000000;5944;Private;No;Art. 12 GDPR, Art. 15 GDPR, Art. 18 (1) c) GDPR, Art. 25 GDPR;Insufficient fulfilment of data subjects rights;The data controller denied the data subject access to the video material recorded by CCTV in a local store, with which the data subject wanted to prove that he or she had not received any money back after paying in the store. The company not only denied the data subject access to the data according to Art. 15 GDPR (with the argument that this would require an official order), but also deleted the video recordings after a certain period of time, although the data subject had requested the company to not delete the data in advance according to Art. 18 (1) c) GDPR.;https://www.naih.hu/files/NAIH-2020-2204-8-hatarozat.pdf
431;Spanish Data Protection Authority (aepd);Spain;28.10.20;36000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;Processing of personal data of a data subject without sufficient legal basis due to errors in the correct assignment of customer contracts.;https://www.aepd.es/es/documento/ps-00303-2020.pdf
432;Cypriot Data Protection Commissioner;Cyprus;22.10.20;6000;Cyprus Police;Yes;Cyprus Police;Cyprus;Politics & Government;NA;4927;Other;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;A police officer had unauthorized access to a database holding personal data about vehicle owners and used the database for non-official purposes to pass information from the database to a third party. In this respect, the organizational and technical measures taken by the police to prevent unauthorized access to the database were insufficient to prevent the unauthorized disclosure of personal data to third parties.;http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/all/B64595978C98EFCEC2258606003EC47E/$file/%CE%A0%CE%95%CE%A1%CE%99%CE%9B%CE%97%CE%A8%CE%97%20%CE%91%CE%A0%CE%9F%CE%A6%CE%91%CE%A3%CE%97%CE%A3%20%CE%91%CE%A3%CE%A4%CE%A5%CE%9D%CE%9F%CE%9C%CE%99%CE%91%CE%A3%2068-2017.pdf?openelement
433;Italian Data Protection Authority (Garante);Italy;26.10.20;20000;Universita Campus Bio-medico di Roma (Polyclinic);Yes;Universita' Campus Bio-Medico Di Roma;Italy;Hospitals;83300000;1550;Other;Yes;Art. 5 (2) a), f) GDPR, Art. 9 GDPR;Non-compliance with general data processing principles;In a data breach notification pursuant to Art. 33 GDPR, the data protection authority found that patients accessing their online medical reports via their smartphones could also access personal health data of 74 other patients. According to the polyclinic, the reason for this was a human error in the integration of two IT systems.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9469345
434;Spanish Data Protection Authority (aepd);Spain;28.10.20;4000;Play Orenes, S.L.;Yes;"	Play Orenes Sl";Spain;Sports, Fitness & Recreation;113600000;492;Private;Yes;Art. 5 (1) c) GDPR;Non-compliance with general data processing principles;The company used CCTV cameras outside its premises which also captured the public space resulting in a violation of the principle of data minimisation.;https://www.aepd.es/es/documento/ps-00003-2020.pdf
435;Spanish Data Protection Authority (aepd);Spain;03.11.20;30000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;Processing of personal data of a data subject without sufficient legal basis due to errors in the correct assignment of customer contracts. In this case, Vodafone demanded a debt from a data subject due to a mixing up of customers.;https://www.aepd.es/es/documento/ps-00341-2020.pdf
436;Spanish Data Protection Authority (aepd);Spain;05.11.20;75000;Telefonica Moviles Espana, S.A.U.;Yes;Telefónica SA;Spain;Telecommunications;41600000000;112797;Public;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;Processing of personal data of the data subject without sufficient legal basis. The company had issued several invoices to the data subject and collected invoice amounts from his bank account without him being a customer of the company. Complaints against the company by the data subject remained unsuccessful.;https://www.aepd.es/es/documento/ps-00182-2020.pdf
437;Spanish Data Protection Authority (aepd);Spain;19.11.20;36000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;Processing of personal data of a data subject without sufficient legal basis. The company had sent an invoice to a data subject without being able to prove that it had a contract with the data subject.;https://www.aepd.es/es/documento/ps-00308-2020.pdf
438;Italian Data Protection Authority (Garante);Italy;12.11.20;12251601;Vodafone Italia S.p.A.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 5 (1), (2) GDPR, Art. 6 (1) GDPR, Art. 7 GDPR, Art. 15 (1) GDPR, Art. 16 GDPR, Art. 21 GDPR, Art. 24 GDPR, Art. 25 (1) GDPR, Art. 32 GDPR, Art. 33 GDPR;Non-compliance with general data processing principles;The company was fined EUR 12,251,601 for unlawfully processing personal data of millions of customers for telemarketing purposes. The proceedings were preceded by hundreds of complaints from data subjects about unsolicited telephone calls, which led to an investigation by the data protection authority. This investigation revealed several violations of the data protection law, including the violation of consent requirements and the violation of general data protection obligations such as accountability. One of the main criticisms made by the Data Protection Agency was the use of fake numbers to make promotional calls by the contracted call centers (i.e. phone numbers not registered with the National Consolidated Registry of Communication Operators). Furthermore, further violations could be found in the handling of contact lists purchased from external providers. Finally, security measures for the management of customer data were also considered inadequate.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9485681
439;Spanish Data Protection Authority (aepd);Spain;06.11.20;20000;Xfera Moviles S.A.;Yes;Xfera Moviles Sau;Spain;Telecommunications;1500000000;473;Private;Yes;Art. 31 GDPR;Insufficient legal basis for data processing;Xfera Moviles had failed to cooperate with the AEPD in the investigation of privacy violations. Xfera Moviles had neither responded to the request for information nor provided any required documentation.;https://www.aepd.es/es/documento/ps-00365-2019.pdf
440;Information Commissioner (ICO);United Kingdom;13.11.20;1405000;Ticketmaster UK Limited;Yes;Ticketmaster Uk Limited;United Kingdom;E-Commerce;130000000;760;Private;Yes;Art. 5 (1) f) GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;Ticketmaster UK Limited has been fined GBP 1.25 million (approximately EUR 1.405 million) for failing to protect the personal data of its customers with adequate security measures. Potentially 9.4 million European customers could have been affected by a cyber attack between February 2018 and June 23, 2018 due to the use of an insufficiently secured chat bot hosted by a third party in its online payment site which allowed an attacker to gain access to customers' financial information. According to the Data Protection Agency, personal data such as names, full payment card numbers, Ticketmaster usernames and passwords, expiration dates and Card Verification Value (CVV) numbers were affected. The DPA also found that 60,000 payment cards belonging to Barclays Bank customers were subject to fraud, and several international banks also reported fraudulent activity to Ticketmaster.;https://ico.org.uk/media/action-weve-taken/2618609/ticketmaster-uk-limited-mpn.pdf
441;Spanish Data Protection Authority (aepd);Spain;10.11.20;3000;Miguel Ibanez Bezanilla, S.L.;Yes;Miguel Ibanez Bezanilla, S.L.;Spain;IT Services;NA;NA;Private;Yes;Art. 13 GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The company's website (license plate seller) requested personal information such as first and last name, copy of ID card and driver's license, and the car's VIN number, but offered neither an encrypted transport protocol ('link instead of 'link nor an updated data processing policy in accordance with the GDPR.;https://www.aepd.es/es/documento/ps-00185-2020.pdf
442;Spanish Data Protection Authority (aepd);Spain;26.10.20;4000;Organic Natur 03 S.L.;Yes;Organic And Natur 03 Sl.;Spain;Retail & Trade;NA;NA;Private;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;Use of a membership contract containing pre-defined privacy clauses, which prevents effective negotiation and the express consent of the signing client.;https://www.aepd.es/es/documento/ps-00247-2020.pdf
443;Spanish Data Protection Authority (aepd);Spain;26.10.20;50000;Conseguridad SL;Yes;Conseguridad SL;Spain;Services;NA;NA;Private;Yes;Art. 37 GDPR;Insufficient involvement of data protection officer;The company (private security company for video surveillance systems) did not have a data protection officer in breach of Art. 37 GDPR.;https://www.aepd.es/es/documento/ps-00251-2020.pdf
444;Spanish Data Protection Authority (aepd);Spain;11.11.20;42000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The company ported a telephone number of the data subject without their consent (missing signature on the porting contract).;https://www.aepd.es/es/documento/ps-00348-2020.pdf
445;Spanish Data Protection Authority (aepd);Spain;16.11.20;1600;Homeowners Association;No;NA;NA;NA;NA;NA;Other;Yes;Art. 5 (1) c) GDPR;Non-compliance with general data processing principles;Usage of CCTV camera systems that were also monitoring public space (breach of principle of data minimization).;https://www.aepd.es/es/documento/ps-00353-2019.pdf
446;Spanish Data Protection Authority (aepd);Spain;16.11.20;42000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;In 2019, after an arbitration procedure, the company agreed to the early termination of a contract with the data subject and to the deletion of the personal data concerned. Nevertheless, the data subject continued to receive e-mails from the company, which constituted processing of personal data without a sufficient legal basis.;https://www.aepd.es/es/documento/ps-00356-2020.pdf
447;Italian Data Protection Authority (Garante);Italy;17.11.20;30000;Provincial Health Authority of Cosenza;Yes;"	Comune Di Cosenza";Italy;Politics & Government;66700000;1200;Other;Yes;Art. 9 GDPR;Insufficient legal basis for data processing;Publication of personal data (including first and last name, address, tax ID) on the website of the authority about persons who have claims for damages against the authority, without sufficient legal basis;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9483375
448;Italian Data Protection Authority (Garante);Italy;17.11.20;2000;Comune di Collegno;Yes;Comune Di Collegno;Italy;Politics & Government;19100000;298;Other;Yes;Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR;Insufficient fulfilment of data subjects rights;Fine for non-compliance with the right of the data subject to access to information because the municipality refused the data subjects' request for access to data from a camera surveillance system.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9486531
449;Data Protection Authority of Ireland;Ireland;18.08.20;65000;Cork University Maternity Hospital;Yes;University College Cork;Ireland;Hospitals;161500000;2000;Other;Yes;Art. 5 GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The ?Data Protection Authority of Ireland? imposed a fine on Cork University Maternity Hospital (CUMH) after the personal data of 78 patients was discovered disposed of in a public recycling center. Among the documents disposed of, some contain special category personal data of six patients. It is believed that the breach at CUMH involves sensitive patient health data such as the medical history and future planned care programs.;https://www.irishexaminer.com/news/arid-40075673.html
450;Spanish Data Protection Authority (aepd);Spain;23.11.20;12000;Recambios Villalegre S.L.;Yes;Recambios Villalegre S.L.;Spain;Retail & Trade;NA;NA;Private;Yes;Art. 6 GDPR, Art. 13 GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) fined the company for posting photos of a person on Facebook and WhatsApp and accusing the individual of theft in related posts. The photos were obtained through the company's video surveillance system. The company further encouraged other users to share both the photos and the postings. The postings resulted in hundreds of humiliating, insulting and even threatening comments. The AEPD imposed a fine of  EUR 10,000 for publishing the photos and EUR 2,000 for not installing the sign required for video surveillance of the store.;https://www.aepd.es/es/documento/ps-00227-2020.pdf
451;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;23.11.20;4000;Vodafone Romania SA;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 12 GDPR, Art. 15 GDPR, Art. 17 GDPR;Insufficient fulfilment of data subjects rights;The Romanian DPA (ANSPDCP) imposed a fine in the amount of EUR 4,000 on Vodafone Romania SA. The fine was imposed as a result of complaints alleging that the operator failed to respond to requests for access and erasure of data. The operator could not provide any evidence for exonaration.;https://www.dataprotection.ro/?page=Comunicat_de_presa_23_/_11_/_2020&lang=ro
452;Spanish Data Protection Authority (aepd);Spain;18.11.20;2000;Anmavas 61, S.L.;Yes;Anmavas 61, S.L.;Spain;Real Estate;NA;NA;Private;Yes;Art. 58 GDPR;Insufficient cooperation with supervisory authority;The Spanish DPA (AEPD) imposed a fine on Anmavas 61, S.L. for neither granting nor justifiably denying the right to erasure to the data subject, even after receiving a warning issued by the AEPD.;https://www.aepd.es/es/documento/ps-00189-2020.pdf
453;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;24.11.20;5000;Dada Creation S.R.L.;Yes;Dada Creation S.R.L.;Romania;Retail & Trade;101532;1;Private;Yes;Art. 32 GDPR, Art. 33 GDPR;Insufficient technical and organisational measures to ensure information security;Due to inadequate technical and organizational measures, the company disclosed the order, delivery and personal data of over 1000 customers via its web store.  The data was displayed on a document in the web store that could be downloaded without access protection. In addition, the operator had failed to report the security leak to the data protection authority.;https://www.dataprotection.ro/?page=Comunicat_Presa_24_11_2020&lang=ro
454;French Data Protection Authority (CNIL);France;18.11.20;800000;Carrefour Banque;Yes;"	Carrefour SA";France;Retail & Trade;64500000000;322164;Public;Yes;Art. 5 GDPR;Non-compliance with general data processing principles;"The French DPA (CNIL) imposed a fine on Carrefour Banque for violation of its obligation to process data fairly (Article 5 (1) GDPR). 
If a person who subscribed to the Pass card (a credit card that can be attached to a loyalty account) also wanted to participate in the loyalty program, he or she had to tick a box in which he or she agreed to Carrefour Banque sending his or her surname, first name and e-mail address to 'Carrefour fidelite'. Carrefour Banque expressly indicated that no further data would be transmitted. However, the CNIL noted that other data such as postal address, telephone number and the number of children had been transmitted, although the company undertook not to transmit any further data.";https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000042564657
455;Data Protection Authority of Sweden (Integritetsskyddsmyndigheten);Sweden;24.11.20;394000;City of Stockholm;Yes;City of Stockholm;Sweden;Politics & Government;NA;NA;Other;Yes;Art. 5 GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The Swedish DPA imposed a fine on the City of Stockholm for data breaches on a school education platform. The platform consists of different subsystems, including a system for monitoring school attendance, a student administration system, an interface for parents and an administration interface for teachers. In one of the subsystems, a lack of ability to restrict user access to the data has allowed a significant number of staff to access information about students using a protected identity. In another sub-system, parents could access information about other students, such as grades relatively easily. Via Google's search engine, it was possible to find links to enter an administrative interface where information about teachers with a protected identity was accessible.;https://www.datainspektionen.se/globalassets/dokument/beslut/beslut-tillsyn-stockholms-stad.pdf
456;Data Protection Authority of Sweden (Integritetsskyddsmyndigheten);Sweden;25.11.20;19500;Gnosjo Municipality;Yes;Gnosjö Community;Sweden;Politics & Government;NA;NA;Other;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 35 GDPR, Art. 36 GDPR;Insufficient legal basis for data processing;The Swedish DPA imposed a fine on the municipality of Gnosjo for illegal video surveillance in a care home for persons with certain functional disabilities.;https://www.datainspektionen.se/globalassets/dokument/beslut/beslut-tillsyn-gnosjo-2020-11-25.pdf
457;French Data Protection Authority (CNIL);France;18.11.20;2250000;Carrefour France;Yes;"	Carrefour SA";France;Retail & Trade;64500000000;322164;Public;Yes;Art. 5 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 15 GDPR, Art. 17 GDPR, Art. 21 GDPR, Art. 32 GDPR, Art. 33 GDPR;Non-compliance with general data processing principles;"The French DPA (CNIL) fined Carrefour France EUR 2,250,000 for several violations of data protection regulations, including the GPDR.

During its investigation, the CNIL found that the information on personal data provided to users of the carrefour.fr websites and those wishing to join the loyalty program was neither easily accessible nor easily comprehensible. The CNIL also found that the information regarding the transfer of data to countries outside the EU and regarding the duration of data storage was incomplete.
The CNIL also notes that the company did not comply with the storage time limits.
Furthermore, the data of more than twenty-eight million customers who were inactive for five to ten years were stored for the purposes of the loyalty program. This was also the case for 750,000 users of the carrefour.fr site, who were inactive for five to ten years. 
The CNIL states that the company required proof of identity for almost every user request to exercise a right. However, this automatic requirement was not justified, as in most cases there was no doubt regarding the identity of the data subjects.
Furthermore, the company did not respond to several requests from individuals who wanted to access their personal data. 
Also, in numerous cases, the company did not carry out the erasure of data requested by individuals.  
Finally, the company has not responded to several requests from persons who did not agree to receive advertising by SMS or e-mail.";https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000042563756
458;Spanish Data Protection Authority (aepd);Spain;25.11.20;40000;Miraclia Telecomunicaciones S.L.;Yes;Miraclia Telecomunicaciones, S.L;Spain;Telecommunications;160035;2;Private;Yes;Art. 6 GDPR, Art. 13 GDPR, Art. 14 GDPR;Insufficient legal basis for data processing;"The Spanish DPA (AEPD) imposed a fine of EUR 40,000 on Miraclia Telecomunicaciones S.L. for violating Articles 6, 13 and 14 of the GDPR. Miraclia Telecomunicaciones S.L. is the operator of a phone prank app where you can select a 'prank' and enter the phone number of the recipient. The recipient is then called on a suppressed number and the prank is executed. 
The AEPD notes that the operator violated the obligation to provide information regarding the collection of personal data of the data subject. Furthermore, it notes that Miraclia, through this application, does not at any time inform the data subject (the person who answers the prank call and is recorded) of his or her right to consent in accordance with the provisions of the GDPR.";https://www.aepd.es/es/documento/ps-00416-2019.pdf
459;Italian Data Protection Authority (Garante);Italy;23.11.20;20000;Burgo Group S.p.A;Yes;Burgo Group Spa;Italy;Industrial;1000000000;1600;Private;Yes;Art. 5 GDPR, Art. 13 GDPR;Non-compliance with general data processing principles;The Italian DPA (Garante) imposed a fine of EUR 20,000 on the company for non-compliant practices. Thus, for example, the personnel director forwarded an e-mail conversation between the data subject and a work colleague containing personal data (information relating to physical and mental discomfort in the workplace) to four people in the company.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9474649
463;Spanish Data Protection Authority (aepd);Spain;02.12.20;6000;Servicio de Alojamientos Responsables, S.L.;Yes;Servicio de Alojamientos Responsables, S.L.;Spain;Accommodation;NA;NA;Private;Yes;Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) imposed a fine in the amount of EUR 6,000 against the controller for unauthorized conclusion of a contract in the name of the data subject without his/her consent. The data subject only learned about this when a complaint for breach of the contract was filed against him or her. The AEPD decided that by this act the controller unlawfully processed the personal data of the data subject.;https://www.aepd.es/es/documento/ps-00320-2020.pdf
464;Spanish Data Protection Authority (aepd);Spain;02.12.20;3000;Comercio Online Levante, S.L.;Yes;Comercio Online Levante Sociedad Limitada;Spain;Wholesale;2300000000;11;Private;Yes;Art. 5 (1) f) GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;A woman filed a complaint with the Spanish DPA (AEPD) against Comercio Online Levante, S.L. due to the fact that she was shown the personal data of another user when trying to access her user account of the online store perfumespremium.es operated by the controller.;https://www.aepd.es/es/documento/ps-00287-2020.pdf
466;Data Protection Authority of Sweden (Integritetsskyddsmyndigheten);Sweden;03.12.20;1463000;Aleris Sjukvard AB;Yes;Aleris Sjukvård Ab;Sweden;Hospitals;144800000;500;Private;Yes;"Art. 5 (1) f) GDPR,
Art. 5 (2) GDPR,
Art. 32 (1) GDPR, 
Art. 32 (2) GDPR";Insufficient technical and organisational measures to ensure information security;The Swedish DPA (Integritetsskyddsmyndigheten) fined Aleris Sjukvard AB SEK 15,000,000 (EUR 1,463,000) for failing to implement adequate technical and organizational measures to ensure information security. It was found that there was no risk analysis regarding the access to patient data. Authorizations for users of the hospital information system TakeCare were not assigned according to the principle of minimum access. This gave users full access to confidential patient data that they did not need for work purposes.;https://www.datainspektionen.se/globalassets/dokument/beslut/beslut-tillsyn-aleris-sjukvard-di-2019-3844.pdf
467;Data Protection Authority of Sweden (Integritetsskyddsmyndigheten);Sweden;03.12.20;1168000;Aleris Sjukvard AB;Yes;Aleris Sjukvård Ab;Sweden;Hospitals;144800000;500;Private;Yes;"Art. 5 (1) f) GDPR,
Art. 5 (2) GDPR,
Art. 32 (1) GDPR, 
Art. 32 (2) GDPR";Insufficient technical and organisational measures to ensure information security;The Swedish DPA (Integritetsskyddsmyndigheten) fined Aleris Sjukvard AB SEK 12,000,000 (EUR 1,168,000) for failing to implement adequate technical and organizational measures to ensure information security. It was found that there was no risk analysis regarding the access to patient data. Authorizations for users of the hospital information system Nationell patientoversikt (NPO) were not assigned according to the principle of minimum access. This gave users full access to confidential patient data that they did not need for work purposes.;https://www.datainspektionen.se/globalassets/dokument/beslut/beslut-tillsyn-aleris-narsjukvard-di-2019-3842.pdf
468;Spanish Data Protection Authority (aepd);Spain;03.12.20;2400;Dr Marin Cirugia Plastica, S.L.P.;Yes;Dr Marin Cirugia Plastica, S.L.P.;Spain;Healthcare;NA;NA;Private;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;The Spanish DPA (aepd) imposed a fine of EUR 4,000 on the doctor due to the lack of a privacy policy on his website, thus violating Art. 13 GDPR. The original fine of EUR 4,000 was reduced for both immediate payment and acknowledgement of debt by each 20% to EUR 2,400.;https://www.aepd.es/es/documento/ps-00317-2020.pdf
469;Data Protection Authority of Sweden (Integritetsskyddsmyndigheten);Sweden;03.12.20;243800;Ostergotland Region;Yes;Östergötlands län;Sweden;Politics & Government;NA;NA;Other;Yes;"Art. 5 (1) f) GDPR,
Art. 5 (2) GDPR,
Art. 32 (1) GDPR, 
Art. 32 (2) GDPR";Insufficient technical and organisational measures to ensure information security;The Swedish DPA (Integritetsskyddsmyndigheten) fined Ostergotland Region SEK 2,500,000 (EUR 243,800) for failing to implement adequate technical and organizational measures to ensure information security. It was found that there was no risk analysis regarding the access to patient data. Authorizations for users of the hospital information system Cosmic were not assigned according to the principle of minimum access. This gave users full access to confidential patient data that they did not need for work purposes.;https://www.datainspektionen.se/globalassets/dokument/beslut/beslut-tillsyn-region-ostergotland-di-2019-3843.pdf
470;Data Protection Authority of Sweden (Integritetsskyddsmyndigheten);Sweden;03.12.20;243800;Vasterbotten Region;Yes;Vasterbotten län;Sweden;Politics & Government;NA;NA;Other;Yes;"Art. 5 (1) f) GDPR,
Art. 5 (2) GDPR,
Art. 32 (1) GDPR, 
Art. 32 (2) GDPR";Insufficient technical and organisational measures to ensure information security;The Swedish DPA (Integritetsskyddsmyndigheten) fined Vasterbotten Region SEK 2,500,000 (EUR 243,800) for failing to implement adequate technical and organizational measures to ensure information security. It was found that there was no risk analysis regarding the access to patient data. Authorizations for users of the medical record system NCS Cross were not assigned according to the principle of minimum access. This gave users full access to confidential patient data that they did not need for work purposes.;https://www.datainspektionen.se/globalassets/dokument/beslut/beslut-tillsyn-region-vasterbotten-di-2019-3841.pdf
471;Data Protection Authority of Sweden (Integritetsskyddsmyndigheten);Sweden;03.12.20;341300;Sahlgrenska University Hospital;Yes;Sahlgrenska University Hospital;Sweden;Hospitals;NA;NA;Private;Yes;"Art. 5 (1) f) GDPR,
Art. 5 (2) GDPR,
Art. 32 (1) GDPR, 
Art. 32 (2) GDPR";Insufficient technical and organisational measures to ensure information security;The Swedish DPA (Integritetsskyddsmyndigheten) fined Sahlgrenska University Hospital SEK 3,500,000 (EUR 341,300) for failing to implement adequate technical and organizational measures to ensure information security. It was found that there was no risk analysis regarding the access to patient data. Authorizations for users of the hospital information systems Melior and Nationell patientoversikt were not assigned according to the principle of minimum access. This gave users full access to confidential patient data that they did not need for work purposes. In addition, the Melior hospital information system did not keep records of when and for what purpose patient data was accessed.;https://www.datainspektionen.se/globalassets/dokument/beslut/beslut-tillsyn-sahlgrenska-universitetssjukhuset-di-2019-3840.pdf
472;Data Protection Authority of Sweden (Integritetsskyddsmyndigheten);Sweden;03.12.20;390100;Karolinska University Hospital of Solna;Yes;Karolinska University Hospital of Solna;Sweden;Hospitals;NA;16000;Private;Yes;"Art. 5 (1) f) GDPR,
Art. 5 (2) GDPR,
Art. 32 (1) GDPR, 
Art. 32 (2) GDPR";Insufficient technical and organisational measures to ensure information security;The Swedish DPA (Integritetsskyddsmyndigheten) fined Karolinska University Hospital of Solna SEK 4,000,000 (EUR 390,100) for failing to implement adequate technical and organizational measures to ensure information security. It was found that there was no risk analysis regarding the access to patient data. Authorizations for users of the hospital information system TakeCare were not assigned according to the principle of minimum access. This gave users full access to confidential patient data that they did not need for work purposes.;https://www.datainspektionen.se/globalassets/dokument/beslut/beslut-tillsyn-karolinska-universitetssjukhuset-di-2019-3839.pdf
473;Data Protection Authority of Sweden (Integritetsskyddsmyndigheten);Sweden;03.12.20;2900000;Capio St. Goran AB;Yes;Capio S:T Görans Sjukhus Ab;Sweden;Hospitals;220200000;2000;Private;Yes;"Art. 5 (1) f) GDPR,
Art. 5 (2) GDPR,
Art. 32 (1) GDPR, 
Art. 32 (2) GDPR";Insufficient technical and organisational measures to ensure information security;The Swedish DPA (Integritetsskyddsmyndigheten) fined Capio St. Goran AB SEK 30,000,000 (EUR 2,900,000) for failing to implement adequate technical and organizational measures to ensure information security. It was found that there was no risk analysis regarding the access to patient data. Authorizations for users of the hospital information systems Cosmic, Nationell patientoversikt and TakeCare were not assigned according to the principle of minimum access. This gave users full access to confidential patient data that they did not need for work purposes.;https://www.datainspektionen.se/globalassets/dokument/beslut/beslut-tillsyn-capio-st-gorans-sjukhus-di-2019-3846.pdf
474;Norwegian Supervisory Authority (Datatilsynet);Norway;03.12.20;18840;Municipality of Indre Ostfold;Yes;Indre Østfold Kommune;Norway;Politics & Government;506100000;4738;Other;Yes;Art. 6 GDPR, Art. 32 (1) b) GDPR;Insufficient technical and organisational measures to ensure information security;The Norwegian DPA (Datatilsynet) imposed a fine in the amount of NOK 200,000 (EUR 18,840) on the municipality of Indre Ostfold. Datatilsynet found that a student file containing personal data was published on the municipality's website.;https://www.datatilsynet.no/contentassets/1679986c04f54694b734ab883eebfde1/endelig-vedtak-til-indre-ostfold-kommune.pdf
476;Spanish Data Protection Authority (aepd);Spain;02.12.20;10000;Losada Advocats S.L.;Yes;Losada Advocats S.L.;Spain;Services;205238;1;Private;Yes;Art. 5 (1) f) GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The Spanish DPA (AEPD) imposed a fine on Losada Advocats S.L. for sending an e-mail to dozens of recipients without putting them on the Blind Carbon Copy (BCC) list, thus violating Art. 32 GDPR and Art. 5 (1) f) GDPR.;https://www.aepd.es/es/documento/ps-00322-2020.pdf
477;Spanish Data Protection Authority (aepd);Spain;09.12.20;40000;Xfera Moviles S.A.;Yes;Xfera Moviles Sau;Spain;Telecommunications;1500000000;473;Private;Yes;Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) imposed a fine on Xfera Moviles, S.A. due to insufficient legal basis for data processing. The data subject states that two telephone and internet connections were registered in his/her name with a charge account. However, the data subject had never signed contracts with the company for any of these connections. In fact, the contracts in question were concluded by fraudsters using the personal data of the data subject. Nevertheless, the personal data were entered into the company's information systems without verifying whether the contracts had been lawfully and actually concluded by the data subject, whether he/she had given his/her consent to the collection and subsequent processing of his/her personal data or whether there was any other reason justifying the processing.;https://www.aepd.es/es/documento/ps-00262-2020.pdf
480;Spanish Data Protection Authority (aepd);Spain;10.12.20;4000;Borjamotor, S.A.;Yes;Borjamotor Sa;Spain;Retail & Trade;20700000;35;Private;Yes;Art. 7 GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) imposed a fine of EUR 4,000 on Borjamotor, S.A. The company kept sending commercial advertisements to the data subject via email and SMS, even though the data subject had previously revoked his/her consent to receive advertisements and submitted a request to delete his/her data. Although the company had confirmed this, the data subject continued to receive advertising.;https://www.aepd.es/es/documento/ps-00332-2020.pdf
481;Spanish Data Protection Authority (aepd);Spain;11.12.20;5000000;Banco Bilbao Vizcaya Argentaria, S.A.;Yes;Banco Bilbao Vizcaya Argentaria SA;Spain;Banks;31800000000;123174;Public;Yes;Art. 6 GDPR, Art. 13 GDPR;Insufficient fulfilment of information obligations;"The Spanish DPA (AEPD) fined Banco Bilbao Vizcaya Argentaria, S.A. EUR 5,000,000 for violating Art. 6 GDPR (EUR 3,000,000) and Art. 13 GDPR (EUR 2,000,000). 
The bank had not implemented a specific mechanism to obtain the consent of the customers to process their data. Furthermore, it did not use precise terminology in its privacy policy, nor did it provide adequate information about the type of personal data that might be processed. In particular the AEPD notes that the purpose and legal basis for data processing are not sufficiently identifiable in the privacy statement.";https://www.aepd.es/es/documento/ps-00070-2019.pdf
482;Data Protection Authority of Sweden (Integritetsskyddsmyndigheten);Sweden;11.12.20;54000;Umea University;Yes;Umeå Universitet;Sweden;Education;265900000;4000;Private;Yes;"Art. 5 (1) f) GDPR, 
Art. 32 (1), (2) GDPR";Insufficient technical and organisational measures to ensure information security;"The Swedish DPA (Integritetsskyddsmyndigheten) fined Umea University SEK 550,000 (EUR 54,000) as a result of its failure to apply appropriate technical and organizational measures to protect data.
As part of a research project on male rape, the university had stored several police reports on such related incidents in the cloud of a U.S. service provider. The reports contained the names, ID numbers and contact details of the data subjects, as well as information about their health and sex lives, alongside information about the suspected crime. The DPA notes that the storage in that cloud does not adequately protect such particularly sensitive data. 
In addition, one of the investigation reports was sent unencrypted to the Swedish police via email. However, the controller had neither documented the incident nor reported it to the DPA.";https://www.datainspektionen.se/globalassets/dokument/beslut/2020-12-10-beslut-tillsyn-umea-universitet.pdf
483;Polish National Personal Data Protection Office (UODO);Poland;14.12.20;443000;Virgin Mobile Polska;Yes;Virgin Mobile Polska Sp Z O O;Poland;Telecommunications;21300000;60;Private;Yes;Art. 5 (1) f), (2) GDPR, Art. 25 (1) GDPR, Art. 32 (1) b), d), (2) GDPR;Insufficient technical and organisational measures to ensure information security;The Polish DPA (UODO) fined Virgin Mobile Polska EUR 443,000 due to a data leak that allowed unauthorized third parties to access personal data stored by Virgin Mobile Polska as a result of inadequate security measures. The DPA notes that the company did not conduct regular and extensive tests on the effectiveness of the measures applied to ensure data security. Indeed, activities in this regard were conducted only in the event of a suspected security leak.;https://www.uodo.gov.pl/decyzje/DKN.5112.1.2020
484;Hellenic Data Protection Authority (HDPA);Greece;29.10.20;1000;American College of Greece;Yes;The American College Of Greece;Greece;Education;34400000;638;Private;Yes;Art. 12 (3), (4) GDPR;Insufficient fulfilment of information obligations;The Hellenic DPA (HDPA) imposed a fine of EUR 1,000 against the American College of Greece for violations of the right of access and the right to erasure of personal data.;http://www.dpa.gr/APDPXPortlets/htdocs/documentDisplay.jsp?docid=89,72,206,138,129,101,238,220
485;Data Protection Authority of Ireland;Ireland;15.12.20;450000;Twitter International Company;Yes;Twitter, Inc.;United States;IT Services;3000000000;5500;Public;No;Art. 33 (1), (5) GDPR;Insufficient fulfilment of data breach notification obligations;"The Irish DPA (DPC) fined Twitter International Company EUR 450,000 for violating Art. 33 (1) GDPR and Art. 33 (5) GDPR for failing to notify the DPA in a timely manner of a data breach and not adequately documenting that breach.  
The data breach concerned the privacy settings of user posts on the social media platform Twitter. There, users have the option to set the visibility of their posts to private or public. Private posts can only be seen by subscribers of the respective user profile, while public posts are visible to the public. A programming bug in Twitter's Android app resulted in some private posts being visible to the public. The DPA found that Twitter had not properly fulfilled its reporting and documentation obligations. Twitter's legal team became aware of the error on January 2nd, 2019, and it was not until January 8th that the company informed the DPC. Consequently, the company failed to inform the DPC within the 72-hour period required by Art. 33 (1) GDPR. Furthermore, it had failed to adequately document the incident in accordance with Art. 33 (5) GDPR.";https://edpb.europa.eu/sites/edpb/files/decisions/final_decision_-_in-19-1-1_9.12.2020.pdf
486;Data Protection Authority of Sweden (Integritetsskyddsmyndigheten);Sweden;15.12.20;29500;Uppsalahem AB;Yes;Uppsalahem Ab;Sweden;Real Estate;131900000;200;Private;Yes;"Art. 5 GDPR, 
Art. 6 (1) f) GDPR";Insufficient legal basis for data processing;The Swedish DPA (Integritetsskyddsmyndigheten) fined the housing company Uppsalahem AB SEK 300,000 (EUR 29,500). The housing company had installed surveillance cameras in an apartment building to monitor one floor after disturbances and security incidents occurred. The cameras not only monitored the staircase, but also the front door of a resident. Therefore, when the door was opened, the inside of the apartment was also captured by the video surveillance. While the company may have had a legitimate interest in the video surveillance, this is outweighed by the residents' right to privacy.;https://www.datainspektionen.se/globalassets/dokument/beslut/2020-12-14-beslut-tillsyn-uppsalahem.pdf
487;Data State Inspectorate (DSI);Latvia;15.12.20;15000;HH Invest SIA;Yes;HH Invest, SIA;Latvia;E-Commerce;NA;NA;Private;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;The Latvian DPA (DSI) fined the online store HH Invest SIA EUR 15,000. The information provided on the company's website regarding the privacy policy was found not to be easily understandable. This constitutes a violation of Art. 13 GDPR.;https://www.dvi.gov.lv/lv/zinas/datu-valsts-inspekcija-internetveikalam-piemero-eur-15-000-naudas-sodu/
489;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;17.12.20;100000;Banca Transilvania SA;Yes;Banca Transilvania SA;Romania;Banks;1200000000;8359;Public;Yes;Art. 5 (1) f) GDPR, Art. 32 (1), (2) GDPR;Insufficient technical and organisational measures to ensure information security;The Romanian DPA (ANSPDCP) fined Banca Transilvania SA EUR 100,000 for violations of Art. 5 (1) f) GDPR, Art. 32 (1) GDPR and Art. 32 (2) GDPR. It was found that the bank requested a declaration from a customer about the intended use of a certain amount of money wished to withdraw from its account. This statement was submitted to the bank online and forwarded to several employees of the bank. One employee photographed the declaration with his cell phone and spread it via WhatsApp. Subsequently, the document was posted on the social network Facebook and on a website. This situation led to the disclosure and unauthorized access of certain personal data concerning four data subjects, despite the Bank's commitment to respect the principle of integrity and confidentiality of personal data as required by Art. 5 (1) f) GDPR. The DPA notes that the occurred disclosure of the data also proves the ineffectiveness of the internal training of the Bank's employees regarding compliance with the standards for data protection. These trainings are, however, an integral part of the technical and organizational measures that the Bank was obliged to implement, Art. 32 GDPR.;https://www.dataprotection.ro/?page=Comunicat_17_12_2020&lang=ro
490;French Data Protection Authority (CNIL);France;17.12.20;3000;Doctor;No;NA;NA;Healthcare;NA;NA;NA;Yes;Art. 32 GDPR, Art. 33 GDPR;Insufficient technical and organisational measures to ensure information security;The French DPA (CNIL) fined a doctor EUR 3,000 for violations of Art. 32 GDPR and Art. 33 GDPR. The controller had stored medical image data as MRI and X-ray images as well as personal data such as the names, dates of birth and treatment data of his patients on his computer. The controller had not taken appropriate technical measures to ensure the security of the data, and as a consequence, access to his patients' data was possible for anyone without access protection. The data protection authority notes that the data had been exposed for about four months.;https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000042675720
491;French Data Protection Authority (CNIL);France;17.12.20;6000;Doctor;No;NA;NA;Healthcare;NA;NA;NA;Yes;Art. 32 GDPR, Art. 33 GDPR;Insufficient technical and organisational measures to ensure information security;The French DPA (CNIL) fined a doctor EUR 6,000 for violations of Art. 32 GDPR and Art. 33 GDPR. The controller had stored medical image data such as MRI and X-ray images as well as personal data such as names, dates of birth and treatment data of his patients on a server in order to be able to access them from his home computer. A review of the controller's systems had revealed that access to the server was not properly secured. This would have allowed anyone to access his patients' data. Furthermore, the data leak had existed for about five years. The data protection authority therefore found that the doctor had failed to take adequate technical and organisational measures to ensure data security.;https://www.cnil.fr/fr/violations-de-donnees-de-sante-la-cnil-sanctionne-deux-medecinshttps://www.legifrance.gouv.fr/cnil/id/CNILTEXT000042676787
492;Spanish Data Protection Authority (aepd);Spain;15.12.20;10000;Online Services;No;NA;NA;IT Services;NA;NA;NA;Yes;Art. 13 GDPR, Art. 8 (1) GDPR, Art. 6 (1) a) GDPR;Insufficient fulfilment of information obligations;The Spanish DPA (AEPD) fined the operator of the online store banderacatalana.cat. EUR 10,000 for a violation of Art. 13 GDPR.  The operator stated on its website privacy notices that a minimum age of 13 or sufficient legal capacity was required to subscribe to the newsletter. It was also stated that filling out the newsletter subscription form would be considered as consent to the processing of personal data. This constitutes a violation of the GDPR, as according to Art. 8 GDPR, the processing of personal data of under-16-year-olds requires the consent of the holder of parental responsibility over the child.;https://www.aepd.es/es/documento/ps-00438-2019.pdf
494;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;16.12.20;55400;Robinson Tours Ltd. (Robinson Tours Idegenforgalmi es Szolgaltato Kft.);Yes;Robinson Tours Idegenforgalmi es Szolgaltato Kft;Hungaria;Sports, Fitness & Recreation;NA;64;Private;No;Art. 25 (1), (2) GDPR, Art. 32 (1) b) GDPR, Art. 34 (1) GDPR;Insufficient technical and organisational measures to ensure information security;"The Hungarian DPA (NAIH) imposed a fine of HUF 20,500,000 (EUR 55,400) on Robinson Tours Idegenforgalmi es Szolgaltato Kft. (Robinson Tours Ltd.) The travel agent's reservation system contained unprotected data of customers, which could be viewed by anyone and found via Google. The data contained, among others, names, contact and address data, copies of personal IDs and passport numbers. During the DPA's investigation, it turned out that the data in question was from a test database created by Next Time Media Agency Ltd, the web agency contracted to develop and operate the database, which was supplemented not only with test data but also with real data of Robinson Tours' customers. In total, the data of 781 individuals was affected, which was accessible by anyone in the period from November 13, 2019 to February 4, 2020. 
The NAIH also notes that Robinson Tours did not conduct regular security risk screenings. Robinson Tours also failed to notify the data subjects about the data breach.";https://www.naih.hu/files/NAIH-2020-0066-21-hatarozat.pdf
495;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;16.12.20;1385;Next Time Media Agency Ltd. (Next Time Media Ugynokseg Kft.);Yes;Next Time Media Ugynokseg Kft.;Hungaria;IT Services;NA;1;Private;No;Art. 32 (1) GDPR;Insufficient technical and organisational measures to ensure information security;The Hungarian DPA (NAIH) imposed a fine of HUF 50,000 (EUR 1,385) on Next Time Media Ugynokseg Kft. (Next Time Media Agency Ltd.). The web agency had been contracted by the travel agency Robinson Tours Idegenforgalmi es Szolgaltato Kft. (Robinson Tours Ltd.) to develop and operate the travel agency's online reservation system. However, the database was not only supplemented with test data, but also with real data of Robinson Tours' customers. In total, the data of 781 people was compromised. During the period from November 13, 2019, to February 4, 2020, these data were accessible to anyone and could be found via Google. The DPA found that Next Time Media Agency Ltd. did not take adequate technical and organizational measures to ensure the security of the personal data.;https://www.naih.hu/files/NAIH-2020-0066-21-hatarozat.pdff
496;Spanish Data Protection Authority (aepd);Spain;21.12.20;36000;Banco Bilbao Vizcaya Argentaria, S.A.;Yes;Banco Bilbao Vizcaya Argentaria SA;Spain;Banks;31800000000;123174;Public;Yes;Art. 5 (1) d) GDPR;Non-compliance with general data processing principles;The Spanish DPA (AEPD) fined the financial and credit institution Banco Bilbao Vizcaya Argentaria, S.A. (BBVA) with a fine in the amount of EUR 36,000. The BBVA asked the data subject to settle debts with the BBVA, although the data subject did not have any debts with the bank. As a result, BBVA had transmitted the personal data of the data subject to the debt collection company Multigestion Iberia, S.L., which, over a period of several months, contacted the data subject by telephone and e-mail on behalf of BBVA and requested the payment. The data subject then demanded the erasure of his/her data from BBVA. However, the controller refused to do so.;https://www.aepd.es/es/documento/ps-00219-2019.pdf
497;Spanish Data Protection Authority (aepd);Spain;22.12.20;6000;Iberdrola Clientes, SAU;Yes;Iberdrola Clientes Sociedad Anonima.;Spain;Energy;8000000000;623;Private;Yes;Art. 48 (1) b) LGT, Art. 21 GDPR, Art. 23 (4) LOPDGDD;Insufficient fulfilment of data subjects rights;The Spanish DPA (AEPD) fined Iberdrola Clientes, SAU EUR 6,000. The data subject had received promotional calls from two different telephone numbers of the controller although the data subject was registered in the Robinson list. The company attributes the incident to a human error, as the telephone numbers from which the data subject was called were not regularly used for advertising purposes.;https://www.aepd.es/es/documento/ps-00368-2020.pdf
498;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;22.12.20;2000;S.C. C&V Water Control S.A.;Yes;C&V Water Control S.A.;Romania;Industrial;NA;100;Private;Yes;Art. 58 (1) a), e) GDPR, Art. 58 (2) i) GDPR;Insufficient cooperation with supervisory authority;The Romanian DPA (ANSPDCP) fined S.C. C&V Water Control S.A. EUR 2,000 for failure to comply with the data protection authority's request for information in the course of an investigation, thus violating Art. 58 (1) a), e) GDPR and Art. 58 (2) i) GDPR.;https://www.dataprotection.ro/?page=Comunicat_Presa_22_12_2020&lang=ro
501;Polish National Personal Data Protection Office (UODO);Poland;28.12.20;18930;Towarzystwo Ubezpieczen i Reasekuracji WARTA S.A.;Yes;Towarzystwo Ubezpieczen I Reasekuracji Warta S A;Poland;Finance & Insurance;668100000;2230;Private;Yes;Art. 33 (1) GDPR, Art. 34 (1) GDPR;Insufficient fulfilment of data breach notification obligations;"The Polish DPA (UODO) fined Towarzystwo Ubezpieczen i Reasekuracji WARTA S.A. EUR 18,930 for a breach of Art. 33 (1) GDPR and Art. 34 (1) GDPR. 
In May 2020, the DPA received a notification from a third party about a personal data breach involving an insurance agent acting as a processing agent for Towarzystwo Ubezpieczen i Reasekuracji WARTA S.A. who sent an insurance policy to an unauthorized addressee by email. The document contained personal data concerning, among others, surnames, first names, residential addresses and information on the subject of the insurance policy. 
As a result, the supervisory authority asked the controller to clarify whether, regarding the sending of the electronic correspondence to an unauthorized addressee, a risk analysis on the data security of natural persons had been carried out, which is necessary to evaluate whether a data breach had occurred. Such a breach requires notification to the DPA and the individuals affected by the breach. In the letter, the supervisory authority advised the controller how to notify the breach and asked for explanations.
Despite the letter requesting explanations, the controller did not report the data breach nor did it inform the data subjects about the incident. The DPA therefore initiated administrative proceedings. Only as a result of the initiation of the procedure did the controller report the personal data breach and inform two individuals affected by the breach.";https://uodo.gov.pl/decyzje/DKN.5131.5.2020
502;Italian Data Protection Authority (Garante);Italy;26.11.20;10000;Reti Televisive Italiane S.p.a.;Yes;Reti Televisive Italiane Spa;Italy;TV, Film & Radio;1400000000;3147;Private;Yes;Art. 5 (1) a) GDPR;Non-compliance with general data processing principles;The television station broadcasted a documentary about the link between emissions from a local ceramics plant and health problems in the population, in which the person interviewed was not made sufficiently anonymous.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9509558
503;Italian Data Protection Authority (Garante);Italy;26.11.20;20000;Concentrix Cvg Italy s.r.l.;Yes;"	Concentrix Cvg Italy Srl";Italy;Services;11100000;302;Private;Yes;Art. 5 (1) a), c) GDPR, Art. 6 (1) b), c) GDPR, Art. 9 (1) b) GDPR;Insufficient legal basis for data processing;"The union UILCOM Sardegna filed a complaint with the Italian DPA (garante) against the call center operator Concentrix Cvg Italy s.r.l. regarding an internal regulation of the controller. 
Under the terms of a 'clean desk policy,' the company had prohibited employees from keeping certain items, such as smartphones, on their desks, which was intended to ensure confidentiality in the processing of customers' personal data. Exceptions were made for medication, which the data subjects proved they needed to take during their shift. These had to be placed visibly on the desk, making it indirectly possible for other employees to obtain information on the health status of the data subjects. The controller had indeed informed the data subjects about the rules of procedure and obtained their consents. However, this did not contain any information on the processing of their health data.";https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9509515
504;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;29.12.20;1000;Qualitance QBS SA;Yes;Qualitance Qbs S.A.;Romania;IT Services;9100000;160;Private;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The Romanian DPA (ANSPDCP) fined Qualitance QBS SA EUR 1,000 for a violation of Art. 32 GDPR. The company had sent information by email to 295 individuals, disclosing the email addresses of the other recipients. The ANSPDCP noted that the company had not taken sufficient security measures to ensure the confidentiality of the personal data of the data subjects.;https://www.dataprotection.ro/?page=Comunicat_Presa_29_12_2020&lang=ro
505;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;30.12.20;3000;ING Bank N.V. Amsterdam - Bucharest office;Yes;ING Groep NV;Netherlands;Banks;27300000000;91411;Public;No;Art. 5 (1) a) - d) GDPR, Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Romanian DPA (ANSPDCP) fined ING Bank N.V. Amsterdam - Bucharest office in the amount of EUR 3,000. The bank had contacted the data subject by e-mail for the purpose of updating his data. At that time, however, the data subject had already terminated his account with the bank, so that the contractual relationship had been terminated. As a result, the data controller had unlawfully processed personal data of the former customer without his consent such as the e-mail address and the name and of the data subject.;https://www.dataprotection.ro/?page=Comunicat_presa_30_12_2020&lang=ro
506;Spanish Data Protection Authority (aepd);Spain;04.01.21;54000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 5 (1) d), f) GDPR;Non-compliance with general data processing principles;The data subject had concluded a contract with the controller (Vodafone Espana, S.A.U.). However, the products provided under this contract were not delivered in the name of the data subject, but in the name of a third party. Subsequently, the data subject contacted the company's data protection officer by e-mail in order to restore the accuracy of his/her data stored at Vodafone. However, no response was received to this request. When the data subject finally contacted the telecommunications company by telephone, he/she was addressed by the name of the third party. His/her inquiry was answered with a response that did not refer to his/her inquiry, but to the inquiry of the third party. According to the telecommunications company, the incident was caused by a defect in their system due to a system migration. The Spanish DPA (AEPD) initially fined Vodafone Espana, S.A.U. EUR 90,000, but the original fine was reduced to EUR 54,000 due to the timely payment and admission of guilt.;https://www.aepd.es/es/documento/ps-00415-2020.pdf
507;Norwegian Supervisory Authority (Datatilsynet);Norway;04.01.21;95500;Innovasjon Norge;Yes;Innovasjon Norge (Oslo);Norway;Finance & Insurance;166100000;658;Private;Yes;Art. 5 (1) GDPR, Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Norwegian DPA (Datatilsynet) fined the national development bank Innovasjon Norge NOK 1,000,000 (EUR 95,500). The controller had carried out four credit checks on the data subject without any contractual basis for doing so. For this purpose, the bank had analyzed numerous financial data of the data subject over a period of three months without the data subject's consent.;https://www.datatilsynet.no/contentassets/004f43fe684445c29e4fc8393a9a714d/varsel-om-overtredelsesgebyr---innovasjon-norge.pdf
508;French Data Protection Authority (CNIL);France;07.12.20;7300;Perfomeclic;Yes;Perfomeclic;France;Advertising & Marketing;NA;NA;Private;Yes;Art. 5 (1) c), e) GDPR, Art. 14 GDPR, Art. 21 GDPR, Art. 28 GDPR;Insufficient legal basis for data processing;The French DPA (CNIL) imposed a fine of EUR 7,300 on the company Perfomeclic. The company had sent commercial advertising emails without a proof of prior consent and without sufficient information.;https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000042774286?isSuggest=true
509;Polish National Personal Data Protection Office (UODO);Poland;17.12.20;235300;ID Finance Poland Sp. z o.o.;Yes;"	Id Finance Poland Sp Z O O [ W Likwidacji ]";Poland;Finance & Insurance;3700000;50;Private;Yes;Art. 5 (1) f) GDPR, Art. 25 (1) GDPR, Art. 32 (1) b), d), (2) GDPR;Insufficient technical and organisational measures to ensure information security;The Polish DPA (UODO) imposed a fine of EUR 235,300 on ID Finance Poland Sp. z o.o. Due to an error while restarting a server, the settings of the software responsible for the server's security were reset, making the personal data of 140 699 customers publicly available. These data contained, for example, information about the first and last name, address, nationality or even marital status of the data subjects. The database located on this server was downloaded and deleted by an unspecified third party, who demanded a fee from the company for the return of the database. The DPA noted that the controller had taken insufficient technical and organizational measures to ensure the protection of the processing, even though there was a high risk for the data subjects due to the nature of the data processed.;https://uodo.gov.pl/decyzje/DKN.5130.1354.2020
510;Polish National Personal Data Protection Office (UODO);Poland;09.12.20;18850;TUiR Warta S.A.;Yes;Towarzystwo Ubezpieczen I Reasekuracji Warta S A;Poland;Finance & Insurance;668100000;2230;Private;Yes;Art. 33 (1) GDPR, Art. 34 (1) GDPR;Insufficient fulfilment of data breach notification obligations;An insurance agent hired by the controller had sent an email to unauthorized third parties in regard to insurance policies that contained personal data of two of the company's customers after they had mistakenly provided false email addresses. The leaked data included data such as the names, email adresses and postal addresses of the data subjects. The controller had not informed either the Polish DPA nor the data subjects about the data breach in a timely manner within 72 hours. The controller believed that there was no breach requiring notification because the data subjects themselves had mistakenly provided incorrect e-mail addresses. The Polish DPA states that this circumstance does not release the controller from its obligation to report this data breach in a timely manner.;https://uodo.gov.pl/decyzje/DKN.5131.5.20200
511;French Data Protection Authority (CNIL);France;05.01.21;20000;Nestor SAS;Yes;Nestor SAS;France;Services;NA;NA;Private;Yes;Art. 12 GDPR, Art. 13 GDPR;Insufficient fulfilment of information obligations;The French DPA (CNIL) fined the company Nestor EUR 20,000. The CNIL notes that the privacy policy provided during the registration process on the companys website did not contain the necessary information required by the GDPR. In addition, the controller provided insufficient information on data processing during app registration.;https://www.cnil.fr/fr/prospection-commerciale-sanction-de-20-000-euros-lencontre-de-la-societe-nestor
512;Polish National Personal Data Protection Office (UODO);Poland;01.11.19;1770;L. Sp. z o.o.;No;NA;NA;NA;NA;NA;NA;Yes;Art. 5 (1) a), f) GDPR;Non-compliance with general data processing principles;The Polish DPA (UODO) imposed a fine of EUR 1,770 on L. Sp. z o.o. for the video surveillance of a residential community, which was not in compliance with the provisions of the GDPR.;http://orzeczenia.nsa.gov.pl/doc/942DE6198F
514;Norwegian Supervisory Authority (Datatilsynet);Norway;06.01.21;9700;Lindstrand Trading AS;Yes;Lindstrand Trading AS;Norway;E-Commerce;NA;NA;Private;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The Norwegian DPA (Datatilsynet) has fined Lindstrand Trading AS EUR 9,700. The controller had carried out four credit checks on individuals and individual companies, although there was no legal basis for doing so.;https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2021/lindstrand-trading-as-far-overtredelsesgebyr/
515;Norwegian Supervisory Authority (Datatilsynet);Norway;07.01.21;7250;Gveik AS;Yes;Gveik AS;Norway;E-Commerce;NA;NA;Private;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The Norwegian DPA (Datatilsynet) fined Gveik AS EUR 7,250. The controller had carried out a credit check on an individual, although there was no legal basis for doing so.;https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2021/gveik-as-far-gebyr/
516;Estonian Data Protection Authority (AKI);Estonia;01.12.20;100000;Apotheka e-apteek;Yes;Apotheka e-apteek;Estonia;E-Commerce;NA;NA;Private;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The Estonian DPA (Andmekaitse Inspektsioon) fined three online pharmacies EUR 100,000 each for processing personal data without the consent of the data subjects. The data in question are prescriptions for medicines of the data subjects. Third parties were able to view another person's current prescriptions in the e-pharmacy environment without their consent, based only on access to their personal identification code. The DPA highlighted that while it must be possible to purchase prescription drugs for other people, it is the responsibility of the company to ensure that the processing of the personal data required for this purpose only takes place with the consent of the data subjects. The confirmation of another person that they may access the data, however, does not correspond to the voluntary consent of the prescription holder, since the e-pharmacy cannot check whether and for what purpose the consent was given and whether it was given voluntarily.;https://www.aki.ee/et/uudised/andmekaitse-inspektsioon-kohustas-e-apteeke-lopetama-koheselt-ligipaas-teise-inimese
517;Estonian Data Protection Authority (AKI);Estonia;01.12.20;100000;Sudameapteegi e-apteek;Yes;Sudameapteegi e-apteek;Estonia;E-Commerce;NA;NA;Private;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The Estonian DPA (Andmekaitse Inspektsioon) fined three online pharmacies EUR 100,000 each for processing personal data without the consent of the data subjects. The data in question are prescriptions for medicines of the data subjects. Third parties were able to view another person's current prescriptions in the e-pharmacy environment without their consent, based only on access to their personal identification code. The DPA highlighted that while it must be possible to purchase prescription drugs for other people, it is the responsibility of the company to ensure that the processing of the personal data required for this purpose only takes place with the consent of the data subjects. The confirmation of another person that they may access the data, however, does not correspond to the voluntary consent of the prescription holder, since the e-pharmacy cannot check whether and for what purpose the consent was given and whether it was given voluntarily.;https://www.aki.ee/et/uudised/andmekaitse-inspektsioon-kohustas-e-apteeke-lopetama-koheselt-ligipaas-teise-inimese
518;Estonian Data Protection Authority (AKI);Estonia;01.12.20;100000;Azeta.ee e-apteek;Yes;Azeta.ee e-apteek;Estonia;E-Commerce;NA;NA;Private;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The Estonian DPA (Andmekaitse Inspektsioon) fined three online pharmacies EUR 100,000 each for processing personal data without the consent of the data subjects. The data in question are prescriptions for medicines of the data subjects. Third parties were able to view another person's current prescriptions in the e-pharmacy environment without their consent, based only on access to their personal identification code. The DPA highlighted that while it must be possible to purchase prescription drugs for other people, it is the responsibility of the company to ensure that the processing of the personal data required for this purpose only takes place with the consent of the data subjects. The confirmation of another person that they may access the data, however, does not correspond to the voluntary consent of the prescription holder, since the e-pharmacy cannot check whether and for what purpose the consent was given and whether it was given voluntarily.;https://www.aki.ee/et/uudised/andmekaitse-inspektsioon-kohustas-e-apteeke-lopetama-koheselt-ligipaas-teise-inimesee
519;Data Protection Authority of Niedersachsen;Germany;08.01.21;10400000;notebooksbilliger.de;Yes;notebooksbilliger.de AG;Germany;E-Commerce;736000000;370;Private;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The DPA of Lower Saxony (LfD Niedersachsen) imposed a fine of EUR 10,4 million on the electronics retailer notebooksbilliger.de.The company had video-monitored its employees for at least two years without having a legal basis for doing so. Among others, the cameras covered workplaces, sales areas, warehouses and recreation areas. The company stated that the purpose of the installed video cameras was to prevent and investigate criminal acts and to track the movement of goods in the warehouses. However, to prevent theft, a company must first consider milder methods. Moreover, video surveillance to detect criminal acts is only permitted if there is a reasonable suspicion against specific persons. If this is the case, it may be permissible to monitor them with cameras for a limited period of time. At notebooksbilliger.de, however, the video surveillance was neither limited to a specific period nor to specific employees. In addition, the recordings were stored for 60 days in many cases, which was significantly longer than required. Customers of notebooksbilliger.de were also affected by the unlawful video surveillance, as some cameras were pointed at seating areas in the sales area. So far, the fine against notebooksbilliger.de is the highest fine that the LfD Niedersachen has issued under the GDPR.;https://lfd.niedersachsen.de/startseite/infothek/presseinformationen/lfd-niedersachsen-verhangt-bussgeld-uber-10-4-millionen-euro-gegen-notebooksbilliger-de-196019.html
520;Italian Data Protection Authority (Garante);Italy;29.10.20;20000;Gaypa s.r.l.;Yes;Gaypa Srl;Italy;Chemicals;9500000;50;Private;Yes;Art. 5 (1) a), c), e) GDPR, Art. 12 GDPR, Art. 13 GDPR;Non-compliance with general data processing principles;The Italian DPA (Garante) imposed a fine of EUR 20,000 on Gaypa s.r.l.. The controller had kept a former employee's email account active and had access to the data subject's correspondence, despite the termination of his/her employment. The data subject had not been informed about such a further use of his/her e-mail account, as well as about the storage of all incoming and outgoing e-mails on the company servers and the related processing of his/her personal data.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9518890
521;Italian Data Protection Authority (Garante);Italy;29.10.20;4000;Borgo Fonte Scura s.r.l.;Yes;Borgo Fonte Scura s.r.l.;Italy;Restaurants, Cafes & Bars;NA;NA;Private;Yes;Art. 5 (1) a) GDPR, Art. 13 GDPR;Insufficient legal basis for data processing;The Italian DPA (Garante) imposed a fine of EUR 4,000 on Borgo Fonte Scura s.r.l.. The controller had installed a video surveillance system which also recorded the three data subjects during their work. The data subjects were not sufficiently informed about the video surveillance and the resulting processing of their personal data.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9518849
522;Spanish Data Protection Authority (aepd);Spain;13.01.21;6000000;Caixabank S.A.;Yes;CaixaBank SA;Spain;Banks;10900000000;35434;Public;Yes;Art. 6 GDPR, Art. 13 GDPR, Art. 14 GDPR;Insufficient legal basis for data processing;"The Spanish DPA (AEPD) fined Caixabank S.A. EUR 6,000,000 for violations of Art. 6 GDPR, Art. 13 GDPR and Art. 14 GDPR.         
Customers of the bank were supposed to accept new privacy policies allowing the controller to transfer the customers' personal data to all companies within the CaixaBank Group. At the same time, the data subjects were not given the option of specifically not consenting to this transfer. Instead, if they wished to disagree with the transfer of their data, they were required to send a letter of disagreement to each individual company in the group.

The DPA concluded that the bank had violated its information obligations as set out in Art. 13 GDPR and Art. 14 GDPR, as the information provided to customers under the privacy policy was not consistent, contained imprecise terminology, and did not provide sufficient information on the type of personal data processed and the nature of the processing.  Also, the information on the rights of the data subjects as well as the contact information of the controller were not provided in a consistent manner. 

Furthermore, the DPA notes that the controller had processed its customers' data beyond its legitimate interests, partly without a legal basis, and that the consent it obtained from customers did not meet the requirements of an effective consent. In addition, deficiencies in the company's procedures allowed it to obtain the consent of customers to process their personal data. The DPA further concludes that, as a result, the data was unlawfully transferred to the companies of the CaixaBank Group. This constitutes a violation of Art. 6 GDPR.";https://www.aepd.es/es/documento/ps-00477-2019.pdf
525;Norwegian Supervisory Authority (Datatilsynet);Norway;14.01.21;38600;Coop Finnmark SA;Yes;Coop Finnmark Sa;Norway;Food & Beverage;106000000;427;Private;Yes;Art. 5 (1) a) GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The Norwegian DPA (Datatilsynet) fined Coop Finnmark SA NOK 400,000 (EUR 38,600). The manager of the store in question recorded CCTV footage with a mobile phone and shared the video. The Norwegian DPA states that Coop Finnmark had no legal basis for sharing the CCTV footage. The DPA notes that the case is very serious as the footage showed children, which poses a potentially high risk to their privacy.;https://www.datatilsynet.no/contentassets/5cd2e76bd5d2481f9578ffe721b7e24d/vedtak-om-overtredelsesgebyr-til-coop-finnmark-sa.pdf
527;Polish National Personal Data Protection Office (UODO);Poland;05.01.21;5500;Slaski Uniwersytet Medyczny (Medical University of Silesia);Yes;Slaski Uniwersytet Medyczny W Katowicach;Poland;Education;64900000;3000;Other;Yes;Art. 33 (1) GDPR, Art. 34 (1) GDPR;Insufficient fulfilment of data breach notification obligations;The Polish DPA (UODO) imposed a fine of PLN 25,000 (EUR 5,500) on the Medical University of Silesia. In the course of exams held in the form of videoconferences at the end of May 2020, identification of students took place. Once the exam was completed, the recordings of the exams were available not only to the examinees, but also to other people with access to the system. In addition, any outsider could access the records of the examinations and the data of the examined students presented during identification via a direct link. The University failed to report the data breach to the DPA and notify the data subjects.;https://uodo.gov.pl/decyzje/DKN.5131.6.2020
529;Spanish Data Protection Authority (aepd);Spain;21.01.21;50000;Alterna Operador Integral S.L.;Yes;"	Alterna Operador Integral Sl.";Spain;Wholesale;58000000;36;Private;Yes;Art. 6 (1) b) GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) imposed a fine of EUR 50,000 on Alterna Operador Integral S.L.. A switch of the electricity supplier had taken place without the consent of the data subject. However, the personal data of the data subject were incorporated into the information systems of the controller (the new electricity supplier) without the controller having verified that a valid contract had been concluded. The processing of the data subjects' personal data thus took place without a legal basis.;https://www.aepd.es/es/documento/ps-00232-2020.pdf
530;Norwegian Supervisory Authority (Datatilsynet);Norway;19.01.21;9700;Aquateknikk AS;Yes;Aquateknikk AS;Norway;Industrial;NA;NA;Private;Yes;Art. 5 GPDR, Art. 6 GDPR;Insufficient legal basis for data processing;The Norwegian DPA (Datatilsynet)  fined Aquateknikk AS NOK 100,000 (EUR 9,700). The controller had carried out a credit rating on an individual without there being a customer relationship or other affiliation. The personal data of the data subject was thus processed without a legal basis.;https://www.datatilsynet.no/contentassets/c5f433a97050467497810b9e891d5b83/vedtak-om-palegg-og-overtredelsesgebyr---aquateknikk-as.pdf
531;Italian Data Protection Authority (Garante);Italy;17.12.20;500000;Roma Capitale (Rome Municipality);Yes;Roma Capitale;Italy;Politics & Government;198700000;3590;Other;Yes;Art. 5 (1) a) GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 28 (2), (3) GDPR, Art. 32 GDPR;Non-compliance with general data processing principles;The Italian DPA (Garante) fined the municipality of Rome EUR 500,000 for the unlawful processing of users' and employees' personal data. The municipality of Rome had been using the 'TuPassi' booking system to manage appointments and other services since 2015. In the course of a detailed investigation, the Italian DPA found that the controller had violated several data protection regulations with regard to the processing of personal data of customers and employees with whom they had made appointments. For example, the municipality had not properly informed the data subjects prior to processing their data, nor had it taken appropriate technical and organizational measures to protect the processing.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9524175
532;Italian Data Protection Authority (Garante);Italy;17.12.20;40000;Miropass S.r.l.;Yes;Miropass S.r.l.;Italy;IT Services;237792;3;Private;Yes;Art. 5 (1) a), e) GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 28 GDPR;Insufficient legal basis for data processing;The Italian DPA (Garante) fined Miropass S.r.l. EUR 40,000. Miropass is the provider of the TuPassi booking system, which among others has been used by the Municipality of Rome since 2015. The booking system enables the booking of appointments both on the website of the controller (www.tupassi.it) as well as via the corresponding app. For this purpose, the company collects and processes the personal data of the users. In the course of its investigation, the Italian DPA found that Miropass, particularly in the context of health data resulting from appointment bookings at health care facilities, had no legal basis for the processing and  violated the principle of storage limitation.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9525315
534;Spanish Data Protection Authority (aepd);Spain;21.01.21;75000;Telefonica Moviles Espana, SAU;Yes;Telefónica SA;Spain;Telecommunications;41600000000;112797;Public;Yes;Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) imposed a fine of EUR 75,000 on Telefonica Moviles Espana, SAU. The controller had assigned five telephone lines with five numbers to the data subject as part of a mobile phone contract. One of the numbers was used by her son. When he was no longer able to use the mobile data, he contacted the controller. The controller informed him that the mobile data had been deactivated because the number was no longer in his possession. It turned out that unauthorized third parties had pretended to be the data subject and had the number transferred to a third party without the controller requiring authentication for this. Thereupon the unauthorized third parties had requested and received a replacement SIM card under the pretense of an alleged loss or theft. As a result, the son's SIM card was blocked.;https://www.aepd.es/es/documento/ps-00235-2020.pdf
537;Belgian Data Protection Authority (APD);Belgium;27.01.21;50000;Family Service / N.D.P.K. nv.;Yes;N.D.P.K. nv.;Netherlands;Advertising & Marketing;NA;NA;Private;No;Art. 5 GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 13 GDPR, Art. 24 GDPR, Art. 25 GDPR, Art. 28 GDPR;Insufficient legal basis for data processing;The Belgian DPA imposed a fine of EUR 50,000 on Family Service / N.D.P.K. nv. The controller is an advertising agency that, among other things, sends expectant mothers gift boxes containing various discount vouchers, product samples and information about pregnancy and birth. The box items are provided by third parties, to whom the controller subsequently transfers the recipients' contact data for marketing purposes. The consent of the recipients to this transfer and to subsequent advertising measures by the third parties is obtained in advance by the controller for this purpose. A data subject filed a complaint with the Belgian DPA because, although she had revoked her previously given consent, she nevertheless continued to receive advertising calls from third parties to whom the controller had transmitted her data.;https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-04-2021.pdf
538;Polish National Personal Data Protection Office (UODO);Poland;09.12.20;2850;Smart Cities Sp. z o.o.;Yes;Smart Cities Sp. z o.o.;Poland;IT Services;NA;NA;Private;Yes;Art. 31 GDPR, Art. 58 GDPR;Insufficient cooperation with supervisory authority;Fine for failure to comply with an order of the Polish DPA (UODO). The controller failed to provide personal data and other information requested by UODO for investigative purposes.;https://www.uodo.gov.pl/decyzje/DKE.561.13.2020%20
539;Italian Data Protection Authority (Garante);Italy;17.12.20;100000;Azienda Unita Sanitaria Locale Toscana Sud Est;Yes;Azienda Unita' Sanitaria Locale Toscana Sud Est;Italy;Healthcare;137700000;2000;Private;Yes;Art. 5 (1) f) GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 28 GDPR, Art. 30 GDPR, Art. 32 GDPR, Art. 35 GDPR;Non-compliance with general data processing principles;"The Italian DPA (Garante) imposed a fine of EUR 100,000 on Azienda USL Toscana Sud Est. The controller is a company in the healthcare sector that, among other things, launched the so-called 'Sanita di iniziativa' (Health Initiative) program. Within the framework of this program, participating healthcare companies transmit data on chronically ill patients to the controller. On the basis of this data, the controller then develops health plans for the patients.
The Italian DPA notes several violations of data protection provisions related to this program. 
For example, when giving consent to the processing of their data, the data subjects were not adequately informed about how long their data would be stored, what rights they had (in particular their rights of complaint and access), and how exactly their data would be processed and for what purpose. In addition, the controller had not kept a register of processing activities. Finally, the controller had neither implemented adequate technical and organizational measures to protect the processing nor conducted a data protection impact assessment, although this would have been necessary due to the nature of the data processed (health data).";https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9529527
540;Norwegian Supervisory Authority (Datatilsynet);Norway;03.02.21;19300;Cyberbook AS;Yes;Cyberbook AS;Norway;IT Services;NA;25;Private;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The Norwegian DPA (Datatilsynet) fined Cyberbook AS NOK 200,000 (EUR 19,300) for the illegal automatic forwarding of e-mails from a former employee. The forwarding took place for several months without the data subject being informed.;https://www.datatilsynet.no/regelverk-og-verktoy/lover-og-regler/avgjorelser-fra-datatilsynet/2021/cyberbook-as-far-gebyr/
541;Spanish Data Protection Authority (aepd);Spain;01.02.21;24000;Xfera Moviles S.A.;Yes;Xfera Moviles Sau;Spain;Telecommunications;1500000000;473;Private;Yes;Art. 58 (2) GDPR;Insufficient cooperation with supervisory authority;The Spanish DPA (AEPD) imposed a fine of EUR 40,000 on Xfera Moviles S.A.. The data subject claimed a violation of its right to information to the AEPD. The AEPD then issued a request to the controller to comply with the data subject's request for information within a period of 10 days and to prove this to the AEPD. However, the controller did not comply with the request within the deadline. The original fine of EUR 40,000 was reduced to EUR 24,000 due to immediate payment and acknowledgement of debt by the controller.;https://www.aepd.es/es/documento/ps-00433-2020.pdf
542;Spanish Data Protection Authority (aepd);Spain;01.02.21;3000;IDFINANCE Spain, S.L.;Yes;Idfinance Spain Sa;Spain;Finance & Insurance;61300000;47;Private;Yes;Art. 5 (1) f) GDPR;Insufficient technical and organisational measures to ensure information security;The Spanish DPA (AEPD) imposed a fine of EUR 5,000 on IDFINANCE Spain S.L.. A person had received a debt collection email from IDFinance that contained a link for the payment of an invoice directly through the controller's website. Via the link, the person was able to view the personal data of another customer. The original fine of EUR 5,000 was reduced to EUR 3,000 due to immediate payment and acknowledgement of debt.;https://www.aepd.es/es/documento/ps-00335-2020.pdf
543;Italian Data Protection Authority (Garante);Italy;26.11.20;3000;Charly Mike s.r.l.;Yes;Charly Mike s.r.l.;Italy;Accommodation;567303;23;Private;Yes;Art. 5 (1) a) GDPR, Art. 13 GDPR;Insufficient legal basis for data processing;"The Italian DPA (Garante) imposed a fine of EUR 3,000 on Charly Mike s.r.l.. The controller is the hotel operator of the Hotel Olimpo in Alberobello. Garante received a complaint about the video surveillance system installed in the hotel. During the course of the investigation, it was found that the hotel facility had 17 fixed cameras and one with 360 recording, placed inside and outside the facility, recording both employees and customers. 
The system had been operated without the required signs indicating video surveillance.";https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9533587
544;Spanish Data Protection Authority (aepd);Spain;03.02.21;100000;Iberdrola Clientes;Yes;Iberdrola Clientes Sociedad Anonima.;Spain;Energy;8000000000;623;Private;Yes;Art. 5 (1) d) GDPR, Art. 17 GDPR;Insufficient fulfilment of data subjects rights;The Spanish DPA (AEPD) imposed a fine of EUR 100,000 on Iberdrola Clientes, SAU. The data subject had terminated an existing contract with the controller due to a move and therefore requested the deletion of his/her data. This request was rejected by the controller with reference to outstanding invoices. It turned out that the controller had sent the bills to the old address of the data subject. Even after the data subject informed the controller of the change of address, new notices regarding the deletion request and invoices were sent to the old address.;https://www.aepd.es/es/documento/ps-00220-2020.pdf
546;Spanish Data Protection Authority (aepd);Spain;08.02.21;3000;Patio Ancestral S.L.;Yes;Patio Ancestral S.L.;Spain;Retail & Trade;NA;NA;Private;Yes;Art. 6 GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) imposed a fine of EUR 5,000 on Patio Ancestral S.L.. The complainant worked for a construction company and had carried out some renovation work for the controller. During these works, damage had been caused to the controller's properties. The controller had then sent a letter with claims for damages not only to the complainant but also to the complainant's father, who had previously been employed by the same construction company. However, the father was an uninvolved third party in this case. The Spanish DPA found that the processing of the father's personal data for this reason had taken place without a legal basis. The original fine was reduced to EUR 3,000 due to immediate payment and acknowledgement of debt.;https://www.aepd.es/es/documento/ps-00440-2020.pdf
548;Spanish Data Protection Authority (aepd);Spain;09.02.21;5000;Predase Servicios Integrales S.L.;Yes;Predase Servicios Integrales S.L.;Spain;Services;NA;NA;Private;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;The company website did not present a privacy policy on its main page, nor did it provide the information required by Art. 13 GDPR.;https://www.aepd.es/es/documento/ps-00062-2020.pdf
549;Spanish Data Protection Authority (aepd);Spain;11.02.21;24000;Vamavi Phone S.L.;Yes;Vamavi Phone S.L.;Spain;Services;322200;13;Private;Yes;Art. 48 (1) b) LGT, Art. 21 GDPR, Art. 23 LOPDGDD, Art. 28 GDPR;Insufficient fulfilment of data subjects rights;The Spanish DPA (AEPD) imposed a fine of EUR 40,000 on Vamavi Phone S.L.. The data subject had received an advertising call from the controller made on behalf of Vodafone Espana, S.A.U., although the data subject was registered in the Robinson advertising exclusion list. The original fine of EUR 40,000 was reduced to EUR 24,000 due to immediate payment and acknowledgement of debt.;https://www.aepd.es/es/documento/ps-00026-2021.pdf
550;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;10.02.21;1000;ING Bank N.V. Amsterdam - Bucharest office;Yes;ING Groep NV;Netherlands;Banks;27300000000;91411;Public;No;Art. 29 GDPR, Art. 32 (2), (4) GDPR;Insufficient technical and organisational measures to ensure information security;The Romanian DPA (ANSPDCP) imposed a fine of EUR 1,000 on ING Bank N.V. Amsterdam - Bucharest Branch. It was found that the controller had sent files to a contractual partner in order to issue insurance policies. The sent files contained outdated information, as employees of the insurance policy monitoring department had not checked and processed the insurance policies according to the work process, which affected 270 people. Considering these aspects, it was found that the technical and organizational measures taken by the controller were insufficient, which resulted in the breach of confidentiality of personal data.;https://www.dataprotection.ro/?page=Comunicat_Presa_10_/_02_/_21&lang=ro
552;Data Protection Authority of Ireland;Ireland;17.12.20;70000;University College Dublin;Yes;University College Dublin (Dublin);Ireland;Education;121500000;1361;Private;Yes;Art. 5 (1) e), f) GDPR, Art. 32 (1) GDPR, Art. 33 (1) GDPR;Insufficient technical and organisational measures to ensure information security;The Irish DPA (DPC) fined University College Dublin (UCD) EUR 70,000 due to seven personal data breaches. Unauthorized third parties were able to access UCD e-mail accounts, and login credentials for UCD e-mail accounts were posted online.  It was found that the controller did not take appropriate technical and organisational measures to protect data security when processing personal data in its email service.  In addition, the controller stored certain personal data in an email account in a form that allowed identification of the data subjects for longer than necessary for the purpose for which the personal data were processed. Also, the controller did not notify the DPC of a personal data breach in a timely manner.;https://www.dataprotection.ie/sites/default/files/uploads/2021-02/Inquiry%20University%20College%20Dublin_0.pdf
553;Data State Inspectorate (DSI);Latvia;09.02.21;65000;Lursoft IT SIA;Yes;Lursoft IT SIA;Latvia;IT Services;12334000;76;Private;Yes;Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Latvian DPA (DSI) fined Lursoft IT SIA EUR 65,000 for the illegal processing of personal data by publishing documents containing personal data on its website 'www.lursoft.lv'. The DPA found that the controller made parts of the non-public company register, which contained, among other things personal data, publicly available.;https://www.dvi.gov.lv/lv/zinas/datu-valsts-inspekcija-internetveikalam-piemero-eur-15-000-naudas-sodu/
554;Spanish Data Protection Authority (aepd);Spain;12.02.21;120000;Vodafone Espana, SAU;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) imposed a fine of EUR 200,000 on Vodafone Espana, S.A.U. A former customer had received e-mails containing electronic bills even after he had terminated his contract with the controller resulting in a processing of personal data without sufficient legal basis. The data subject states that he still receives e-mails from the controller, although he has already objected to this several times and the controller has already received a fine twice for exactly these facts. The fine imposed this time is this high because the infringement was classified as very serious by the Spanish DPA. Among other things, because this was already the third violation in this matter. The original fine of EUR 200,000 was reduced for both immediate payment and acknowledgement of debt to EUR 120,000.;https://www.aepd.es/es/documento/ps-00430-2020.pdf
555;Dutch Supervisory Authority for Data Protection (AP);Netherlands;11.02.21;440000;OLVG;Yes;Stichting Olvg;Netherlands;Hospitals;611900000;5054;Private;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The Dutch DPA (AP) imposed a fine of EUR 440,000 on the Amsterdam hospital OLVG. The controller had taken insufficient measures between 2018 and 2020 to prevent access by unauthorized employees to medical records. The controller did not check adequately who had access to which file nor did the controller ensure that the computer system presented sufficient security. This resulted, among others, in working students and other employees being able to access patient files without this being necessary for their work. Besides medical records, the patient files also contained, the social security numbers, addresses and telephone numbers of the data subjects.;https://autoriteitpersoonsgegevens.nl/nl/nieuws/ziekenhuis-olvg-beboet-om-onvoldoende-beveiliging-medische-dossiers
556;Italian Data Protection Authority (Garante);Italy;14.01.21;8000;Agenzia regionale protezione ambientale Campania (ARPAC);Yes;Agenzia regionale protezione ambientale Campania (ARPAC);Italy;Politics & Government;NA;NA;Other;Yes;Art. 5 (1) f) GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The Italian DPA (Garante) imposed a fine of EUR 8,000 on the Regional Environmental Protection Agency of Campania (ARPAC). An external hard drive containing personal data had been stolen from the controller. Among other things, it contained copies of identity documents, tax records and payroll records. During the investigation, the DPA discovered that the hard drive had been located in a room to which all of the controller's employees had access. In addition, the controller did not back up the affected data, so it was irrevocably lost. Consequently, the DPA concluded that the controller violated the duty to implement appropriate technical and organizational measures to ensure the security of data processing.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9538748
557;Spanish Data Protection Authority (aepd);Spain;16.02.21;1000;The Washpoint S.L.;Yes;The Washpoint S.L.;Spain;Services;NA;NA;Private;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;The Spanish DPA (AEPD) imposed a fine of EUR 1,000 on The Washpoint S.L. for the lack of a privacy policy on its website, in violation of Art. 13 GDPR.;https://www.aepd.es/es/documento/ps-00469-2019.pdf
558;Italian Data Protection Authority (Garante);Italy;14.01.21;30000;Azienda sanitaria provinciale di Enna;Yes;Azienda Sanitaria Provinciale Di Enna;Italy;Healthcare;76100000;1500;Private;Yes;Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 9 GDPR;Insufficient legal basis for data processing;The Italian DPA (Garante) imposed a fine of EUR 30,000 on Azienda sanitaria provinciale di Enna. The controller processed biometric data of employees for the purpose of registering their attendance. Garante found that such processing was not proportionate and therefore constituted an unjustified infringement of the rights of the data subjects. Subsequently, Garante determined that the processing of biometric data had taken place without a legal basis.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9542071
559;Italian Data Protection Authority (Garante);Italy;27.01.21;50000;Azienda USL della Romagna;Yes;Azienda Unita' Sanitaria Locale Della Romagna;Italy;Healthcare;634700000;14407;Private;Yes;Art. 5 (1) a), d), f) GDPR, Art. 9 GDPR, Art. 32 (1) b) GDPR;Non-compliance with general data processing principles;The Italian DPA (Garante) imposed a fine of EUR 50,000 on Azienda USL della Romagna. Upon her arrival at the gynecology unit of a hospital operated by the controller (for the purpose of an abortion), a patient had explicitly asked the controller not to share her health data with third parties. She had separately left a telephone number for the purpose of being contacted. After the patient was discharged, a nurse tried to contact her in order to inform her about further therapy. However, the nurse did not use the telephone number provided by the patient  specifically for this purpose, but instead used her home telephone number, which she was able to obtain from her patient file. When her husband took the call instead of the patient, the nurse informed him about her treatment, contrary to the patients request.  Even though no further medical information was provided, it was clear from the conversation that the data subject had been admitted to this unit and was to receive further therapy.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9544504
560;Italian Data Protection Authority (Garante);Italy;27.01.21;50000;Azienda Ospedaliero Universitaria Senese;Yes;"	Azienda Ospedaliera Universitaria Senese";Italy;Hospitals;129000000;2500;Private;Yes;Art. 5 (1) f) GDPR, Art. 9 GDPR;Non-compliance with general data processing principles;The Italian DPA (Garante) fined Azienda Ospedaliero Universitaria Senese EUR 50,000. The controller, a hospital, had reported to the Italian DPA that a couple's medical report had been mistakenly sent to an uninvolved third party. The report contained information about a genetic consultation and the health status and sex life of the data subjects. The incident occurred due to an error in packaging the letter, according to a statement from the controller.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9544457
561;Italian Data Protection Authority (Garante);Italy;27.01.21;10000;Azienda Ospedaliero Universitaria di Parma;Yes;Azienda Ospedaliero-Universitaria Di Parma;Italy;Hospitals;165200000;3000;Private;Yes;Art. 5 (1) f) GDPR, Art. 9 GDPR;Non-compliance with general data processing principles;The Italian DPA (Garante) fined Azienda Ospedaliero Universitaria di Parma EUR 50,000. The controller, a hospital, had reported two data breaches to the Italian DPA in which patient data was mistakenly disclosed to third parties. In the first incident, parents found the report of a microbiological examination of another patient in the file of their minor child. The report revealed the data subjects name, tax number, address, birth date and various health data. In the second incident, the heir of a patient received the health report of another patient, which contained the name and birth date as well as data on the health status of the data subject.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9544092
562;Italian Data Protection Authority (Garante);Italy;14.01.21;2000;Poliambulatorio Talenti S.r.l.;Yes;Poliambulatorio Talenti S.r.l.;Italy;Healthcare;778959;4;Private;Yes;Art. 12 (3) GDPR, Art. 15 GDPR;Insufficient fulfilment of data subjects rights;The Italian DPA (Garante) fined Poliambulatorio Talenti S.r.l. EUR 2,000 for failing to respond to the data subject's request for access to his and his daughters' data in a timely manner.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9542096
563;Italian Data Protection Authority (Garante);Italy;14.01.21;18000;Azienda Usl di Bologna;Yes;Azienda Unita' Sanitaria Locale Di Bologna;Italy;Healthcare;554000000;8500;Private;Yes;Art. 5 (1) f) GDPR, Art. 9 GDPR;Non-compliance with general data processing principles;The Italian DPA (Garante) fined Azienda Usl di Bologna EUR 18,000. In a hospital operated by the controller, 49 patients in the oncology ward received discharge letters with detailed pharmacological therapy information that originated from other patients. Fourteen of these patients had already accessed this incorrect documentation before it was corrected. The breakdown had occurred due to a manual error by a technician.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9542155
564;Polish National Personal Data Protection Office (UODO);Poland;11.02.21;22200;Krajowa Szko?a Sadownictwa i Prokuratury;Yes;Krajowa Szkoła Sądownictwa i Prokuratury;Poland;Education;NA;NA;Other;Yes;Art. 5 (1) f) GDPR, Art. 25 (1) GDPR, Art. 28 (3) GDPR, Art. 32 (1), (2) GDPR;Insufficient technical and organisational measures to ensure information security;The Polish DPA (UODO) fined Krajowa Szko?a Sadownictwa i Prokuratury (National School of Justice and Prosecution) EUR 22,200. UODO launched an investigation against the controller after it reported a data breach on its training platform website. During a test migration to the new platform, the data of more than 50,000 individuals had been exposed on the Internet. Among other things, this included the names, user names, postal and e-mail addresses, telephone numbers, units and departments of the data subjects. UODO found that the controller had not taken adequate technical and organizational measures to ensure the confidentiality of the data processed. In addition, the contract that the controller had concluded with the company entrusted with the processing of the data did not comply with the legal requirements. For example, the contract did not contain information about which categories of data would be processed.;https://www.uodo.gov.pl/decyzje/DKN.5130.2024.2020
565;Spanish Data Protection Authority (aepd);Spain;12.02.21;1600;Ripobruna 207, S.L.;Yes;Ripobruna 207, S.L.;Spain;Restaurants, Cafes & Bars;419996;16;Private;Yes;Art. 5 (1) c) GDPR;Non-compliance with general data processing principles;The Spanish DPA (AEPD) imposed a fine of EUR 2,000 against Ripobruna 207, S.L. (restaurant) for the unauthorized use of two video surveillance cameras that also recorded parts of the public space without any justified cause. The original fine of EUR 2,000 was reduced for immediate payment to EUR 1,600.;https://www.aepd.es/es/documento/ps-00191-2020.pdf
566;Croatian Data Protection Authority (azop);Croatia;22.02.21;NA;Security company (name not available at the moment);No;NA;NA;Services;NA;NA;NA;Yes;Art. 32 (1) b), d) GDPR, Art. 32 (2), (4) GDPR;Insufficient technical and organisational measures to ensure information security;A data controller using the services of the security company reported the breach of personal data to the DPA, arising after an employee of the security company recorded the video surveillance footage with a phone and shared it with third party. The recording was ultimately made available on social media and in the media. The DPA found that the security company as a data processor enabled the breach by not maintaining adequate and sufficient technical and organizational measures for personal data security for more than two and a half years. Moreover, the processor has not foreseen or implemented adequate technical security measures following the incident to prevent or minimize the risks. One data subject was consequently exposed to insults and ridicule in the public and the security company has not taken any action to remove the recording from social networks and media. The amount of the fine is NA at the moment, but the DPA clarified which aggravating circumstances it has taken into consideration when determining the fine ? (i) the fact that the processor did not fulfil its obligation to inform the controller of the incident as required by the Art 33 (2) GDPR and (ii) the fact that the basic activity of the company is the provision of physical and technical protection, which includes the use of video surveillance. The DPA also noted that the fined security company is one of the leading companies in Croatia in that activity and as such should be the relevant entity in providing opinions, guidelines, advice and propose solutions to controllers on the use of the video surveillance system and give an example to its work and pay greater attention to it than others.;https://azop.hr/izdana-nova-upravna-novcana-kazna/
567;Spanish Data Protection Authority (aepd);Spain;24.02.21;12000;Avilon Center 2016 S.L.;Yes;Avilon Center 2016 S.L.;Spain;Services;NA;NA;Private;Yes;Art. 48 (1) b) LGT, Art. 21 GDPR, Art. 23 (4)  LOPDGDD;Insufficient fulfilment of data subjects rights;The Spanish DPA (AEPD) imposed a fine of EUR 20,000 on Avilon Center 2016 S.L. The data subject had received advertising calls from the controller, although the data subject was registered in the Robinson advertising exclusion list. The original fine of EUR 20,000 was reduced to EUR 12,000 due to immediate payment and acknowledgement of debt.;https://www.aepd.es/es/documento/ps-00502-2020.pdf
569;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;10.12.20;22200;Budapesti Muszaki es Gazdasagtudomanyi Egyetem (Budapest University of Technology and Economics);Yes;Budapesti Muszaki es Gazdasagtudomanyi Egyetem;Hungaria;Education;NA;974;Other;No;Art. 5 (1) a), b), c) GDPR, Art. 6 (1) GDPR, Art. 9 (2) GDPR, Art. 12 GDPR, Art. 13 GDPR;Insufficient legal basis for data processing;The Hungarian DPA (NAIH) imposed a fine of EUR 22,200 against the Budapest University of Technology and Economics. NAIH finds that the controller unlawfully processed personal data in the course of audits of applications for social scholarships. Among other things, data was processed without a legal basis and in some cases particularly sensitive data was processed, although this was not necessary for the evaluation of the scholarship applications.;https://naih.hu/hatarozatok-vegzesek?download=325:1-rendszeres-szocialis-osztondijakkal-kapcsolatos-adatkezeles-a-budapesti-muszaki-es-gazdasagtudomanyi-egyetemen-modositasokkal-egyseges-szerkezetben
570;Data Protection Authority of Ireland;Ireland;12.08.20;85000;Tusla Child and Family Agency;Yes;Tusla;Ireland;Politics & Government;750000000;4000;Other;Yes;Art. 32 (1) GDPR;Insufficient technical and organisational measures to ensure information security;The Irish DPA (DPC) fined Tusla Child and Family Agency EUR 85,000. The controller had reported 71 data breaches to the Irish DPA that occurred between May 25 and November 16, 2018, and concerned the unauthorized access of personal data processed by the controller. After a broad investigation, the DPA concluded that the controller failed to implement adequate technical and organizational measures to protect the data processing and thus violated Art. 32 (1) of the GDPR.;https://www.dataprotection.ie/sites/default/files/uploads/2021-02/12.08.2020_Decision_Tusla_IN-18-11-04.pdf
571;Lithuanian Data Protection Authority (VDAI);Lithuania;26.02.21;12000;Nacionaliniam visuomenes sveikatos centrui (NVSC);Yes;Lietuvos Respublikos Sveikatos Apsaugos Ministerija;Lithuania;Politics & Government;14600000;252;Other;Yes;Art. 5 (1), (2) GDPR, Art. 13 GDPR, Art. 24 GDPR, Art. 32 GDPR, Art. 35 GDPR, Art. 58 (2) f) GDPR;Non-compliance with general data processing principles;"The Lithuanian DPA (VDAI) imposed a fine of EUR 12,000 on the Lithuanian National Health Service (NVSC). The DPA had opened an investigation regarding a quarantine app introduced in Lithuania during the COVID-19 pandemic in spring 2020. The IT company 'IT sprendimai sekmei' had developed the app, which was then used by the NVSC. 
In the course of the investigation, the DPA found that during the app's period of use, the data of a total of 677 individuals had been processed in varying degrees. The app was able to collect data such as the name, address and phone number of the data subjects. The DPA concluded that the controller had not taken sufficient technical and organizational measures to protect the data processing. Furthermore, a data protection impact assessment was not carried out, although this would have been necessary in particular because the app also processed special categories of personal data including health data. The DPA further stated that the controller had provided non-transparent and incorrect information in the app's privacy policy.";https://vdai.lrv.lt/lt/naujienos/skirta-bauda-del-bendrojo-duomenu-apsaugos-reglamento-pazeidimu-
572;Lithuanian Data Protection Authority (VDAI);Lithuania;26.02.21;3000;IT sprendimai sekmei;Yes;IT sprendimai sėkmei, UAB;Lithuania;IT Services;119755;4;Private;Yes;Art. 5 (1), (2) GDPR, Art. 13 GDPR, Art. 24 GDPR, Art. 32 GDPR, Art. 35 GDPR, Art. 58 (2) f) GDPR;Non-compliance with general data processing principles;"The Lithuanian DPA (VDAI) imposed a fine of EUR 3,000 on the company 'IT sprendimai sekmei'. The DPA had opened an investigation regarding a quarantine app introduced in Lithuania during the COVID-19 pandemic in spring 2020. The controller had developed the app, which was then used by the Lithuanian National Health Service. 
In the course of the investigation, the DPA found that during the app's period of use, the data of a total of 677 individuals had been processed in varying degrees. The app was able to collect data such as the name, address and phone number of the data subjects. The DPA concluded that the controller had not taken sufficient technical and organizational measures to protect the data processing. Furthermore, a data protection impact assessment was not carried out, although this would have been necessary in particular because the app also processed special categories of personal data including health data. The DPA further stated that the controller had provided non-transparent and incorrect information in the app's privacy policy.";https://vdai.lrv.lt/lt/naujienos/skirta-bauda-del-bendrojo-duomenu-apsaugos-reglamento-pazeidimu-programeleje-karantinas
576;Lithuanian Data Protection Authority (VDAI);Lithuania;02.03.21;15000;Registru Centras;Yes;Registru Centras Vi;Lithuania;Services;40400000;17;Private;Yes;Art. 32 (1) b), c) GDPR;Insufficient technical and organisational measures to ensure information security;The Lithuanian DPA (VDAI) imposed a fine of EUR 15,000 on Registru Centras. The controller is a company which manages several Lithuanian registers. The company suffered a data breach that affected 22 of these registers. During its investigation, the DPA found that the controller had not implemented adequate technical and organizational measures to protect the processing of personal data. The measures implemented by the controller were clearly not sufficient to ensure the continuous integrity, availability and resilience of the data, nor to restore the availability of the data after incidents.;https://vdai.lrv.lt/lt/naujienos/skirta-bauda-del-bendrojo-duomenu-apsaugos-reglamento-pazeidimu-registru-centre
577;Spanish Data Protection Authority (aepd);Spain;02.03.21;200000;I-DE Redes Electricas Inteligentes, S.A.U;Yes;I-De Redes Electricas Inteligentes Sociedad Anonima.;Spain;Energy;1900000000;4266;Private;Yes;Art. 5 (1) b), c) GDPR, Art. 6 (1) b) GDPR;Non-compliance with general data processing principles;"The Spanish DPA (AEPD) imposed a fine of EUR 200,000 on I-DE Redes Electricas Inteligentes, S.A.U. The DPA received complaints from Waitum, S.L. and Servicios Aby 2018, S.L. because their customers had received letters from the controller. Both companies had previously transferred their customers' personal data to the controller under a network access agreement entered into with the controller. Under this agreement, the two companies acted as representatives of their respective customers, who were supplied with electricity by the controller. In the letters sent, the controller mentioned, among other things, alleged breaches of contract and non-payment by the companies to the controller. 
In the course of its investigations, the DPA determined that the sending of these letters was neither related to nor necessary for the performance of the respective contract. The controller had therefore violated the principles of purpose limitation and data minimization, so that the sending of these letters constituted unlawful processing of the customers' personal data.";https://www.aepd.es/es/documento/ps-00197-2020.pdf
578;Cypriot Data Protection Commissioner;Cyprus;03.03.21;25000;Hellenic Bank;Yes;Hellenic Development Bank S.A.;Greece;Finance & Insurance;6900000;60;Private;No;Art. 5 (1) e), f) GDPR, Art. 32 (1) b), c) GDPR, Art. 33 (1) GDPR;Insufficient technical and organisational measures to ensure information security;The Cypriot DPA imposed a fine of EUR 25,000 on Hellenic Bank. The bank had closed one of its branches in the city of Nicosia in 2015. When moving out of the space, a safe containing old documents of still existing customers, installed in one of the walls, had been forgotten. As the building was vacant in the following years, the controller only learned about this incident when the property was rented out again for the first time in 2019. The new tenant had found the safe and informed the controller. Bank staff had then retrieved the documents and reported the data breach to the Cypriot DPA. The DPA ultimately concluded that the controller had violated Art. 5 (1) e), f) GDPR, Art. 32 (1) b), c) GDPR, and Art. 33 (1) GDPR.;http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/All/B0CED3EDDC2EE5EDC225868D0037E7A4?OpenDocument
579;Cypriot Data Protection Commissioner;Cyprus;03.03.21;10000;Cypriot Real Estate Registration Authority;Yes;Business In Cyprus;Cyprus;Politics & Government;NA;NA;Other;Yes;Art. 12 GDPR, Art. 15 GDPR, Art. 31 GDPR, Art. 58 (1) e) GDPR;Insufficient fulfilment of information obligations;The Cypriot DPA imposed a fine of EUR 10,000 on the Cypriot Real Estate Registration Authority. The data subject submitted a written request to the controller requesting various information relating to him personally, exercising the right of access granted to him under Art. 15 GDPR. After the controller failed to respond to the request for information, the data subject filed a complaint with the DPA. In the course of the subsequent investigation by the DPA, the controller also failed to respond to requests by the DPA to comment on the allegation.;http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/All/B0CED3EDDC2EE5EDC225868D0037E7A4?OpenDocument
580;Cypriot Data Protection Commissioner;Cyprus;03.03.21;6000;KEPIDES;Yes;Cyprus Asset Management Company Ltd;Cyprus;Real Estate;NA;NA;Other;Yes;Art. 32 (4);Insufficient technical and organisational measures to ensure information security;The Cypriot DPA imposed a fine of EUR 6,000 against KEPIDES (real estate company). The controller had submitted a list of buyers of the properties it manages to a parliamentary committee. However, the controller had failed to anonymize the list, as a result of which the names of the data subjects were transmitted.;http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/All/B0CED3EDDC2EE5EDC225868D0037E7A4?OpenDocument
581;Cypriot Data Protection Commissioner;Cyprus;03.03.21;40000;Electricity Authority of Cyprus;Yes;Electricity Authority Of Cyprus;Cyprus;Energy;771400000;2088;Private;Yes;Art. 6 (1) GDPR, Art. 9 (2) GDPR;Insufficient legal basis for data processing;The Cypriot DPA imposed a fine of EUR 40,000 on the Electricity Authority of Cyprus. The controller used an automated system based on the so-called Brad-Factor to manage, monitor and control employee absences due to illness using a tool assessment. The DPA found that such an assessment mechanism was not covered by Cypriot labor law and had therefore been used unlawfully. Furthermore, an option for data subjects not to consent to such automated processing of their personal data should have been provided.;http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/All/B0CED3EDDC2EE5EDC225868D0037E7A4?OpenDocument
582;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;04.03.21;500;Natural person holding the position of General Secretary for a political party in Bucharest;No;NA;Romania;Politics & Government;NA;NA;Other;Yes;Art. 32 (1), (2) GDPR, Art. 58 (1) a), e) GDPR;Insufficient technical and organisational measures to ensure information security;The Romanian DPA (ANSPDCP) imposed a fine in the amount of EUR 500 against a natural person holding the position of General Secretary for a political party in Bucharest. The controller had published a list on a social network, which contained personal data such as names, signatures, nationalities, dates of birth, postal addresses, of ten supporters of the party. The DPA found that the controller had failed to implement adequate technical and organizational measures to protect the processing of personal data. In addition, the controller had not sufficiently cooperated with the DPA in its investigation.;https://www.dataprotection.ro/?page=Comunicat_Presa_04_03_2021&lang=ro
583;Polish National Personal Data Protection Office (UODO);Poland;15.01.21;4600;Anwara Sp. z.o.o.;Yes;Anwara Sp. z.o.o.;Poland;Education;NA;NA;Private;Yes;Art. 31 GDPR, Art. 58 (1) a) GDPR;Insufficient cooperation with supervisory authority;The Polish DPA (UODO) fined the company Anwara Sp. z.o.o. EUR 4,600. The controller had not cooperated with the DPA and had not provided it with all the information necessary for an investigation. The controller twice ignored written requests for explanations regarding a procedure to investigate a complaint filed by an individual. Although the letters were properly sent, the company did not provide reasons for its failure to do so.;https://uodo.gov.pl/decyzje/DKE.561.16.2020
584;Polish National Personal Data Protection Office (UODO);Poland;11.01.21;30000;Enea S.A.;Yes;ENEA SA;Poland;Energy;3700000000;17241;Public;Yes;Art. 33 (1) GDPR;Insufficient fulfilment of data breach notification obligations;The Polish DPA (UODO) fined Enea S.A. EUR 30,000 for the controller's failure to report a personal data breach, in violation of Art. 33 (1) GDPR. The DPA received information about a personal data breach from a person who had become an unauthorized recipient of personal data. The breach consisted of sending an email with an unencrypted, non-password protected attachment that contained personal data of several hundred individuals. The sender of the email was an employee of the sanctioned controller.;https://www.uodo.gov.pl/decyzje/DKN.5131.7.2020
585;Spanish Data Protection Authority (aepd);Spain;09.03.21;15000;Homeowners Association;No;NA;NA;NA;NA;NA;NA;Yes;Art. 5 (1) f) GDPR;Non-compliance with general data processing principles;The Spanish DPA (AEPD) imposed a fine of EUR 15,000 on a homeowners' association. The controller had publicly displayed the record of a homeowners' meeting in the elevator of the building where the participants lived. From the records, the names, floors and apartment numbers of the meeting participants could be obtained, as well as the floors and apartment numbers of neighbors about whom the participants had complained during the meeting. The controller had justified the public notice with the fact that the results of this meeting concerned planned legal actions against some of the residential parties. They were to be informed about this so that they would not be able to claim later that they had not received the relevant notifications. The DPA considers this to be a violation of Art. 5 (1) f) GDPR, which refers to the principles of integrity and confidentiality of personal data.;https://www.aepd.es/es/documento/ps-00378-2019.pdf
587;Spanish Data Protection Authority (aepd);Spain;10.03.21;10000;Hospital Campogrande DE;Yes;Hospital Recoletas De Castilla Leon Sl;Spain;Hospitals;39600000;392;Private;Yes;Art. 5 (1) f) GDPR;Non-compliance with general data processing principles;"The Spanish DPA (AEPD) imposed a fine of EUR 10,000 on Hospital Campogrande DE. A patient filed a complaint against the controller with the DPA. The controller had performed an MRI on the patient on September 05, 2019 due to an injury of the right knee. The cost of the examination was covered by the patient's private health insurance. Due to a work-related injury, another MRI of the same knee had to be performed on September 27, 2019. Although the second MRI was performed at another hospital, albeit one belonging to the corporate group, the hospital system also linked the first, privately arranged MRI to the patient's record at the second hospital. The first MRI was provided through the hospital network without any medical justification. 
This turned out to be very unfavorable for the patient when, upon presentation of the second MRI, the company physician informed him that he would have to contact his private physician or the social insurance with this injury, since the incident could not be considered an occupational accident. He justified this with the existence of the first MRI, which had a non-occupational cause.";https://www.aepd.es/es/documento/ps-00074-2020.pdf
588;Spanish Data Protection Authority (aepd);Spain;10.03.21;8000;Filigrana Comunicacion S.L.U.;Yes;Filigrana Comunicacion S.L.U.;Spain;Services;NA;NA;Private;Yes;Art. 6 (1) GDPR, Art. 13 GPDR, Art. 14 GDPR;Insufficient fulfilment of information obligations;The Spanish DPA (AEPD) fined Filigrana Comunicacion S.L.U. EUR 8,000. The controller operates a website that provides information on internships offered by the Spanish Ministry of Education and Sports. In addition, the results of various competitions held by the Ministry are published on the site. The controller had compiled and published the data of the participants from publicly available sources without first obtaining the consent of the data subjects. Likewise, the controller had not fulfilled its information obligations to them in accordance with Art. 13 GDPR and Art. 14 GDPR.;https://www.aepd.es/es/documento/ps-00136-2020.pdf
589;Italian Data Protection Authority (Garante);Italy;17.12.20;4000;Comune di Santo Stefano Belbo;Yes;Comune Di Santo Stefano Belbo;Italy;Politics & Government;1100000;22;Other;Yes;Art. 5 (1) a), c) GDPR, Art. 6 (1) c), e) GDPR, Art. 6 (2) GDPR, Art. 6 (3) b) GDPR;Non-compliance with general data processing principles;The Italian DPA (Garante) imposed a fine of EUR 4,000 on the municipality of Santo Stefano Belbo. The reason for this was that the controller had published two documents on a legal settlement of the data subject on its website. The documents were not only freely accessible, but could also be downloaded.  The documents contained personal data and information about the data subject, including, in addition to his first and last name, a confirmation of the payment of legal costs, the IBAN code of his checking account, information about the lawsuit and the amounts paid in favor of the data subject.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9557753
590;Italian Data Protection Authority (Garante);Italy;17.12.20;10000;Comune di Luino;Yes;Comune Di Luino;Italy;Politics & Government;6900000;140;Other;Yes;Art. 5 (1) a), c) GDPR, Art. 6 (1) c), e) GDPR, Art. 6 (2) GDPR, Art. 6 (3) b) GDPR, Art. 37 (1) a) GDPR, Art. 37 (7) GDPR;Non-compliance with general data processing principles;The Italian DPA (Garante) imposed a fine of EUR 10,000 on the municipality of Luino. The controller had published a document containing personal data of a local council member. In addition to personal data, the document also contained information about a complaint procedure filed against him by the mayor. The freely accessible document could be downloaded without further authentication. Furthermore, the municipality had failed to name a data protection officer and to provide the DPA with his/her contact details.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9557593
591;Italian Data Protection Authority (Garante);Italy;25.02.21;300000;Istituto Nazionale Previdenza Sociale (INPS);Yes;Istituto Nazionale Della Previdenza Sociale;Italy;Finance & Insurance;1500000000;26706;Private;Yes;Art. 5 (1) a), c), d) GDPR, Art. 25 GDPR, Art. 35 GDPR;Non-compliance with general data processing principles;"The Italian DPA (Garante) imposed a fine of EUR 300,000 on the Istituto Nazionale Previdenza Sociale (INPS). The Italian National Institute for Social Security had been tasked with anti-fraud investigations related to COVID-19 relief funds. After press reports raised problems with the institute's data processing practices around the application review of politicians, the Italian DPA opened an investigation against INPS in August 2020. During that investigation, the DPA identified several violations. 

The controller had collected data on tens of thousands of politicians from public sources and cross-checked it with data from applicants. In doing so, however, the controller had failed to ensure that data was collected only from those politicians who were eligible to receive the assistance funds. In doing so, the controller violated the principles of lawfulness, fairness, and transparency as set out in the GDPR.

Furthermore, the controller had violated the principle of data minimization by initiating checks on reimbursements even for individuals whose applications had been rejected and who had therefore never received payments.

Furthermore, the controller had not adequately assessed the risks associated with a data processing operation as sensitive as that on applications for social benefits, since it had not carried out an impact assessment on the rights and freedoms of the data subjects.";https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9556958
592;Spanish Data Protection Authority (aepd);Spain;10.03.21;50000;Equifax Iberica S.L.;Yes;Equifax Iberica Sl;Spain;Science & Research;37900000;173;Private;Yes;Art. 6 (1) f) GDPR;Insufficient legal basis for data processing;"The Spanish DPA (AEPD) fined Equifax Iberica S.L. EUR 50,000 for a violation of Art. 6 (1) f) GDPR. The controller had added the data subject to a debtor register without informing her beforehand.  The data subject had outstanding payments of rent with her landlord, who had previously sent her corresponding requests for payment. The controller itself had also sent notices to the data subject requesting her to pay the debts. These, however, did not contain any information that the data subject would be entered in the debtors' register in the event of non-payment. 
Also, the rental contract of the data subject did not contain any provisions in this regard, which led the DPA to conclude that the controller did not have a legitimate interest within the terms of the GDPR and thus had processed the personal data of the data subject without a legal basis.";https://www.aepd.es/es/documento/ps-00406-2020.pdf
593;Spanish Data Protection Authority (aepd);Spain;10.03.21;90000;Xfera Moviles S.A.;Yes;Xfera Moviles Sau;Spain;Telecommunications;1500000000;473;Private;Yes;Art. 5 (1) f) GDPR, Art. 17 GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;"The Spanish DPA (AEPD) imposed a fine of EUR 150,000 on Xfera Moviles S.A.. The DPA had received two complaints from a data subject. 
The first complaint concerned the sending of advertising SMS messages that the data subject received from the controller, although he had objected to this and requested that his data be deleted. According to the data subject, he received over 60 SMS messages within 30 days.
The second complaint was filed by the data subject because the controller repeatedly sent him messages containing confidential data of a third party. This concerned the login information of another customer to a company platform. On the portal, it was possible to view personal information as well as invoices, among other things. Although the data subject had informed the company of this, the incorrect mailing did not end. 
The original fine of EUR 150,000 was reduced to EUR 90,000 due to immediate payment and admission of guilt.";https://www.aepd.es/es/documento/ps-00448-2020.pdf
594;Spanish Data Protection Authority (aepd);Spain;11.03.21;8150000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 28 GDPR, Art. 24 GDPR, Art. 44 GDPR, Art. 21 LSSI, Art. 48 (1) b) LGT, Art. 21 GDPR, Art. 23 LOPDGDD;Insufficient fulfilment of data subjects rights;"Since 2018, the Spanish DPA (AEPD) had received a total of 191 complaints against Vodafone Espana, S.A.U. The data subjects complained about advertising calls and messages (e-mail and SMS) made on behalf of Vodafone Espana as part of marketing campaigns. The contact was made without the prior consent of the data subjects and continued even after they had exercised their right to object. Furthermore, many data subjects were contacted even though their numbers were on the Robinson list.

The AEPD explains that aggravatingly, it took into account that Vodafone Espana had regularly received fines in more than 50 cases from January 2018 to February 2020, and the fact that there had been 162 complaints received by the AEPD in just under two years. 

The fine is composed as follows: EUR 4 million for a breach of Art. 28 GDPR and Art. 24 GDPR; EUR 2 million for a breach of Art. 44 GDPR; EUR 150,000 for a breach of Art. 21 LSSI; and EUR 2 million for a breach of Art. 48 (1) b) LGT, Art. 21 GDPR and Art. 23 LOPDGDD.";https://www.aepd.es/es/documento/ps-00059-2020.pdf
596;Spanish Data Protection Authority (aepd);Spain;12.03.21;12000;NBQ Technology, S.A.U.;Yes;Nbq Technology Sau;Spain;Finance & Insurance;6600000;32;Private;Yes;Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has fined NBQ Technology, S.A.U. EUR 20,000. An identity thief had obtained the data of a third party without authorization and applied for a microcredit from the controller under pretence of the data subject's identity. The controller then approved the loan. Since the data processed in the course of granting the loan did not belong to the loan recipient, but to the data subject, the AEPD determined that the controller did not have a legal basis for processing the data. The processing was therefore unlawful, and a breach of Art. 6 (1) GDPR was affirmed. The original fine of EUR 20,000 was reduced  to EUR 12,000 due to immediate payment and acknowledgement of debt.;https://www.aepd.es/es/documento/ps-00061-2021.pdf
597;Spanish Data Protection Authority (aepd);Spain;15.03.21;5000;Certime S.A.;Yes;Certime S.A.;Spain;Healthcare;366252;4;Private;Yes;Art. 5 (1) b) GDPR;Non-compliance with general data processing principles;The Spanish DPA (AEPD) has imposed a fine of EUR 5,000 on Certime S.A.. The data subject had renewed her driver's license with the controller in 2009. After her address had changed in 2018, in 2019 she received mail from the controller to her new address without having informed the controller of the adress change. In the letter, the controller informed the data subject that her driver's license would soon expire. In response to a inquiry from the data subject as to where her new contact information came from, the controller informed her that its database was regularly updated using data obtained from the Spanish transport authority DGT (Direccion General de Trafico). As the data subject had not given consent for such processing of her data, she filed a complaint against the controller with the Spanish DPA. An investigation by the DPA revealed that the company had indeed entered into a contract with DGT. However, DGT had clarified that the purpose of the processing of contact data under the contract was to ensure the accuracy of the address when renewing a driver's license or when issuing medical reports so that it could be sent to the correct address. Nevertheless, the data subjects must request and consequently consent to such a change of address. Since these criteria were not met in the specific case, the DPA found a violation of the purpose limitation principle.;https://www.aepd.es/es/documento/ps-00417-2020.pdf
598;Italian Data Protection Authority (Garante);Italy;17.12.20;2000;Ordine degli Assistenti Sociali della Regione Lazio;Yes;Consiglio Regionale Ordine Assistenti Sociali del Lazio;Italy;Politics & Government;NA;NA;Other;Yes;Art. 12 (3), (4) GDPR;Insufficient fulfilment of data subjects rights;The Italian DPA (Garante) has imposed a fine of EUR 2,000 on Ordine degli Assistenti Sociali della Regione Lazio. On November 27, 2019, a data subject had sent an email to the controller requesting what data was being processed regarding him and his daughters. After initially receiving no response to his request for information, on January 10, 2020, the data subject filed a complaint against the controller with the Italian DPA. His request for information was subsequentely complied with on June 17, 2020, but without explaining the delay and, in particular, the initial non-response to the request.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9557793
599;Italian Data Protection Authority (Garante);Italy;11.02.21;75000;Ministero dello Sviluppo Economico;Yes;Ministero Dello Sviluppo Economico;Italy;Politics & Government;186900000;1700;Other;Yes;Art. 5 (1) a), b), c) GDPR, Art. 6 (1) c), e) GDPR, Art. 6 (2) GDPR, Art. 6 (3) b) GDPR, Art. 37 (1), (7) GDPR;Non-compliance with general data processing principles;"The Italian DPA (Garante) has fined the Ministry of Economic Development (Ministero dello Sviluppo Economico) EUR 75,000 for failing to appoint a data protection officer by May 28, 2018, and for publishing personal data of more than five thousand managers on its website. 
In Italy, small and medium-sized companies that had previously received a relevant voucher could book advice on technological and digital processes from experienced business professionals, through the controller. The Italian DPA launched an investigation against the controller after it became known that personal data of more than five thousand managers who had made themselves available for corresponding consultations were freely accessible on its website. The personal data, such as name, tax number, e-mail, full CV and in some cases a copy of the identity card and health card of the data subjects, was publicly visible and could be freely downloaded.  On the website, it was also possible to download the directorate resolution that had approved the list, which included the data and information of all the directors. The DPA found that the processing was unlawful and that the directorate resolution referred to by the controller did not constitute an adequate legal basis for the disclosure of online data.";https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9556625
600;Italian Data Protection Authority (Garante);Italy;14.01.21;75000;Regione Lazio;Yes;Regione Lazio;Italy;Politics & Government;174200000;3000;Other;Yes;Art. 5 (2) GDPR, Art. 28 GDPR;Insufficient data processing agreement;The Italian DPA (Garante) has fined Regione Lazio (Lazio Region) EUR 75,000 for failing to designate Capodarco, the company it entrusted with the management of reservations for healthcare services in 1999, as a data processor. The controller had not entered into a contract with Capodarco that would have governed its role as data processor in accordance with the requirements of data protection law. Thus, a proper contract for commissioned processing had not been concluded until 2019, which meant that data had been processed unlawfully for a period of about 20 years.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9542113
601;Belgian Data Protection Authority (APD);Belgium;15.03.21;1000;School;No;NA;NA;Education;NA;NA;Other;Yes;Art. 5 (1) c) GDPR, Art. 6 (1) GDPR, Art. 8 GDPR;Insufficient legal basis for data processing;The Belgian DPA (APD) fined a school EUR 1,000. The controller had conducted a survey on student well-being via a smartschooling system. The DPA states that the controller did not obtain the consent of the parents of the minor students and violated the principle of data minimization. The original fine of EUR 2,000 was reduced to EUR 1,000 after the controller appealed the APD's decision.;https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-36-2021.pdf
603;Spanish Data Protection Authority (aepd);Spain;15.03.21;2000;Heredad de Uruena S.A.;Yes;Heredad de Urueña S.A.;Spain;Food & Beverage;214285;4;Private;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;The Spanish DPA (AEPD) fined Heredad de Uruena S.A. EUR 2,000 because its personal data processing policy did not comply with the requirements of Art. 13 GDPR. In addition, the controller did not provide a privacy policy on its website informing users about the processing of their personal data.;https://www.aepd.es/es/documento/ps-00375-2020.pdf
604;Spanish Data Protection Authority (aepd);Spain;18.03.21;3000;Asesoria Alpi-Clua S.L.;Yes;Asesoria Alpi Clua SL;Spain;Services;NA;NA;Private;Yes;Art. 5 (1) f) GDPR, Art. 32 (1) GDPR;Non-compliance with general data processing principles;The Spanish DPA (AEPD) imposed a fine of EUR 3,000 on Asesoria Alpi-Clua S.L.. A client had requested documents from the controller to submit them to the tax authorities. The controller sent her an e-mail that, however, did not contain the documents she had requested, but documents from another client.;https://www.aepd.es/es/documento/ps-00483-2020.pdf
605;Spanish Data Protection Authority (aepd);Spain;16.03.21;60000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) imposed a fine of EUR 60,000 on Vodafone Spain. The data subject had been a customer of the controller several years ago. After receiving payment reminders from the controller via SMS for services she had never booked, she informed the controller and asked for clarification and deletion of her data. Despite a positive response, she continued to receive the same SMS. The data subject then filed two complaints with the Spanish DPA against Vodafone Spain. Both times, the controller had assured that it had corrected the reason for the incorrect sending and deleted the data of the data subject. Nevertheless, the mailing continued, leading the data subject to file a third complaint. The original fine of EUR 100,000 was reduced to EUR 60,000 due to immediate payment and admission of guilt.;https://www.aepd.es/es/documento/ps-00484-2020.pdf
606;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;23.03.21;2000;S.C. Medicover S.R.L.;Yes;Medicover Srl;Romania;Healthcare;25550481;627;Private;Yes;Art. 32 (1) b), (2), (4) GDPR;Insufficient technical and organisational measures to ensure information security;In February, the Romanian DPA (ANSPDCP) closed an investigation against S.C. Medicover S.R.L. and found a violation of Art. 32 (1) b), (2), (4) GDPR.  The DPA imposed a fine of EUR 2,000 on the controller. The investigation was initiated following successive notifications by the controller regarding personal data breaches related to unauthorized disclosure and unauthorized access to personal data such as name, correspondence address, email and health data of the data subjects. On several occasions, documents containing personal data had been sent to the wrong recipients. The DPA found that the incidents occurred due to the controller's failure to implement appropriate technical and organizational measures to protect the processing of personal data.;https://www.dataprotection.ro/?page=Comunicat_Presa_23_/_03_/_2021&lang=ro
607;Spanish Data Protection Authority (aepd);Spain;23.03.21;1000;Laboratorio Octogon, S.L.;Yes;Laboratorio Octogon, S.L.;Spain;Services;1000000;5;Private;Yes;Art. 5 (1) c) GDPR;Non-compliance with general data processing principles;Usage of CCTV camera systems that were also monitoring public space (breach of principle of data minimization).;https://www.aepd.es/es/documento/ps-00295-2020.pdf
608;Norwegian Supervisory Authority (Datatilsynet);Norway;15.03.21;4900;Alesund Municipality;Yes;Alesund Community;Norway;Politics & Government;NA;NA;Other;Yes;Art. 32 (1) b) GDPR, Art. 24 (1) GDPR, Art. 35 GDPR;Insufficient technical and organisational measures to ensure information security;The Norwegian DPA (Datatilsynet) imposed a fine of EUR 4,900 on the municipality of Alesund. At two schools in Alesund, teachers asked students to download the training app Strava for physical education classes. The students were then given tasks that the teachers controlled via the tracking function. According to the Norwegian DPA's investigation, this resulted in data breaches because the municipality failed to provide standard procedures for privacy-compliant app use in schools. For example, a data protection impact assessment was not carried out, although this would have been necessary in view of the potential risk to the students. In addition, adequate technical and organizational security measures had not been implemented to ensure the protection of the processing.;https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2021/gebyr-til-alesund-kommune-for-bruk-av-strava/
609;Spanish Data Protection Authority (aepd);Spain;15.03.21;600000;Air Europa Lineas Aereas, SA.;Yes;Air Europa Lineas Aereas, Sociedad Anonima;Spain;Aviation;1800000000;25000;Private;Yes;Art. 32 (1) GDPR, Art. 33 GDPR;Insufficient technical and organisational measures to ensure information security;The Spanish DPA (AEPD) fined Air Europa Lineas Aereas, SA. EUR 600,000 after a serious data breach involving unauthorized access to contact details and bank accounts was reported to the AEPD. Approximately 489,000 individuals and 1,500,000 records were affected. The AEPD announced that it had fined the controller EUR 500,000 for a breach of Art. 32 (1) GDPR due to the failure to take appropriate technical and organizational measures to ensure an adequate level of security, and EUR 100,000 for a breach of Art. 33 GDPR for notifying the AEPD of the security breach 41 days late. In determining the amount of the fine, the fact that the incident was not limited to a local area, but affected a large number of people not only in Spain, but also worldwide, and that sensitive banking and financial data were affected, harming several thousand people, was taken into account as an aggravating factor.;https://www.aepd.es/es/documento/ps-00179-2020.pdf
610;Italian Data Protection Authority (Garante);Italy;25.02.21;2000;Comune di Conflenti;Yes;Comune di Conflenti;Italy;Politics & Government;NA;NA;Other;Yes;Art. 5 (1) a), c) GDPR, Art. 6 (1) c), e) GDPR, Art. 6 (2) GDPR, Art. 6 (3) b) GDPR;Insufficient legal basis for data processing;The Italian DPA (Garante) imposed a fine of EUR 2,000 on the municipality of Conflenti. A former employee of the municipality filed a complaint with the DPA because a document containing her personal data, including information about her employment with the municipality and an excerpt from the termination letter, was published on the municipality's website.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9565258
611;Norwegian Supervisory Authority (Datatilsynet);Norway;08.03.21;14900;Dragefossen AS;Yes;Dragefossen As;Norway;Energy;12800000;50;Private;Yes;Art. 5 (1) a) GPDR, Art. 6 (1) GDPR;Insufficient legal basis for data processing;"The Norwegian DPA (Datatilsynet) imposed a fine of EUR 14,900 on the energy company Dragefossen AS. The latter had installed a webcam on the roof of its office building in the center of Rognan which was in operation 24/7 and recorded the city center. These recordings could be viewed via a live video stream on Youtube and on the controller's homepage. In addition, the recordings could be rewound for up to twelve hours. 

The area covered by the camera surveillance included a public street, the parking lot and entrance of two grocery stores, a pharmacy, a liquor store, the local bank, city hall, and a number of other buildings.

It was not possible to make out facial details or read license plates on cars due to the image quality and distance from the camera. Nevertheless, the image quality was good enough to be able to identify what type of car the data subjects were driving, what type of clothing they were wearing, what hair color they had, and other personal characteristics. This was sufficient for those watching the live broadcast to identify and track co-workers, colleagues, friends, family, or other acquaintances.

The Norwegian DPA concluded that the live broadcast constitutes a breach of Art. 6 (1) GDPR and Art. 5 (1) a) GPDR.

The decision highlights that the illegal camera surveillance involved a significant number of employees and that many were monitored repeatedly, some on a daily basis. Those who were monitored were on their way to and from work, who needed to buy groceries, medications, or alcohol, or who were in the public area for other reasons. These are activities where the data subjects do not expect to be monitored, and even less they expect the monitoring to be broadcast live on the Internet.";https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2021/dragefossen-as-far-gebyr/
612;Dutch Supervisory Authority for Data Protection (AP);Netherlands;10.12.20;475000;Booking.com B.V.;Yes;Booking.Com B.V.;Netherlands;IT Services;8900000000;1261;Private;Yes;Art. 33 GDPR;Insufficient fulfilment of data breach notification obligations;The Dutch DPA (Autoriteit Persoonsgegevens) has fined Booking.com EUR 475,000 for not reporting a data breach to the DPA in a timely manner. In December 2018, criminals gained access to the data of 4,109 people who had booked a hotel room through the booking site. That included their names, addresses and phone numbers, as well as details about their booking. The criminals also accessed the credit card data of 283 people and managed to access the credit card's security code in 97 cases. Furthermore, they tried to get other victims' credit card details by pretending to be Booking.com employees via email or phone. Booking.com was notified of the data breach on January 13, 2019, but did not report it to the DPA until February 7, 2019. The controller was thus 22 days late in reporting the data breach, as it is required to report a data breach to the DPA within 72 hours.;https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/besluit_boete_booking.pdf
613;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;30.03.21;10000;Telekom Romania Mobile Communications S.A.;Yes;Deutsche Telekom AG;Germany;Telecommunications;97600000000;226291;Public;No;Art. 32 (1), (2) GDPR;Insufficient technical and organisational measures to ensure information security;The Romania DPA (ANSPDCP) has fined Telekom Romania Mobile Communications S.A. EUR 10,000 for failing to implement adequate security measures to ensure the security of personal data processing. In particular, the ANSPDCP's investigation revealed that the controllers' failure to implement adequate security measures resulted in the unauthorized disclosure of the data of 99,210 data subjects, including their customer number, gender and telephone number, as well as unauthorized access to the personal data stored in the accounts of 413 customers. On this basis, the ANSPDCP ruled that the controller violated Art. 32 (1) and (2) GDPR.;https://www.dataprotection.ro/?page=Comunicat_30_/_03_/_2021&lang=ro
614;Italian Data Protection Authority (Garante);Italy;25.02.21;6000;Comune di Commezzadura;Yes;Comune di Commezzadura;Italy;Politics & Government;NA;NA;Other;Yes;Art. 5 (1) a), c) GDPR, Art. 6 GDPR, Art. 9 GDPR;Insufficient legal basis for data processing;The Italian DPA (Garante) imposed a fine of EUR 6,000 on the municipality of Commezzadura. A former employee of the municipality filed a complaint with the DPA because a document containing his personal data was published on the municipality's website. The document contained the confirmation and acceptance of the employee's voluntary termination of employment and information about the employment relationship at that time, including evaluations of his work and information about his health. The data subject also complained that this information had been mentioned in an article in a newspaper. In particular, the article discussed the end of employment and quoted a statement by the mayor of the municipality referring to the fact that the data subject had asked for flexible working hours and had been absent from work during the Christmas vacations due to illness.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9567429
616;Italian Data Protection Authority (Garante);Italy;25.02.21;20000;Gedi Gruppo Editoriale S.p.A.;Yes;GEDI Gruppo Editoriale SpA;Italy;Newspapers & Publishing;547100000;2221;Public;Yes;Art. 5 (1) a) GDPR;Insufficient legal basis for data processing;The Italian DPA (Garante) has fined Gedi Gruppo Editoriale S.p.A. 20,000 euros. The controller had published photos in its newspaper of people who were in custody in connection with a murder. The photos showed the accused in handcuffs and had been taken without their consent. Although some of the photos had been pixelated around the handcuffs, the faces of the defendants remained visible, allowing them to still be identified. The DPA had ordered the controller in advance to refrain from further use of these photos. The DPA imposed the fine because the controller had not complied with this order.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9568244
617;Italian Data Protection Authority (Garante);Italy;11.02.21;350000;Roma Capitale;No;Roma Capitale;Italy;Politics & Government;198700000;3590;Other;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 28 GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The Italian DPA (Garante) fined the city of Rome EUR 350,000 for failing to take adequate technical and organizational measures regarding the data of citizens who had obtained permits to access restricted traffic areas. The permits were verified by scanning QR codes located on badges affixed to windshields. This allowed city staff to verify in real time whether the particular vehicle was allowed to be in the zone and to whom the permit had been issued. However, according to the DPA, not only city staff, but anyone could scan the codes and access the information, as it only required an ordinary QR scanner. The information stored in the system, included, for example, the name of the user or the license plate number of the vehicle. In addition, the DPA found that the city of Rome had used the services of a provider for the hosting and maintenance of databases without a proper agreement as required by Art. 28 GDPR.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9562852
618;Italian Data Protection Authority (Garante);Italy;11.02.21;60000;Roma Servizi per La Mobilita S.r.l.;Yes;"	Roma Servizi Per La Mobilita' Srl";Italy;Transportation & Logistics;29500000;310;Private;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The Italian DPA (Garante) fined Roma Servizi per La Mobilita S.r.l. EUR 60,000 for failing to take adequate technical and organizational measures regarding the data of citizens who had obtained permits to access restricted traffic areas. The controller was acting as a processor for the city of Rome. As part of this activity, it processed the data of individuals who held permits for restricted traffic areas. The permits were verified by scanning QR codes located on badges affixed to windshields. This allowed city staff to verify in real time whether the particular vehicle was allowed to be in the zone and to whom the permit had been issued. However, according to the DPA, not only city staff, but anyone could scan the codes and access the information, as it only required an ordinary QR scanner. The information stored in the system, included, for example, the name of the user or the license plate number of the vehicle. The DPA notes that the controller did not analyze the risk associated with the data processing and, as a result, did not implement adequate measures to protect the processing.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9562831
619;Italian Data Protection Authority (Garante);Italy;25.02.21;4000;Ministero dell?Istruzione, Ufficio Scolastico Regionale per il Lazio;Yes;Ufficio Scolastico Regionale del Lazio;Italy;Politics & Government;NA;NA;Other;Yes;Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 9 GDPR;Insufficient legal basis for data processing;The Italian DPA (Garante) has imposed a fine of EUR 4,000 on the Lazio Region School Authority. A parent had filed a complaint against the school authority for forwarding data of his disabled son to the Office of Public Administration. The data forwarded included, among other things, information about the child's health condition. The parent had previously complained of irregularities in the allocation of support hours for students with disabilities at the school I.C.G. Pitocco of Castelnuovo di Porto. The school authority had then transmitted the data in order to clarify the allegation. The DPA, however, found that the transfer had taken place without a legal basis.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9565218
620;Italian Data Protection Authority (Garante);Italy;25.03.21;4500000;Fastweb S.p.A.;Yes;Fastweb Spa;Italy;Telecommunications;2000000000;2589;Private;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 21 GDPR, Art. 24 GDPR, Art. 25 GDPR, Art. 32 GPDR, Art. 33 (1) GDPR, Art. 34 (1) GDPR;Non-compliance with general data processing principles;"The Italian DPA (Garante) has fined Fastweb S.p.A. EUR 4,500,000 for aggressive telemarketing. Following a complex preliminary investigation launched after hundreds of reports and complaints from users, the DPA finds that the controller illegally processed the personal data of millions of users for telemarketing purposes.

Namely, the call centers working for Fastweb largely acted in disregard of data protection regulations. They often used telephone numbers for their calls that were not registered in the Italian register for communications operators (Registro degli Operatori di Comunicazione). 
Moreover, they processed contact data for promotions Fastweb had received from external partners without the data subjects having given valid consent for their data to be shared. 

In addition, many users reported being contacted by 'self-proclaimed Fastweb operators' who attempted to obtain contractors' identity documents via WhatsApp, likely for the purpose of spamming, phishing and other fraudulent activities. 

Other breaches involved procedures for the 'call me back' service that made it impossible for users to give free, specific and informed consent and to deactivate the service in an automated manner.";https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9570997
621;Spanish Data Protection Authority (aepd);Spain;05.04.21;3000;Kukimbia S.L.;Yes;Kukimbia S.L.;Spain;Transportation & Logistics;NA;NA;Private;Yes;Art. 32 (1) GDPR;Insufficient technical and organisational measures to ensure information security;The Spanish DPA (AEPD) has fined Kukimbia S.L. EUR 3,000. The controller is a company that stores, transports and distributes goods. Documents containing personal data about the controller's customers and suppliers were found freely accessible next to a trash can near one of the controller's warehouses. The DPA determined that the controller had violated Art. 32 GDPR.;https://www.aepd.es/es/documento/ps-00464-2020.pdf
622;Spanish Data Protection Authority (aepd);Spain;05.04.21;3000;Electrotecnica Bastida S.L.;Yes;Electrotecnica Bastida S.L.;Spain;Building Construction;NA;25;Private;Yes;Art. 32 (1) GDPR;Insufficient technical and organisational measures to ensure information security;The Spanish DPA (AEPD) has fined Electrotecnica Bastida S.L. EUR 3,000. Police officers had found 29 envelopes addressed to the controllers' respective employees on a vacant lot in the local industrial area. Two envelopes had already been opened. The envelopes contained results of medical examinations. The AEPD considered this to be a breach of the controller's duty to implement adequate technical and organizational measures to protect the processing of personal data.;https://www.aepd.es/es/documento/ps-00054-2021.pdf
623;Spanish Data Protection Authority (aepd);Spain;05.04.21;4000;Stockhunters S.L.;Yes;Stockhunters S.L.;Spain;Services;NA;NA;Private;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;The Spanish DPA (AEPD) has imposed a fine of EUR 4,000 on Stockhunters S.L.. The controller was not able to answer the data subject's requests regarding the use of his personal data. In addition, the data protection policy of the controller's website did not comply with the provisions of Art. 13 GDPR. The data subject was therefore unsure of how his personal data was being used.;https://www.aepd.es/es/documento/ps-00437-2020.pdf
624;Spanish Data Protection Authority (aepd);Spain;06.04.21;2400;Promotech Digital S.L.;Yes;Promotech Digital Sl.;Spain;Wholesale;8700000;39;Private;Yes;Art. 21 GDPR;Insufficient fulfilment of data subjects rights;The Spanish DPA (AEPD) has fined Promotech Digital S.L. EUR 2,400 for repeatedly sending the data subject advertising SMS, even though he never subscribed or agreed to receive SMS. Furthermore, the SMS did not offer a direct option to unsubscribe from the advertising. Instead, reference was made to the possibility of cancellation by e-mail. Even though the data subject had objected to receiving further SMS, he continued to receive SMS from the controller. The original fine of EUR 3,000 was reduced by 20% to EUR 2,400 due to immediate payment and acknowledgement of guilt.;https://www.aepd.es/es/documento/ps-00087-2021.pdf
625;Italian Data Protection Authority (Garante);Italy;11.02.21;45000;Istituti ospedalieri bergamaschi;Yes;Istituti Ospedalieri Bergamaschi Srl;Italy;Hospitals;169300000;1144;Private;Yes;Art. 5 (1) a), f) GDPR, Art. 9 GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The Italian DPA (Garante) has imposed a fine of EUR 45,000 on Istituti ospedalieri bergamaschi. The DPA initiated an investigation against the controller after it reported a data breach to the DPA. A patient had mistakenly received medical records and clinical documentation from seven other patients in his digital medical record.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9561792
626;Hellenic Data Protection Authority (HDPA);Greece;22.03.21;2000;Candidate for parliamentary elections;Yes;NA;NA;Politics & Government;NA;NA;Other;Yes;Art. 15 GDPR, Art. 11 Law 3471/2006;Insufficient fulfilment of data subjects rights;The Greek DPA (HDPA) has fined a parliamentary candidate EUR 2,000. The data subject had received a call from the controller on her private mobile number prior to the Greek parliamentary elections in July 2019. The call was made for the purpose of promoting the controller's candidacy. The data subject's inquiries regarding the use of her personal data were answered by the controller in a contradictory manner.;https://www.dpa.gr/sites/default/files/2021-04/7_2021anonym.pdf
627;Norwegian Supervisory Authority (Datatilsynet);Norway;15.03.21;100000;Asker Municipality;Yes;Asker Community;Norway;Politics & Government;NA;NA;Other;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 32 (1) b) GDPR, Art. 24 GDPR;Insufficient technical and organisational measures to ensure information security;The Norwegian DPA (Datatilsynet) has fined the municipality of Asker EUR 100,000. On May 20, 2020, the DPA received a notice that the municipality had unlawfully published personal data on its website. On the website, users could view the names of documents that had previously been sent via the municipality's email distribution list. In addition to the names of the actual document, they also contained the names and dates of birth of 127 people, including children. Although the distribution lists were proofread daily by two people, the municipality had failed to detect the discrepancies. The Norwegian DPA concludes that the data breach occurred partly due to a lack of required routines for handling email lists.;https://www.datatilsynet.no/contentassets/65e913da425949d985baf76849a5929b/vedtak-om-overtredelsesgebyr---asker-kommune.pdf
628;Norwegian Supervisory Authority (Datatilsynet);Norway;09.04.21;3400;Miljo- og Kvalitetsledelse AS;Yes;Miljø- og Kvalitetsledelse AS;Norway;Services;NA;NA;Private;Yes;Art. 5 (1) a) GDPR, Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Norwegian DPA (Datatilsynet) has imposed a fine of EUR 3,400 on Miljo- og Kvalitetsledelse AS. At one of the carwashes operated by the controller, incidents of vandalism had occurred at the payment terminal. The controller thereupon sent footage of the incident from a surveillance camera to the employer of the alleged vandal. The Norwegian DPA concluded that the sharing of the video footage had taken place without a legal basis and the controller had thus violated Art. 6 (1) GDPR and Art. 5 (1) a) GDPR. Furthermore, the DPA emphasizes that the disclosure of the recordings was not necessary to clarify the incident, as the recordings had already been provided to the police.;https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2021/miljo--og-kvalitetsledelse-as-far-gebyr/
629;Italian Data Protection Authority (Garante);Italy;25.02.21;6000;Azienda Ospedaliera Universitaria Careggi;Yes;Azienda Ospedaliero Universitaria Careggi Di Firenze;Italy;Hospitals;308800000;5883;Private;Yes;Art. 5 GDPR, Art. 9 GDPR;Non-compliance with general data processing principles;The Italian DPA (Garante) has imposed a fine of EUR 6,000 on Azienda Ospedaliera Universitaria Careggi for a breach of Art. 5 GDPR and Art. 9 GDPR. Azienda Ospedaliera Universitaria Careggi had notified the DPA of a data breach under Art. 33 GDPR regarding the transfer of health data to the wrong person. Medical documents of a patient had been sent by mail both to the affected patient and to another patient. The controller states that the incident occurred due to an error in the printing process. The ward where the affected patient was treated was only equipped with two printers, and one doctor had unknowingly also taken a colleague's print job (the affected patient's documents) when taking out his print job (the documents of the wrong recipient).;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9574789
630;Spanish Data Protection Authority (aepd);Spain;08.04.21;60000;Kutxabank, S.A.;Yes;Kutxabank Sociedad Anonima.;Spain;Banks;207500000;5330;Private;Yes;Art. 17 GDPR;Insufficient fulfilment of data subjects rights;The Spanish DPA (AEPD) has imposed a fine of EUR 100,000 on Kutxabank, S.A.. Following a complaint from a former customer, claiming that the bank did not comply with his request to erasure of his data, the DPA started an investigation against the controller. The data subject had already been a customer of the bank in the past. At that time, he had exercised his right to erasure of his data. When he tried to open a new account with the controller, he was informed that this was not possible as his data was still blocked (due to his previous erasure request). The controller further informed the data subject that he would have to unblock the data if he wanted to open an account. For this purpose, a form was attached to the letter. The form stated that by signing it, the data subject was revoking his right to erasure and allowing his data to be used (again) by the controller. The DPA found that temporarily blocking the data, does not correspond to the right to erasure. The DPA also emphasized that deleted or blocked data may not be processed again when a new contractual relationship is entered into with the controller, even if the new processing purpose is the same as the previous one. The original fine of EUR 100,000 was reduced to EUR 60,000 euros due to the immediate payment and acknowledgement of guilt.;https://www.aepd.es/es/documento/ps-00473-2020.pdf
631;Czech Data Protection Auhtority (UOOU);Czech Republic;NA;2700;Mall.tv;Yes;Czech News Center a.s.;Czech Republic;IT Services;83826613;1250;Private;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The Czech DPA (UOOU) fined Mall.tv EUR 2,700 for recording parts of the public space without a legal basis. The subject of the DPA's investigation was the operation of two cameras by a company. The cameras recorded parts of the public space and then broadcast the footage in real time on internet television. The footage was of such high resolution that people and vehicles passing by were clearly visible and identifiable.;https://www.uoou.cz/kamery-na-verejnem-prostranstvi-uoou-00811-20/ds-6532/archiv=1&p1=5649
632;Czech Data Protection Auhtority (UOOU);Czech Republic;NA;NA;Ski rental company;No;NA;NA;Services;NA;NA;NA;Yes;Art. 5 (1) c) GDPR, Art. 6 (1) GDPR, Art. 7 (1) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 15 GDPR, Art. 16 GDPR, Art. 17 GDPR, Art. 18 GDPR, Art. 19 GDPR, Art. 20 GDPR, Art. 21 GDPR;Non-compliance with general data processing principles;The Czech DPA (UOOU) imposed a fine against a ski rental company. Due to the high value of the sports equipment, the controller required a financial deposit or a full copy of a valid ID when renting sports equipment. The consent to the copy of the ID was included in the sports equipment rental agreement itself. Thus, when the sports equipment rental agreement was signed, consent to the processing of the ID copy was obtained at the same time. The DPA considered this method of obtaining consent to be a violation against the lawfulness of the processing. In addition, it was found that the data subjects were not properly informed about the processing of their personal data.;https://www.uoou.cz/kontrola-zpracovani-osobnich-udaju-prostrednictvim-kopii-obcanskych-prukazu/ds-6267/archiv=1&p1=5649
633;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;15.04.21;5000;S.C. Tip Top Food Industry S.R.L;Yes;Tip Top Food Industry Srl;Romania;Food & Beverage;18900000;530;Private;Yes;Art. 5 (1) b), c) GDPR, Art. 5 (2) GDPR, Art. 6 GDPR, Art. 7 GDPR;Insufficient legal basis for data processing;The Romanian DPA (ANSPDCP) has fined S.C. Tip Top Food Industry S.R.L. EUR 5,000. The controller had installed several video cameras in the food areas and changing rooms to surveil its employees. The CCTV was intended to deter theft and protect the manufactured goods. The Romanian DPA stated that the controller violated the principle of data minimization, as such extensive surveillance was not necessary. The goods produced could had been protected by methods less intrusive to the privacy of the employees.;https://www.dataprotection.ro/?page=Comunicat_Presa_15_/_04_/_2021&lang=ro
636;Spanish Data Protection Authority (aepd);Spain;13.04.21;90000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has imposed a fine of EUR 150,000 on Vodafone Espana S.A.U.. Three data subjects had filed complaints with the AEPD against the controller. They complained about receiving unsolicited text messages from the controller informing them of new invoices, even though there was no longer a contractual relationship between them and the controller. Moreover, there were no outstanding invoices, as the amount to be paid was always zero euros. The data subjects had asked the controller several times to stop sending them text messages and to delete their data. The controller had explained that the messages had been sent due to a technical error and assured the data subjects that they would no longer receive such notifications in the future. However, the sending continued. The original fine of EUR 150,000 was reduced to EUR 90,000 due to immediate payment and admission of guilt.;https://www.aepd.es/es/documento/ps-00085-2021.pdf
637;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;19.04.21;1500;Lugera & Makler Broker S.R.L.;Yes;Lugera & Makler Srl;Romania;Services;62900000;3890;Private;Yes;Art. 29 GDPR, Art. 32 (2), (4) GDPR;Insufficient technical and organisational measures to ensure information security;The Romanian DPA (ANSPDCP) has imposed a fine of EUR 1,500 on Lugera & Makler Broker S.R.L.. The controller had accidentally destroyed data of customers of Raiffeisen Bank S.A., for which it acted as processor. The ANSPDCP states that the incident occurred due to the fact that the controller had not taken sufficient  technical and organizational measures to ensure an adequate level of protection of the data processing.;https://www.dataprotection.ro/?page=Comunicat_presa_19_/_04_/_2021&lang=ro
638;Spanish Data Protection Authority (aepd);Spain;19.04.21;1500;Pub owner;No;NA;NA;Restaurants, Cafes & Bars;NA;NA;Private;Yes;Art. 5 (1) c) GDPR;Non-compliance with general data processing principles;The Spanish DPA (AEPD) fined the owner of a pub EUR 1,500 due to the unauthorized use of two video surveillance cameras covering parts of the public space.;https://www.aepd.es/es/documento/ps-00293-2020.pdf
639;Czech Data Protection Auhtority (UOOU);Czech Republic;NA;387;Private healthcare provider;No;NA;NA;Healthcare;NA;NA;Private;Yes;Art. 24 GDPR, Art. 32 (1) GDPR;Insufficient technical and organisational measures to ensure information security;The Czech DPA (UOOU) conducted an investigation against the operator of a non-governmental medical facility following a security breach. The operator offers a range of diagnostic tests to patients. The results of the tests are subsequently communicated on its website to both patients and physicians who recommended the tests. The reported security breach involved an attack on the operator's website by an NA individual. Following this incident, the operator stopped operating the website in question and proposed technical measures to increase security. However, the DPA still found that other websites operated by the same operator had the same shortcomings. Yet, the operator did not restrict their operation nor did it take any new technical measures. As a consequence, the UOOU imposed a fine of EUR 387.;https://www.uoou.cz/kontrola-zabezpeceni-internetovych-stranek-v-souvislosti-s-predavanim-vysledku-zdravotnich-vysetreni/ds-6254/archiv=1&p1=5649
642;Spanish Data Protection Authority (aepd);Spain;20.04.21;8000;Highcliffe Estates Marbella S.L.;Yes;Highcliffe Estates Marbella S.L.;Spain;Building Construction;NA;NA;Private;Yes;Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has imposed a fine of EUR 8,000 on Highcliffe Estates Marbella S.L.. The controller had published a photo of the data subject on its website without his consent.;https://www.aepd.es/es/documento/ps-00491-2020.pdf
643;Norwegian Supervisory Authority (Datatilsynet);Norway;21.03.21;19900;Basaren Drift AS;Yes;Basaren Drift AS;Norway;Food & Beverage;1020887;27;Private;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR;Insufficient legal basis for data processing;The Norwegian DPA (Datatilsynet) has imposed a fine of EUR 19,900 on Basaren Drift AS. The controller had installed video cameras in its premises which recorded both its employees and customers. The Norwegian DPA concluded that the controller had no legal basis for the camera surveillance. In addition, the Norwegian DPA found that the controller did not provide sufficient information on the surveillance to the data subjects.;https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2021/gebyr-til-basaren-drift-as/
646;Hellenic Data Protection Authority (HDPA);Greece;16.04.21;2000;Candidate for parliamentary elections;Yes;NA;NA;Politics & Government;NA;NA;Other;Yes;Art. 15 GDPR, Art. 11 Law 3471/2006;Insufficient fulfilment of data subjects rights;The Greek DPA (HDPA) has fined a parliamentary candidate EUR 2,000. The data subject had received a call from the controller on her private mobile number prior to the Greek parliamentary elections in July 2019. The call was made for the purpose of promoting the controller's candidacy. The data subject's inquiries regarding the use of her personal data were answered by the controller in a contradictory manner.;https://www.dpa.gr/sites/default/files/2021-04/7_2021anonym_0.pdf
647;Italian Data Protection Authority (Garante);Italy;11.03.21;3000;Comune di San Marco in Lamis;Yes;Comune Di San Marco In Lamis;Italy;Politics & Government;3500000;59;Other;Yes;Art. 5 (1) a), c) GDPR, Art. 6 (1) c), e) GDPR, Art. 6 (2) GDPR, Art. 6 (3) b) GDPR;Insufficient legal basis for data processing;The Italian DPA (Garante) has imposed a fine of EUR 3,000 on the municipality of San Marco in Lamis. The municipality had uploaded documents containing personal data of the data subject and his family freely accessible on its website. The documents were two orders against the data subject. The documents were related to a proceeding against the data subject concerning construction activities without a building permit and contained the date of birth, place of birth, tax number and address of the data subject and his relatives. The data subject had already asked the municipality in advance to remove the documents from the website. However, the municipality did not comply.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9578258
648;Czech Data Protection Auhtority (UOOU);Czech Republic;NA;NA;Public university;No;NA;NA;Education;NA;NA;Other;Yes;Art. 6 (1) GDPR, Art. 13 GDPR;Insufficient legal basis for data processing;A public university required personal data from applying students without a sufficient legal basis.;https://www.uoou.cz/kontrola-zpracovani-osobnich-udaju-v-ramci-prijimaciho-rizeni-na-vysokou-skolu/ds-6252/archiv=0&p1=5649
649;Czech Data Protection Auhtority (UOOU);Czech Republic;NA;NA;Healthcare provider;No;NA;NA;Healthcare;NA;NA;NA;Yes;Art. 5 (1) a) GDPR, Art. 12 (1) GDPR, Art. 28 (2), (3) GDPR;Insufficient fulfilment of information obligations;A healthcare provider collected personal data through a software provided by an external body without informing the patients.;https://www.uoou.cz/kontrola-zpracovani-osobnich-udaju-v-ambulantnim-informacnim-systemu/ds-6277/archiv=0&p1=5649
650;Czech Data Protection Auhtority (UOOU);Czech Republic;NA;NA;Bank;No;NA;NA;Banks;NA;NA;NA;Yes;Art. 48 (1) b) LGT, Art. 21 GDPR, Art. 23 (4) LOPDGDD;Non-compliance with general data processing principles;A bank made the opening of an account conditional on the presentation of a copy of the identity card.;https://www.uoou.cz/kontrola-zpracovani-osobnich-udaju-potencialnich-klientu-spolecnosti-se-zvlastnim-zamerenim-na-overovani-jejich-totoznosti-a-porizovani-kopii-prukazu-totoznosti-pri-zrizovani-bankovniho-uctu-uoou-02511-19/ds-6487/archiv=0&p1=5649
652;Czech Data Protection Auhtority (UOOU);Czech Republic;NA;3850;Television broadcaster;No;NA;NA;TV, Film & Radio;NA;NA;NA;Yes;Art. 12 (1) GDPR;Insufficient fulfilment of information obligations;A TV broadcaster had provided information on its website about the processing of personal data, which was however hidden and inaccurate (links to outdated legal provisions).;https://www.uoou.cz/kontrola-pouzivani-cookies-uoou-00374-20/ds-6500/archiv=0&p1=5649
653;Czech Data Protection Auhtority (UOOU);Czech Republic;NA;NA;Municipality;No;NA;NA;Politics & Government;NA;NA;Other;Yes;Art. 5 (1) a) GDPR, Art. 6 (1) GDPR, Art. 13 GDPR, Art. 14 (3) GDPR;Insufficient legal basis for data processing;A public school shared personal information with a municipal mayor, who disclosed it through the city radio mobile application.;https://www.uoou.cz/kontrola-zpracovani-osobnich-udaju-v-aplikaci-mobilni-rozhlas-uoou-01419-20/ds-6478/archiv=0&p1=5649
656;Spanish Data Protection Authority (aepd);Spain;23.04.21;1000000;Equifax Iberica S.L.;Yes;Equifax Iberica Sl;Spain;Science & Research;37900000;173;Private;Yes;Art. 5 (1) a), b), c), d) GDPR, Art. 6 (1) GDPR, Art. 14 GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has imposed a fine of EUR 1,000,000 on Equifax Iberica, SL. A total of 96 complaints were filed with the DPA against the controller because it had included personal data of individuals associated with alleged debts in the Judicial Claims and Public Entities File ('FIJ') without their consent. In some cases, these data were not even correct. According to the DPA, the processing of the data subjects' personal data involving the FIJ file had been unlawful and violated several data protection principles of data processing (lawfulness and transparency, purpose limitation, data minimization, and accuracy). In addition, the controller had not properly informed the data subjects about the processing of their data, thus violating its duty to inform them.;https://www.aepd.es/es/documento/ps-00240-2019.pdf
657;Spanish Data Protection Authority (aepd);Spain;27.04.21;3000;Pagamastarde S.L.;Yes;Pagamastarde Sl.;Spain;Finance & Insurance;3100000;4;Private;Yes;Art. 17 (1) GDPR, Art. 21 LSSI;Insufficient fulfilment of data subjects rights;The Spanish DPA (AEPD) has imposed a fine of EUR 5,000 on Pagamastarde S.L.. A data subject had filed a complaint with the AEPD against the controller due to the fact that the controller continued to send him SMS advertisements, despite the fact that he had requested the deletion of his data and the controller had confirmed the deletion. The controller stated that the data subject's request had not been fulfilled due to a human error. The fine is composed proportionately of EUR 3,000 for a violation of Art. 17 (1) GDPR and EUR 2,000 for a violation of Art. 21 LSSI. The original fine of EUR 5,000 was reduced to EUR 3,000 due to immediate payment and admission of guilt.;https://www.aepd.es/es/documento/ps-00107-2021.pdf
658;Spanish Data Protection Authority (aepd);Spain;27.04.21;15000;Anytime Fitness Iberia S.L.;Yes;Anytime Fitness Iberia Sl.;Spain;Sports, Fitness & Recreation;2800000;25;Private;Yes;Art. 17 GDPR, Art. 21 LSSI;Insufficient fulfilment of data subjects rights;The Spanish DPA (AEPD) has imposed a fine of EUR 15,000 on Anytime Fitness Iberia S.L.. A data subject had filed a complaint with the AEPD against the controller due to the fact that the controller continued to send him SMS advertisements, despite the fact that he had requested the deletion of his data and the controller had confirmed the deletion. The fine is composed proportionally of EUR 10,000 for a breach of Art. 17 GDPR and EUR 5,000 for a breach of Art. 21 LSSI.;https://www.aepd.es/es/documento/ps-00055-2021.pdf
659;Dutch Supervisory Authority for Data Protection (AP);Netherlands;11.03.21;600000;Municipality of Enschede;Yes;Enschede Community;Netherlands;Politics & Government;NA;NA;Other;Yes;Art. 5 (1) a) GDPR, Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Dutch DPA (AP) has fined the municipality of Enschede EUR 600,000. In 2017, the municipality decided to install special measurement boxes to measure crowds in the city center of Enschede. Sensors in the measurement boxes detected the wifi signals from the cell phones of passers-by and registered them with a code. Based on the registered codes, it was possible to calculate how busy the city center was. However, this also made it possible to track which measurement box a particular cell phone passed by, making it possible to track the movement of passers-by. The municipality states that it was never its intention to track passers-by. However, the DPA finds that the wifi tracking (even if it was unintentional) constitutes a serious breach of the GDPR. The DPA concludes that the municipality tracked its passers-by without an effective legal basis and thus violated Art. 5 (1) a) GDPR and Art. 6 (1) GDPR.;https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/boetebesluit_ap_gemeente_enschede.pdf
660;Italian Data Protection Authority (Garante);Italy;11.03.21;15000;Mediacom s.r.l.;Yes;Mediacom Srl (Milano);Italy;Services;10400000;161;Private;Yes;Art. 5 (1) a) GDPR, Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Italian DPA (Garante) has imposed a fine of EUR 15,000 on Mediacom s.r.l.. The controller carried out advertising calls on behalf of TIM s.p.a.. Several of the calls were made even though the data subjects had not consented, had objected to the advertising calls, or had their numbers on the Robinson list. Garante found that the controller failed to verify the legitimacy of the data in contact lists acquired from third-party companies, as well as to sufficiently ensure that valid consents had been given by the data subjects for corresponding promotional activities.;https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9577065
661;Italian Data Protection Authority (Garante);Italy;11.03.21;80000;Planet Group Spa;Yes;Planet Group Spa;Italy;Services;NA;NA;Private;Yes;Art. 5 (1) a) GDPR, Art. 6 (1) GDPR, Art. 21 (2), (3) GDPR, Art. 12 (3) GDPR, Art. 25 (1) GDPR;Insufficient legal basis for data processing;The Italian DPA (Garante) has imposed a fine of EUR 80,000 on Planet Group Spa. The controller made promotional calls on behalf of TIM s.p.a.. Several of these calls were made even though the data subjects had not consented or had objected to the calls. Garante found that the controller had contacted a total of 47,981 telephone numbers without consent or legal basis. In addition, Garante highlighted that the controller had not respected the data subjects' right to object. In one case, a user had been contacted 155 times in one month, even though he had exercised his right to object.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9577371
662;Italian Data Protection Authority (Garante);Italy;25.03.21;30000;OneDirect Srl;Yes;Onedirect Srl;Italy;Wholesale;4300000;1;Private;Yes;Art. 6 (1) GDPR, Art. 7 (1) GDPR, Art. 30 GDPR, Art. 31 GDPR;Insufficient legal basis for data processing;The Italian DPA (Garante) has imposed a fine of EUR 30,000 on OneDirect Srl. A data subject had filed two complaints with the DPA after receiving advertisements by e-mail from the controller, even though he had not consented to it. Even after the data subject had repeatedly objected to the sending, the controller had not stopped the mailings. Moreover, the controller did not respond to the data subject's objections. Furthermore, the controller did not maintain a register of its processing activities and had not sufficiently cooperated with the DPA in the course of the investigation.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9577323
663;Italian Data Protection Authority (Garante);Italy;25.03.21;20000;GEDI News Network Spa;Yes;Gedi News Network Spa;Italy;Newspapers & Publishing;222600000;849;Private;Yes;Art. 12 (3), (4) GDPR;Insufficient legal basis for data processing;The Italian DPA (Garante) has imposed a fine of EUR 20,000 on GEDI News Network Spa. A data subject filed a complaint with the Italian DPA against the controller regarding an article published by the latter in which he was referred to. In this context, the data subject exercised his right under Art. 17 GDPR and requested the deletion of the article, considering it no longer relevant. However, the controller did not respond to the data subject's request in a timely manner.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9577346
664;Belgian Data Protection Authority (APD);Belgium;26.04.21;100000;Financial company;No;NA;NA;Finance & Insurance;NA;NA;NA;Yes;Art. 5 (1) f) GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The Belgian DPA (APD) has imposed a fine of EUR 100,000 on a financial company. A data subject had filed two complaints with the APD against the company. They were based on 20 queries of her personal data from the credit register of the National Bank of Belgium. The controller employs the data subject's ex-husband, who allegedly used his role to unlawfully gain access to the register in order to obtain financial information about the data subject and thus gain an advantage in their divorce proceedings. As the DPA noted, the data protection violations occurred due to the fact that the controller had not taken adequate organizational measures to protect personal data from unauthorized processing.;https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-56-2021.pdf
665;Deputy Data Protection Ombudsman;Finland;21.04.21;75000;ParkkiPate Oy;Yes;ParkkiPate Oy;Finland;Services;8570135;105;Private;Yes;Art. 5 (1) c) GDPR, Art. 12 (3), (4), (6) GDPR, Art. 14 (2) a) GDPR, Art. 14 (3) GDPR, Art. 15 GDPR, Art. 17 (1) a) GDPR, Art. 25 (2) GDPR;Insufficient fulfilment of data subjects rights;The Finnish DPA has imposed a fine of EUR 75,000 on ParkkiPate Oy. A number of people had been issued parking tickets by the controller and had thereupon requested information about which personal data was being processed and, in some cases, requested the deletion of their data. However, in order to process the requests, the controller stated that it needed the ID card number and address of the data subjects for identification purposes, as their name with the parking ticket number was not sufficient to verify their identity. According to the DPA, the controller has not only violated its duty to inform the data subjects and the right to delete their data, but has also violated the principle of data minimization. The DPA stressed that it is permitted to request further proof of identification if there are reasonable doubts about the identity of the data subject. However, in the cases in question, no such doubts had existed. Furthermore, the DPA found a violation of the principle of storage limitation. The controller had stored photos of incorrectly parked cars and copies of parking tickets for possible future disputes in court without having defined a deadline for the deletion of the data.;https://tietosuoja.fi/documents/6927448/58640544/Seuraamuskollegion+p%C3%A4%C3%A4t%C3%B6s_henkil%C3%B6tietojen+k%C3%A4sittely+pys%C3%A4k%C3%B6inninvalvontamaksujen+yhteydess%C3%A4.pdf/9b105604-51e0-7beb-e21b-df1b504843e6/Seuraamuskollegion+p%C3%A4%C3%A4t%C3%B6s_henkil%C3%B6tietojen+k%C3%A4sittely+pys%C3%A4k%C3%B6inninvalvontamaksujen+yhteydess%C3%A4.pdf?t=1619763172841
666;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;24.03.21;27700;Budapest Fovaros Kormanyhivatala XI. keruleti Hivatalat (11th District Public Health Department of the Government Office of the Capital City Budapest);Yes;Budapest Fovaros Kormanyhivatala XI. keruleti Hivatalat;Hungaria;Politics & Government;NA;NA;Other;No;Art. 32 (1) a), b) GDPR, Art. 32 (2) GDPR, Art. 33 (1) GDPR, Art. 34 (1) GDPR;Insufficient technical and organisational measures to ensure information security;The Hungarian DPA (NAIH) has fined the XI District Office of the Government of Budapest EUR 27,700.The controller had emailed health data regarding Covid-19 rapid tests, as well as the contact details of the people tested, to doctors in a single Excel file, unencrypted and without any further measures to ensure confidentiality. The DPA found that the controller had failed to implement technical and organizational measures that ensured the protection of personal data. In addition, the controller failed to inform the DPA and the data subjects about the data violations.;https://naih.hu//hatarozatok-vegzesek?download=354:bfkh-xi-keruleti-hivatalanal-bekovetkezett-egeszsegugyi-adatokat-erinto-adatvedelmi-incidens-es-adatbiztonsagi-hianyossagok
667;Norwegian Supervisory Authority (Datatilsynet);Norway;05.05.21;NA;Disqus Inc.;Yes;Disqus, Inc.;United States;IT Services;2700000;30;Private;No;Art. 5 (1), (2) GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 13 GDPR;Insufficient legal basis for data processing;On May 5, 2021, the Norwegian DPA (Datatilsynet) announced that it intents to fine Disqus Inc. EUR 2, 500, 000 for violations of Art. 5 (1), (2) GDPR, Art. 6 GDPR, Art. 12 GDPR and Art. 13 GDPR.  It is alleged that Disqus unlawfully tracked visitors of Norwegian websites which used the Disqus plugin. Their data was then passed on to third-party advertisers.;https://www.datatilsynet.no/contentassets/8311c84c085b424d8d5c55dd4c9e2a4a/advance-notification-of-an-administrative-fine--disqus-inc.pdf
668;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;07.05.21;2000;World Class Romania S.A.;Yes;World Class Romania S.A.;Romania;Sports, Fitness & Recreation;32200000;427;Private;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The Romanian DPA (ANSPDCP) has imposed a fine of EUR 2,000 on World Class Romania S.A.. The controller had published the termination letter of an employee in a WhatsApp group used by the controller's employees. As a result, all members of this WhatsApp group were granted unauthorized access to certain personal data of the data subject (surname, first name, address, ID number, information related to the request for termination).;https://www.dataprotection.ro/?page=Comunicat_07_/_05_/_2021&lang=ro
669;Icelandic data protection authority ('Personuvernd');Iceland;29.04.21;23100;InfoMentor ehf;Yes;InfoMentor ehf;Iceland;IT Services;NA;NA;Private;Yes;Art. 32 (1) b), d) GDPR;Insufficient technical and organisational measures to ensure information security;The Icelandic DPA (Personuvernd) has imposed a fine of EUR 23,100 on InfoMentor ehf. Previously, the controller had reported a data breach according to Art. 33 GDPR. The incident concerned the company's online system, which is mainly used by schools and other institutions for communication and information purposes. In the course of its investigations, the DPA determined that inadequate technical and organizational security measures on the part of the controller led to the breach. Due to a security leak that resulted in the six-digit system number of each user being visible in the URL address of a specific page within the mentor system, unauthorized persons gained access to the personal data of 424 children.;https://www.personuvernd.is/information-in-english/greinar/personal-data-breach-in-the-information-system-mentor-administrative-fine
670;Spanish Data Protection Authority (aepd);Spain;04.05.21;1500000;EDP Comercializadora, S.A.U.;Yes;EDP-Energias de Portugal SA;Portugal;Energy;12200000000;11610;Public;No;Art. 13 GDPR, Art. 25 GDPR;Insufficient fulfilment of information obligations;The Spanish DPA (AEPD) has imposed a fine of EUR 1,500,000 on EDP Comercializadora, S.A.U.. The decision follows, in particular, several complaints received for processing personal data without consent. As the DPA found, the controller had failed to inform data subjects in accordance with Art. 13 GDPR when collecting their data. This involved data subjects not being informed of their rights under Art. 15 GDPR - Art. 22 GDPR, and the contact details of the controller (e.g. its address) being incomplete.  Besides, the company's business practice allowed it to conclude contracts with customer representatives instead of with the customers directly. In these cases, however, the data controller did not check whether there was actually an authorization to represent the data subjects. The DPA finds that the controller failed to implement a procedure to verify the authorization of the alleged representatives.The fine is composed proportionately of EUR 1,000,000 for a breach of Art. 13 GDPR and EUR 500,000 for a breach of Art. 25 GDPR.;https://www.aepd.es/es/documento/ps-00037-2020.pdf
671;Spanish Data Protection Authority (aepd);Spain;04.05.21;1500000;EDP Energia, S.A.U;Yes;EDP-Energias de Portugal SA;Portugal;Energy;12200000000;11610;Public;No;Art. 13 GDPR, Art. 25 GDPR;Insufficient fulfilment of information obligations;The Spanish DPA (AEPD) has imposed a fine of EUR 1,500,000 on EDP Energia, S.A.U.. The decision follows, in particular, several complaints received for processing personal data without consent. As the DPA found, the controller had failed to inform data subjects in accordance with Art. 13 GDPR when collecting their data. This involved data subjects not being informed of their rights under Art. 15 GDPR - Art. 22 GDPR, and the contact details of the controller (e.g. its address) being incomplete.  Besides, the company's business practice allowed it to conclude contracts with customer representatives instead of with the customers directly. In these cases, however, the data controller did not check whether there was actually an authorization to represent the data subjects. The DPA finds that the controller failed to implement a procedure to verify the authorization of the alleged representatives.The fine is composed proportionately of EUR 1,000,000 for a breach of Art. 13 GDPR and EUR 500,000 for a breach of Art. 25 GDPR.;https://www.aepd.es/es/documento/ps-00236-2020.pdf
672;Dutch Supervisory Authority for Data Protection (AP);Netherlands;16.06.20;7500;PVV Overijssel;Yes;Partij Voor De Overijssel;Netherlands;Politics & Government;NA;NA;Other;Yes;Art. 33 GDPR;Insufficient fulfilment of data breach notification obligations;The Dutch DPA (AP) fined the Overijssel local branch of the PVV party EUR 7,500 for failing to notify the AP of a personal data breach, in violation of Art. 33 GDPR. An email regarding the convening of a meeting had been sent via an open distribution list due to a human error. Since the total of 101 recipients were addressed as 'Friends of the PVV' in the email, the political beliefs of the data subjects were thus disclosed to all addressees.;https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/boete_pvv_overijssel.pdf
673;Spanish Data Protection Authority (aepd);Spain;12.05.21;3000;Solram T Y R S.L.;Yes;Solram T Y R S.L.;Spain;Building Construction;NA;NA;Private;Yes;Art. 17 GDPR;Insufficient fulfilment of data subjects rights;The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on Solram T Y R S.L.. A data subject had filed a complaint with the AEPD against the controller due to the fact that the controller continued to send him advertisements via WhatsApp, despite the fact that he had requested the deletion of his data.;https://www.aepd.es/es/documento/ps-00113-2021.pdf
674;Italian Data Protection Authority (Garante);Italy;25.03.21;4000;Comune di Castellanza;Yes;Comune di Castellanza;Italy;Politics & Government;NA;NA;Other;Yes;Art. 5 (1) a), c) GDPR, Art. 6 (1) c), e) GDPR, Art. 6 (2) GDPR, Art. 6 (3) b) GDPR;Insufficient legal basis for data processing;The Italian DPA (Garante) has imposed a fine of EUR 4,000 on the municipality of Castellanza. The municipality had uploaded documents containing personal data of the data subject on its website, which were freely accessible. The documents concerned a legal proceeding of the data subject.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9584421
676;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;13.05.21;2000;Telekom Romania Communications SA;Yes;Deutsche Telekom AG;Germany;Telecommunications;97600000000;226291;Public;No;Art. 6 GDPR, Art. 21 GDPR;Insufficient fulfilment of data subjects rights;The Romanian DPA (ANSPDCP) has imposed a fine of EUR 2,000 on Telekom Romania Communications SA. The controller had made an advertising call to the data subject although the latter had exercised his right to object to the processing of his personal data for marketing and advertising purposes by requesting the controller to delete his telephone number and e-mail address from the Telekom database.;https://www.dataprotection.ro/?page=Comunicat_Presa_13_/_05_/_2021&lang=ro
677;Spanish Data Protection Authority (aepd);Spain;14.05.21;30000;Allianz Compania de Seguros y Reaseguros, S.A.;Yes;Allianz SE;Germany;Finance & Insurance;106300000000;148737;Public;No;Art. 6 GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has fined Allianz Compania de Seguros y Reaseguros, S.A. EUR 30,000. The controller had sent an invoice to the data subject although no contractual relationship existed. The data subject had concluded a motorcycle insurance policy with the controller in 2016, but had terminated the policy in 2017.;https://www.aepd.es/es/documento/ps-00123-2021.pdf
678;Dutch Supervisory Authority for Data Protection (AP);Netherlands;20.12.20;525000;Locatefamily.com;Yes;Locatefamily.com;United States;IT Services;NA;NA;Private;No;Art. 27 GDPR;Non-compliance with general data processing principles;The Dutch DPA (AP) has imposed a fine of EUR 525,000 on Locatefamily.com. Locatefamily.com is a platform where people can search for the contact information of family members they have lost contact with or other people they would like to get in touch with. The data subjects complained that their contact information (name, address, phone number) was published on the website without their knowledge. The data subjects were not able to request the deletion of their data published on the site easily, because Locatefamily.com did not have any representation in the European Union. Organizations offering goods or services in the EU must have a representative to whom EU citizens can turn to obtain information or exercise their data protection rights. Accordingly, the Dutch data protection authority found a breach of Art. 27 GDPR.;https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/20210512_boetebesluit_ap_locatefamily.pdf
679;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;25.03.21;1425;Operator of a care facility;No;NA;NA;Healthcare;NA;NA;Private;Yes;Art. 5 (1) a), b), c) GDPR, Art. 6 GDPR, Art. 13 (1), (2) GDPR;Insufficient legal basis for data processing;The Hungarian DPA (NAIH) has imposed a fine of EUR 1,425 on the operator of a care facility. The operator had installed a total of 25 cameras in all rooms of the facility, with the exception of the restrooms, locker rooms and the main nurses' station. Both the residents of the facility and the employees were recorded by the video surveillance. The controller states that the cameras were installed for security purposes. These included preventing unauthorized persons from gaining access to the facility and deterring theft. The DPA states that such extensive video surveillance was not necessary for the processing purpose (security of the facility). Furthermore, the controller did not sufficiently inform the data subjects about the data processing.;https://naih.hu//hatarozatok-vegzesek?download=380:kamerak-uzemeltetese-idosek-otthonaban
681;Polish Data Protection Authority (UODO);Poland;22.04.21;245000;Cyfrowy Polsat S.A.;Yes;Cyfrowy Polsat SA;Poland;TV, Film & Radio;2400000000;6086;Public;Yes;Art. 24 (1) GDPR, Art. 32 (1), (2) GDPR, Art. 34 (1) GDPR;Insufficient technical and organisational measures to ensure information security;The Polish DPA (UODO) has fined Cyfrowy Polsat S.A. EUR 245,000. The fine was based on a large number of data breaches reported by the controller to the DPA. Frequently, postal correspondence containing personal data was lost or delivered to the wrong recipient. The DPA notes that although the data breaches were caused by the courier company contracted by the controller, the controller had to ensure that such breaches did not occur. The controller failed to implement technical and organizational measures appropriate to the risk to protect the processing of the data. Furthermore, the controller did not notify the data subjects about the data breaches until two to three months later.;https://www.uodo.gov.pl/decyzje/DKN.5130.3114.2020
682;Italian Data Protection Authority (Garante);Italy;15.04.21;2000;Societa triveneta di chirurgia;Yes;Societa triveneta di chirurgia;Italy;NA;NA;NA;Other;Yes;Art. 5 (1) a), c) GDPR, Art. 6 GDPR, Art. 9 GDPR;Insufficient legal basis for data processing;The Italian DPA (Garante) has imposed a fine of EUR 2,000 on Societa triveneta di chirurgia. A physician had shown slides of a clinical case at a congress, which were subsequently published on the controller's website. The slides contained personal data of a patient, such as the patient's initials, age, gender, a detailed history of the pathology suffered by the patient, details of admissions from 1980 to 2016 and the surgical procedures performed during this period, indicating the date of admission and surgery, the surgical department that performed the procedures, the days spent in hospital, numerous diagnostic images, and 22 photographs showing the patient during the surgeries. At no time had the data subject consented to such processing of his personal data.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9567489
683;Italian Data Protection Authority (Garante);Italy;15.04.21;5000;Physician;No;NA;NA;NA;NA;NA;Other;Yes;Art. 5 (1) a), c) GDPR, Art. 6 GDPR, Art. 9 GDPR;Insufficient legal basis for data processing;The Italian DPA (Garante) has imposed a fine of EUR 5,000 on a physician. The controller had shown slides of a clinical case at a congress, which were subsequently published on the website of the Societa triveneta di chirurgia. The slides contained personal data of a patient, such as the patient's initials, age, gender, a detailed medical history of the patient, details of admissions from 1980 to 2016 and surgical procedures performed during that period, indicating the date of admission and the date of surgery, the surgical department that performed the procedures, the days spent in hospital, numerous diagnostic images and 22 photographs showing the patient during the surgeries. At no time had the data subject consented to such processing of his or her personal data.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9587637
685;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;19.05.21;2000;Banca Comerciala Romana S.A.;Yes;Banca Comerciala Romana Sa;Romania;Banks;762400000;8426;Private;Yes;Art. 5 (1) a), d), (2) GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The Romanian DPA (ANSPDCP) has fined Banca Comerciala Romana S.A. EUR 2,000. A data subject had initiated a complaint with the DPA because the controller had used his personal data in the context of an enforcement procedure for debts arising from a credit agreement of which he was unaware.;https://www.dataprotection.ro/?page=Comunicat_Presa_19_05_2021_2&lang=ro
686;Italian Data Protection Authority (Garante);Italy;15.04.21;40000;Comune di Palermo;Yes;Comune Di Palermo;Italy;Politics & Government;384900000;7486;Other;Yes;Art. 5 (1) f) GDPR, Art. 25 GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The Italian DPA (Garante) has imposed a fine of EUR 40,000 on the municipality of Palermo. A data subject had filed a complaint with the Italian DPA against the municipality of Palermo. His complaint was based on the fact that his personal data from a food subsidy application he had submitted had been acquired by an unauthorized person and processed for his own purposes. As the DPA determined in the course of its investigations, such processing had occurred because the municipality had not implemented adequate technical and organizational measures to ensure the security and confidentiality of the processing.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9587053
687;Dutch Supervisory Authority for Data Protection (AP);Netherlands;24.03.20;15000;CP&A;Yes;CP&A B.V.;Netherlands;Services;5616171;66;Private;Yes;Art. 9 GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;"The Dutch DPA (AP) has imposed a fine of EUR 15,000 on CP&A.
The controller had documented both the causes of illness and specific complaints of the data subjects as part of the recording of employee absences due to illness. The DPA found that this was unlawful since health data is granted special protection. Employers are not permitted to record either the reasons or causes of sick leave. 
Furthermore, the DPA found that the controller had not implemented adequate technical and organizational measures to protect the processing when recording absences. Namely, the absence registration was accessible online, without any form of authentication. Yet, when an absence system is accessible via the Internet, the system is to be accessed only through a multi-factor authentication. In the DPA's view, another form of authentication would have been required in addition to the 'normal' login.";https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/boete_cpa_verzuimregistratie.pdf
688;Norwegian Supervisory Authority (Datatilsynet);Norway;20.05.21;39000;Municipality of Oslo;Yes;Oslo Community;Norway;Politics & Government;NA;NA;Other;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;The Norwegian DPA (Datatilsynet) has imposed a fine of EUR 39,000 on the Municipality of Oslo. On a website of the controller a subpoena from the public prosecutor's office concerning the data subject had been published. The subpoena contained, among other things, personal information such as health data. The incident occurred because the subpoena was not originally classified as confidential and accordingly was not exempted from public disclosure. The document was publicly available for five hours before it was removed.;https://www.datatilsynet.no/regelverk-og-verktoy/lover-og-regler/avgjorelser-fra-datatilsynet/2021/overtredelsesgebyr-til-oslo-kommune/
689;Data Protection Authority of Ireland;Ireland;23.03.21;90000;Irish Credit Bureau DAC;Yes;Irish Credit Bureau Designated Activity Company;Ireland;Finance & Insurance;5800000;16;Private;Yes;Art. 5 (2) GDPR, Art. 24 (1) GDPR, Art. 25 (1) GDPR;Insufficient technical and organisational measures to ensure information security;The Irish DPA (DPC) has imposed a fine of EUR 90,000 on Irish Credit Bureau (ICB). The fine follows a data breach reported by the controller to the DPA on August 31, 2018. The controller is a credit reporting agency that maintains a database of credit contract performance between financial institutions and borrowers. The data breach occurred when the controller made a code change to its database that contained a technical error. As a result, between June 28, 2018 and August 30, 2018, the ICB database inaccurately updated the records of 15,120 closed accounts. The controller disclosed 1,062 inaccurate account records to financial institutions or affected individuals before the issue was resolved.;https://www.dataprotection.ie/sites/default/files/uploads/2021-05/Redacted_23.03.2021_Decision_IN-19-7-2.pdf
690;Spanish Data Protection Authority (aepd);Spain;21.05.21;3000;Physician;No;NA;NA;NA;NA;NA;Other;Yes;Art. 6 GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has fined a physician EUR 3,000. The controller had left his/her former clinic and started working in a new clinic. The complainant had taken over the controller's former clinic. The purchase agreement explicitly stated that the selling party (the controller) was not allowed to make a copy of the patient's files under any circumstances. Nevertheless, the controller had informed his/her former patients that his/her services could be obtained at his/her new clinic in the future. The AEPD found that the controller had acted not only in breach of contract but also in breach of data protection legislation by contacting the former patients.;https://www.aepd.es/es/documento/ps-00066-2021.pdf
691;Spanish Data Protection Authority (aepd);Spain;25.05.21;900;Managing Director of a company;No;NA;NA;NA;NA;NA;Other;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;The Spanish DPA (AEPD) has imposed a fine of EUR 1,500 on the managing director of a company. A data subject filed a complaint with the AEPD against the controller with whom he had entered into a contract. The fine is based on the fact that the controller had not properly informed the data subject about the processing of his data when collecting it. The AEPD considers this to be a violation of Art. 13 GDPR. The original fine of EUR 1,500 was reduced to EUR 900 due to immediate payment and admission of guilt.;https://www.aepd.es/es/documento/ps-00036-2021.pdf
692;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;27.04.21;1400;Company;No;NA;NA;NA;NA;NA;NA;Yes;Art. 5 (1), (2) GDPR, Art. 6 GDPR, Art. 13 GDPR;Insufficient legal basis for data processing;The Hungarian DPA (NAIH) has imposed a fine of EUR 1,400 on a company. In the course of his professional activities, a data subject had made a telephone call to the controller on September 23, 2019. The controller had recorded the conversation without informing the data subject or obtaining his consent and then provided it to the company where the data subject was employed. The employer of the data subject subsequently terminated his employment because the recorded telephone call apparently did not meet the company's service and professional standards. The DPA finds that the controller not only processed the data subject's data without a legal basis, but also breached its accountability obligation by failing to demonstrate the lawfulness of the processing. In addition, the controller violated its duty to provide information under Art. 13 GDPR.;https://naih.hu//hatarozatok-vegzesek?download=381:diszpecseri-munkakort-betolto-munkavallaloval-folytatott-telefonhivas-rogzitese
693;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;27.04.21;570;Company;No;NA;NA;NA;NA;NA;NA;Yes;Art. 5 (1) a), (2) GDPR, Art. 6 GDPR, Art. 13 GDPR;Insufficient legal basis for data processing;The Hungarian DPA (NAIH) has imposed a fine of EUR 570 on a company. In the course of his professional activities, a data subject had made a telephone call to a company on September 23, 2019. The company had recorded the conversation without informing the data subject or obtaining his consent, and subsequently made it available to the company where the data subject was employed (the controller). The controller then terminated the employment relationship because the recorded telephone conversation apparently did not meet the controller's service and professional standards. The DPA finds that the controller not only processed the data subject's data without a legal basis, but also breached its accountability obligations by failing to demonstrate the lawfulness of the processing. In addition, the controller violated its obligation to provide information pursuant to Art. 13 GDPR.;https://naih.hu//hatarozatok-vegzesek?download=381:diszpecseri-munkakort-betolto-munkavallaloval-folytatott-telefonhivas-rogzitese
694;Spanish Data Protection Authority (aepd);Spain;25.05.21;100000;Vodafone Espana, SAU;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 28 GDPR;Insufficient technical and organisational measures to ensure information security;The Spanish DPA (AEPD) has imposed a fine of EUR 100,000 on Vodafone Espana, S.A.U.. A data subject had filed a complaint with the Spanish DPA against the telecommunications company. According to the complaint, the data subject had received an advertising call from a company, which was made on behalf of Vodafone Espana, S.A.U., although the data subject was registered in the Robinson advertising exclusion list. According to Vodafone's commissioned processor, the advertising call to the data subject had occurred due to an error in the call number filtering system. In the course of its investigation, the DPA found that Vodafone had not established any measures to avoid advertising calls to numbers on the Robinson list. In the present case, Vodafone had not even been aware that the number of the data subject was on the Robinson list, which meant that it was not blocked for the commissioned company.;https://www.aepd.es/es/documento/ps-00030-2021.pdf
695;Spanish Data Protection Authority (aepd);Spain;25.05.21;4000;Alava Norte, S.L.;Yes;Alava Norte, S.L.;Spain;Real Estate;NA;NA;Private;Yes;Art. 5 (1) c) GDPR;Non-compliance with general data processing principles;The Spanish DPA (AEPD) has fined Alava Norte, S.L. EUR 4,000. The controller had installed three 360 video surveillance cameras on the facade of one of its buildings to secure the facility. These also captured parts of the public space. The AEPD considered this to be a violation of the principle of data minimization, as such extensive video surveillance was not necessary to fulfill the purpose of the processing (security of the facility).;https://www.aepd.es/es/documento/ps-00378-2020.pdf
696;Spanish Data Protection Authority (aepd);Spain;25.05.21;6000;Desolasol Restauracion, S.L.;Yes;Desolasol Restauracion Sl.;Spain;Restaurants, Cafes & Bars;1900000;32;Private;Yes;Art. 5 (1) f) GDPR;Non-compliance with general data processing principles;The Spanish DPA (AEPD) has fined Desolasol Restauracion S.L. EUR 6,000. The data subject had submitted a consumer complaint form to the restaurant because he was unable to converse at the table due to the volume of the music. A copy of the form remained with the controller. Due to an error by a restaurant employee, the copies of the form were given to other guests of the restaurant who were present during the incident.;https://www.aepd.es/es/documento/ps-00316-2020.pdf
697;Spanish Data Protection Authority (aepd);Spain;26.05.21;3000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 58 (1) GDPR;Insufficient cooperation with supervisory authority;Failure to provide information to the Spanish DPA (AEPD) within the required timeframe in violation of Art. 58 GDPR. The original fine of EUR 5,000 was reduced by 20% EUR 3,000 due to immediate payment and admission of guilt.;https://www.aepd.es/es/documento/ps-00155-2021.pdf
698;Italian Data Protection Authority (Garante);Italy;25.03.21;7000;TECNOMEDICAL S.r.l.;Yes;"	Tecnomedical Srl (Napoli)";Italy;Wholesale;1900000;52;Private;Yes;Art. 12 (3) GDPR, Art. 15 GDPR;Insufficient fulfilment of data subjects rights;The Italian DPA (Garante) has imposed a fine of EUR 7,000 on TECNOMEDICAL S.r.l.. A data subject filed a complaint with the DPA after the controller failed to properly respond to his request for information. The data subject had requested access to his personal data. For this purpose, he demanded a copy of his medical records and the medical documentation of his dental implant surgery that had taken place. However, the controller did not provide the information in due time and in its entirety.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9590711
700;Norwegian Supervisory Authority (Datatilsynet);Norway;18.05.21;95500;Innovasjon Norge;Yes;Innovasjon Norge (Oslo);Norway;Finance & Insurance;166100000;658;Private;Yes;Art. 5 (1) GDPR, Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Norwegian DPA (Datatilsynet) fined the national development bank Innovasjon Norge NOK 1,000,000 (EUR 95,500). The controller had carried out several credit checks on the data subject without any contractual basis for doing so. For this purpose, the bank had analyzed numerous financial data of the data subject without the data subject's consent.;https://www.datatilsynet.no/contentassets/ecc60fae5be740da81468d4eb23c43a3/vedtak-om-overtredelsesgebyr-til-innovasjon-norge.pdf
702;Spanish Data Protection Authority (aepd);Spain;21.05.21;3000;Homeowners Association;No;NA;NA;NA;NA;NA;NA;Yes;Art. 5 (1) c) GDPR, Art. 12 GDPR;Non-compliance with general data processing principles;Video surveillance of public space and thus violation of the principle of data minimization. Furthermore: Violation of information obligations, as insufficient information has been provided about video surveillance.;https://www.aepd.es/es/documento/ps-00156-2020.pdf
703;Hellenic Data Protection Authority (HDPA);Greece;12.05.21;5000;KARIERA A.E.;Yes;KARIERA A.E.;Greece;Services;NA;70;Private;Yes;Art. 17 GDPR, Art. 21 GDPR, Art. 25 GDPR;Insufficient fulfilment of data subjects rights;The Hellenic DPA has imposed a fine of EUR 5,000 on ?ARIERA A.E.. A data subject had filed a complaint with the DPA against the controller due to the fact that the controller continued to send him e-mail advertisements even though he had requested the deletion of his data and the controller had confirmed the deletion. Due to a technical error, the data subject's data had not been deleted.;https://www.dpa.gr/sites/default/files/2021-05/20_2021anonym.pdf
704;Italian Data Protection Authority (Garante);Italy;21.04.21;15000;Fondazione Policlinico Tor Vergata di Roma;Yes;"	Fondazione Ptv Policlinico Tor Vergata";Italy;Hospitals;3200000;1000;Private;Yes;Art. 5 (1) a), f) GDPR, Art. 13 GDPR, Art. 25 GDPR, Art. 32 GDPR;Non-compliance with general data processing principles;The Italian DPA (Garante) has imposed a fine of EUR 15,000 on Fondazione Policlinico Tor Vergata di Roma. In February 2020, a data subject filed a complaint with Garante alleging a breach of data protection laws in relation to the booking services for medical specialists offered by the controller. In order to book a relevant appointment on the booking portal, visitors had to fill out an online form in which various personal data was requested. As the DPA found, the controller had not implemented adequate technical and organizational measures to ensure the protection of data processing. In addition, the controller did not comply with its information obligations pursuant to Art. 13 GDPR, as it had not properly informed the data subjects about the processing of their personal data at the time of the data collection.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9591223
705;Spanish Data Protection Authority (aepd);Spain;21.05.21;45000;Telefonica de Espana, S.A.U;Yes;Telefónica SA;Spain;Telecommunications;41600000000;112797;Public;Yes;Art. 6 GDPR;Insufficient legal basis for data processing;"The Spanish DPA (AEPD) has imposed a fine of EUR 75,000 on Telefonica de Espana, S.A.U.. A data subject had filed a complaint with the AEPD against the telecommunications company. 
The controller had booked a service for the data subject without the data subject having concluded a contract for it. After the data subject had accordingly not made any payments for this service, the service was canceled in the same year and a collection agency was commissioned to collect allegedly outstanding debts. The AEPD determined that neither the data processing for the service booking nor the transfer of the data subject's personal data to the collection agency had taken place lawfully. The original fine of EUR 75,000 was reduced to EUR 45,000 due to immediate payment and acknowledgement of debt.";https://www.aepd.es/es/documento/ps-00135-2021.pdf
706;Spanish Data Protection Authority (aepd);Spain;02.06.21;4000;Avalos Consultores, S.L.;Yes;Avalos Consultores, S.L.;Spain;Services;NA;25;Private;Yes;Art. 6 GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has imposed a fine of EUR 4,000 on Avalos Consultores, S.L.. The data subject, who was a client of the controller, filed a complaint with the AEPD because the controller had transferred her personal data to the agency Torrent Asesores Nga, S.L. without her consent.;https://www.aepd.es/es/documento/ps-00116-2021.pdf
707;Italian Data Protection Authority (Garante);Italy;15.04.21;12000;Istituto Nazionale Previdenza Sociale (INPS);Yes;"	Istituto Nazionale Della Previdenza Sociale";Italy;Finance & Insurance;1500000000;26706;Private;Yes;Art. 5 (1) a) GDPR, Art. 12 GDPR, Art. 15 GDPR;Insufficient fulfilment of data subjects rights;The Italian DPA (Garante) has imposed a fine of EUR 12,000 on the Italian National Institute for Social Security (Istituto Nazionale della Previdenza Sociale). That fine was based on the fact that the controller failed to respond properly to two requests for information that the data subject had submitted to the controller. The requests were related to the disclosure of personal data of the data subject to third parties. Initially, the data subject had received no response to either request. In the course of the investigation, the controller then provided him with information and explained that the previous requests had not been answered due to a technical error in its e-mail system;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9592133
708;Spanish Data Protection Authority (aepd);Spain;04.06.21;6000;Creator Energy S.L.;Yes;Creator Energy S.L.;Spain;Services;NA;NA;Private;Yes;Art. 6 (1) b) GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has imposed a fine of EUR 6,000 on Creator Energy S.L.. The controller had used the personal data of the data subject without his consent to conclude contracts for gas and electricity supplies and a maintenance service.;https://www.aepd.es/es/documento/ps-00126-2021.pdf
709;Spanish Data Protection Authority (aepd);Spain;07.06.21;20000;Master Distancia S.A.;Yes;Master Distancia Sa;Spain;Education;42600000;356;Private;Yes;Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has imposed a fine of EUR 25,000 on Master Distancia S.A.. The controller had included personal data of the data subject in a credit report register without sufficient legal basis. The controller justified this with alleged debts the data subject had with the controller. In fact, however, the parties were still in arbitration. Accordingly, the controller had no authorization to include the data subject's data in the register. The original fine of EUR 25,000 was reduced to EUR 20,000 due to immediate payment.;https://www.aepd.es/es/documento/ps-00140-2021.pdf
710;Spanish Data Protection Authority (aepd);Spain;07.06.21;19600;Radiotelevision del principado de Asturias;Yes;Radiotelevisión del Principado de Asturias;Spain;TV, Film & Radio;21516792;NA;Other;Yes;Art. 5 (1) c) GDPR, Art. 12 GDPR;Non-compliance with general data processing principles;The Spanish DPA (AEPD) has imposed a fine of EUR 26,000 on Radiotelevision del principado de Asturias. The fine consists of EUR 20,000 due to a violation of Art. 5 (1) c) GDPR and EUR 6,000 due to a violation of Art. 12 GDPR. The fine was based on the fact that the controller installed a video surveillance system totaling 14 video cameras and monitoring the business premises. The controller states that the cameras were installed for the purpose of security of the premises. However, the cameras captured the employees' offices in a way that was not necessary for this purpose. For example, one camera also captured a considerable part of the employees' recreation room. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. The fine was reduced to EUR 19,600 due to timely payment and admission of guilt.;https://www.aepd.es/es/documento/ps-00261-2020.pdf
715;Data Protection Authority of Sweden (Integritetsskyddsmyndigheten);Sweden;07.06.21;25000;Region Sormland;Yes;"	Länsstyrelsen I Södermanlands Län";Sweden;Politics & Government;3600000;100;Other;Yes;Art. 5 (1) a) GDPR, Art. 13 GDPR;Insufficient fulfilment of information obligations;"The Swedish DPA has imposed a fine of EUR 25,000 on Region Sormland. The fine is related to an investigation against three companies and three Swedish regions. 

In all 21 regions of Sweden, a telephone hotline that offers advice on various health-related topics can be reached by dialing 1177. Each region operates its own health advice service, either internally or through contracted subcontractors, but together they form a national network.
In 2019, the media reported that recorded calls to the 1177 helpline were available on a web server without password protection or other security measures. 
All calls to the 1177 number initially went to the company Inera, which managed and developed the shared systems. Calls to the number 1177 from people living in the Stockholm, Sormland and Varmland regions were put through by Inera to Medhelp AB, which took the calls. Medhelp had in turn contracted the Thai company Medicall Co Ltd. to take calls on weekends and at night. Both Medhelp and Medicall had a contract with the technology company Voice Integrate Nordic AB for, among other things, call recordings. A data breach had then occurred in which recordings of calls to the number 1177 were available on the Internet on a storage server belonging to Voice Integrate. 
The incident resulted from the misconfiguration of a network-attached storage device that was publicly accessible over the Internet and did not use encrypted communications. A large number of calls were accessed due to the vulnerability. 

The DPA imposed the fine on Region Sormland  for collecting call data from data subjects without first properly informing them of its processing.";https://www.imy.se/globalassets/dokument/beslut/2021/2021-06-07-beslut-region-sormland.pdf
716;Data Protection Authority of Sweden (Integritetsskyddsmyndigheten);Sweden;07.06.21;25000;Region Varmland;Yes;Länsstyrelsen I Värmlands Län;Sweden;Politics & Government;3600000;200;Other;Yes;Art. 5 (1) a) GDPR, Art. 13 GDPR;Insufficient fulfilment of information obligations;"The Swedish DPA has imposed a fine of EUR 25,000 on Region Varmland. The fine is related to an investigation against three companies and three Swedish regions. 

In all 21 regions of Sweden, a telephone hotline that offers advice on various health-related topics can be reached by dialing 1177. Each region operates its own health advice service, either internally or through contracted subcontractors, but together they form a national network.
In 2019, the media reported that recorded calls to the 1177 helpline were available on a web server without password protection or other security measures. 
All calls to the 1177 number initially went to the company Inera, which managed and developed the shared systems. Calls to the number 1177 from people living in the Stockholm, Sormland and Varmland regions were put through by Inera to Medhelp AB, which took the calls. Medhelp had in turn contracted the Thai company Medicall Co Ltd. to take calls on weekends and at night. Both Medhelp and Medicall had a contract with the technology company Voice Integrate Nordic AB for, among other things, call recordings. A data breach had then occurred in which recordings of calls to the number 1177 were available on the Internet on a storage server belonging to Voice Integrate. 
The incident resulted from the misconfiguration of a network-attached storage device that was publicly accessible over the Internet and did not use encrypted communications. A large number of calls were accessed due to the vulnerability. 

The DPA imposed the fine on Region Varmland for collecting call data from data subjects without first properly informing them of its processing.";https://www.imy.se/globalassets/dokument/beslut/2021/2021-06-07-beslut-region-varmland.pdf
717;Data Protection Authority of Sweden (Integritetsskyddsmyndigheten);Sweden;07.06.21;50000;Region Stockholm;Yes;Region Stockholm;Sweden;Politics & Government;760200000;10000;Other;Yes;Art. 5 (1) a) GDPR, Art. 13 GDPR, Art. 14 GDPR;Insufficient fulfilment of information obligations;"The Swedish DPA has imposed a fine of EUR 50,000 on Region Stockholm. The fine is related to an investigation against three companies and three Swedish regions. 

In all 21 regions of Sweden, a telephone hotline that offers advice on various health-related topics can be reached by dialing 1177. Each region operates its own health advice service, either internally or through contracted subcontractors, but together they form a national network.
In 2019, the media reported that recorded calls to the 1177 helpline were available on a web server without password protection or other security measures. 
All calls to the 1177 number initially went to the company Inera, which managed and developed the shared systems. Calls to the number 1177 from people living in the Stockholm, Sormland and Varmland regions were put through by Inera to Medhelp AB, which took the calls. Medhelp had in turn contracted the Thai company Medicall Co Ltd. to take calls on weekends and at night. Both Medhelp and Medicall had a contract with the technology company Voice Integrate Nordic AB for, among other things, call recordings. A data breach had then occurred in which recordings of calls to the number 1177 were available on the Internet on a storage server belonging to Voice Integrate. 
The incident resulted from the misconfiguration of a network-attached storage device that was publicly accessible over the Internet and did not use encrypted communications. A large number of calls were accessed due to the vulnerability. 

The DPA imposed the fine on Region Stockholm for collecting call data from data subjects without first properly informing them of its processing.";https://www.imy.se/globalassets/dokument/beslut/2021/2021-06-07-beslut-region-stockholm.pdf
718;Data Protection Authority of Sweden (Integritetsskyddsmyndigheten);Sweden;07.06.21;1200000;MedHelp AB;Yes;Medhelp Ab;Sweden;Healthcare;20300000;100;Private;Yes;Art. 5 (1) a), f) GDPR, Art. 6 GDPR, Art. 9 (1) GDPR, Art. 13 GDPR, Art. 32 GDPR;Non-compliance with general data processing principles;"The Swedish DPA has imposed a fine of EUR 1,200,000 on MedHelp AB. The fine is related to an investigation against three companies and three Swedish regions. 

In all 21 regions of Sweden, a telephone hotline that offers advice on various health-related topics can be reached by dialing 1177. Each region operates its own health advice service, either internally or through contracted subcontractors, but together they form a national network.
In 2019, the media reported that recorded calls to the 1177 helpline were available on a web server without password protection or other security measures. 
All calls to the 1177 number initially went to the company Inera, which managed and developed the shared systems. Calls to the number 1177 from people living in the Stockholm, Sormland and Varmland regions were put through by Inera to Medhelp AB, which took the calls. Medhelp had in turn contracted the Thai company Medicall Co Ltd. to take calls on weekends and at night. Both Medhelp and Medicall had a contract with the technology company Voice Integrate Nordic AB for, among other things, call recordings. A data breach had then occurred in which recordings of calls to the number 1177 were available on the Internet on a storage server belonging to Voice Integrate. 
The incident resulted from the misconfiguration of a network-attached storage device that was publicly accessible over the Internet and did not use encrypted communications. A large number of calls were accessed due to the vulnerability. 

The Swedish DPA found that MedHelp had failed to take appropriate technical and organizational measures to ensure an adequate level of security to protect personal data so that unauthorized persons could not access it. Similarly, MedHelp had failed to properly inform callers about the processing of their personal data in accordance with Art. 13 GDPR. 

In addition, the DPA finds the outsourcing of the processing of personal data to Medicall to be a breach of the legality principle set out in the GDPR. This is because Medicall is not covered by Swedish health and medical legislation and is therefore not subject to the legally regulated confidentiality obligation that exists in the Swedish healthcare sector.";https://www.imy.se/globalassets/dokument/beslut/2021/2021-06-07-beslut-medhelp.pdf
719;Data Protection Authority of Sweden (Integritetsskyddsmyndigheten);Sweden;07.06.21;64500;Voice Integrate Nordic AB;Yes;Voice Integrate Nordic AB;Sweden;IT Services;NA;5;Private;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;"The Swedish DPA has imposed a fine of EUR 64,500 on Voice Integrate Nordic AB. The fine is related to an investigation against three companies and three Swedish regions. 

In all 21 regions of Sweden, a telephone hotline that offers advice on various health-related topics can be reached by dialing 1177. Each region operates its own health advice service, either internally or through contracted subcontractors, but together they form a national network.
In 2019, the media reported that recorded calls to the 1177 helpline were available on a web server without password protection or other security measures. 
All calls to the 1177 number initially went to the company Inera, which managed and developed the shared systems. Calls to the number 1177 from people living in the Stockholm, Sormland and Varmland regions were put through by Inera to Medhelp AB, which took the calls. Medhelp had in turn contracted the Thai company Medicall Co Ltd. to take calls on weekends and at night. Both Medhelp and Medicall had a contract with the technology company Voice Integrate Nordic AB for, among other things, call recordings. A data breach had then occurred in which recordings of calls to the number 1177 were available on the Internet on a storage server belonging to Voice Integrate. 
The incident resulted from the misconfiguration of a network-attached storage device that was publicly accessible over the Internet and did not use encrypted communications. A large number of calls were accessed due to the vulnerability. 

The Swedish DPA found that Voice Integrate had failed to take appropriate technical and organizational measures to ensure an adequate level of security to protect personal data so that unauthorized persons could not access it.";https://www.imy.se/globalassets/dokument/beslut/2021/2021-06-07-beslut-voice-integrate.pdf
720;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;09.06.21;2000;S.C. Dreamtime Call S.R.L.;Yes;S.C. Dreamtime Call S.R.L.;Romania;Services;271583;52;Private;Yes;Art. 31 GDPR, Art. 58 GDPR;Insufficient cooperation with supervisory authority;The Romanian DPA (ANSPDCP) has fined S.C. Dreamtime Call S.R.L. EUR 2,000 for failing to provide information requested by the DPA during an investigation.;https://www.dataprotection.ro/?page=Comunicat_Presa_09_06_2021&lang=ro
721;Polish National Personal Data Protection Office (UODO);Poland;27.04.21;5050;PNP S.A.;Yes;PNP S.A.;Poland;Services;10620;54;Private;Yes;Art. 31 GDPR, Art. 58 (1) e) GDPR;Insufficient cooperation with supervisory authority;The controller failed to provide information requested by the Polish DPA (UODO) for investigative purposes.;https://uodo.gov.pl/decyzje/DKE.561.23.2020
722;Data Protection Authority of Sweden (Integritetsskyddsmyndigheten);Sweden;09.06.21;34800;Directorate of the Ostra Skaraborg Rescue Service;Yes;Räddningstjänsten Östra Skaraborg;Sweden;Politics & Government;2500000;50;Other;Yes;Art. 5 (1) a), c) GDPR, Art. 32 (1), (4) GDPR;Non-compliance with general data processing principles;The Swedish DPA has imposed a fine of EUR 34,800 on the directorate of the Ostra Skaraborg Rescue Service. The DPA had received information that several fire stations in Ostra Skaraborg operated surveillance cameras that filmed areas where firefighters were changing during an emergency, whereupon it initiated a review of the camera surveillance. The video surveillance was taking place around the clock, although the controller itself stated that video surveillance was only required in case of emergency alarms. The DPA concludes that the 24/7 monitoring was too far-reaching, but notes that the controller had weighty reasons for the camera surveillance. However, the camera surveillance should be limited to emergencie cases. The fine is composed proportionally of EUR 29,800 for a violation of Art. 5 (1) a), c) GDPR and EUR 5,000 for a violation of Art. 32 (1), (4) GDPR.;https://www.imy.se/globalassets/dokument/beslut/2021/2021-06-09-beslut-raddningstjanst-ostra-skaraborg.pdf
723;Norwegian Supervisory Authority (Datatilsynet);Norway;28.05.21;39700;BRAbank ASA;Yes;BRAbank ASA;Norway;Banks;37000000;58;Public;Yes;Art. 24 GDPR, Art. 32 (1), (2) GDPR;Insufficient technical and organisational measures to ensure information security;"The Norwegian DPA (Datatilsynet) has imposed a fine of EUR 39,700 on BRAbank ASA. The controller had reported a data breach to the DPA on September 6, 2019. On the controller's website, some customers were able to view other customers' data on the 'My Page' section. These included credit terms and address information of other customers. The section had been activated shortly before for 500 selected customers and was intended, among other things, to provide an overview of loans taken out with the controller. 
Based on investigations into the case, the DPA found that the controller had not complied with the GDPR's requirements for risk assessment and appropriate technical measures in connection with the launch of the customer portal. According to the DPA's assessment, the personal data security breach could have been prevented if the controller had conducted a risk assessment and review as required by law.";https://www.datatilsynet.no/contentassets/28e9c4b1562743debffbc9ab253f3db2/vedtak-om-overtredelsesgebyr---brabankasa.pdf
725;Dutch Supervisory Authority for Data Protection (AP);Netherlands;04.02.21;12000;Orthodontic Clinic;No;NA;NA;Hospitals;NA;NA;NA;Yes;Art. 32 (1) GDPR;Insufficient technical and organisational measures to ensure information security;The Dutch DPA (AP) has fined an orthodontic clinic EUR 12,000. The web form that new patients used to sign up contained mandatory fields for all sorts of patient personal data. The data that the patients (mostly children) entered into the form was then sent to the orthodontic clinic via an unencrypted - and thus unsecured - connection. This presented the risk of unauthorized third parties accessing the personal data of the data subjects.;https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/boete_orthodontiepraktijk.pdf
727;Spanish Data Protection Authority (aepd);Spain;14.06.21;1200;Inmopiso Zaragoza S.L.;Yes;Inmopiso Zaragoza S.L.;Spain;Real Estate;NA;NA;Private;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;The controller failed to provide accurate information about the data collection in accordance with Art. 13 GDPR. The original fine of EUR 2,000 was reduced to EUR 1,200 due to immediate payment and admission of guilt.;https://www.aepd.es/es/documento/ps-00177-2021.pdf
728;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;09.06.21;2000;La Santrade S.R.L.;Yes;La Santrade S.R.L.;Romania;Retail & Trade;1900000;12;Private;Yes;Art. 31 GDPR, Art. 58 GDPR;Insufficient cooperation with supervisory authority;The Romanian DPA (ANSPDCP) has fined La Santrade S.R.L. EUR 2,000 for failing to provide information requested by the DPA during an investigation.;https://www.dataprotection.ro/?page=Comunicat_Presa_16_06_2021&lang=ro
729;Polish National Personal Data Protection Office (UODO);Poland;19.03.21;4900;Funeda Sp. z o.o.;Yes;Funeda Sp. z o.o.;Poland;Finance & Insurance;NA;NA;Private;Yes;Art. 31 GDPR, Art. 58 (1) a), e)  GDPR;Insufficient cooperation with supervisory authority;The Polish DPA (UODO) has fined Funeda Sp. z o.o. EUR 4,900 for failing to provide information requested by the DPA during an investigation.;https://www.uodo.gov.pl/decyzje/DKE.561.25.2020
730;Danish Data Protection Authority (Datatilsynet);Denmark;16.06.21;27000;Vejle Municipality;Yes;Vejle Kommune;Denmark;Politics & Government;111500000;1000;Other;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The Danish DPA (Datatilsynet) has imposed a fine of EUR 27,000 on Vejle municipality. The Danish DPA had started investigations against the municipality after it had reported a data breach pursuant to Art. 33 GDPR. The municipal dental care service had sent automated welcome letters to both parents as part of the treatment of children, which contained the contact details of both parents. In this process, the municipality had not checked whether it was permitted to pass the information on to the other parent. In several cases, parents thus received the address of the other parent, regardless of whether the other parent had name and address protection. The DPA considered this to be a failure of the municipality to take technical and organizational measures to ensure adequate data protection.;https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2021/jun/vejle-kommune-indstilles-til-boede
732;Lithuanian Data Protection Authority (VDAI);Lithuania;21.06.21;20000;UAB VS FITNESS;Yes;Vs Fitness Uab;Lithuania;Sports, Fitness & Recreation;2200000;38;Private;Yes;Art. 5 (1) a), c) GDPR, Art. 9 (1) GDPR, Art. 13 (1), (2) GDPR, Art. 30 GDPR, Art. 35 (1) GDPR;Non-compliance with general data processing principles;The Lithuanian DPA (VDAI) has imposed a fine of EUR 20,000 on UAB VS FITNESS. After receiving a notification from an individual stating that scanning a fingerprint was necessary to use the services of a sports club owned by the controller, the DPA started an investigation against the controller. The DPA's review found that the consent given by customers to have their fingerprint patterns processed was not voluntary as there were no other identification measures. In addition, the DPA found that the controller also unlawfully processed employees' fingerprints. The controller also failed to set out for what purpose and on what legal basis it processed the employees' biometric data. It also did not conduct a data protection impact assessment and did not demonstrate the necessity and proportionality of the processing of the employees' fingerprints. Furthermore, the DPA finds that the controller did not comply with its information obligations pursuant to Art. 13 GDPR.;https://vdai.lrv.lt/lt/naujienos/sporto-klubui-skirta-bauda-uz-bendrojo-duomenu-apsaugos-reglamento-pazeidimus-tvarkant-klientu-ir-darbuotoju-pirstu-atspaudus
733;Data Protection Authority of Sweden (Integritetsskyddsmyndigheten);Sweden;21.06.21;1600000;Storstockholms Lokaltrafik;Yes;Storstockholms Lokaltrafik;Sweden;Transportation & Logistics;1959477581;500;Other;Yes;Art. 5 (1) a), c) GDPR, Art. 6 (1) f) GDPR, Art. 13 GDPR;Insufficient legal basis for data processing;"The Swedish DPA has fined Storstockholms Lokaltrafik (Stockholm Local Transport Company) EUR 1,600,000. 
The controller had equipped ticket inspectors with body-worn cameras, which were designed to prevent threatening situations, document incidents, and ensure that the right person was fined for traveling on Stockholm's public transportation without a valid ticket.
Ticket inspectors were required to keep the camera on for their entire shift and were therefore able to film all passengers who passed the inspector. Since several hundred thousand people use public transportation in Stockholm every day, a large number of people were thus at risk of being monitored by video and audio recordings.

The DPA believes that body-worn camera technology could be used to prevent and document threatening situations, but that the pre-recording time should be reduced to a maximum of 15 seconds, as a longer pre-recording time is not necessary to achieve the above-mentioned purposes. Furthermore the DPA found that audio recordings did not contribute to the identification of persons without a valid ticket. The DPA therefore considered the audio recordings to be a violation of the principles of legality and transparency as well as data minimization. The DPA also criticized the controller for not providing sufficient information about the camera surveillance, including the fact that not only images but also sounds were recorded.";https://www.imy.se/globalassets/dokument/beslut/2021/2021-06-21-beslut-sl.pdf
734;French Data Protection Authority (CNIL);France;14.06.21;500000;BRICO PRIVE;Yes;Brico Prive;France;E-Commerce;22700000;100;Private;Yes;Art. 5 (1) e) GDPR, Art. 13 GDPR, Art. 17 GDPR, Art. 32 GDPR, Art. 82 Loi informatique et libertes, Art. L. 34-5 CPCE;Non-compliance with general data processing principles;"The French DPA (CNIL) has imposed a fine of EUR 500,000 on BRICO PRIVE.
CNIL conducted three inspections at BRICO PRIVE between 2018 and 2021 and identified several deficiencies in the processing of personal data of prospects and customers.
The controller, for example, had not complied with the data retention periods it had established. In this regard the data of more than 16,000 customers who had not placed an order in the last five years had been retained. The same applied to more than 130,000 people who had not logged into their customer accounts for five years.
In addition, the controller violated its information obligations under Art. 13 GDPR. Furthermore, the controller failed to fulfill its obligation to fully comply with the deletion requests received. 
The CNIL also found that the controller did not implement sufficient technical and organizational measures to ensure information security. Thus, for example, the controller did not require the use of a secure password during the process of opening an account the companys website or when employees accessed the customer relationship management software. The fine is composed proportionately of EUR 300,000 for violations of Art. 5(1) e) GDPR, Art. 13 GDPR, Art. 17 GDPR and Art. 32 GDPR and EUR 200,000 for violations of Art. 82 Loi informatique et libertes and Art. L. 34-5 CPCE.";https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000043668709
736;Spanish Data Protection Authority (aepd);Spain;22.06.21;10000;TNT EXPRESS WORLDWIDE SPAIN, S.L.;Yes;Tnt Express Worldwide Spain Sl;Spain;Transportation & Logistics;157400000;1200;Private;Yes;Art. 5 (1) d) GDPR;Non-compliance with general data processing principles;The Spanish DPA (AEPD) has imposed a fine of EUR 10,000 on TNT EXPRESS WORLDWIDE SPAIN, S.L.. The data subject had placed a private order with the controller and had entered the address of his workplace as the delivery address. The delivery was correctly delivered, but the invoice was issued to the company where the data subject was employed and not to the data subject. Both the invoice and the delivery bill contained various personal data of the data subject. These were disclosed to his employer as a result of the incident.;https://www.aepd.es/es/documento/ps-00301-2020.pdf
737;Italian Data Protection Authority (Garante);Italy;13.05.21;2856169;Iren Mercato S.p.A.;Yes;Iren Mercato Spa;Italy;Energy;2200000000;488;Private;Yes;Art. 5 (1), (2) GDPR, Art. 6 (1) GDPR, Art. 7 (1) GDPR;Insufficient legal basis for data processing;The Italian DPA (Garante) fined Iren Mercato S.p.A. EUR 2,856,169 for failing to verify that all transfers of data of recipients of promotional activities were covered by consent. Several data subjects filed complaints with the DPA against the controller because they had received unsolicited advertising to which they had never consented. In its investigation against the cotroller, the DPA found that the cotroller had in fact processed personal data for telemarketing activities that it had not collected directly but had acquired from other sources. It had not checked whether valid consents had been obtained from the advertising addressees for all transfers of the data. The controller had received lists of personal data from one company, which in turn had acquired them from two other companies. The latter companies had obtained the consent of potential customers for the telemarketing carried out by them and by third parties, but this consent did not include the transfer of customer data to the controller. In this context, the DPA emphasized that consent given by a customer to a company for third-party promotional activities cannot extend its effectiveness to subsequent transfers to other operators.;https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9670025
738;Norwegian Supervisory Authority (Datatilsynet);Norway;04.06.21;49200;Moss municipality;Yes;Moss Kommune;Norway;Politics & Government;NA;NA;Other;Yes;Art. 32 (1) b), d) GDPR;Insufficient technical and organisational measures to ensure information security;"The Norwegian DPA (Datatilsynet) has fined the municipality of Moss EUR 49,200 for inadequately securing personal data. 
In January, the municipality of Rygge was annexed to the municipality of Moss. For this reason, several IT systems from both municipalities were combined. 
Due to inadequate security measures, a data breach occurred in a productive system used in the municipality's health service. 
This system processed personal and health data and affected people who live in the municipality and use the health center. The system is used for services related to immunization programs in the municipality, as well as for other health checks and follow-ups of pregnant women. About 2000 people were potentially affected by the breach. Due to the data breach, errors had occurred in vaccine registration. As a result, the data subjects were at risk of receiving the wrong vaccines. There was also a potential for their immunization data to be misfiled in the national immunization registry.
Furthermore, errors occurred in follow-ups for pregnant women, including information on the week of pregnancy or the mother's drug use. 
Also, patient information was provided to health workers in a health service ward without being required and without access being documented.";https://www.datatilsynet.no/contentassets/e7e029cdedec4c4e8907aef6bb08590c/20_02165-9-vedtak-om-overtredelsesgebyr--moss-kommune-236334_9_1.pdf
740;Icelandic data protection authority ('Personuvernd');Iceland;15.06.21;34000;Huppuis ehf;Yes;Huppuis ehf;Iceland;Restaurants, Cafes & Bars;NA;NA;Private;Yes;Art. 5 (1) a), c) GDPR, Art. 6 (1) GDPR, Art. 12 (1) GDPR, Art. 13 (1), (2) GDPR;Non-compliance with general data processing principles;The Icelandic DPA (Personuvernd) has imposed a fine of EUR 34,000 on Huppuis ehf. A former employee filed a complaint against the controller with the DPA. The reason for this was the camera surveillance installed by the controller. During their shifts, the controller's employees wore clothing provided by the controller.However, the designated changing room of the store was a storage room in which large quantities of cleaning materials were stored.  Due to a lack of sufficient space in this room, the employees (mostly minors) had to change in the general employee area, which was covered by a video camera. The controller stated that they had installed the video camera for security purposes. The DPA concluded that the controller had a legitimate interest in the video surveillance, but that the interests of the mostly underage employees must also be taken in account. The controller should have tried to implement less restrictive measures. In addition, the DPA underlined that the information on video surveillance was inadequate in both the employee and customer service areas. In determining the amount of the fine, the fact that a large number of the data subjects were minors was taken into account as an aggravating factor.;https://www.personuvernd.is/urlausnir/huppuis-ehf.-sektud-vegna-voktunar-med-eftirlitsmyndavelum-i-starfsmannarymi-1
741;Polish National Personal Data Protection Office (UODO);Poland;21.06.21;35300;Sopockie Towarzystwo Ubezpieczen ERGO Hestia S.A.;Yes;ERGO Group AG;Germany;Finance & Insurance;1500000000;9847;Private;No;Art. 33 (1) GDPR, Art. 34 (1) GDPR;Insufficient fulfilment of data breach notification obligations;The controller had sent an email to  that contained personal data of a customer to the wrong recipient. The leaked data included data such as the name, postal address of the data subject and insurance details. In this context the controller had not informed either the Polish DPA nor the data subjects about the data breach in a timely manner within 72 hours.;https://www.uodo.gov.pl/decyzje/DKN.5131.3.2021
743;Italian Data Protection Authority (Garante);Italy;10.06.21;2600000;Foodinho s.r.l.;Yes;Foodinho Srl;Italy;Telecommunications;32000000;69;Private;Yes;Art. 5 (1) a), c), e) GDPR, Art. 13 GDPR, Art. 22 (3) GDPR, Art. 25 GDPR, Art. 30 (1) a), b), c), f), g) GDPR, Art. 32 GDPR, Art. 35 GDPR, Art. 37 (7) GDPR;Non-compliance with general data processing principles;The Italian DPA (Garante) has fined Foodinho s.r.l. EUR 2,600,000. Foodinho is an Italian food delivery service. The investigation against Foodinho mainly focused on the drivers of Foodinho. In the process, the DPA found some serious violations of applicable data protection regulations. Thus, the DPA identified some irregularities concerning the algorithms of the Foodinho system. In particular, the DPA found that the controller had not adequately informed employees about how the system worked and did not guarantee the accuracy and correctness of the results of the algorithms used to evaluate drivers. Furthermore, the DPA found violations of the principles of data minimization as well as memory limitation. For example, the systems processed drivers' data to an extent that exceeded the purpose of the processing and, in some cases, stored the data significantly longer than necessary. In addition, the controller had not taken sufficient technical and organizational measures to ensure secure data processing. The controller had also not conducted a data protection impact assessment, although this would have been necessary due to the considerable amount of data of different types relating to a significant number of data subjects. Separate proceedings are being conducted against the parent company GlovoApp23 by the Spanish DPA (AEPD).;https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9675440
744;Deputy Data Protection Ombudsman;Finland;24.06.21;8500;Magazine publisher;No;NA;NA;Newspapers & Publishing;NA;NA;NA;Yes;Art. 5 (1) a) GDPR, Art. 7 (2), (4) GDPR, Art. 12 (2) GDPR, Art. 21 (2) GDPR, Art. 24 (1) GDPR, Art. 28 (1), (3) GDPR;Insufficient legal basis for data processing;"The Finnish DPA has imposed a fine of EUR 8,500 on a magazine publisher. The DPA received four complaints against the magazine publisher for unsolicited telephone advertising.The controller had carried out direct marketing using an automated calling system, without valid consent from the recipients of the calls.
Specifically, the controller had obtained the apparent consent for direct marketing when a customer subscribed to a magazine on its website, for example.  The subscriber to the magazine was required to accept the terms of the subscription and contract, which included consent to direct marketing. If the consent to direct marketing was not given, the magazine could not be subscribed. The DPA states that the consent and the way it was obtained did not comply with the GDPR. Indeed, the consent was not specifically requested for direct marketing and the consent collected together with the subscription and contract terms did not constitute voluntary consent for the purpose of direct marketing. 

In addition, it was not possible for data subjects to exercise their right to object due to the fact that the direct marketing calls were made using automated calling systems and the voice bots could not understand specific questions from data subjects about their data. 

Furthermore, the magazine publisher had commissioned a call center to carry out the advertising campaign and had not regulated its processing activities in a contract on commissioned processing.";https://finlex.fi/fi/viranomaiset/tsv/2021/20210863
745;Croatian Data Protection Authority (azop);Croatia;05.07.21;NA;IT services company;No;NA;NA;IT Services;NA;NA;NA;Yes;Art. 32 (1) b), (2) GDPR;Insufficient technical and organisational measures to ensure information security;A Croatian IT company provides IT services to entities such as mobile operators, banks and state institutions in Croatia, as well as to companies abroad (USA, Great Britain, the Netherlands, etc.), thereby acting as a data processor in relation to personal data. The data controller, a telecommunications company using the services of the IT provider, informed the DPA as well its users of the potential breach of personal data by the IT provider. The incident consisted of a security breach which led to unauthorized access and processing of personal data by hackers and involved personal data of 28,085 respondents. The incident occurred because the IT provider had not taken the necessary measures to achieve an adequate level of security in accordance with existing and foreseeable risks. The IT provider, as a data processor, was obliged to take appropriate technical security measures in such a way as to ensure the permanent confidentiality of the system, including regular testing, evaluation and assessment of the effectiveness of technical and organizational measures to ensure security of processing. When assessing the appropriate level of security, the IT provider should have taken particular account of the risks of unauthorized disclosure of personal data. Due to failure to take appropriate technical measures for the security of personal data processing, the DPA imposed an administrative fine on the IT provider. The amount of the fine is NA at the moment. In its decision, the DPA took into account the nature of the IT provider?s business activity, whose role should be to support other entities through opinions and guidelines, proposing solutions for the implementation of web applications, and especially designing and implementing appropriate technical measures.;https://azop.hr/izdane-nove-upravne-novcane-kazne/
746;Danish Data Protection Authority (Datatilsynet);Denmark;07.07.21;53800;Nordbornholms Byggeforretning Aps;Yes;Nordbornholms Byggeforretning Aps;Denmark;Building Construction;3200000;35;Private;Yes;Art. 5 GDPR, Art. 6 GDPR;Insufficient legal basis for data processing;"The Danish DPA ( Datatilsynet) has imposed a fine of EUR 53,800 on Nordbornholms Byggeforretning Aps. 

In 2018, the DPA was contacted by a data subject who complained that his former employer Nordbornholms Byggeforretning ApS, had disclosed information about him to the company's customers.

The controller had emailed two of the company's customers informing them that the former employee had committed crimes in the course of employment and had admitted to committing them, as well as describing in detail the alleged course of events. 

According to the DPA, the controller in such a case had a 
legitimate interest in disclosing information about the former employee's dismissal to its customers and in informing the customers that, as a result, the employee could not enter into any contracts on behalf of the company. However, such a detailed description of the allegations was not necessary and thus unlawful.";https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2021/jul/privat-virksomhed-indstillet-til-boede
747;Italian Data Protection Authority (Garante);Italy;13.05.21;84000;Comune di Bolzano;Yes;Comune Di Bolzano;Italy;Politics & Government;62000000;1018;Other;Yes;Art. 5 (1) a), c) GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 13 GDPR, Art. 35 GDPR;Non-compliance with general data processing principles;"The Italian DPA (Garante) has fined the municipality of Bolzano EUR 84,000. A former employee of the municipality filed a complaint with the DPA against the municipality. 
In particular, the former employee complained that the municipality processed personal data related to his internet use during working hours and that he later received a notice of initiation of disciplinary proceedings accusing him of accessing Facebook for more than 40 minutes and YouTube for more than 3 hours during his working hours and of using the municipality's computer for private purposes.  The DPA's investigation revealed that the municipality had been using a system to control and filter employees' internet browsing for about a decade, with monthly retention of data and creation of special reports for network security purposes. The system also collected information that had nothing to do with professional activities and, in any case, concerned the private life of the person in question.
The DPA finds that the controller thus violated the principle of data minimization, lawfulness and purpose limitation. The controller should rather have taken less intrusive measures to prevent the private use of the Internet. The DPA pointed out that the need to reduce the risk of misuse of Internet navigation cannot lead to the complete elimination of any privacy of the data subject at the workplace, even in cases where the employee uses network services provided by the employer. In addition, the controller had not adequately informed employees about the collection of Internet history, in violation of its obligation under Article 13 of the GDPR. 
Furthermore, the investigation identified other violations in the processing of data related to employees' requests for extraordinary medical examinations, which were made using a special form. The form provided by the controller had to be checked by the head of the organizational unit, a circumstance that led to the unlawful processing of health data.";https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9669974
750;Italian Data Protection Authority (Garante);Italy;10.06.21;20000;Dentist;No;NA;NA;Healthcare;NA;NA;NA;Yes;Art. 5 (1) a), c) GDPR;Insufficient legal basis for data processing;"The Italian DPA (Garante) has fined a dentist EUR 20,000. A data subject filed a complaint with the DPA against the dentist for refusing to treat him after the data subject had indicated he had HIV in his medical history form. 
In the dentist's clinic, it was common practice for patients to fill out a medical history form before medical treatment, which contained questions about previous, existing or suspected infectious diseases (e.g. tuberculosis, hepatitis, HIV). The DPA considered this to be a violation of the principles of legality. It stated that it was legitimate to ask for such information in order to better plan medical treatment. However, it was not permissible to collect such information and then refuse treatment to the patient.";https://gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9677521
751;Dutch Supervisory Authority for Data Protection (AP);Netherlands;31.05.21;450000;UWV (Dutch employee insurance service provider);Yes;Stichting Pensioenfonds Uwv;Netherlands;Finance & Insurance;9300000;17;Private;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The Dutch DPA (AP) has fined UWV (the Dutch employee insurance service provider - 'Uitvoeringsinstituut Werknemersverzekeringen) EUR 450,000. The UWV had not properly secured the sending of group messages via the 'My Workbook' environment. This is a personal environment on the UWV website where job seekers have contact with the UWV. As a result, there were multiple data leaks of personal information, including health information, from a total of more than 15,000 individuals.;https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/boete_uwv_beveiliging_groepsberichten.pdf
754;Spanish Data Protection Authority (aepd);Spain;08.07.21;50000;Caixabank S.A.;Yes;CaixaBank SA;Spain;Banks;10900000000;35434;Public;Yes;Art. 6 (1) f) GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has imposed a fine of EUR 50,000 on Caixabank S.A.. A data subject had filed a complaint with the DPA because he had received commercial advertising from the controller, although he had objected to the processing of his data for advertising purposes and the controller had replied that it would comply with this request.;https://www.aepd.es/es/documento/ps-00259-2020.pdf
755;Spanish Data Protection Authority (aepd);Spain;08.07.21;4000;Malagatrom S.L.U.;Yes;Malagatrom S.L.U.;Spain;E-Commerce;NA;NA;Private;Yes;Art. 6 GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has imposed a fine of EUR 4,000 on Malagatrom S.L.U.. The data subject had purchased a product from the controller via the platform 'Amazon', which was delivered defectively . The data subject then decided to leave a negative review on the controller's store page due to the defective delivery. Thereupon, the controller published personal data of the data subject, such as his first and last name, address, cell phone number as well as the name of his wife and her cell phone number on the store page of the defendant in the Amazon portal.;https://www.aepd.es/es/documento/ps-00459-2020.pdf
756;Croatian Data Protection Authority (azop);Croatia;05.07.21;NA;Insurance company;No;NA;NA;Finance & Insurance;NA;NA;NA;Yes;Art. 13 GDPR, Art. 14 GDPR, Art 27 (1) of the National Implementation Law;Insufficient fulfilment of information obligations;The DPA has ex officio, without prior notice, conducted a direct supervision over an insurance company based in Zagreb. Upon inspection of its business facility for carrying out technical inspections and vehicle registration and contracting insurance services, the DPA established that both the business facility and its external surface are under video surveillance. However, the DPA established that the insurance company has failed to provide notice of such surveillance, which is contrary to Art 27 (1) of the Law on the Implementation of GDPR. Namely, data controllers and processors are obliged to indicate that the object and its outer surface are under video surveillance, and such notice must be visible at the latest when entering the perimeter of the recording and must contain all the prescribed information. Due to the breach, the DPA imposed an administrative fine on the insurance company.;https://azop.hr/izdane-nove-upravne-novcane-kazne/
757;Danish Data Protection Authority (Datatilsynet);Denmark;09.07.21;80700;Medicals Nordic I/S;Yes;Charlottenlund Lægehus Medicals Nordic I/S;Denmark;Healthcare;1600000;75;Private;Yes;NA;Non-compliance with general data processing principles;The Danish DPA (Datatilsynet) has fined Medicals Nordic I/S EUR 80,700. In January 2021, the DPA became aware that Medicals Nordic was using WhatsApp to transmit confidential information and health data about citizens being tested in the company's test centres. All employees working in a test centre were invited to a WhatsApp group associated with the test centre. The members of these WhatsApp groups received all the messages transmitted by other employees in the groups. The employees shared confidential information about citizens to the company's central administration through those WhatsApp groups. This meant that employees who, did not have a work-related need to process information - which other employees had to transmit to the central administration - nevertheless received the information, which included, inter alia, personal identity numbers and health data of citizens.;https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2021/jul/medicals-nordic-is-indstillet-til-boede
759;Danish Data Protection Authority (Datatilsynet);Denmark;16.07.21;67900;Region of Syddanmark;Yes;Region Syddanmark;Denmark;Politics & Government;94900000;1000;Other;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;"The Danish DPA (Datatilsynet) has fined the Region of Syddanmark EUR 67,900 for failing to comply with its obligation as a data controller to implement adequate security measures. The matter came to the attention of the DPA when a citizen complained to the authority in 2020 about the lack of security in the processing of personal data of the citizen's child by the region, and shortly thereafter the region reported the matter to the authority as a personal data breach.

The Region of Syddanmark had maintained a database for research and clinical purposes for a period of more than 1.5 years, whereby the database was not adequately secured against unauthorized access. By manipulating URLs, it was possible to gain access to PDF documents stored in the database. This allowed citizens who were registered in the database - and who also had a login to the database - to access the personal data of people registered in the database. The database contained questionnaires with health information on more than 30,000 children receiving psychiatric care.";https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2021/jul/region-syddanmark-indstilles-til-boede
761;Spanish Data Protection Authority (aepd);Spain;09.07.21;1500;Aparcamiento Arcusa S.L.U.;Yes;Aparcamiento Arcusa S.L.U.;Spain;Real Estate;NA;NA;Private;Yes;Art. 5 (1) c) GDPR, Art. 13 GDPR;Non-compliance with general data processing principles;The Spanish DPA (AEPD) has imposed a fine of EUR 1,500 on Aparcamiento Arcusa S.L.U. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. The fine is made up of EUR 1,000 for a violation of Art. 5 (1) c) GDPR and EUR 500 for a violation of Art. 13 GDPR.;https://www.aepd.es/es/documento/ps-00435-2020.pdf
762;Spanish Data Protection Authority (aepd);Spain;06.07.21;4200;Marbella Resorts S.L.;Yes;Marbella Resorts Sl.;Spain;Real Estate;2600000;18;Private;Yes;Art. 28 (3) GDPR;Insufficient data processing agreement;The Spanish DPA (AEPD) has imposed a fine of EUR 7,000 on Marbella Resorts S.L.. In the case at hand, the data subject had booked a room in the hotel complex of the controller. On the day of the data subject's arrival, a concierge made copies of the data subject's data. However, the concierge was not authorized to do so. He was solely authorized to verify the reservation and then to give the guests the keys to their room. After providing the controller with his personal data, the data subject discovered that his personal data had been published on a page with online content for adults. In this regard, the DPA found a lack of diligence on the part of the controller in managing the personal data of its customers and thus a violation of Article 28 (3) GDPR. The fine is composed proportionally of EUR 2,000 for a breach of Art. 22(2) LSSI and 5,000 EIR for a breach of Art. 28(3) GDPR. However, the original fine of EUR 7,000 was reduced to EUR 4,200 due to the immediate payment and admission of guilt.;https://www.aepd.es/es/documento/ps-00151-2021.pdf
764;Spanish Data Protection Authority (aepd);Spain;07.07.21;2000;Homeowners Association;No;NA;NA;NA;NA;NA;NA;Yes;Art. 5 (1) c) GDPR;Non-compliance with general data processing principles;Usage of CCTV camera which also captured the public space in violation of the principle of data minimisation.;https://www.aepd.es/es/documento/ps-00364-2020.pdf
767;Hellenic Data Protection Authority (HDPA);Greece;08.07.21;5000;Pediatrician;No;NA;NA;Healthcare;NA;NA;NA;Yes;Art. 12 (1) GDPR, Art. 15 (1) GDPR;Insufficient fulfilment of data subjects rights;The Hellenic DPA has fined a pediatrician EUR 5,000. A father had asked the controller to view the medical records contained in his child's patient file via e-mail. However, the controller did not comply with this request.;https://www.dpa.gr/sites/default/files/2021-07/26_2021anonym.pdf
768;Spanish Data Protection Authority (aepd);Spain;12.07.21;45000;Telefonica Moviles Espana, S.A.U.;Yes;Telefónica SA;Spain;Telecommunications;41600000000;112797;Public;Yes;Art. 6 GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has fined Telefonica Mobiles Espana, S.A.U. EUR 45,000. A data subject filed a complaint against the controller with the DPA. His complaint was based on the fact that his telephone number and customer profile were used by controller employees to conduct tests in call centers and branches without his consent. As a result, the data subject received 247 unsolicited calls from the controller. The original fine of EUR 75,000 was reduced to EUR 45,000 due to immediate payment and acknowledgement of responsibility.;https://www.aepd.es/es/documento/ps-00180-2021.pdf
769;Polish National Personal Data Protection Office (UODO);Poland;30.06.21;3000;Fundacje Promocji Mediacji i Edukacji Prawnej Lex Nostra;Yes;Fundacje Promocji Mediacji i Edukacji Prawnej Lex Nostra;Poland;NA;NA;NA;Other;Yes;Art. 33 (1) GDPR, Art. 34 (1) GDPR;Insufficient fulfilment of data breach notification obligations;The Polish DPA (UODO) has imposed a fine of EUR 3,000 on the Fundacje Promocji Mediacji i Edukacji Prawnej Lex Nostra Foundation for the promotion of mediation and legal education. The controller had not immediately informed the DPA and the data subjects about a personal data breach. Several folders containing personal data had been stolen from the controller in early 2020. These included the names, addresses and telephone numbers, and in 3 to 4 cases also the PESEL numbers (Polish identification number) of 96 data subjects.;https://uodo.gov.pl/decyzje/DKN.5131.11.2020
770;Dutch Supervisory Authority for Data Protection (AP);Netherlands;09.04.21;750000;TikTok;Yes;Beijing Bytedance Technology Co., Ltd.;China;IT Services;17611500000;60000;Private;No;Art. 12 GDPR;Insufficient fulfilment of information obligations;The Dutch DPA (AP) has fined the video portal TikTok EUR 750,000 for violating the privacy of young children. The information that Dutch users - mostly young children - received from TikTok when installing and using the app was in English and therefore not easy to understand. By not providing the privacy policy in Dutch, TikTok did not adequately explain how the app collects, processes, and reuses personal data. The DPA considered this to be a violation of the company's duty to provide information.;https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/boete_tiktok.pdf
771;French Data Protection Authority (CNIL);France;20.07.21;1750000;SGAM AG2R LA MONDIALE;Yes;Sgam Ag2R La Mondiale;France;Finance & Insurance;16200000;50;Private;Yes;Art. 5 (1) e) GDPR, Art. 13 GDPR, Art. 14 GDPR;Non-compliance with general data processing principles;"The French DPA (CNIL) has fined private insurer SGAM AG2R LA MONDIALE EUR 1,750,000. 
The CNIL had carried out an inspection at the AG2R LA MONDIALE group in 2019.

On this occasion, the CNIL found that the controller kept the data of millions of individuals for an excessive period of time and did not comply with their information obligations in the context of telephone canvassing campaigns.

With regard to the data of prospects, the controller did not comply with the maximum retention period of three years defined in the reference framework and in the Group's processing register. As a result, the controller retained the data of nearly 2,000 customers who had not been in contact with the controller for more than three years, and in some cases five years.

In relation to customer data, the controller did not comply with the maximum statutory retention periods stipulated in the Insurance Code and the Commercial Code. In this case, the controller retained the data of more than 2 million customers, some of which were sensitive (health) or specific (banking data), beyond the legally permitted retention periods after the end of the contract.";https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000043829617?isSuggest=true
772;Italian Data Protection Authority (Garante);Italy;27.05.21;120000;Azienda Usl della Romagna;Yes;Azienda Unita' Sanitaria Locale Della Romagna;Italy;Healthcare;634700000;14407;Private;Yes;Art. 5 (1) f) GDPR, Art. 9 GDPR;Non-compliance with general data processing principles;The Italian DPA (Garante) has fined Azienda Usl della Romagna EUR 120,000. The local health authority of Romagna had accidentally transmitted a patient's report regarding an abortion to a general practitioner. However, the patient had asked not to inform her general practitioner about it. The transmission of the report was made through the regional network 'Sole'. The investigation by Garante revealed that the data had been accidentally transmitted due to an error in the software that manages patient admissions, discharges and transfers.;https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9682619
773;Italian Data Protection Authority (Garante);Italy;27.05.21;150000;Azienda Provinciale per i Servizi Sanitari di Trento;Yes;Azienda Provinciale Per I Servizi Sanitari Della Provincia Autonoma Di Trento;Italy;Healthcare;16500000;283;Private;Yes;Art. 5 (1) a), f) GDPR, Art. 9 GDPR;Non-compliance with general data processing principles;The Italian DPA (Garante) has fined Azienda Provinciale per i Servizi Sanitari di Trento EUR 150,000. The controller had accidentally forwarded 293 medical reports of 175 patients to their general practitioners, even though the patients had asked not to forward the reports to their general practitioners. Among the patients in question had been two minors and several women who had undergone abortions. The investigation by Garante found that the data had been accidentally transmitted due to an error in the software that manages patient reports.;https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9682641
774;Spanish Data Protection Authority (aepd);Spain;26.07.21;2000;Intersumi S.C.;Yes;Intersumi S.C.;Spain;Wholesale;191033;2;Private;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;The Spanish DPA (AEPD) has imposed a fine of EUR 2,000 on Intersumi S.C.. The controller failed to provide an adequate privacy statement on its website.;https://www.aepd.es/es/documento/ps-00197-2021.pdf
775;Spanish Data Protection Authority (aepd);Spain;26.07.21;2000;Fincas Miguel Garcia S.L.;Yes;Fincas Miguel Garcia S.L.;Spain;Real Estate;NA;1;Private;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;The Spanish DPA (AEPD) has fined Fincas Miguel Garcia S.L. in the amount of EUR 2,000. A data subject had filed a complaint against the controller, alleging a breach of Art. 13 GDPR. The DPA found that the information provided to the data subject by the controller did not comply with the provisions of Art. 13 GDPR, as essential aspects were missing, such as information on the purposes of the processing for which the personal data collected are intended and its legal basis, as well as information on the legitimate interests of the controller that justify the processing, the period for which the personal data will be stored and the right to withdraw consent at any time.;https://www.aepd.es/es/documento/ps-00202-2021.pdf
776;French Data Protection Authority (CNIL);France;26.07.21;400000;Monsanto Company;Yes;Bayer AG;Germany;Chemicals;37000000000;99538;Public;No;Art. 14 GDPR, Art. 28 GDPR;Insufficient fulfilment of information obligations;"The French DPA (CNIL) has fined MONSANTO EUR 400,000.

In May 2019, several media revealed that MONSANTO was in possession of a file containing the personal data of more than 200 political figures or members of civil society (e.g. journalists, environmental activists, scientists or farmers) likely to influence the debate or public opinion on the renewal of the authorization of glyphosate in Europe. At the same time, the CNIL received seven complaints from data subjects affected by this file.

For each of these individuals, the file contained information such as the organization they belonged to, the position they held, their business address, their business phone number, their cell phone number, their business email address, and in some cases their Twitter account. In addition, CNIL noted that each person was assigned a score from 1 to 5 to evaluate their influence, credibility, and support for Monsanto on various issues.

The DPA believes that the company violated the provisions of the GDPR by not informing the data subjects that their data was stored in this file. In addition, the CNIL complained that the company had not given the contractual guarantees that should normally regulate the relationship with a subcontractor. 

The creation of contact files by stakeholders for lobbying purposes is not illegal in itself. However, CNIL stressed that data subjects nevertheless have the right to be informed of the existence of the file in order to exercise additional rights, in particular the right to object. 

In addition, the CNIL found that the data collection was carried out by a provider contracted by Monsanto and that Monsanto violated Article 28 of the General Data Protection Regulation by not including in its contracts with the data processor the provisions foreseen in the GDPR, in particular regarding data security.";https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000043860997https://www.cnil.fr/fr/fichier-de-lobbying-sanction-de-400-000-euros-lencontre-de-la-societe-monsanto
777;Spanish Data Protection Authority (aepd);Spain;26.07.21;2520000;Mercadona S.A.;Yes;Mercadona Sa;Spain;Food & Beverage;20900000000;93219;Private;Yes;Art. 5 (1) c) GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 25 (1) GDPR, Art. 35 GDPR;Insufficient legal basis for data processing;"The Spanish DPA (AEPD) has fined Mercadona S.A. EUR 2,520,000. The controller had installed facial recognition systems in Mercadona stores for the purpose of tracking individuals with criminal convictions or restraining orders. The system captured everyone who entered the stores, including minors and MERCADONA employees.
During its investigation, the DPA found numerous privacy violations. 

For instance, the system violated the principle of data minimization, the principle of necessity and proportionality since the controller could process multiple biometric data - beyond the purpose of the system. 

In addition, the DPA concluded that Mercadona's privacy impact assessment was deficient as it did not take into account the specific and unique risks to Mercadona's employees posed by data processing through facial recognition systems.

Furthermore, MERCADONA had violated its duty to inform according by not properly providing data subjects with information about the processing of their personal data.

The original fine of EUR 3,150,000 consisted of EUR 500,000 due to a violation of Art. 5(1)(c), EUR 2,000,000 due to a violation of Art. 6 and Art. 9 of the GDPR, EUR 100,000 due to a violation of Art. 12 and Art. 13 of the GDPR, EUR 500,000 due to a violation of Art. 25(1) of the GDPR, and EUR 50,000 due to a violation of Art. 35 of the GDPR. The original fine was reduced to EUR 2,250,000 due to voluntary payment.";https://www.aepd.es/es/documento/ps-00120-2021.pdf
778;National Commission for Data Protection (CNPD);Luxembourg;16.07.21;746000000;Amazon Europe Core S.a.r.l.;Yes;Amazon.com, Inc.;United States;E-Commerce;338200000000;1298000;Public;No;NA;Non-compliance with general data processing principles;In its quarterly report, Amazon.com Inc. announced that the DPA from Luxembourg (CNPD) had fined Amazon Europe Core S.a r.l. EUR 746,000,000 for failing to process personal data in compliance with the GDPR. Amazon plans to take legal action against the decision.;https://www.sec.gov/ix?doc=/Archives/edgar/data/0001018724/000101872421000020/amzn-20210630.htm#i5986f88ea1e04d5c91ff09fed8d716f0_103
779;Spanish Data Protection Authority (aepd);Spain;29.07.21;3000;UNIVERSIDAD A DISTANCIA DE MADRID, S.A.;Yes;"	Universidad A Distancia De Madrid Sa";Spain;Education;17500000;326;Private;Yes;Art. 17 (1) GDPR, Art. 21 LSSI;Insufficient fulfilment of data subjects rights;The Spanish DPA (AEPD) has imposed a fine on UNIVERSIDAD A DISTANCIA DE MADRID, S.A.. A data subject had filed a complaint against the distance learning university. He stated that he had requested the controller to delete all his data and prohibit its processing for any purpose. He received a confirmation, that his data had been completely deleted. Nevertheless, the data subject later received advertising from the controller by e-mail. The AEPD then imposed a fine of EUR 5,000, which was reduced to EUR 3,000 due to acknowledgement of guilt and immediate payment.;https://www.aepd.es/es/documento/ps-00310-2021.pdf
780;Spanish Data Protection Authority (aepd);Spain;27.07.21;500;Website operator;No;NA;NA;IT Services;NA;NA;NA;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;The Spanish DPA (AEPD) fined a website operator EUR 500 due to the fact that its privacy policy did not comply with the requirements of Art. 13 GDPR.;https://www.aepd.es/es/documento/ps-00015-2021.pdf
781;Spanish Data Protection Authority (aepd);Spain;27.07.21;1000;NEXTSTEPAGENCY, S.L.;Yes;NEXTSTEPAGENCY, S.L.;Spain;Advertising & Marketing;41372;1;Private;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;The Spanish DPA (AEPD) has fined NEXTSTEPAGENCY, S.L. EUR 1,000. A website of the controller lacked reliable data about the owner of the website such as tax number and postal address.;https://www.aepd.es/es/documento/ps-00157-2021.pdf
782;Spanish Data Protection Authority (aepd);Spain;27.07.21;10000;PERSONAL MARK, S.L.;Yes;PERSONAL MARK, S.L.;Spain;Services;NA;NA;Private;Yes;Art. 17 GDPR;Insufficient fulfilment of data subjects rights;The Spanish DPA (AEPD) has imposed a fine of EUR 10,000 on PERSONAL MARK, S.L.. A data subject complained that she was receiving promotional text messages from the controller, despite having requested the deletion of her personal data from the controllers's databases on several occasions.;https://www.aepd.es/es/documento/ps-00488-2020.pdf
783;Spanish Data Protection Authority (aepd);Spain;27.07.21;2400;PODEMOS PARTIDO POLI?TICO;Yes;Podemos;Spain;Politics & Government;NA;NA;Other;Yes;Art. 5 (1) c) GDPR, Art. 13 GDPR;Non-compliance with general data processing principles;The Spanish DPA (AEPD) has imposed a fine on the political party PODEMOS PARTIDO POLITICO. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. Due to voluntary payment and acknowledgement of guilt, the original fine in the amount of EUR 4,000 was reduced to EUR 2,400.;https://www.aepd.es/es/documento/ps-00277-2021.pdf
784;Spanish Data Protection Authority (aepd);Spain;27.07.21;900;Owners Association;No;NA;NA;NA;NA;NA;NA;Yes;Art. 5 (1) c) GDPR;Non-compliance with general data processing principles;The Spanish DPA (AEPD) has imposed a fine on an owners' association. A data subject claimed to the DPA that the controller had installed a camera on one of his houses, which recorded both the public pool area and parts of the data subject's house. The original fine of EUR 1,500 was reduced to EUR 900 due to voluntary payment and acknowledgement of guilt.;https://www.aepd.es/es/documento/ps-00396-2020.pdf
785;Spanish Data Protection Authority (aepd);Spain;27.07.21;2000;Owners Association;No;NA;NA;NA;NA;NA;NA;Yes;Art. 5 (1) c) GDPR;Non-compliance with general data processing principles;The Spanish DPA (AEPD) has imposed a fine of EUR 2,000 on an owners' association. A data subject claimed to the DPA that the controller had installed a camera that recorded both the pool area and other parts of the interior of the data subject's home.;https://www.aepd.es/es/documento/ps-00394-2020.pdf
786;Deputy Data Protection Ombudsman;Finland;05.07.21;25000;Higher Education Institution;No;NA;NA;Education;NA;NA;NA;Yes;Art. 5 (1) c) GDPR, Art. 6 GDPR,  3 Law 759/2004;Non-compliance with general data processing principles;"The Finnish DPA imposed a fine of EUR 25,000 on a higher education institution for data protection violations in the processing of employee location data.
The controller had introduced a mobile application that allowed teleworkers to clock in and out. The use of the application on a mobile device also required authorization for location data collection. The collection of location data at the time of clocking in was a feature of the app, without which it was not possible to clock in working hours using the app.
 
According to the information received from the controller, the controller did not actively use or exploit the location data in any situation, but only processed the location data at the time of clocking in for technical reasons. However, the mere fact that time clocking is not possible in the application without processing the location data does not make it necessary to process them.
The DPA therefore considered this to be a violation of the lawfulness of the data collection and of the principle of data minimization, since the processing of location data was not necessary for the purpose of the processing - i.e., the mere recording of working hours.";https://tietosuoja.fi/-/korkeakoululle-seuraamusmaksu-tietosuojarikkomuksista-tyoajanseurannassa-kertyneiden-sijaintitietojen-kasittelyssa
788;Spanish Data Protection Authority (aepd);Spain;27.07.21;60000;PRA Iberia S.L.;Yes;Pra Iberia Sl.;Spain;Finance & Insurance;24600000;85;Private;Yes;Art. 6 (1) GDPR, Art. 15 GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has fined PRA Iberia S.L. EUR 60,000. A data subject had filed a complaint against the controller with the AEPD. The complaint was based on the fact that the controller asserted a claim arising from a contract that the data subject had never concluded and of which he had no knowledge.  The AEPD points out that the data subject had attempted to exercise his right to information, but received no response from the controller, that instead continued to add interest to the data subject's alleged debt.;https://www.aepd.es/es/documento/ps-00467-2020.pdf
790;Italian Data Protection Authority (Garante);Italy;22.07.21;2500000;Deliveroo Italy s.r.l.;Yes;Deliveroo Plc;United Kingdom;IT Services;1200000000;2060;Public;No;Art. 5 (1) a), c), e) GDPR, Art. 13 GDPR, Art. 22 (3) GDPR, Art. 25 GDPR, Art. 30 (1) c), f), g) GDPR, Art. 32 GDPR, Art. 35 GDPR, Art. 37 (7) GDPR;Non-compliance with general data processing principles;"The Italian DPA (Garante) has fined food delivery service Deliveroo Italy s.r.l. EUR 2,500,000 for unlawfully processing the personal data of approximately 8000 drivers. Garante's investigation revealed numerous and serious data protection violations.
The violations included a lack of transparency in the algorithms used to manage drivers, both when assigning jobs and when booking work shifts.
Deliveroo had used a centralized system for driver management through which it then processed and managed the assignment of orders as well as the booking of work shifts.
However, Garante notes that the controller did not adequately inform the drivers about the functioning of the system they had installed on their smartphones, and did not ensure the accuracy and correctness of the results of the algorithmic systems used to evaluate the drivers. 
In addition, Garante found that Deliveroo carried out a meticulous control of the drivers' work performance - through the continuous geolocation of their device, which went far beyond what was necessary to assign the order (e.g., recording the position every 12 seconds) - and through the storage of a large amount of personal data collected during the execution of the orders, including communication with customer service. In this context, the storage period of the various data had not been defined in a manner appropriate to the purpose. Instead, the controller had defined a flat storage period of six years. Furthermore, the Garante found that the controller had not implemented adequate technical and organizational measures to ensure adequate security of the processing. Deliveroo Italy had also not conducted a data protection impact assessment, although this would have been necessary due to the risk posed to the drivers.";https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9685994
791;Data Protection Authority of Niedersachsen;Germany;NA;65000;Company;No;NA;NA;NA;NA;NA;NA;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The DPA of Lower Saxony has imposed a fine of EUR 65,000 on a company. The reason for the proceedings was a report by the company to the authority regarding a data breach pursuant to Art. 33 GDPR. As a result, the DPA conducted an audit of the company's web presence. In the process, the DPA discovered that an outdated web store application was used on the site, which was no longer provided with security updates. The developer had explicitly warned against further use of this version, as it contained significant security vulnerabilities. The investigations of the DPA further revealed that the passwords stored in the database were not sufficiently secured. The DPA concluded that the technical measures taken by the responsible party were not adequate for the protection requirements of the GDPR, resulting in a violation of Art. 32 GDPR.;https://lfd.niedersachsen.de/download/169169,
792;Austrian Data Protection Authority (dsb);Austria;02.08.21;2000000;Unser O-Bonus Club GmbH;Yes;Unser Ö-Bonus Club GmbH;Austria;Advertising & Marketing;NA;NA;Private;Yes;Art. 6 GDPR, Art. 7 GDPR, Art. 12 GPDR;Insufficient legal basis for data processing;"The Austrian DPA has imposed a fine of EUR 2,000,000 on Rewe affiliate O-Bonus Club GmbH. 
When signing up for the customer loyalty program jo Bonus Club, the controller is said to have failed to properly explain that customers' data and shopping behavior are used to create individual profiles, and that the information is also passed on to partner companies. According to the GDPR, the clarification must be easily accessible and in simple language. However, the controller had designed the registration for the jo Bonus Club in such a way that the clarification about profiling could only be found after scrolling down. However, the consent was placed higher up, so in all cases the consents were obtained before the clarification. In turn, on the physical flyers, the signature box placed at the bottom of the form appeared as if it were a confirmation of enrollment in the club, even though it constituted consent to profiling as well.
The DPA concluded that the controller breached its duty to provide consent in an understandable and easily accessible form in clear and simple language. Accordingly, it deemed the consents to be invalid and the profiling carried out on their basis to be unlawful.";https://www.heise.de/news/Rewe-wird-fuer-Kunden-Profiling-in-Oesterreich-bestraft-6153577.html
793;Spanish Data Protection Authority (aepd);Spain;27.07.21;2000;Body Tonic Shop S.L.;Yes;Body Tonic Shop S.L.;Spain;Accommodation;NA;NA;Private;Yes;Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has imposed a fine of EUR 2,000 on Body Tonic Shop S.L.. The data subject had signed a contract with the gym Fitness Place. In this contract, the data subject agreed that his data could be shared with the company Vasco Andaluza de Inversiones S.L., the owner of Fitness Place sports centers. However, the company shared the data with Gerco Fit S.L. and Body Tonic Shop S.L., although this was not foreseen in the contract. Gerco Fit S.L. and Body Tonic Shop S.L. then processed the data without a legal basis.;https://www.aepd.es/es/documento/ps-00147-2021.pdf
794;Spanish Data Protection Authority (aepd);Spain;27.07.21;2000;Gerco Fit S.L.;Yes;Gerco Fit S.L.;Spain;Sports, Fitness & Recreation;NA;NA;Private;Yes;Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has imposed a fine of EUR 2,000 on Gerco Fit S.L.. The data subject had signed a contract with the gym Fitness Place. In this contract, the data subject agreed that his data could be shared with the company Vasco Andaluza de Inversiones S.L., the owner of Fitness Place sports centers. However, the company shared the data with Gerco Fit S.L. and Body Tonic Shop S.L., although this was not foreseen in the contract. Gerco Fit S.L. and Body Tonic Shop S.L. then processed the data without a legal basis.;https://www.aepd.es/es/documento/ps-00148-2021.pdf
795;Spanish Data Protection Authority (aepd);Spain;27.07.21;2000;Vasco Andaluza de Inversiones S.L.;Yes;Vasco Andaluza de Inversiones S.L.;Spain;Sports, Fitness & Recreation;NA;NA;Private;Yes;Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has imposed a fine of EUR 2,000 on Vasco Andaluza de Inversiones S.L.. The data subject had signed a contract with the gym Fitness Place. In this contract, the data subject agreed that his data could be shared with the controller, the owner of Fitness Place sports centers. However, the company shared the data with Gerco Fit S.L. and Body Tonic Shop S.L., although this was not foreseen in the contract. Gerco Fit S.L. and Body Tonic Shop S.L. then processed the data without a legal basis.;https://www.aepd.es/es/documento/ps-00146-2021.pdf
796;Spanish Data Protection Authority (aepd);Spain;27.07.21;1000;APARTAMENTOS PLAYA DE COVACHOS, S.L.;Yes;APARTAMENTOS PLAYA DE COVACHOS, S.L.;Spain;Accommodation;NA;NA;Private;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;The Spanish DPA (AEPD) imposed a fine of EUR 1,000 on APARTAMENTOS PLAYA DE COVACHOS, S.L.. The controller had installed a video surveillance system at its resort and informed about it on information posters, which, however, did not contain any information about the identity and contact details of the responsible person.;https://www.aepd.es/es/documento/ps-00476-2020.pdf
798;Spanish Data Protection Authority (aepd);Spain;27.07.21;3000;UST GLOBAL ESPANIA, S.A.;Yes;Ust Global Private Limited;United Kingdom;IT Services;74700000;355;Private;No;Art. 5 (1) f) GDPR;Non-compliance with general data processing principles;The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on UST GLOBAL ESPANA, S.A.. An employee filed a complaint against the controller with the DPA. UST GLOBAL ESPANA, S.A. was acting as a service provider for OpenBank as part of a project. On 08.01.2020, the controller informed OpenBank by email that two new employees (one of them the complainant) would join the project, for which it requested access to the VPN and other applications. This email, which was sent with a copy to both employees, included their first and last names, professional email addresses, and ID card numbers. This way, both gained mutual unauthorized access to their colleague's data. The DPA considered this to be a violation of the principle of integrity and confidentiality.;https://www.aepd.es/es/documento/ps-00360-2020.pdf
799;Spanish Data Protection Authority (aepd);Spain;27.07.21;3000;INSTAPACK, S.L.;Yes;INSTAPACK, S.L.;Spain;Transportation & Logistics;NA;NA;Private;Yes;Art. 5 (1) a) GDPR, Art. 6 (1) a) GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on INSTAPACK, S.L.. A data subject had filed a complaint with the DPA. The reason for the complaint is that he had been receiving thousands of SMS messages on his cell phone every month informing him of the receipt of orders and deliveries and in this context asking him to rate the company. He also stated that he had sent a request for deletion of his data to the contact address indicated on the controller's website, but without having received a reply. Even after he submitted the deletion request, the sending of the messages continued.;https://www.aepd.es/es/documento/ps-00106-2021.pdf
803;Spanish Data Protection Authority (aepd);Spain;30.07.21;4000;Gas inspector;No;NA;NA;Building Construction;NA;NA;NA;Yes;Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has fined a gas inspector. The controller had carried out butane gas checks in the private homes of the data subjects on the basis of a list containing their surnames, first names, addresses and telephone numbers. However, the data subjects had never consented to be included in the list. The original fine of EUR 5,000 was reduced to EUR 4,000 due to acknowledgement of guilt.;https://www.aepd.es/es/documento/ps-00206-2021.pdf
804;Spanish Data Protection Authority (aepd);Spain;09.08.21;1000;BAZTANDIS, S.L.;Yes;Baztandis Sl.;Spain;Food & Beverage;1700000;9;Private;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;Use of surveillance cameras without proper contact information on the data controller, in violation of Art. 13 GDPR.;https://www.aepd.es/es/documento/ps-00264-2021.pdf
806;Spanish Data Protection Authority (aepd);Spain;05.08.21;6000;Future Vinline S.L.;Yes;Future Vinline S.L.;Spain;Food & Beverage;805308;4;Private;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;The Spanish Data Protection Agency (AEPD) has fined Future Vinline S.L.. The privacy policy on the website operated by the controller did not comply with the provisions of the GDPR. The original fine of EUR 10,000 was reduced to EUR 6,000 due to a voluntary payment and an admission of guilt.;https://www.aepd.es/es/documento/ps-00251-2021.pdf
807;Italian Data Protection Authority (Garante);Italy;10.06.21;40000;Aeroporto Guglielmo Marconi di Bologna S.p.a.;Yes;Aeroporto Guglielmo Marconi di Bologna SpA;Italy;Aviation;59300000;444;Public;Yes;Art. 5 (1) f) GDPR, Art. 25 GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The identity of whistleblowers must be protected by special confidentiality rules, as the information processed is particularly sensitive and the risk of retaliation and discrimination in the work environment is high. In this context, the controller is obliged to comply with the principles of data protection and to ensure the integrity and security of the data. Against this background, the Italian DPA (Garante) fined Aeroporto Guglielmo Marconi di Bologna S.p.a. EUR 40,000 and its software supplier EUR 20,000 for violations of the GDPR. In the course of the DPA's investigation, it was found that the application for collecting and managing criminal reports was accessed without the use of a secure network protocol (e.g., the link protocol) and that the application itself did not provide for encryption of the reporting party's identification data, the information about the report and the attached documents. The DPA considered this to be a violation of the obligation to take technical and organizational measures that ensure a level of security appropriate to the risk to the data subjects. In addition, the DPA found that the controller should have conducted an impact assessment, given the sensitivity of the information processed and the risks and vulnerability of the data subjects.;https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9685922
808;Italian Data Protection Authority (Garante);Italy;10.06.21;40000;aiComply S.r.l.;Yes;aiComply S.r.l.;Italy;IT Services;NA;25;Private;Yes;Art. 28 GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;"The identity of whistleblowers must be protected by special confidentiality rules, as the information processed is particularly sensitive and the risk of retaliation and discrimination in the work environment is high. In this context, the controller is obliged to comply with the principles of data protection and to ensure the integrity and security of the data. Against this background, the Italian Data Protection Authority (Garante) fined Aeroporto Guglielmo Marconi di Bologna S.p.a. EUR 40,000 and its software supplier aiComply S.r.l. EUR 20,000 for violations of the GDPR.
In the course of the DPA's investigation, it was found that the application for collecting and managing criminal reports was accessed without the use of a secure network protocol (e.g., the link protocol) and that the application itself did not provide for encryption of the reporting party's identification data, the information about the report and the attached documents. 
The DPA considered this to be a violation of the obligation to take technical and organizational measures that ensure a level of security appropriate to the risk to the data subjects. 
In addition, the DPA found that aiComply failed to contractually regulate the relationships with two other companies that processed data on its behalf.";https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9685947
809;Norwegian Supervisory Authority (Datatilsynet);Norway;12.08.21;9600;Waxing Palace AS;Yes;Waxing Palace A/S;Norway;Services;NA;NA;Private;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR;Insufficient legal basis for data processing;The Norwegian DPA (Datatilsynet) has imposed a fine of EUR 9,600 on the waxing salon operator of Waxing Palace AS. The controller had camera surveillance of the controller's reception area. The DPA found that the controller had no legal basis for the camera surveillance, as well as had not provided sufficient information about it. The camera surveillance concerned both employees and customers.;https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2021/gebyr-til-waxing-palace-as/
810;Spanish Data Protection Authority (aepd);Spain;10.08.21;2000;DESPACHO TEJEDOR INFANTES CONSULTORES ASESORES;Yes;Despacho Tejedor Infantes Consultores Asesores S.l.;Spain;Services;NA;NA;Private;Yes;Art. 5 (1) f) GDPR;Non-compliance with general data processing principles;The Spanish DPA (AEPD) has imposed a fine of EUR 2,000 on DESPACHO TEJEDOR INFANTES CONSULTORES ASESORES, S.L.. The controller had forwarded two emails containing personal data (payroll and extension of working hours) of the data subject to an employee.;https://www.aepd.es/es/documento/ps-00213-2021.pdf
811;Spanish Data Protection Authority (aepd);Spain;03.08.21;96000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 6 (1) GDPR, Art. 17 GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has imposed a fine on Vodafone Espana, S.A.U.. A data subject had filed a complaint with the DPA against the controller for failing to comply with her deletion request. The data subject states that on she had received calls from the company ISGF on behalf of the controller claiming a debt received from a third party for an ADSL connection for the residence of the data subject. However, the data subject had never entered into a contract for an ADSL connection. Instead, the contract had been concluded by a third party who had fraudulently used the name and ID number of the data subject to conclude the contract in her name. The data subject then requested ISGF to cancel the contract and asked the controller to delete her personal data. However, the controller had not responded to her request. The DPA then imposed a fine of EUR 120,000 which consisted of EUR 70,000 due to a violation of Art. 6 (1) GDPR and EUR 50,000 due to a violation of Art. 17 (1) GDPR. The original fine was reduced to EUR 96,000 due to voluntary payment.;https://www.aepd.es/es/documento/ps-00188-2021.pdf
812;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;20.04.21;2800;Website operator;No;NA;NA;IT Services;NA;NA;NA;Yes;Art. 5 (2) GDPR, Art. 24 GDPR;Non-compliance with general data processing principles;The Hungarian DPA (NAIH) has imposed a fine of EUR 2,800 on a website operator. The controller had failed to prove the lawfulness of its processing of personal data upon request by the DPA. The DPA considered this to be a breach of the controller's duty of accountability.;https://www.naih.hu/hatarozatok-vegzesek?download=408:elszamoltathatosag-elvenek-megsertese
813;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;18.06.21;28400;Magyar Telekom Nyrt.;Yes;Deutsche Telekom AG;Germany;Telecommunications;97600000000;226291;Public;No;Art. 5 (1) d) GDPR, Art. 6 (1) GDPR, Art. 12 (2), (3), (4) GDPR, Art. 17 (1) GDPR, Art. 25 GDPR;Insufficient fulfilment of data subjects rights;The Hungarian DPA (NAIH) has imposed a fine of EUR 28,400 on Magyar Telekom Nyrt. The controller had mistakenly sent an e-mail newsletter to the data subject. This occurred due to the fact that a third party had mistakenly entered the wrong e-mail address, namely that of the data subject. The data subject then requested the controller to delete his data several times. He continued to receive the newsletter and instead of deleting the data, the controller sent him a link to unsubscribe from the newsletter.;https://www.naih.hu/hatarozatok-vegzesek?download=405:erintetti-jogok-biztositasanak-kotelezettsege-nem-ugyfel-erintettek-reszere
814;Spanish Data Protection Authority (aepd);Spain;13.08.21;1000;Employer;No;NA;NA;NA;NA;NA;NA;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;The Spanish DPA (AEPD) has imposed a fine of EUR 1,000 on an employer. The controller had installed a video surveillance system without properly informing employees.;https://www.aepd.es/es/documento/ps-00506-2020.pdf
815;Spanish Data Protection Authority (aepd);Spain;23.08.21;2000;Company owner;No;NA;NA;NA;NA;NA;NA;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;The Spanish DPA (AEPD) has imposed a fine of EUR 2,000 on a company owner. A person had applied for a job at the controller's company and sent the controller his CV via WhatsApp. Thereby, he was neither informed about the processing of his personal data nor about his data subject rights. The AEPD considered this to be a violation of Art. 13 of the GDPR.;https://www.aepd.es/es/documento/ps-00237-2021.pdf
816;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;24.08.21;3000;Actamedica SRL;Yes;Actamedica SRL;Romania;Healthcare;1222595;24;Private;Yes;Art. 28 (1) GDPR, Art. 32 GDPR, Art. 33 GDPR;Insufficient technical and organisational measures to ensure information security;The Romanian DPA (ANSPDCP) has fined Actamedica SRL EUR 3,000. The controller had informed a private individual about the loss of her biological samples and a sum of money sent via a courier service. When asked what personal data had been disclosed on this occasion and whether the ANSPDCP had been informed of this incident, the controller only provided the contact details of his lawyer and an e-mail address of the courier service to which the private individual could address her complaint. The ANSPDCP found a breach of the controller's obligation to implement technical and organizational measures to ensure a level of protection appropriate to the risk to data subjects, as well as a breach of the controller's obligation to notify the ANSPDCP of the data breach.;https://www.dataprotection.ro/?page=Comunicat_Presa_24_08_2021&lang=ro
817;Polish National Personal Data Protection Office (UODO);Poland;13.08.21;2200;President of the Zgierz District Court;Yes;Urzad Gminy Zgierz;Poland;Politics & Government;2900000;50;Other;Yes;Art. 5 (1) f) GDPR, Art. 25 (1) GDPR, Art. 32 (1) b), d), (2) GDPR;Insufficient technical and organisational measures to ensure information security;The Polish DPA (UODO) has imposed a fine of EUR 2,200 on the president of the Zgierz District Court. The president had reported a data breach involving the loss of an unencrypted USB stick by a probation officer. The data medium stored the data of 400 persons under probation supervision. The lost and at the same time unsecured data carrier has not yet been found, so that unauthorized persons could still have access to the personal data it contained. The president had assumed that the duty to secure the data did not lie with himself, but with the respective probation officers who had these data in use. However, the DPA found that the president himself should have secured the USB sticks.;https://www.uodo.gov.pl/decyzje/DKN.5131.22.2021
818;Spanish Data Protection Authority (aepd);Spain;26.08.21;1000;Owners Association;No;NA;NA;NA;NA;NA;NA;Yes;Art. 5 (1) c) GDPR;Non-compliance with general data processing principles;The Spanish DPA (AEPD) has imposed a fine of EUR 1,000 on an owners' association. The controller had unlawfully installed a video surveillance system in a residential complex which recorded, among other things, common areas such as the swimming pool, as well as parts of the public space. In addition, video cameras were installed in the rooms where the guards of the residential complex dressed, without any notice being given. The DPA considered this to be a violation of the principle of data minimization.;https://www.aepd.es/es/documento/ps-00345-2020.pdf
819;Spanish Data Protection Authority (aepd);Spain;25.08.21;120000;Banco Bilbao Vizcaya Argentaria, S.A.;Yes;Banco Bilbao Vizcaya Argentaria SA;Spain;Banks;31800000000;123174;Public;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The Spanish DPA (AEPD) has imposed a fine on Banco Bilbao Vizcaya Argentaria, S.A.. The reason for this had been a complaint from a person relating to a lack of authentication. Accordingly, only the ID number had to be given as identification when providing information by telephone. This could allow any person to call, provide an ID number, and thus receive the information associated with the ID number without any verification that the caller is actually the ID holder. The DPA considered this to be a failure to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed to the data subjects. The original fine of EUR 200,000 was reduced to EUR 120,000 due to voluntary payment and acknowledgement of guilt.;https://www.aepd.es/es/documento/ps-00362-2021.pdf
820;Data Protection Authority of Ireland;Ireland;02.09.21;225000000;WhatsApp Ireland Ltd.;Yes;Meta Platforms, Inc;United States;IT Services;103164000000;71970;Public;No;Art. 5 (1) a) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR;Insufficient fulfilment of information obligations;"The Irish DPA (DPC) has imposed a fine of EUR 225,000,000 on WhatsApp Ireland Ltd. The DPA had started extensive investigations into the messaging service's compliance with transparency obligations back in December 2018. In this context, the DPC investigated whether WhatsApp complied with its obligations under the GDPR regarding the provision of information and the transparency of this information to users and non-users of WhatsApp. 

In the course of the investigation, the DPC found that WhatsApp had committed serious violations of Art. 12 GDPR, Art. 13 GDPR and Art. 14 GDPR with respect to the information provided to users. 

Following the investigation, the DPC submitted a draft decision under Art. 60 GDPR to other affected European supervisory authorities in December 2020. The DPC subsequently received objections from eight supervisory authorities. Due to lack of agreement, the DPC initiated a dispute resolution procedure pursuant to Art. 65 GDPR on June 3, 2021. 

The European Data Protection Supervisor (EDPB), by its decision of July 28, 2021, then, required the DPC to reassess and increase its proposed fine based on a number of factors. The EDPS found a violation of the principle of transparency set forth in Article 5(1) a) of the GDPR in addition to the violations found by the DPC, and requested this to be reflected in the final amount of the fine. 

Based on this, the DPC imposed the fine in the amount of EUR 225,000,000. 

The fine is composed as follows:

EUR 90,000,000 for the violation of Art. 5 (1) a) GDPR;
EUR 30,000,000 for the violation of Art. 12 GDPR;
EUR 30,000,000 for the violation of Art. 13 GDPR; and
EUR 75,000,000 for the violation of Art. 14 GDPR.


With respect to Art. 12 GDPR and Art. 13 GDPR, the DPC found that WhatsApp had failed to provide information about the nature of the data collection 'in a concise, transparent, intelligible and easily accessible form, using clear and plain language.' This includes making the information easy for children to understand when it is addressed to them. For example, WhatsApp had distributed information about the relationship between WhatsApp and other Facebook companies and the sharing of data under that relationship through a variety of texts. Much of the information provided was of such general nature, moreover, that the DPC deemed it meaningless. Users often had to overcome multiple links to FAQs to get to the information they were looking for on WhatsApp's website. In this regard, the DPC stated that it would be unreasonable to expect users to search the WhatsApp website after failing to find sufficient information in the privacy statement itself.

With regard to Art. 14 GDPR, one of the issues was the impact of a user's consent allowing the messaging platform to have access to his or her contacts. As such, the company searched its users' contact information on their phones for phone numbers and other data, not only from other WhatsApp users, but also from contacts who do not even have a WhatsApp account. The DPC finds that this data had been processed unlawfully, as these contacts (especially those who do not have a WhatsApp account) had not received any information about this processing and therefore could not possibly have given their consent. 

Given the seriousness and the far-reaching nature and impact of the breaches, the DPA concluded that there had also been a violation of the transparency principle from Art. 5 (1) a) GDPR.";https://edpb.europa.eu/system/files/2021-09/dpc_final_decision_redacted_for_issue_to_edpb_01-09-21_en.pdf
821;Spanish Data Protection Authority (aepd);Spain;30.08.21;6000;Furnishyourspace S.L.;Yes;Furnishyourspace S.L.;Spain;Wholesale;5100000;10;Private;Yes;Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 21 (4) GDPR;Insufficient fulfilment of information obligations;"The Spanish DPA (AEPD) imposed a fine of EUR 6,000 on FurnishYourSpace S.L.. The AEPD had received a complaint from the Berlin DPA via the EU Internal Market Information System about the inadequate design of the controller's privacy notice. 
Namely, the identity and contact details of the controller were provided in the privacy notice, but under a misleading heading that gave the impression that they were provided for a business purpose. In addition, the purposes of the processing were not clearly stated. 
No information was provided regarding the legal basis, the retention period of the personal data and the data subjects' right to object. Also, the privacy notice was confusing and the wording contained grammatical errors and used terms that are not part of common usage.

In addition, the privacy notice required a tax identification number in order to issue a simplified invoice, i.e., an invoice not exceeding the amount of EUR 3,000. The AEPD found this to be a violation of the principle of legality. 

The fine is composed as follows:

EUR 3,000 for a breach of Art. 12 GDPR and Art. 13 GDPR;
EUR 1,000 for a breach of Art. 21 (4) GDPR; and
EUR 2,000 for a breach of Art. 5 (1) a) GDPR and Art. 6 GDPR.";https://www.aepd.es/es/documento/ps-00462-2019.pdf
822;Spanish Data Protection Authority (aepd);Spain;23.08.21;1800;Agency;No;NA;NA;NA;NA;NA;NA;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The Spanish DPA (AEPD) has imposed a fine on an agency. The controller had disposed of documents containing personal data of its clients in the garbage. The AEPD considered this to be a lack of security and data protection measures in the sense of Art. 32 GDPR, which states that 'the controller and processor shall implement appropriate technical and organizational measures to ensure an adequate level of security.' The original fine of EUR 3,000 was reduced to EUR 1,800 due to voluntary payment and acknowledgement of guilt.;https://www.aepd.es/es/documento/ps-00164-2021.pdf
823;Spanish Data Protection Authority (aepd);Spain;02.09.21;4000;Automecanica Jerez, S.L.;Yes;Automecanica Jerez, S.L.;Spain;Services;NA;NA;Private;Yes;Art. 5 (1) f) GDPR, Art. 32 GDPR, Art. 21 LSSI;Insufficient technical and organisational measures to ensure information security;The Spanish DPA (AEPD) has fined Automecanica Jerez, S.L. EUR 4,000. The controller had sent commercial e-mails to a large number of people without their consent. In doing so, the controller failed to hide the personal data of the recipients, such as surname, first name and email address, which allowed the other recipients to view the data. The AEPD considered this to be a violation of Article 5 (1) f) GDPR and Article 32 GDPR, as the controller had failed to implement technical and organizational measures to ensure an adequate level of security in the processing of personal data. Furthermore the AEPD found a breach of Art. 21 LSSI.;https://www.aepd.es/es/documento/ps-00259-2021.pdf
824;Danish Data Protection Authority (Datatilsynet);Denmark;08.09.21;53800;Midtjylland Region;Yes;Region Midtjylland;Denmark;Politics & Government;132400000;1000;Other;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;"The Danish DPA has imposed a fine of EUR 53,800 on Midtjylland Region.

On June 12, 2020, the DPA received a notification from the region regarding a personal data security breach pursuant to Art. 33 GDPR. According to the notification, all patients and staff at a lifestyle center were able to access a building where up to 100,000 physical patient records were stored, including health information and personal identity number details. The reason for this was that both staff and patients had been given key cards that allowed them to access all three buildings of the lifestyle center, regardless of whether the user was required to access them. 
In addition, passersby were able to take a look at the covers of some of the records -which showed personal data such as identity numbers and names - through a window in the building.
In this context, the DPA found that the Midtjylland Region had not taken adequate security measures for the storage of personal data.

In addition, the region had not established sufficient guidelines for access restrictions when creating key cards, and had not conducted adequate periodic testing, assessment, and evaluation of the security measures taken. 

In evaluating the question of whether a fine should be imposed, the Danish DPA took into account, as an aggravating factor, that the region processed large amounts of sensitive data, such as health data.";https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2021/sep/region-midtjylland-indstillet-til-boede
825;Data Protection Authority of Ireland;Ireland;07.09.21;1400;Vodafone Ireland Limited;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 21 GDPR;Insufficient fulfilment of data subjects rights;The Irish DPA has fined Vodafone Ireland Limited EUR 1,400. Vodafone had in several cases sent marketing SMS and emails and made telephone calls without the consent of the data subjects. Despite several revocations by the data subjects, they continued to receive unsolicited advertising. In one case, a former customer had contacted Vodafone seven times and asked not to receive any more advertising calls on his cell phone. Despite his request, he continued to receive advertising calls. In another case, a customer received an advertising call on his cell phone number and informed Vodafone during the conversation that he did not want to receive any more advertising calls. Despite his request, Vodafone made twelve more marketing calls to his cell phone. In another case, the data subject filled out a form clearly stating his wish not to receive marketing calls from Vodafone. However, the employee who processed the request failed to register the customer's marketing preferences. As a result, the customer subsequently received fourteen more unsolicited commercial messages - seven emails and seven text messages.;https://dataprotection.ie/en/news-media/data-protection-commission-welcomes-outcome-prosecution-proceedings-taken-against-three-ireland
826;Italian Data Protection Authority (Garante);Italy;22.07.21;200000;Regione Lombardia;Yes;Regione Lombardia;Italy;Politics & Government;199900000;3500;Other;Yes;Art. 5 (1) a), c) GDPR, Art. 6 (1) c), e) GDPR, Art. 6 (2) GDPR, Art. 6 (3) b) GDPR;Non-compliance with general data processing principles;"The Italian DPA (Garante) has imposed a fine of EUR 200,000 on the Region of Lombardy. The region had published on its website the personal data of more than 100,000 students who had applied for state scholarships or financial grants for the purchase of textbooks, technical equipment and teaching materials. As the Garante's preliminary audit revealed, it was possible to view and download the list of approved and funded applications, the list of approved and to be funded applications, the list of state scholarship recipients and the list of ineligible applications from the region's website. These lists included personally identifiable information such as the application ID, the applicant's name, the student's grade, the code and name of the school, as well as the application number. 
In this context, the DPA stated that the data of persons applying for economic benefits must be protected in a special way to prevent the economic and social hardship of the data subjects from becoming evident.";https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9697724,
827;Italian Data Protection Authority (Garante);Italy;22.07.21;800000;Roma Capitale;No;Roma Capitale;Italy;Politics & Government;198700000;3590;Other;Yes;Art. 5 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 25 GDPR, Art. 28 GDPR, Art. 32 GDPR;Non-compliance with general data processing principles;"The Italian DPA (Garante) has imposed a fine of EUR 800,000 on Roma Capitale. The Garante had launched an investigation following a complaint from an individual who had complained about the new parking meters installed in the city in 2018. In fact, the company Atac s.p.a., which was also contracted by the city to manage the parking lots, had initiated a technical upgrade of the parking meters in order to offer new services (e.g., the payment of fines/fees or the purchase/renewal of public transport tickets) and introduce new payment methods that also take into account the vehicle's license plate number. Part of the equipment was supplied by another company, Flowbird Italia s.r.l. All parking information was then managed through a centralized system, which could also be accessed through an app by the employees responsible for controlling parking fees.

Irregularities were then identified during the investigation. Namely, the city of Rome, as data controller, had not provided information on the processing of the drivers' data, had not designated the company Atac as data processor, and had not provided it with the necessary instructions to process the data collected. Also, the subcontractor was not formally instructed nor instructed on how to proceed with the data processing.

It was also found that the companies had not established a data processing register. Also, the retention periods for the collected data were not specified, and appropriate security measures were not taken. For example, it was found that at the time of the audit, some data flows to and from the system implemented by Atac were going through insecure channels. In addition, officials could have checked any license plate en masse and repeatedly over time, for example, to find out a person's habits and parking location. 


In calculating the fine for the unlawful data processing, the DPA aggravatingly took into account the large amount of personal data processed (from June 2018 to November 2019, the system established by Atac had already collected the data of 8,600,000 stops and potentially affects all users of the paid parking service in the city area) and the sanctions already received for data protection violations, but also the positive cooperation offered by the city and the companies to remedy some violations detected during the inspection.";https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9698558,
828;Italian Data Protection Authority (Garante);Italy;22.07.21;30000;Flowbird Italia s.r.l.;Yes;Flowbird Italia Srl;Italy;Wholesale;10900000;25;Private;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 30 GDPR;Non-compliance with general data processing principles;The Italian DPA (Garante) has imposed a fine of EUR 30,000 on Flowbird Italia s.r.l.. The Garante had launched an investigation following a complaint from an individual who had complained about the new parking meters that were installed in the city of Rome in 2018. In fact, the company Atac s.p.a., which was also contracted by the city to manage the parking lots, had initiated a technical upgrade of the parking meters in order to offer new services (e.g., the payment of fines/fees or the purchase/renewal of public transport tickets) and introduce new payment methods that also take into account the vehicle's license plate number. Part of the equipment was supplied by Flowbird Italia s.r.l. All parking information was then managed through a centralized system, which could also be accessed through an app by the employees responsible for controlling parking fees. During the investigation the DPA found that Flowbird Italia had not established a data processing register.;https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9698558,
829;Italian Data Protection Authority (Garante);Italy;22.07.21;400000;Atac s.p.a.;Yes;Azienda per i Trasporti Autoferrotranviari del Comune di Roma;Italy;Transportation & Logistics;864870000;11882;Other;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 30 GDPR, Art. 32 GDPR;Non-compliance with general data processing principles;The Italian DPA (Garante) has imposed a fine of EUR 400,000 against Atac s.p.a.. The Garante had launched an investigation following a complaint from an individual who had complained about the new parking meters installed in the in the city of Rome. In fact, the company Atac s.p.a., which was contracted by the city to manage the parking lots, had initiated a technical upgrade of the parking meters in order to offer new services (e.g., the payment of fines/fees or the purchase/renewal of public transport tickets) and introduce new payment methods that also take into account the vehicle's license plate number. All parking information was then managed through a centralized system, which could also be accessed through an app by the employees responsible for controlling parking fees. Irregularities were then identified during the investigation. It was found that Atac had not established a data processing register. Also, the retention periods for the collected data were not specified, and appropriate security measures were not taken. For example, it was found that at the time of the audit, some data flows to and from the system implemented by were going through insecure channels. In addition, officials could have checked any license plate en masse and repeatedly over time, for example, to find out a person's habits and parking location.;https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9698597,
832;Cypriot Data Protection Commissioner;Cyprus;06.09.21;25000;Hellenic Technical Enterprises Ltd.;Yes;Hellenic Technical Enterprises Limited;Cyprus;Wholesale;8200000;6;Private;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The Cypriot DPA has imposed a fine of EUR 25,000 on Hellenic Technical Enterprises Ltd.. The controller hat designed the ticket sales system of the soccer clubs AC Omonia and APOEL FC. Due to a lack of security measures in the ticket sales system, it was possible for an unauthorized person to access and disclose personal data of fans on the club's website. This data involved the name, the fan card number and the ID number of the data subjects. The DPA concluded that the controller failed to implement adequate technical and organizational security measures. In separate proceedings, the DPA fined APOEL FC and AC Omonia for the same violations.;http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/All/57759977195D3477C225874800434764?OpenDocument,
833;Spanish Data Protection Authority (aepd);Spain;13.09.21;1000;GESTIONES AUTO LOW COST S. L.;Yes;GESTIONES AUTO LOW COST S. L.;Spain;Retail & Trade;NA;NA;Private;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;The Spanish DPA (AEPD) imposed a fine of EUR 1,000 on GESTIONES AUTO LOW COST S. L. due to the fact that the company's website did not contain a privacy policy.;https://www.aepd.es/es/documento/ps-00302-2021.pdf
834;Spanish Data Protection Authority (aepd);Spain;13.09.21;1000;Hairdressing salon;No;NA;NA;Services;NA;NA;NA;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;The Spanish DPA (AEPD) has imposed a fine of EUR 1,000 on a hairdressing salon. The controller had installed video surveillance cameras and had not properly informed the data subjects about the processing of the data by the cameras.;https://www.aepd.es/es/documento/ps-00226-2021.pdf
835;Spanish Data Protection Authority (aepd);Spain;13.09.21;9000;Website operator;No;NA;NA;IT Services;NA;NA;NA;Yes;Art. 6 GDPR, Art. 13 GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has imposed a fine of EUR 9,000 on the controller of a website. A person had filed a complaint with the DPA due to the fact that the controller had published his first and last name as well as a screenshot of his Linkedin profile on his website. The controller had neither obtained the data subject's consent for this, nor had he informed him about the processing of his personal data. The DPA considered this to be a violation of Art. 6 GDPR and Art. 13 GDPR.;https://www.aepd.es/es/documento/ps-00156-2021.pdf
836;Danish Data Protection Authority (Datatilsynet);Denmark;16.09.21;10000;Favrskov municipality;Yes;Favrskov Kommune;Denmark;Politics & Government;102400000;1000;Other;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;"The Danish DPA has imposed a fine of EUR 10,000 on Favrskov municipality. 

On August 19, 2020, the DPA received a notification from Favrskov Municipality of a personal data breach under Art. 33 GDPR.  The notification stated that during a break-in at the municipality's premises, a laptop was stolen which contained a program that provided an overview of the municipality's care facilities and thus information on the names and personal identity numbers of approximately 100 individuals with physical or mental disabilities.

The computer hard drive in question was not encrypted and the program in question, which contained confidential and sensitive personal data, was not equipped with security measures.

In reviewing the case, the DPO found that Favrskov Municipality had not ensured the encryption of the hard drives of the municipality's laptops for a long period of time prior to August 12, 2020, resulting in an inadequate level of security.

The DPA considered this to be a violation of Art. 32 GDPR, as the municipality had failed to implement appropriate technical and organizational measures to ensure a level of protection commensurate with the risk.";https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2021/sep/favrskov-kommune-indstilles-til-boede-
838;Spanish Data Protection Authority (aepd);Spain;16.09.21;4000;Frigorifica Botana S.L.;Yes;Frigorifica Botana Sl;Spain;Wholesale;15400000;42;Private;Yes;Art. 5 (1) c) GDPR;Non-compliance with general data processing principles;The Spanish DPA (AEPD) has imposed a fine of EUR 4,000 on Frigorifica Botana S.L.. The main activity of Frigorifica Botana is freezing, storing and processing seafood. Based on a complaint against the controller, the AEPD had initiated investigations against it. The controller had installed a video surveillance system (audio and video) that captured, among other things, parts of a conference room. In this context, the DPA found that the controller had violated the principle of data minimization by processing data without a valid reason and without informing the data subjects about the video surveillance in advance.;https://www.aepd.es/es/documento/ps-00093-2021.pdf
839;Danish Data Protection Authority (Datatilsynet);Denmark;17.09.21;67200;Syddanmark Region;Yes;Region Syddanmark;Denmark;Politics & Government;102600000;1000;Other;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;"The Danish DPA imposed a fine of EUR 67,200 on Syddanmark Region. 
On March 9, 2020, the DPA received a notification from Syddanmark Region regarding a personal data breach according to Art. 33 GDPR. The Syddanmark Region states that since May 2011, a PowerPoint presentation was available on its website that had been created at Odense University Hospital for training purposes and contained charts with personal data - including health information and ID card number details - of 3,915 patients. 
The region used a screening tool to periodically check for inadvertent postings of personal identity numbers on its website. However, the screening tool was unable to scan the underlying data in PowerPoint presentations.
In this context, the DPA found that the region had not implemented appropriate technical and organizational measures to ensure a level of protection appropriate to the risk. 
In assessing whether a fine should be imposed, the DPA took into aggravating consideration the fact that Syddanmark Region processes large amounts of personal data, including health data - which is of a sensitive nature.";https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2021/sep/region-syddanmark-indstillet-til-boede
841;Hellenic Data Protection Authority (HDPA);Greece;26.08.21;20000;National Bank of Greece;Yes;National Bank of Greece SA;Greece;Banks;2800000000;9107;Public;Yes;Art. 12 (1), (2), (3) GDPR, Art. 15 (1) GDPR;Insufficient fulfilment of data subjects rights;The Hellenic DPA has imposed a fine of EUR 20,000 on the National Bank of Greece. A data subject had filed a complaint against a company and the bank after they failed to comply with his right to information.  After returning a product he had purchased from a company, the data subject had asked the company via Facebook Messenger to inform him about the request to cancel his credit card statements sent electronically to the bank. However, the controller refused to comply, whereupon the data subject asserted the same right with the bank, which, however, did not provide him with a response.;https://www.dpa.gr/sites/default/files/2021-09/36_2021anonym.pdf
842;Hellenic Data Protection Authority (HDPA);Greece;03.09.21;8000;Rhodes Municipal Transport Company;Yes;Municipal Enterprise Sygkoinonion Roda;Greece;Transportation & Logistics;8900000;100;Other;Yes;Art. 5 (1) c) GDPR, Art. 12 (3) GDPR, Art. 15 GDPR;Insufficient fulfilment of data subjects rights;"The Hellenic DPA has imposed a fine of EUR 8,000 on the Rhodes Municipal Transport Company. A former employee had filed a complaint against the controller with the DPA. The former employee was in a legal dispute with the controller after the latter had reported him for alleged embezzlement. Against this background, he had asked the controller to send him, for his defense in the criminal proceedings, a copy of the video recordings recorded by the bus's video surveillance system on the day on which the incident in question allegedly occurred. However, the controller had never responded to his request. 
The DPA considered this to be a violation of the data subject's right to information pursuant to Art. 12 (3) GDPR and Art. 15 GDPR.

Furthermore, the controller had provided the data subject with a certificate about his previous employment, which, in addition to the type and duration of employment, also contained the information that he had been dismissed due to a criminal offense. The DPA considers this to be a violation of the principle of proportionality pursuant to Art. 5 (1) c) GDPR.

The fine is composed proportionately of EUR 3,000 for a violation of Art. 5 (1) (c) GDPR and EUR 5,000 for a violation of Art. 12 (3) and Art. 15 GDPR.";https://www.dpa.gr/sites/default/files/2021-09/39_2021anonym.pdf
844;Spanish Data Protection Authority (aepd);Spain;20.09.21;18000;CEDICO, CENTRO DE DIAGNOSTICO POR LA IMAGEN, S.L.;Yes;Centro Medico De Diagnostico Por La Imagen Slu;Spain;Healthcare;5000000;28;Private;Yes;Art. 5 (1) f) GDPR;Non-compliance with general data processing principles;The Spanish DPA (AEPD) has imposed a fine on CEDICO, CENTRO DE DIAGNOSTICO POR LA IMAGEN, S.L.. The data subject filed a complaint with the AEPD. He had requested an MRI scan of his knee due to an accident at work. In addition, he had contacted his insurance company in order to obtain a sick leave. The insurance company then contacted the controller, who transmitted the data subject's medical records. In doing so, the controller also provided the insurer with the report of a previous MRI scan of the knee that the data subject had undergone due to an event outside of work. In its evaluation, the insurer thus also referred to the MRI report outside working hours and attributed the data subject's incapacity to work to this event. In consequence, no sick leave was granted to the data subject. The DPA considered the disclosure of the earlier MRI report to the insurance company to be a violation of the principle of integrity and confidentiality. The original fine of EUR 30,000 was reduced to EUR 18,000 due to the voluntary payment and admission of guilt.;https://www.aepd.es/es/documento/ps-00262-2021.pdf
845;Spanish Data Protection Authority (aepd);Spain;14.09.21;40000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) imposed a fine on Vodafone Espana, S.A.U. for insufficient legal basis for data processing. The data subject stated that two telephone lines were registered in his name, for each of which charges were made. However, the data subject had never concluded contracts with the company for either of these lines. Rather, the contracts in question were concluded by fraudsters using the data subject's personal data. Nevertheless, the personal data was entered into the company's information systems without any verification as to whether the contracts had been lawfully and actually concluded by the data subject. The contracts were concluded even though they were not signed and the information provided by the fraudster, such as the address or date of birth, did not match those on the data subject's ID card. The original fine of EUR 50,000 was reduced to EUR 40,000 due to voluntary payment.;https://www.aepd.es/es/documento/ps-00193-2021.pdf
846;Data Protection Authority of Hamburg;Germany;24.09.21;900000;Vattenfall Europe Sales GmbH;Yes;NA;NA;NA;NA;NA;NA;Yes;Art. 12 GDPR, Art. 13 GDPR;Insufficient data processing agreement;The DPA from Hamburg has imposed a fine of EUR 900,000 on Vattenfall Europe Sales GmbH. The fine is related to data matching, which the controller had carried out in the period from August 2018 to December 2019 in the course of contract inquiries for special contracts. The special contracts served to attract new customers and were accompanied by bonus payments for the customers. The controller compared personal data of prospective customers who had submitted an inquiry for a special contract with contracts concluded by existing customers. If this revealed that an applicant had already signed a contract with the controller, then switched to another supplier and now wanted to sign a contract again, the controller could reject the application for the special contract if necessary. This was intended to prevent 'bonus shopping', which is not lucrative for the companies. However, the controller had not properly informed the customers that such comparisons would be made. The DPA considered this to be a violation of the company's transparency and information obligations. Around 500,000 people were affected.;https://www.heise.de/news/DSGVO-Vattenfall-muss-900-000-Euro-nach-Bonushopper-Auslese-zahlen-6200668.html
847;Information Commissioner of Isle of Man;United Kingdom;11.12.20;3250;Cosmetic Medical Limited;Yes;Cosmetic Medical Limited;United Kingdom;Retail & Trade;NA;NA;Private;Yes;Art. 31 GDPR;Insufficient cooperation with supervisory authority;The DPA of Isle of Man has imposed a fine of EUR 3,250 on Cosmetic Medical Limited. A data subject had filed a complaint with the DPA regarding the controller's failure to comply with her request to exercise her right of access to personal data. As part of its investigation, the DPA sent the controller a request for information in order to clarify the facts of the case. However, the controller had not responded to this request in due time. The DPA concluded that as the controller did not properly cooperate with the authorities, it violated Article 31 of the GDPR.;https://www.inforights.im/media/1903/cosmedltd_pn_11dec2020_website.pdf
849;Spanish Data Protection Authority (aepd);Spain;14.09.21;56000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) imposed a fine on Vodafone Espana, S.A.U. for insufficient legal basis for data processing.The data subject stated that several telephone lines were registered in his name.  However, the data subject had never signed contracts with the company for any of these lines. Rather, the contracts in question were concluded by fraudsters using the data subject's personal data. Nevertheless, the personal data was entered into the company's information systems without any verification as to whether the contracts had been lawfully and actually concluded by the data subject. The original fine of EUR 70,000 was reduced to EUR 56,000 due to the voluntary payment.;https://www.aepd.es/es/documento/ps-00189-2021.pdf
850;Spanish Data Protection Authority (aepd);Spain;14.09.21;56000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) imposed a fine on Vodafone Espana, S.A.U. due to insufficient legal basis for data processing. The data subject stated that, unauthorized third parties had gained access to her Vodafone account and had booked the Vodafone Unlimited package in her name, as well as purchased an iPhone 11 Pro Max in installments. The DPA notes that the controller had not adequately verified whether the contracts had been lawfully and actually concluded by the data subject. The original fine of EUR 70,000 was reduced to EUR 56,000 due to the voluntary payment.;https://www.aepd.es/es/documento/ps-00190-2021.pdf
851;Norwegian Supervisory Authority (Datatilsynet);Norway;27.09.21;496000;Ferde AS;Yes;Ferde As;Norway;Energy;343200000;88;Private;Yes;Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 28 (3) GDPR, Art. 32 (2) GDPR, Art. 44 GDPR;Non-compliance with general data processing principles;"The Norwegian DPA has fined Ferde AS, a Norwegian toll company, EUR 496,000.  
Through a report on the state-owned broadcasting company NRK, the Norwegian DPA became aware that Ferde AS was transferring information on passages in toll rings to a data processor in China. On this basis, the DPA initiated an investigation into whether Ferde has implemented routines and measures to ensure adequate information security for the information transferred to China.

As part of its operations, Ferde is responsible for registering passages at toll booths. The registration is usually done by a chip in the car. If the chip in the car is not properly registered or the car does not have a chip, a photo of the car's license plate is taken.

These images are then sent to an automatic optical character recognition system to digitally read the license plate. In cases where the image quality is not good enough for automatic interpretation, the image is transmitted for manual processing. Ferde contracted Unitel Bratseth Services (UBS), which also has employees in China, for this task. 

After its investigations, the DPA concluded that Ferde AS had violated a number of basic obligations of the GDPR for a period of 1-2 years. 

For one thing, Ferde had not conducted a risk assessment before processing personal data and before using manual image processing by the processor. However, this would have been necessary to assess the risks associated with the transfer and to determine whether further security measures may be required. 

In addition, the DPA found that Ferde had not entered into a proper processor contract regarding the processing of UBS.As a result, the transfer of the personal data in question to China took place without a valid legal basis. 
In determining the amount of the fine, the DPA took into account the aggravating factor that a large amount of personal data was affected by the violation. On the other hand, the fact that no material or immaterial damage to the affected parties could be proven had a mitigating effect.";https://www.datatilsynet.no/contentassets/7121f4f2de614186bc535823c9da7102/20_01727-3vedtak-om-overtredelsesgebyr---ferde-as.pdf
852;Spanish Data Protection Authority (aepd);Spain;14.09.21;56000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) imposed a fine on Vodafone Espana, S.A.U. due to insufficient legal basis for data processing. The data subject stated that unauthorized third parties gained access to his Vodafone account and signed three mobile phone contracts in his name. The DPA found that Vodafone had failed to verify whether the contracts were lawful and actually concluded by the data subject. The contracts were concluded even though they were not signed and the information provided by the fraudster, such as address or date of birth, did not match those of the data subject. The original fine of EUR 70,000 was reduced to EUR 56,000 due to the voluntary payment.;https://www.aepd.es/es/documento/ps-00191-2021.pdf
853;Spanish Data Protection Authority (aepd);Spain;14.09.21;56000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 6 (1) GDPR;Insufficient legal basis for data processing;"The Spanish DPA (AEPD) imposed a fine on Vodafone Espana, S.A.U. for insufficient legal basis for data processing. The data subject stated that he received a call from Vodafone in which the latter requested him to pay for three telephone lines.
In the call, he explained to Vodafone that the said lines had neither been ordered nor authorized by him, so he asked to send him the invoices. On the invoices, the data subject recognized that the telephone and account numbers did not match its own.During its investigation, the DPA found that an unauthorized third party had concluded the contracts for the lines in the name of the data subject.  In addition, the DPA found that Vodafone failed to verify the identity of the person who concluded the contract and to take the necessary precautions to ensure that these incidents do not occur. The original fine of EUR 70,000 was reduced to EUR 56,000 due to voluntary payment.";https://www.aepd.es/es/documento/ps-00192-2021.pdf
854;Spanish Data Protection Authority (aepd);Spain;28.09.21;3000;Bar owner;No;NA;NA;Restaurants, Cafes & Bars;NA;NA;NA;Yes;Art. 5 (1) b) GDPR;Non-compliance with general data processing principles;The Spanish DPA (AEPD) has fined a bar owner EUR 3,000. A data subject had filed a complaint with the DPA. He had suffered an accident in the bar which was recorded by the surveillance cameras. The controller states that he had installed the surveillance cameras for security purposes. At a later date, the video was distributed via WhatsApp and published in a digital newspaper. The data subject claims to be personally affected in his reputation by the publication of the video. The DPA concludes that the publication of the images was not related to the purpose of the video surveillance and that the controller therefore violated Art. 5 (1) b) GDPR.;https://www.aepd.es/es/documento/ps-00236-2021.pdf
855;Spanish Data Protection Authority (aepd);Spain;29.09.21;5000;CYNGASA, S.L.;Yes;CYNGASA, S.L.;Spain;Building Construction;NA;NA;Private;Yes;Art. 6 GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has imposed a fine of EUR 5,000 on CYNGASA, S.L.. The data subject, when requesting a work report, discovered that the controller had disclosed his personal data to a third party company without his consent. The data involved included among others first and last name as well as his social security number.;https://www.aepd.es/es/documento/ps-00244-2021.pdf
856;Spanish Data Protection Authority (aepd);Spain;29.09.21;10000;ACONCAGUA JUEGOS S.A.;Yes;ACONCAGUA JUEGOS S.A.;Spain;Sports, Fitness & Recreation;NA;NA;Private;Yes;Art. 37 GDPR;Insufficient involvement of data protection officer;The Spanish DPA (AEPD) has imposed a fine of EUR 10,000 on ACONCAGUA JUEGOS S.A.. The controller had failed to appoint a data protection officer and thus violated Art. 37 GDPR.;https://www.aepd.es/es/documento/ps-00231-2021.pdf
857;Danish Data Protection Authority (Datatilsynet);Denmark;29.09.21;107000;Danish Cancer Society;Yes;Danish Cancer Society;Denmark;NA;NA;NA;Other;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;"The Danish DPA has fined the Danish Cancer Society EUR 107,000 for failing to comply with the requirements of the GDPR regarding appropriate security measures. 

The Danish Cancer Society had reported four data breaches according to Art. 33 GDPR to the DPA. Two of these involved computer thefts, two phishing attacks - and all four were due to the Danish Cancer Foundation's failure to implement technical and organizational measures to ensure a level of security appropriate to the risk to data subjects. 

A similar personal data breach already occurred in August 2018, when the Foundation fell victim to phishing and spoofing hacking attacks. In this context, the Danish Cancer Society stated that it should increase protection through multifactor authentication, however, this was not implemented.

The data of at least 1,448 individuals was compromised, and in several cases it involved sensitive personal health data, including medical history.";https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2021/sep/kraeftens-bekaempelse-indstillet-til-boede
858;Norwegian Supervisory Authority (Datatilsynet);Norway;20.09.21;40200;Hoylandet Municipality;Yes;Høylandet Kommune;Norway;Politics & Government;33000000;309;Other;Yes;Art. 32 (1) b), (2) GDPR;Insufficient technical and organisational measures to ensure information security;The Norwegian DPA has imposed a fine of EUR 40,200 on the municipality of Hoylandet. The latter had reported a data breach to the DPA in accordance with Art. 33 GDPR. An employee gained access to several image files (bitmap) when she had to create new letter templates and insert an image logo from the file. The image files that the employee had access to contained sensitive information about individuals who had no connection with the municipality of Hoylandet. The information included health data among others. The DPA found that the municipality had not implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk to the data subjects. Instead, the municipality stated that it had simply asked employees using the relevant computer program to avoid opening bitmap files that were not created by the municipality. The error has meanwhile been corrected and the municipality has introduced a new internal control system.;https://www.datatilsynet.no/contentassets/d01675e54b9447298952002ff1c208fb/vedtak-om-overtredelsesgebyr---hoylandet-kommune.pdf
859;Norwegian Supervisory Authority (Datatilsynet);Norway;20.09.21;75600;ST. OLAVS HOSPITAL HF;Yes;St. Olavs Hospital Hf;Norway;Hospitals;989000000;11067;Other;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;"The Norwegian DPA has fined St. Olav's Hospital in the amount of EUR 75,600. The hospital suffered three data leaks in accordance with Art. 33 the GDPR. The first incident had occurred between January 13, 2011, and January 27, 2020, at the hospital's cardiology department following an upgrade for a new treatment-oriented health registry for the cardiology laboratory. 

In connection with the upgrade, a test server was used on which treatment reports were temporarily cached and then copied to the new system. However, the reports in the test server were not deleted. Moreover, another error occurred, which allowed all authenticated employees to access the reports. About 21,000 reports were affected. 

The second breach occurred in the period from May 17, 2015 to January 28, 2020, when reports from medical devices (pulse oximeters for long-term measurement of oxygen saturation and pulse) were stored in a file area accessible to any employee with an authenticated and active account. 

The third breach occurred in the period from January 01, 2018 to December 09, 2019. Passwords for various databases were stored in plain text in a file on the hospital's server. Employees with an active hospital system account were able to first connect to the server viaRemote Desktop and then search for a file with a password in the database. 

The DPA found that the hospital had failed to establish effective access controls.";https://www.datatilsynet.no/contentassets/447e5ad0c7f346fc9cc1c0d62d023bba/vedtak-om-overtredelsesgebyr--st.-olavs-hospital-hf.pdf
860;Spanish Data Protection Authority (aepd);Spain;04.09.21;1500;AMPUDIA DIAZ, S.L.;Yes;AMPUDIA DIAZ, S.L.;Spain;Restaurants, Cafes & Bars;NA;25;Private;Yes;Art. 5 (1) c) GDPR, Art. 13 GDPR;Non-compliance with general data processing principles;The Spanish DPA (AEPD) has imposed a fine of EUR 1,500 on AMPUDIA DIAZ, S.L.. The controller had installed a video surveillance system in its premises, which recorded an adjacent public sidewalk among other things. This made it possible to record passers-by. The controller had not installed any signs informing about the video surveillance. The DPA found that the controller had violated the principle of data minimization and its duty to inform. The fine consists of EUR 1,000 for a violation of Art. 5(1)(c) GDPR and EUR 500 for a violation of Art. 13 GDPR.;https://www.aepd.es/es/documento/ps-00471-2020.pdf
861;Spanish Data Protection Authority (aepd);Spain;04.10.21;2000;Store owner;No;NA;NA;Retail & Trade;NA;NA;NA;Yes;Art. 5 (1) c) GDPR;Non-compliance with general data processing principles;The Spanish DPA (AEPD) has imposed a fine of EUR 2,000 on the owner of a store. The controller had installed a video surveillance system that covered, among other things, a public street. Thereby, the DPA found that the controller had violated the principle of data minimization.;https://www.aepd.es/es/documento/ps-00187-2021.pdf
862;Spanish Data Protection Authority (aepd);Spain;04.10.21;1000;Store owner;No;NA;NA;Retail & Trade;NA;NA;NA;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;The Spanish DPA (AEPD) has imposed a fine of EUR 1,000 on the owner of a store. The controller had installed a video surveillance system, however, without having placed signs informing about the use of video surveillance.;https://www.aepd.es/es/documento/ps-00243-2021.pdf
863;Norwegian Supervisory Authority (Datatilsynet);Norway;21.09.21;12500;Ultra-Technology AS;Yes;Ultra-Technology As;Norway;Industrial;1900000;39;Private;Yes;Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Norwegian Data Protection Authority has imposed a fine of EUR 12,500 on Ultra-Technology AS. Background of the fine is a complaint from a data subject who was credit-checked without any customer relationship or other affiliation to Ultra-Technology AS.;https://www.datatilsynet.no/contentassets/53bc6882df7e426299e6d551428fc811/vedtak-om-overtredelsesgebyr--ultra-technology-as.pdf
864;Spanish Data Protection Authority (aepd);Spain;04.10.21;5000;CALDERERIA Y SOLDADURA DE ESTRUCTURAS METALICAS, S.L.;Yes;CALDERERIA Y SOLDADURA DE ESTRUCTURAS METALICAS, S.L.;Spain;Industrial;NA;NA;Private;Yes;Art. 6 GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has fined CALDERERIA Y SOLDADURA DE ESTRUCTURAS METALICAS, S.L. EUR 5,000 for unlawfully processing an individual's data. Previously, CYNGASA, S.L. had disclosed the data to the controller without the consent of the data subject. The data concerned included, among others, his first and last name and social security number. CYNGASA, S.L. received a fine in a separate proceeding as well.;https://www.aepd.es/es/documento/ps-00245-2021.pdf
865;Spanish Data Protection Authority (aepd);Spain;05.10.21;4000;CLUB DEPORTIVO SANSUENA, S.L.;Yes;CLUB DEPORTIVO SANSUENA, S.L.;Spain;Sports, Fitness & Recreation;NA;NA;Private;Yes;Art. 5 (1) e) GDPR, Art. 6 GDPR, Art. 32 (1) b), d) GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has fined CLUB DEPORTIVO SANSUENA, S.L. EUR 4,000 for adding the cell phone number of a data subject to a WhatsApp group without the data subject's consent.;https://www.aepd.es/es/documento/ps-00260-2021.pdf
866;National Commission for Data Protection (CNPD);Luxembourg;05.08.21;135000;Insurance company;No;NA;NA;Finance & Insurance;NA;NA;NA;Yes;Art. 5 (1) f) GDPR, Art. 32 (1) a), b) GDPR, Art. 33 (1), (5) GDPR;Insufficient technical and organisational measures to ensure information security;"The DPA of Luxembourg has imposed a fine of EUR 135,000 on an insurance company. 

On October 19, 2018, an employee of the controller had sent an e-mail to an uninvolved third party instead of the data subject. This occurred due to an error by the employee who had incorrectly entered the e-mail address of the data subject. In addition to the name and gender of the data subject, the e-mail also contained detailed information about the data subject's illnesses. In addition, the attachment contained three forms relating to illnesses that the data subject had reported in connection with the conclusion of a life insurance policy.On November 29, the same incident occurred. The second misdirected e-mail contained, in addition to the data subject's name, very specific questions about a particular pathology, the last name of the life insurance doctor, the address of said doctor, and two blank forms related to said pathology to be filled out by him or his doctor

The DPA noted that it had not been informed of the data breach in a timely manner in accordance with Art. 33 GDPR. The company had also not complied with its documentation obligation under Art. 33 (5) GDPR. 
Furthermore, the DPA found that the controller had failed to implement technical and organizational measures to ensure a level of security appropriate to the risk for the data subjects.";https://cnpd.public.lu/content/dam/cnpd/fr/decisions-fr/2021/Decision-31FR-2021-sous-forme-anonymisee.pdf
867;Spanish Data Protection Authority (aepd);Spain;08.10.21;30000;ORANGE ESPAGNE, S.A.U.;Yes;Orange SA;France;Telecommunications;37800000000;150711;Public;No;Art. 6 (1) a) GDPR;Insufficient legal basis for data processing;The Spanish DPA has imposed a fine on ORANGE ESPAGNE, S.A.U.. A data subject had filed a complaint with the DPA as she had received a total of 30 calls from Jazztel employees (subsidiary of Orange Espagne, S.A.U.) and text messages between 03/01/2021 and 03/03/2021 without ever having been a customer of the company. She then requested that her phone number be deleted from the company database. Although the controller confirmed the deletion of the data, she continued to receive calls and text messages from the controller. The original fine of EUR 50,000 was reduced to EUR 30,000 due to the admission of guilt and the voluntary payment.;https://www.aepd.es/es/documento/ps-00471-2020.pdf
868;Spanish Data Protection Authority (aepd);Spain;11.10.21;10000;MAF.COM ESQUI CLUB;Yes;MAF.COM ESQUI CLUB;Spain;Sports, Fitness & Recreation;NA;NA;Other;Yes;Art. 7 GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has imposed a fine of EUR 10,000 on MAF.COM ESQUI CLUB. The mother of an underage girl who had attended ski lessons with the controller filed a complaint with the DPA against the latter. The controller had published videos of the mother's daughter on its website and social media channels without her consent. The images were only disseminated with the consent of the father, who enrolled the girl in the ski course. The girl's parents were divorced at the time of the incident. The DPA found that the controller had failed to obtain consent from both parents and thus processed the images without a valid legal basis.;https://www.aepd.es/es/documento/ps-00104-2021.pdf
869;Italian Data Protection Authority (Garante);Italy;16.09.21;5000;La Prima S.r.l.;Yes;La Prima Srl (Foggia);Italy;Wholesale;38100000;245;Private;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 24 GDPR, Art. 25 GDPR;Insufficient legal basis for data processing;The Italian DPA (Garante) has imposed a fine of EUR 5,000 on the real estate portal La Prima S.r.l.. A data subject had filed a complaint against the controller with the DPA. She complained about receiving a contact request on Linkedin by an employee of La Prima, which aimed to offer real estate services related to a specific property owned by the data subject. The controller had obtained the information regarding the data subject's ownership of the property from an openly accessible public register. At no time had the data subject consented to such a contact request. The controller had argued during the DPA's investigation that consent for others to contact her could be inferred from the fact that she had a public profile. However, the DPA noted that the exchange of information via a social network should only allow for what is specified in the relevant terms of use. The DPA clarified that the platform is intended to enable the exchange of contact information in order to make job offers. In contrast, it is not intended that users use the platform to send messages to other users in order to sell services. Moreover, it is irrelevant whether a user profile is public or not. Consequently, the DPA concluded that the controller had processed the data unlawfully.;https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9705632
870;Spanish Data Protection Authority (aepd);Spain;13.10.21;40000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 5 (1) f) GDPR, Art. 32 GDPR;Non-compliance with general data processing principles;The Spanish DPA has imposed a fine on Vodafone Espana, S.A.U.. A woman filed a complaint against the controller based on the fact that the controller had sent telephone bills belonging to a third party to her e-mail address. After bringing this to the attention of the controller, she received no response. Thereupon, she contacted the controller by telephone in this regard. However, none of the employees were able to help her with this concern. The DPA concluded that the controller had violated the principle of integrity and confidentiality set out in Art. 5 (1) f) GDPR, and that the controller had failed to implement technical and organizational measures to ensure a level of security appropriate to the risk to the data subjects. The original fine of EUR 50,000 was reduced to EUR 40,000 due to voluntary payment.;https://www.aepd.es/es/documento/ps-00111-2021.pdf
871;Austrian Data Protection Authority (dsb);Austria;28.09.21;9500000;Austrian Post;Yes;Österreichische Post AG;Austria;Transportation & Logistics;2000000000;24747;Public;Yes;NA;NA;The Austrian DPA imposed a fine of EUR 9.5 million on the Austrian Post on September 28, 2021. The main accusation is that, in addition to the contact options used by Austrian Post via mail, web contact form and customer service, data protection-related inquiries should also be allowed via e-mail. According to the newspaper 'Der Standard', the Austrian Post had only introduced a contact form for data protection inquiries, in order to automate the process of inquiries and to obtain all information necessary for processing the inquiries.;https://news.post.at/presse/de/post/id/1711838/DATENSCHUTZVERFAHREN%20DER%20%C3%96STERREICHISCHEN%20POST,
872;Austrian Data Protection Authority (dsb);Austria;NA;4000000;Bank;No;NA;NA;Banks;NA;NA;NA;Yes;NA;NA;According to the newspaper 'Der Standard', the Austrian DPA has imposed a fine of EUR 4 million on a bank in 2021. Further information is not yet disclosed.;https://www.derstandard.at/story/2000130047781/post-und-joe-im-visier-der-datenschutzbehoerde
873;Austrian Data Protection Authority (dsb);Austria;NA;1200000;Customer loyalty program;No;NA;NA;Advertising & Marketing;NA;NA;NA;Yes;NA;NA;According to the newspaper 'Der Standard', the Austrian DPA has imposed a fine of EUR 1.2 million on a customer loyalty program in 2021. Further information has not yet been disclosed.;https://www.derstandard.at/story/2000130047781/post-und-joe-im-visier-der-datenschutzbehoerde
875;Data Protection Authority of Ireland;Ireland;06.10.21;NA;Facebook Ireland Limited;Yes;Meta Platforms, Inc;United States;IT Services;103164000000;71970;Public;No;Art. 5 (1) a) GDPR, Art. 12 (1) GDPR, Art. 13 (1) c) GDPR;Insufficient fulfilment of information obligations;"The organization 'None of your business' (NOYB) published a draft decision of the Irish DPA (DPC) on October 13, 2021, which indicates that it proposes a fine between EUR 28 million and EUR 36 million against Facebook.

The draft primarily addresses the fact that Facebook has included details on data processing in its terms of service, thus relying on Art. 6 (1) b) rather than on consent pursuant to Art. 6 (1) a) GDPR. 
Critics consider this a loophole used by Facebook to circumvent the stricter GDPR requirements of consent according to Art. 6 (1) a) GDPR.

However, the DPC emphasizes that the GDPR does not establish a hierarchy of legal bases that can be used to process personal data.

Yet, the DPC noted that Facebook failed to provide clear information about its legal basis for data processing and highlights that the information provided by Facebook is discontinuous and that users are referred to different documents and texts of the data policy and terms of service. 

The DPC concludes its draft that Facebook has thus violated Art. 5 (1) a) GDPR, Art. 12 (1) GDPR and Art. 13 (1) c) GDPR.

The draft decision will now be forwarded to other European data protection authorities allowing them to comment on it.";https://noyb.eu/sites/default/files/2021-10/IN%2018-5-5%20Draft%20Decision%20of%20the%20IE%20SA.pdf
876;Italian Data Protection Authority (Garante);Italy;16.09.21;200000;Bocconi University;Yes;Universita' Commerciale Luigi Bocconi;Italy;Education;76200000;904;Private;Yes;Art. 5 (1) a), c), e) GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 13 GDPR, Art. 25 GDPR, Art. 35 GDPR, Art. 44 GDPR, Art. 46 GDPR, Art. Art. 2-sexies Codice della Privacy;Non-compliance with general data processing principles;"The Italian DPA (Garante) has imposed a fine of EUR 200,000 on Bocconi University. A student had filed a complaint with the DPA about possible GDPR violations related to the use of a monitoring system during written exams. In the context of the emergency situation triggered by the Covid-19 pandemic, the university had equipped itself with the remote monitoring software Respondus provided by the American company Respondus Inc. to ensure the normal running of the exams, since it was not possible to take the exams live and in person as usual. The software was able to monitor the behavior of the students through video recordings and snapshots taken at random intervals. In addition, the exam was audio-visually recorded and a photograph was taken of each examinee at the beginning of the exam. At the end of the exam, the system processed the video, inserted warning signals regarding possible indications of incorrect behavior, and, among other things, assigned a so-called 'review priority' so that the examiner could subsequently assess whether an unauthorized act had been committed during the exam. In its investigation the DPA found that students were not properly informed of the processing of their personal data involved in the use of Respondus. For instance they were not informed that they would be audiovisually recorded and that the images would subsequently be processed. In addition, students were not provided with information regarding specific retention periods for personal data. Nor had they received sufficient information about the fact that their personal data would be transferred to the United States; instead, they were only informed in general terms that personal data would be processed both within and outside the territory of the European Union. Furthermore, the DPA found that the little information the students had received was presented in a fragmented and disorganized manner in various documents. The DPA considered this to be a violation of the principles of lawfulness, fairness and transparency. The DPA also found that the university had processed the personal data without a valid legal basis. Thus, consent to the processing of personal data was a prerequisite to participate in the exams in the first place. As an alternative to online exams, the option of an in-person exam was proposed. However, in the light of the  pandemic, this also meant an increased health risk. Students were also concerned that refusing to take the online exams would negatively impact their grades. Consequently, the DPA concluded that the students' consent could not be considered voluntary. Further, the DPA found that the university retained the data for 12 months, although this would not have been necessary for the purpose of ensuring that the exams were properly carried out. 
Eventually, the DPA found violations related to the transfer of data to Respondus. The processing agreement between the University and Respondus was based on the data protection agreement between the EU and the USA, known as the Privacy Shield, although it had been declared invalid by the Schrems II ruling of the Court of Justice of the European Union (CJEU). For this reason, the DPA found that the university transferred personal data to a third country, even though this transfer was not in compliance with the conditions set forth in Chapter V of the GDPR.";https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9703988
877;Italian Data Protection Authority (Garante);Italy;16.09.21;3296326;Sky Italia S.r.l.;Yes;Sky Italia Srl;Italy;TV, Film & Radio;1500000000;3163;Private;Yes;Art. 5 (1), (2) GDPR, Art. 6 (1) GDPR, Art. 7 GDPR, Art. 12 (2) GDPR, Art. 14 GDPR, Art. 21 GDPR, Art. 28 GDPR, Art. 29 GDPR;Insufficient legal basis for data processing;"The Italian DPA (Garante) has fined Sky Italia S.r.l. EUR 3,296,326 for illegal telemarketing. 
The DPA's decision followed a complex investigation launched after dozens of reports and complaints from people who claimed that they received unsolicited promotional calls and promotional SMS both from Sky Italia directly and through call centers of other companies. 
In this regard, the DPA found that the promotional calls were made without adequately informing the users (such as about the origin of the personal data transmitted to Sky Italia). Thus, data subjects would have had the opportunity to contact the company that collected the data and object to the processing.  Only after obtaining consent, Sky would then have been allowed to proceed with the commercial offers. 
Sky used lists of data it had acquired from other companies for these promotional purposes. Contrary to Sky Italia's view, the consent to the disclosure of data to third parties given by the data subjects to the companies from which Sky Italia had acquired the lists did not authorize Sky Italia to use the data for its own promotional purposes.
In addition, Sky failed to verify the list of individuals who had objected to being contacted for advertising purposes before making the advertising calls. As a result, several data subjects had received advertising calls despite their explicit objection. Further, the DPA found that Sky had failed to properly appoint the suppliers of the lists as data processors. 
In determining the amount of the fine, the DPA took into aggravating consideration that the violations involved 'systemic' conduct that was rooted in the company's operations as well as the fact that Sky should have acquired sufficient experience and competence to make fundamental decisions in compliance with data protection regulations due to its ongoing contacts with the authority and its long-standing presence in the market.";https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9706389,
878;Norwegian Supervisory Authority (Datatilsynet);Norway;18.10.21;412000;Ostre Toten municipality;Yes;Østre Toten Kommune Vann Og Avløp;Norway;Politics & Government;2500000;26;Other;Yes;Art. 5 (1) f) GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;"The Norwegian DPA has fined Ostre Toten municipality EUR 412,000. The municipality suffered a cyberattack in January 2021, as a result of which the municipality's data was encrypted as well as backups were deleted. A larger amount of data was later published on the dark web.

Approximately 30,000 documents were affected by the attack. The documents contained, among other things, information on ethnic origin, political opinion, religious beliefs, union memberships, sexual orientation, health status, as well as banking data of the municipality's residents and employees.

The DPA's investigation revealed that the municipality had fundamental deficiencies in the security of personal data and related internal controls.Among other things, the municipality had not used two-factor authentication when logging into systems, and lacked appropriate backup systems.";https://www.datatilsynet.no/contentassets/4609027cf9504e9aa12c3f05b45bdcf7/varsel-om-vedtak-om-overtredelsesgebyr-og-palegg.pdf
879;Spanish Data Protection Authority (aepd);Spain;19.10.21;70000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 21 GDPR, Art. 21 LSSI;Insufficient fulfilment of data subjects rights;The Spanish DPA (AEPD) has imposed a fine of EUR 70,000 on VODAFONE ESPANA, S.A.U.. A data subject had filed a complaint with the DPA for having received promotional emails from Vodafone without having expressly consented to this and without having had a prior contractual relationship. The data subject then objected to receiving future e-mails. Vodafone confirmed the objection. Nonetheless, the data subject received four advertising e-mails a few months later. The fine consists of EUR 50,000 for a violation of Art. 21 GDPR and EUR 20,000 for a violation of Art. 21 LSSI.;https://www.aepd.es/es/documento/ps-00142-2021.pdf
880;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;21.10.21;5000;Glove Technology SRL;Yes;Glove Technology Srl;Romania;Wholesale;3000000;16;Private;Yes;Art. 5 (1) a) GDPR, Art. 6 (1) a) GDPR;Insufficient legal basis for data processing;"The Romanian DPA (ANSPDCP) has imposed a fine of EUR 5,000 on Glove Technology SRL. 
The controller had installed a video surveillance system that audiovisually monitored employees at their workplace and recorded conversations between them to be used against them. The DPA found that the controller had violated Art. 5 (1) a) GDPR and Art. 6 (1) GDPR.";https://www.dataprotection.ro/?page=Comunicat_Presa_21.10.2021_2&lang=ro
881;Spanish Data Protection Authority (aepd);Spain;19.10.21;40000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has fined Vodafone Espana, S.A.U. EUR 40,000. An individual had filed a complaint with the DPA against Vodafone for debiting his bank account in May 2020 for a Vodafone telephone line whose owner was not him but his ex-partner. As it turned out, the complainant's ex-partner had concluded a contract with Vodafone in his name. She stated that she was authorized to do so, but did not provide any proof of this. The DPA found that Vodafone had unlawfully processed the complainant's data. Indeed, compliance with the principle of lawfulness in the processing of third party data requires that the controller is able to prove lawfulness.;https://www.aepd.es/es/documento/ps-00352-2021.pdf
882;Spanish Data Protection Authority (aepd);Spain;19.10.21;2000;BEEPING FULFILMENT S.L.;Yes;BEEPING FULFILMENT S.L.;Spain;IT Services;NA;NA;Private;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;The Spanish DPA (AEPD) has fined BEEPING FULFILMENT S.L. in the amount of EUR 2,000. The controller had not provided the required information about the purposes and characteristics, of the data processing in the privacy policy of a website it operates. The data protection authority considered this to be a violation of Art. 13 GDPR.;https://www.aepd.es/es/documento/ps-00163-2021.pdf
884;Spanish Data Protection Authority (aepd);Spain;21.10.21;3000000;CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U.;Yes;CaixaBank SA;Spain;Banks;10900000000;35434;Public;Yes;Art. 6 (1) GDPR;Insufficient legal basis for data processing;"The Spanish DPA (AEPD) has imposed a fine of EUR 3,000,000 on CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U.. An individual had filed a complaint against the controller. The reason was that Caixabank had requested information about him from a company although, the latter has not been a customer of Caixabank since 2014 and that he was included in an advertising campaign to offer him a pre-grant credit. 

Caixabank had used individuals' data to assess their creditworthiness without their consent. This was used to create financial profiles of the data subjects and to advertise certain financial services (e.g. credit cards or loans) to them on this basis. 

In doing so, the DPA found that the controller had not obtained effective consent from the data subjects. It is true that the data subjects had at one point given consent for their data to be processed by the entire CaixaBank Group. However, the controller had not adequately informed the data subjects about the data processing, including profiling. For example, the controller had only provided data subjects with general information about the various profiling processing operations, so data subjects could not know exactly what the processing they had consented to consisted of.";https://www.aepd.es/es/documento/ps-00500-2020.pdf
885;Spanish Data Protection Authority (aepd);Spain;25.10.21;3000;MERCEDES GERENCIA, S.L.;Yes;"	Mercedes Gerencia Sl.";Spain;Retail & Trade;4500000;6;Private;Yes;Art. 58 (1) GDPR;Insufficient cooperation with supervisory authority;The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on MERCEDES GERENCIA, S.L.. The controller failed to respond to a request for information from the DPA in a timely manner.;https://www.aepd.es/es/documento/ps-00239-2021.pdf
886;Spanish Data Protection Authority (aepd);Spain;26.10.21;64000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) imposed a fine on Vodafone Espana, S.A.U. due to insufficient legal basis for data processing. The data subject had filed a complaint against the data controller. The data subject stated that telephone lines were registered in his name for which there were also outstanding payments. However, the data subject had never concluded contracts with the company for any of these lines. Rather, the contracts in question were concluded by fraudsters using the personal data of the data subject. Still, the personal data was entered into the company's information systems without any verification as to whether the contracts were lawful and actually concluded by the data subject. The original fine of EUR 80,000 was reduced to EUR 64,000 due to voluntary payment.;https://www.aepd.es/es/documento/ps-00249-2021.pdf
887;Spanish Data Protection Authority (aepd);Spain;26.10.21;16000;SERVICIOS LOGISTICOS MARTORELL SIGLO XXI, S.L.;Yes;Servicios Logisticos Martorell Siglo Xxi Sl;Spain;Transportation & Logistics;33500000;475;Private;Yes;Art. 35 GDPR;Non-compliance with general data processing principles;The Spanish DPA (AEPD) has imposed a fine on SERVICIOS LOGISTICOS MARTORELL SIGLO XXI, S.L.. The company had installed five terminals with a fingerprint control system to record its employees' working hours. In doing so, the company had failed to conduct a data protection impact assessment. The AEPD found a violation of Art. 35 GDPR for this reason. The original fine of EUR 20,000 was reduced to EUR 16,000 due to voluntary payment.;https://www.aepd.es/es/documento/ps-00050-2021.pdf
888;Spanish Data Protection Authority (aepd);Spain;26.10.21;40000;VODAFONE SERVICIOS, S.L.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has imposed a fine on VODAFONE SERVICIOS, S.L.U.. A data subject filed a complaint with the DPA against the controller. The data subject is a client of the controller. When he checked his bills on the official website 'MY VODAFONE' last December, he found that he had four outstanding bills, but he could not access them. He had also received a number of requests to pay them. He was informed that there was a parallel account at Vodafone with details that partly corresponded to those of him. As it turned out, fraudsters had concluded a mobile phone contract using the personal data of the data subject. However, the personal data had been entered into the company's information systems without any verification that the contract was lawful and had actually been concluded by the data subject. The original fine of EUR 50,000 was reduced to EUR 40,000 due to voluntary payment.;https://www.aepd.es/es/documento/ps-00195-2021.pdf
889;Spanish Data Protection Authority (aepd);Spain;26.10.21;40000;VODAFONE SERVICIOS, S.L.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has imposed a fine on VODAFONE SERVICIOS, S.L.U.. A data subject has filed a complaint with the AEPD against the data controller. The data subject states that she received invoices and debits on her bank account for the payment of Vodafone services that she had not booked herself. The data subject also stated that she was receiving calls from the collection company Bureau Veritas asking her to pay for these services. As it turned out, fraudsters had used the data subject's personal data to conclude a service contract. However, the personal data had been entered into the company's information systems without any verification that the contract was lawful and had actually been concluded by the data subject. The original fine of EUR 50,000 was reduced to EUR 40,000 due to the voluntary payment.;https://www.aepd.es/es/documento/ps-00242-2021.pdf
890;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;01.11.21;1000;IKEA ROMANIA SA;Yes;INGKA Holding B.V.;Netherlands;Retail & Trade;39600000000;217000;Private;No;Art. 32 (1) b), (2) GDPR;Insufficient technical and organisational measures to ensure information security;"The Romanian DPA (ANSPDCP) has imposed a fine of EUR 1,000 on IKEA ROMANIA SA. The controller had sent a notification to the DPA about a personal data breach under Art. 33 GDPR. Accordingly, the controller had organized a drawing contest in which children of IKEA Family members could participate. Participants uploaded their own drawings to an online platform along with entry forms containing their personal data and that of their parents, including their consent. In order to vote for the best drawing, the children's drawings were posted on the online platform and by accident along with it  the personal data included in the participation forms.
At the time of the investigation, it was determined that the security incident had resulted in the unauthorized disclosure of personal data of IKEA Family members (surname, first name and age of minors, as well as surname, first name, city, country, email, IKEA Family membership number and the signature of the parents) on the online platform accessible only to IKEA Family members in Romania. The incident affected 114 people, half of whom were minors. 
The DPA found that the controller had thus breached its obligation under Art. 32 (1) b), (2) GDPR to implement technical and organizational measures that ensure a level of security appropriate to the risk for the data subjects.";https://www.dataprotection.ro/?page=Comunicat_Presa_01_11_2021_2&lang=ro
891;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;01.11.21;5000;S.P.E.E.H. Hidroelectrica S.A.;Yes;Societatea De Producere A Energiei Electrice In Hidrocentrale Hidroelectrica S.A.;Romania;Energy;777300000;3389;Private;Yes;Art. 32 (1) b), (2) GDPR;Insufficient technical and organisational measures to ensure information security;"The Romanian DPA (ANSPDCP) has imposed a fine of EUR 5,000 on S.P.E.H. Hidroelectrica S.A.. The controller had notified the DPA of several breaches of personal data protection under Art. 33 of the GDPR. The data breach led to the data of 325 individuals being accessed unlawfully or passed on to the wrong recipients. The DPA considered this to be a breach by the controller of its obligation under Art. 32 (1) b), (2) GDPR to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk represented by the processing.

In addition, the DPA found that the controller had processed personal data of three customers after they had exercised their right to erase their data and revoked their consent to the processing. The processing was therefore carried out without a valid legal basis. 

The DPA imposed a fine of EUR 5,000 for a breach of Art. 32 (1) b), (2) GDPR. 

For a violation of Art. 5 (1) a) GDPR, Art. 6 (1) a) GDPR, the DPA further issued a warning.";https://www.dataprotection.ro/index.jsp?page=Comunicat_Presa_01_11_2021_1&lang=ro
892;Italian Data Protection Authority (Garante);Italy;16.09.21;5000;Comune di Montalbano Jonico;Yes;Comune Di Montalbano Jonico;Italy;Politics & Government;2700000;43;Other;Yes;Art. 5 (1) a), c) GDPR, Art. 6 (1) c), e) GDPR, Art. 6 (2) GDPR, Art. 6 (3) b) GDPR, Art. 9 (1), (2), (4) GDPR, Art. 2-ter (1), (3) Codice della privacy, Art. 2-septies (8) Codice della privacy;Non-compliance with general data processing principles;The Italian DPA (Garante) has imposed a fine of EUR 5,000 on the municipality of Montalbano Jonico. An individual had filed a complaint against the municipality with the DPA. He complained that a document was publicly available on the municipality's website, which contained personal data about himself and his father. Under the 'Documents and Data' section of the website, the files of the municipality could be viewed. In this context, it was possible to access a decision on a settlement for the overcoming and removal of architectural barriers in their home by filling out the corresponding search form. The decision clearly contained personal data and information in the text and subject line, such as the name of the complainant and his dependent father, with a reference to his situation as a disabled person. The text of the decision also contained the complainant's date of birth and place of residence, as well as information about the settlement sum. The DPA considered the the publication with indication of the data to be a violation of the principle of data minimization.;https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9704069
898;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;14.11.21;2900;Vodafone Romania SA;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 32 (1) b) GDPR, Art. 32 (2) GDPR, Art. 3 (1) Law No. 506/2004, Art. 3 (3) a), b) Law No. 506/2004;Insufficient technical and organisational measures to ensure information security;"The Romanian DPA (ANSPDCP) has imposed a fine of EUR 2,900 on VODAFONE Romania S.A.. The company had reported a data breach to the DPA in accordance with Art. 33 GDPR. In the period from November 2020 to June 2021, there had been unauthorized access to personal data of seventy data subjects (mailing of service contracts to wrong email addresses, unauthorized access by employees of the 
controller to personal data of Vodafone customers without their request). The DPA found that the controller did not take appropriate technical and organizational measures to ensure the security of the processing of personal data.";https://www.dataprotection.ro/?page=Comunicat_Presa_11_11_2021&lang=ro
899;Spanish Data Protection Authority (aepd);Spain;12.11.21;1500;Company;No;NA;NA;NA;NA;NA;NA;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;Usage of CCTV camera without proper information.;https://www.aepd.es/es/documento/ps-00307-2021.pdf
900;Spanish Data Protection Authority (aepd);Spain;12.11.21;3000;AD735 DATA MEDIA ADVERTISING S.L.;Yes;AD735 Data Media Advertising SL;Spain;Advertising & Marketing;NA;NA;Private;Yes;Art. 58 (1) GDPR;Insufficient cooperation with supervisory authority;Failure to provide requested information to the Spanish DPA (AEPD) within the required timeframe in violation of Art. 58 GDPR.;https://www.aepd.es/es/documento/ps-00240-2021.pdf
901;Polish National Personal Data Protection Office (UODO);Poland;14.10.21;78000;Bank Millennium S.A;Yes;Bank Millennium SA;Poland;Banks;912700000;7493;Public;Yes;Art. 33 (1) GDPR, Art. 34 (1) GDPR;Insufficient fulfilment of data breach notification obligations;"The Polish DPA (UODO) has imposed a fine of EUR 78,000 on Bank Millennium S.A.. 
The UODO had become aware of a data protection breach following a complaint against the bank. It turned out that correspondence sent by the bank through a courier service containing personal data such as first name, last name, PESEL number, home address, account numbers and identification numbers of customers, had been lost. In this regard, the UODO found that the bank had failed to report the incident to the DPA and provide adequate notice to the data subjects.";https://uodo.gov.pl/decyzje/DKN.5131.16.2021
902;Dutch Supervisory Authority for Data Protection (AP);Netherlands;12.11.21;400000;Transavia;Yes;Transavia Airlines B.V.;Netherlands;Aviation;1200000000;2666;Private;Yes;Art. 32 (1), (2) GDPR;Insufficient technical and organisational measures to ensure information security;"The Dutch DPA has fined airline Transavia EUR 400,000. 
In 2019, the airline suffered a data breach, in which a hacker gained access to Transavia's systems through two accounts held by the company's IT department. This could have potentially allowed the hacker to access data such as names, dates of birth, gender, email addresses, phone numbers, flight information and booking numbers of 25 million passengers. It was found that the hacker actually downloaded the personal data of 83,000 people. In 367 cases, the data included medical information of people who had requested, for example, wheelchair transportation or additional services because they were blind or deaf. The DPA noted that a lack of security measures allowed the hacker to access the systems. Thus, it was possible to access the airline's systems simply by entering the password. The systems did not incorporate multi-factor authentication. Furthermore, the access rights of the accounts were not limited to necessary systems, allowing the hacker to use them to gain access to multiple Transavia systems. The DPA found that Transavia had breached its duty to implement technical and organizational measures to ensure a level of security appropriate to the risk to data subjects.";https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/boete_transavia.pdf
903;Spanish Data Protection Authority (aepd);Spain;15.11.21;1000;Supermarket;No;NA;NA;Retail & Trade;NA;NA;NA;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;Usage of CCTV camera without proper information.;https://www.aepd.es/es/documento/ps-00149-2021.pdf
905;Spanish Data Protection Authority (aepd);Spain;15.11.21;30000;Vodafone Espana, SAU;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has imposed a fine on Vodafone Espana SAU. A data subject had filed a complaint with the AEPD against the data controller. The data subject states that he had received invoices and debits on his bank account for the payment of Vodafone services that he had not booked himself. The data subject also stated that he had been asked to pay for these services by the debt collection company I.S.G.F. Informes Comerciales, S.L.. As it turned out, fraudsters had used the data subject's personal data to conclude a service contract. Vodafone had subsequently canceled the contract for the booked services. Due to a system error, however, the outstanding invoices had not been canceled, which is why they had been forwarded to the collection agency. The AEPD determined that this transmission was unlawful due to the non-existence of a valid contract. The original fine of EUR 50,000 was reduced to EUR 30,000 due to voluntary payment and admission of guilt.;https://www.aepd.es/es/documento/ps-00312-2021.pdf
906;Bulgarian Commission for Personal Data Protection (KZLD);Bulgaria;26.10.21;380;Bank;No;NA;NA;Banks;NA;NA;NA;Yes;Art. 5 (1) b) GDPR;Non-compliance with general data processing principles;The Bulgarian DPA has fined a bank EUR 380 for the unlawful transfer of personal data to third parties.;https://www.cpdp.bg/download.php?part=rubric_element&aid=4786
907;Spanish Data Protection Authority (aepd);Spain;22.11.21;1000;Neighborhood community;No;NA;NA;NA;NA;NA;NA;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;The Spanish DPA has imposed a fine of EUR 1000 on a neighborhood community. The reason for this was that the information sign about a video surveillance system did not contain sufficient information as required by Art. 13 GDPR. The sign contained neither a reference to the data controller nor an  address to contact if one wishes to exercise their data subjects rights.;https://www.aepd.es/es/documento/ps-00339-2021.pdf
908;Spanish Data Protection Authority (aepd);Spain;15.11.21;40000;Vodafone Espana, SAU;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has imposed a fine on Vodafone Espana SAU. An individual had filed a complaint with the DPA. The data subject claims to have received text messages from Vodafone in September 2020 informing him that he had debts from services he had ordered from Vodafone. The billing address listed in the text messages corresponded to that of an old house where the data subject had lived with his ex-partner in the past. Vodafone stated that a system error had led to this incident. This resulted in the data subject appearing as the holder of his former partner's customer account. The original fine of EUR 50,000 was reduced to EUR 40,000 due to voluntary payment.;https://www.aepd.es/es/documento/ps-00268-2021.pdf
909;Cypriot Data Protection Commissioner;Cyprus;12.11.21;925000;WS WiSpear Systems Ltd;Yes;WS WiSpear Systems Ltd;Cyprus;IT Services;NA;5;Private;Yes;Art. 5 (1) a) GDPR;Non-compliance with general data processing principles;"The Cypriot DPA has imposed a fine of EUR 925,000 on WS WiSpear Systems Ltd. 
The company had collected various data from individuals (Media Access Control addresses and International Mobile Subscriber Identity data) without their knowledge as part of tests and presentations of technologies. In this context, the DPA found a violation of the principle of legality, objectivity and transparency.";https://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/All/D7D2A1120DDE670AC225878B0040D4E7?OpenDocument
910;French Data Protection Authority (CNIL);France;04.11.21;400000;Regie autonome des transports parisiens;Yes;Regie Autonome Des Transports Parisiens;France;Transportation & Logistics;217900000;10000;Private;Yes;Art. 5 (1) c) GDPR, Art. 5 (1) e) GDPR, Art. 5 (2) GDPR, Art. 32 GDPR;Non-compliance with general data processing principles;The French DPA (CNIL) imposed a fine of EUR 400,000 on RATP (the operator of the public transport system in Paris). In May 2020, a trade union filed a complaint with the CNIL alleging that the number of strike days exercised by staff were included in files used to prepare promotion decisions. The CNIL then conducted investigations in several RATP bus centers. These led to confirmation of this practice in three RATP bus centers. The CNIL indicated that files for evaluating performance and promotion prospects should only contain data necessary for evaluating employees.In particular, it was sufficient to indicate the total number of days of absence without the need to go into detail and distinguish the days associated with the exercise of the right to strike. It found that the use of data on the number of days staff members were on strike was not necessary for these purposes, and that the RATP thus violated the principle of data minimization set forth in Article 5 (1) (c) GDPR. In addition, the DPA found that the RATP had excessively retained many of its employees' data. Indeed, the RATP kept files on the evaluation of staff members for more than three years after the promotion commission, although their retention was only required for 18 months after the holding of these commissions. Further, CNIL found that RATP did not adequately differentiate between staff authorization levels, allowing more staff than necessary to access certain data. For this reason, CNIL concluded that RATP failed in its duty to implement appropriate technical and organizational measures to ensure a level of protection appropriate to the risk.;https://www.cnil.fr/fr/fichiers-devaluation-des-agents-sanction-de-400-000-euros-lencontre-de-la-ratp
912;Spanish Data Protection Authority (aepd);Spain;22.11.21;2000;ANIVERSALIA NETWORKS, S.L.;Yes;ANIVERSALIA NETWORKS, S.L.;Spain;IT Services;NA;NA;Private;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;The Spanish DPA (AEPD) fined ANIVERSALIA NETWORKS, S.L. EUR 2,000 due to the fact that the privacy policy on its website did not comply with the requirements of Art. 13 GDPR.;https://www.aepd.es/es/documento/ps-00346-2021.pdf
913;Spanish Data Protection Authority (aepd);Spain;23.11.21;3000;FUENSANTA S.L.;Yes;Fuensanta Sl;Spain;Hospitals;4400000;57;Private;Yes;Art. 58 (1) GDPR;Insufficient cooperation with supervisory authority;The controller failed to provide information requested by the Spanish DPA (AEPD) for investigative purposes.;https://www.aepd.es/es/documento/ps-00289-2021.pdf
914;Spanish Data Protection Authority (aepd);Spain;23.11.21;40000;Vodafone Espana, SAU;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has fined Vodafone Espana S.A.U. EUR 40,000. An individual had filed a complaint against Vodafone with the DPA because her cell phone line was transferred to a third party without her consent and she was charged amounts from a third party phone line. The reason for this was a technical error in Vodafone's systems.;https://www.aepd.es/es/documento/ps-00269-2021.pdf
915;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;26.11.21;2000;Valoris Center S.R.L.;Yes;Valoris Center Srl;Romania;Services;4800000;583;Private;Yes;Art. 29 GDPR, Art. 32 (1) b) GDPR, Art. 32 (4) GDPR;Insufficient technical and organisational measures to ensure information security;The Romanian DPA (ANSPDCP) has imposed a fine of EUR 2,000 on Valoris Center S.R.L.. The controller notified the DPA of a data breach pursuant to Art. 33 GDPR. A call center employee of the controller had accidentally sent a customer an Excel file containing data from other customers of the controller. In the course of the investigation, it was determined that this breach resulted in the unauthorized disclosure of or access to personal data such as email address, username, user ID, phone number, customer name, customer code, customer PIN, with a total of 11169 natural persons affected by the incident. The DPA found that the controller had failed to implement technical and organizational measures to ensure a level of security appropriate to the risk to data subjects.;https://www.dataprotection.ro/?page=Comunicat_Presa_26_11_2021_Amenda&lang=ro
916;Icelandic data protection authority ('Personuvernd');Iceland;23.11.21;51000;Icelandic Ministry of Industry and Innovation;Yes;Atvinnuvega- og nýsköpunarráðuneyti Íslands;Iceland;Politics & Government;NA;250;Other;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 13 GDPR, Art. 25 GDPR, Art. 28 GDPR, Art. 32 GDPR;Non-compliance with general data processing principles;"The Icelandic Data Protection Authority has imposed a fine of EUR 51,000 on the Ministry of Industry and Innovation and a fine of EUR 27,200 on YAY ehf. 

The fine is related to a campaign by the ministry to encourage Icelanders to travel domestically in the summer of 2020. This involved a digital gift voucher that could be obtained through the app of the company YAY ehf.  
The DPA received a number of complaints regarding the fact that the use of the travel gift required extensive personal information and access to users' phones. As a result, the DPA launched investigations against the ministry and the company. 
The DPA found that the ministry had violated the principle of legality and transparency.
Participating individuals were only required to agree to the General Terms of Use of the YAY app in order to participate in the voucher promotion. However, the DPA found that by doing so, the data subjects had not expressly consented to the processing of their personal data carried out as part of the promotion. 
The DPA also found that the information provided about the actual processing of personal data was insufficient. 
Moreover, neither the ministry nor YAY ehf. had implemented appropriate technical and organizational measures to ensure the security of the processing of personal data. 
Also, due to a configuration error on the part of YAY, more data than necessary was processed, which is why the DPA found a violation of the principle of data minimization.";https://www.personuvernd.is/urlausnir/akvordun-um-sekt-vegna-ferdagjafar-stjornvalda
917;Icelandic data protection authority ('Personuvernd');Iceland;23.11.21;27200;YAY ehf.;Yes;YAY ehf.;Iceland;IT Services;NA;NA;Private;Yes;Art. 5 GDPR, Art. 6 GDPR, Art. 28 GDPR, Art. 32 GDPR;Non-compliance with general data processing principles;"The Icelandic Data Protection Authority has imposed a fine of EUR 51,000 on the Ministry of Industry and Innovation and a fine of EUR 27,200 on YAY ehf. 

The fine is related to a campaign by the ministry to encourage Icelanders to travel domestically in the summer of 2020. This involved a digital gift voucher that could be obtained through the app of the company YAY ehf.  
The DPA received a number of complaints regarding the fact that the use of the travel gift required extensive personal information and access to users' phones. As a result, the DPA launched investigations against the ministry and the company. 
The DPA found that the ministry had violated the principle of legality and transparency.
Participating individuals were only required to agree to the General Terms of Use of the YAY app in order to participate in the voucher promotion. However, the DPA found that by doing so, the data subjects had not expressly consented to the processing of their personal data carried out as part of the promotion. 
The DPA also found that the information provided about the actual processing of personal data was insufficient. 
Moreover, neither the ministry nor YAY ehf. had implemented appropriate technical and organizational measures to ensure the security of the processing of personal data. 
Also, due to a configuration error on the part of YAY, more data than necessary was processed, which is why the DPA found a violation of the principle of data minimization.";https://www.personuvernd.is/urlausnir/akvordun-um-sekt-vegna-ferdagjafar-stjornvalda
918;Spanish Data Protection Authority (aepd);Spain;24.11.21;9000;UNION FINANCIERA ASTURIANA S.A. E.F.C.;Yes;"	Union Financiera Asturiana, Sociedad Anonima Establecimiento Financiero De Credito";Spain;Finance & Insurance;716000;22;Private;Yes;Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) fined UNION FINANCIERA ASTURIANA S.A. E.F.C.. The controller had carried out a credit check on the data subject without any contractual basis for doing so. The original fine of EUR 15,000 was reduced to EUR 9,000 due to voluntary payment and admission of guilt.;https://www.aepd.es/es/documento/ps-00467-2021.pdf
921;Spanish Data Protection Authority (aepd);Spain;29.11.21;4000;TIGERS MARKET, S.L.;Yes;TIGERS MARKET, S.L.;Spain;Advertising & Marketing;NA;NA;Private;Yes;Art. 48 (1) b) LGT, Art. 21 GDPR, Art. 23 LOPDGDD;Insufficient fulfilment of data subjects rights;The Spanish DPA (AEPD) imposed a fine of EUR 4,000 on TIGERS MARKET, S.L.. The data subject had received advertising calls from the controller, although the data subject was registered in the Robinson advertising exclusion list.;https://www.aepd.es/es/documento/ps-00489-2021.pdf
922;Spanish Data Protection Authority (aepd);Spain;29.11.21;1000;Restaurant owner;No;NA;NA;Restaurants, Cafes & Bars;NA;NA;NA;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;The Spanish DPA (AEPD) has fined a restaurant owner EUR 1,000 for failing to provide information signs about CCTV surveillance in the establishment.;https://www.aepd.es/es/documento/ps-00305-2021.pdf
923;Spanish Data Protection Authority (aepd);Spain;30.11.21;1500;Neighborhood community;No;NA;NA;NA;NA;NA;NA;Yes;Art. 5 (1) c) GDPR;Non-compliance with general data processing principles;The Spanish DPA (AEPD) fined a neighborhood community. The controller had installed video cameras on their private property in such a way that they could capture images of the public space and the neighbor's private property. The AEPD considered this to be a violation of the principle of data minimization.;https://www.aepd.es/es/documento/ps-00349-2021.pdf
924;Spanish Data Protection Authority (aepd);Spain;30.11.21;5000;ASOCIACION ESPANOLA PARA LA ENSENANZA ONLINE;Yes;ASOCIACION ESPANOLA PARA LA ENSENANZA ONLINE;Spain;Education;NA;NA;Other;Yes;Art. 17 (1) GDPR, Art. 21 LSSI;Insufficient fulfilment of data subjects rights;The Spanish DPA (AEPD) has fined ASOCIACION ESPANOLA PARA LA ENSENANZA ONLINE in the amount of EUR 5,000. A data subject had indicated that he had objected to further newsletter subscription and had requested the controller to delete all of his data. However, he continued to receive advertisements from the data controller.;https://www.aepd.es/es/documento/ps-00417-2021.pdf
925;Spanish Data Protection Authority (aepd);Spain;30.11.21;20000;DAVISER SERVICIOS, S.L.;Yes;Daviser Servicios Srl;Spain;Services;2200000;38;Private;Yes;Art. 5 (1) c) GDPR;Non-compliance with general data processing principles;The Spanish DPA (AEPD) has imposed a fine of EUR 20,000 on DAVISER SERVICIOS, S.L.. The company had been processing biometric data (fingerprints) of employees for access to certain rooms, although less intrusive means (such as key cards) could have been used to protect the privacy of the data subjects. The AEPD found that the controller had violated the principle of data minimization.;https://www.aepd.es/es/documento/ps-00010-2021.pdf
926;Spanish Data Protection Authority (aepd);Spain;30.11.21;5000;ASOCIACION ESPANOLA PARA LA ENSENANZA ONLINE;Yes;ASOCIACION ESPANOLA PARA LA ENSENANZA ONLINE;Spain;Education;NA;NA;Other;Yes;Art. 17 (1) GDPR, Art. 21 LSSI;Insufficient fulfilment of data subjects rights;The Spanish DPA (AEPD) has fined ASOCIACION ESPANOLA PARA LA ENSENANZA ONLINE in the amount of EUR 5,000. A data subject had indicated that he had objected to further newsletter subscription and had requested the controller to delete all of his data. However, he continued to receive advertisements from the data controller.;https://www.aepd.es/es/documento/ps-00424-2021.pdf
927;Lithuanian Data Protection Authority (VDAI);Lithuania;29.11.21;110000;UAB Prime Leasing;Yes;Prime Leasing Uab;Lithuania;Transportation & Logistics;7500000;49;Private;Yes;Art. 32 (1) b), d) GDPR;Insufficient technical and organisational measures to ensure information security;"The Lithuanian DPA has fined UAB Prime Leasing, the operator of the short-term car rental platform CityBee, EUR 110,000. The DPA conducted the investigation on its own initiative after information about a possible personal data breach (Art. 33 GDPR) of the company's customers became public in February 2021. According to the company, they learned about the security breach from another cybersecurity service provider who informed them that the customer data of 110,302 CityBee users had been published on the website of the hacking forum RaidForums.com. This included data such as names, addresses, phone numbers, email addresses, personal identification numbers, driver's license numbers, type of payment card and the last four digits of the card number of the data subjects. 

The DPA's investigation revealed that the published data originated from an unsecured backup copy of a database. 

The DPA found that the data breach occurred due to the company's failure to comply with its obligation to implement technical and organizational measures to ensure a level of security appropriate to the risk to data subjects. 

The company had, for example, failed to appoint a person with appropriate competence to be responsible for security and risk management.  It had also failed to ensure that accesses to database files were logged and evaluated. 
In addition, the company had stored the database unencrypted, so that a person with technical knowledge could have had full access to the data in the file after downloading it. The personal codes in the database were furthermore stored unprotected and the passwords in the database were only encrypted with an encryption algorithm that was considered insecure.";https://vdai.lrv.lt/lt/naujienos/automobiliu-nuomos-bendrovei-skirta-bauda-del-duomenu-saugumo-pazeidimo-pagal-bendraji-duomenu-apsaugos-reglamenta
928;Italian Data Protection Authority (Garante);Italy;28.10.21;2000;OTTO s.r.l.;Yes;OTTO srl;Italy;Retail & Trade;NA;NA;Private;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;The Italian DPA (Garante) has imposed a fine of EUR 2,000 on OTTO s.r.l.. During an administrative inspection of a store managed by OTTO, the police found that a video surveillance system with three cameras was installed in the store. However, it found that the controller had not provided sufficient information on the presence of the CCTV. The DPA considered this to be a violation of Art. 13 GDPR.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9721784
929;Italian Data Protection Authority (Garante);Italy;28.10.21;2000;Anfiteatro Flavio s.r.l.;Yes;Anfiteatro Flavio srl;Italy;Accommodation;NA;NA;Private;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;The Italian DPA (Garante) has imposed a fine of EUR 2,000 on Anfiteatro Flavio s.r.l.. During an administrative inspection of a hotel managed by Anfiteatro Flavio, the police found that a video surveillance system with three cameras was installed in the store. However, it found that the controller had not provided sufficient information on the presence of the CCTV. The DPA considered this to be a violation of Art. 13 GDPR.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9721758
930;Information Commissioner (ICO);United Kingdom;25.11.21;585000;Cabinet Office;No;NA;NA;Politics & Government;NA;NA;Other;Yes;Art. 5 (1) f) GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;"The UK DPA (ICO) has fined the Cabinet Office EUR 585,000. 

On December 27, 2019, the Cabinet Office published a file on GOV.UK containing the names and uncensored addresses of more than 1,000 individuals who had received New Year's honors. Individuals from a wide range of professions across the United Kingdom were affected, including individuals with a high public profile.

After learning of the data breach, the Cabinet Office removed the web link to the file. However, the file was still in the cache and was accessible online to people who had the exact website address.

The disclosed personal data was available online for two hours and 21 minutes and had been accessed 3,872 times.

The breach occurred due to an error in the setup of the Cabinet Office's new IT system. 

The ICO found that the Cabinet Office failed to take appropriate technical and organizational measures to ensure a level of protection appropriate with the risk to data subjects.";https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/12/cabinet-office-fined-500-000-for-new-year-honours-data-breach/
931;Italian Data Protection Authority (Garante);Italy;29.09.21;2000;Physician;No;NA;NA;NA;NA;NA;NA;Yes;Art. 5 (1) a) GDPR, Art. 9 GDPR;Insufficient legal basis for data processing;"The Italian DPA (Garante) has fined a physician EUR 2,000. A patient had complained to the DPA that the doctor had disclosed his personal data to third parties without authorization. The doctor had recommended medical products to the data subject as part of his treatment. A few days later, the data subject received a call from the marketing consultant behind the recommended products. The data subject pointed out that he had never given his consent to the disclosure of his data. 

The Garante states that no specific consent is required for the processing of personal data necessary for medical treatment. Here, however, the data was processed for the purpose of product promotion, and therefore explicit consent would have been required under Art. 9 GDPR. The physician thus processed the data unlawfully.";https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9720448
932;Italian Data Protection Authority (Garante);Italy;14.10.21;8000;Health Protection Agency of Sardinia (ATS);Yes;Health Protection Agency of Sardinia;Italy;Politics & Government;NA;NA;Other;Yes;Art. 5 GDPR, Art. 9 GDPR;Insufficient legal basis for data processing;The Italian DPA (Garante) has imposed a fine of EUR 8,000 on the Health Protection Agency of Sardinia (ATS). A patient had mistakenly received medical records and clinical documentation from another patient in his own file.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9722265
933;Spanish Data Protection Authority (aepd);Spain;01.12.21;5000;INTRODUCTION BUSINESS CAPITAL MEDIA, S.L.;Yes;INTRODUCTION BUSINESS CAPITAL MEDIA, S.L.;Spain;Advertising & Marketing;NA;NA;Private;Yes;Art. 48 (1) b) LGT, Art. 21 GDPR, Art. 23 LOPDGDD;Insufficient fulfilment of data subjects rights;The Spanish DPA (AEPD) imposed a fine of EUR 5,000 on INTRODUCTION BUSINESS CAPITAL MEDIA, S.L.. The data subject had received advertising calls from the controller, although the data subject was registered in the Robinson advertising exclusion list.;https://www.aepd.es/es/documento/ps-00459-2021.pdf
934;Spanish Data Protection Authority (aepd);Spain;02.12.21;2000;IMAGINA FRAN SPORT, S.L.;Yes;IMAGINA FRAN SPORT, S.L.;Spain;E-Commerce;NA;NA;Private;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;The Spanish DPA (AEPD) fined IMAGINA FRAN SPORT, S.L. EUR 2,000 due to the fact that its privacy policy did not comply with the requirements of Art. 13 GDPR. For instance, the website contained outdated information.;https://www.aepd.es/es/documento/ps-00384-2021.pdf
935;Spanish Data Protection Authority (aepd);Spain;23.11.21;40000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) imposed a fine on Vodafone Espana, S.A.U. due to insufficient legal basis for data processing.  A data subject had filed a complaint against the data controller due to the fact that telephone lines were registered in his name, although he had never concluded contracts with the company for any of these lines. Vodafone had accidentally assigned the data of the data subject to the contracts of another Vodafone customer, which is why the contracts went under his name. Against this background, the DPA considered the processing of the data subject's data by Vodafone to be unlawful. The original fine of EUR 50,000 was reduced to EUR 40,000 due to voluntary payment.;https://www.aepd.es/es/documento/ps-00280-2021.pdf
936;Spanish Data Protection Authority (aepd);Spain;23.11.21;40000;Vodafone Espana, S.A.U.;Yes;Vodafone Group Plc;United Kingdom;Telecommunications;43300000000;105000;Public;No;Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has imposed a fine on Vodafone Espana, S.A.U.. A data subject had filed a complaint with the DPA as the controller had transferred her cell phone line to another person without her consent due to a technical error. In addition, the data subject's account was debited with amounts that belonged to a third party's phone line. The DPA found that Vodafone had unlawfully processed the data subject's data. The original fine of EUR 50,000 was reduced to EUR 40,000 due to voluntary payment.;https://www.aepd.es/es/documento/ps-00269-2021.pdf
937;Spanish Data Protection Authority (aepd);Spain;02.11.21;2000;COOPERA RC SERVICES, S.L.;Yes;COOPERA RC SERVICES, S.L.;Spain;Services;NA;NA;Private;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;The Spanish DPA (AEPD) has imposed a fine of EUR 2,000 on COOPERA RC SERVICES. The controller had not provided sufficient contact details through which data subjects could exercise their rights.;https://www.aepd.es/es/documento/ps-00452-2021.pdf
944;Spanish Data Protection Authority (aepd);Spain;03.12.21;1000;Store owner;No;NA;NA;Retail & Trade;NA;NA;NA;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;The Spanish DPA (AEPD) has fined a store owner EUR 1,000 for failing to provide information signs about CCTV surveillance in the establishment.;https://www.aepd.es/es/documento/ps-00306-2021.pdf
945;Spanish Data Protection Authority (aepd);Spain;07.12.21;24000;NBQ Technology, S.A.U.;Yes;Nbq Technology Sau;Spain;Finance & Insurance;6600000;32;Private;Yes;Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has fined NBQ Technology, S.A.U.. A data subject filed a complaint with the DPA against the company after they had denied him a financial transaction due to alleged outstanding payments on a loan. As it turned out, an identity thief had obtained the data subject's data without authorization and applied for a loan from the data controller under pretense of the data subject's identity. The controller then approved the loan. Since the data processed in the course of granting the loan did not belong to the borrower but to the data subject, the AEPD found that the controller had no legal basis for processing the data. The processing was therefore unlawful and a breach of Art. 6 (1) GDPR was affirmed. The original fine of EUR 40,000 was reduced to EUR 24,000 due to the immediate payment and the admission of guilt.;https://www.aepd.es/es/documento/ps-00487-2021.pdf
946;Dutch Supervisory Authority for Data Protection (AP);Netherlands;25.11.21;2750000;Dutch Minister of Finance;No;Dutch Minister of Finance;Denmark;Politics & Government;NA;NA;Other;No;Art. 5 (1) a) GDPR, Art. 6 (1) e) GDPR, Art. 8 Wbp;Insufficient legal basis for data processing;"The Dutch DPA (AP) has fined the Minister of Finance EUR 2,75 million. 

In the context of childcare benefit applications, tax offices had processed data on the dual nationality of applicants for several years.

However, the DPA found that the data on dual nationality of Dutch citizens would not have been necessary when assessing an application for childcare benefits.

The said data had also been processed for the purpose of combating organized fraud and for automatic classification in the authority's risk system. However, even for these purposes, the processing would not have been necessary. 

For this reason, the tax and customs administration should have deleted the data on dual nationality as early as January 2014. Nevertheless, as of May 2018, the dual citizenship data of a total of 1,4 million people were still registered in the systems of the tax and customs administration.

The DPA therefore found that the data had been unlawfully processed due to the lack of a valid legal basis. Furthermore the DPA stated that the data subjects had been discriminated against on the basis of their nationality.";https://autoriteitpersoonsgegevens.nl/nl/nieuws/boete-belastingdienst-voor-discriminerende-en-onrechtmatige-werkwijze
948;Norwegian Supervisory Authority (Datatilsynet);Norway;24.11.21;98000;Norwegian State Pension Fund (SPK);Yes;Statens pensjonsfond;Norway;Politics & Government;NA;NA;Other;Yes;Art. 5 (1) c), e) GDPR, Art. 6 (1) GDPR, Art. 9 (2) GDPR;Insufficient legal basis for data processing;The Norwegian DPA has imposed a fine of EUR 98,000 on the Norwegian State Pension Fund (SPK). The controller had notified the DPA of a data breach pursuant to Art. 33 GDPR. The DPA found that the controller had unlawfully collected certain income information since 2016. For example, the controller had collected health-related information on disability pensions, although this was not required.  Approximately 24,000 individuals were affected by these incidents. In addition, the DPA found that SPK did not implement routines to review and delete excessive information collected until 2019.;https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2021/vedtak-om-overtredelsesgebyr-til-statens-pensjonskasse/
949;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;13.12.21;2000;SC Nobiotic Pharma SRL;Yes;SC Nobiotic Pharma SRL;Romania;Wholesale;58894;3;Private;Yes;Art. 58 (1) GDPR;Insufficient cooperation with supervisory authority;Failure to provide requested information to the Romanian DPA within the required timeframe in violation of Art. 58 GDPR.;https://www.dataprotection.ro/?page=Comunicat_Presa_13_12_2021&lang=ro
950;Norwegian Supervisory Authority (Datatilsynet);Norway;13.12.21;6300000;Grindr LLC;Yes;Grindr Llc;United States;IT Services;NA;3;Private;No;Art. 6 (1) GDPR, Art. 9 (1) GDPR;Insufficient legal basis for data processing;"The Norwegian DPA has fined Grindr LLC EUR 6.3 million. Grindr is a location-based social networking app designed for gay, bi, trans and queer people.  In 2020, the Norwegian Consumer Protection Authority filed a complaint against Grindr with the Norwegian DPA, alleging that the portal had shared information about users' GPS location, IP address, cell phone advertising ID, age and gender with several third parties for marketing purposes. 

Under GDPR, consent is required for the sharing of this personal data. However, during its investigation, the DPA found that the consent collected by Grindr was not valid. 

Users had to accept the privacy policy in order to use the app, but were not explicitly asked whether they would consent to their data being shared with third parties for marketing purposes. In addition, the information about the disclosure of personal data was not clear or accessible enough for users. 


The DPA points out that this type of data may identify a Grindr user as a member of a sexual minority. Grindr users would sometimes want to use the app anonymously without, for example, giving their full name or uploading a photo of themselves. With the sexual orientation of the users, a special category of personal data, which is subject to a particularly high level of protection, was therefore also affected. 

The DPA therefore considers the infringement to be a particularly serious case that justifies a deterrent high fine. Business models based on behavior-based marketing are widespread in the digital economy, making it important that the fines for GDPR violations are deterrent.";https://www.datatilsynet.no/contentassets/8ad827efefcb489ab1c7ba129609edb5/administrative-fine---grindr-llc.pdf
952;Deputy Data Protection Ombudsman;Finland;07.12.21;608000;Psykoterapiakeskus Vastaamo;Yes;Psykoterapiakeskus Vastaamo Oy;Finland;Healthcare;13500000;260;Private;Yes;Art. 5 (1) f) GDPR, Art. 33 (1) GDPR, Art. 34 (1) GDPR;Non-compliance with general data processing principles;"The Finnish DPA has fined Vastaamo psychotherapy center EUR 608,000. In September 2020, the psychotherapy center reported an attack on its patient database to the DPA. An unauthorized third party had gained access to Vastaamo's medical database on at least two occasions, in December 2018 and March 2019. The attacker had also siphoned off data and left a ransom note on the servers. Due to insufficient logging, neither the exact date of the breach nor the network addresses used by the attacker could be identified.

The most likely cause of the medical database leak was an unprotected port on the database where the root user account of the database was not password protected. The patient database server was open to the Internet without firewall protection during the period between November 26, 2017, and March 13, 2019.

For this reason, the DPA determined that the personal data were not adequately protected against unauthorized and unlawful processing or accidental loss, destruction, or damage, and that the controller had not implemented basic measures for the secure processing of personal data.

As part of its investigation, the DPA also determined that the controller must have known as early as March 2019 that data in the patient information system had been lost and could have been compromised by an external attacker. Vastaamo should have immediately reported the security breach to both the DPA and its patients. However, Vastaamo was significantly late in meeting this obligation. 

The fine is composed proportionately of EUR 145, 600 for the breach of Art. 33 (1) GDPR, EUR 145, 600 for the breach of Art. 34 (1) GDPR and EUR 316, 800 for the breach of Art. 5 (1) f) GDPR.";https://finlex.fi/fi/viranomaiset/tsv/2021/20211183
954;Danish Data Protection Authority (Datatilsynet);Denmark;16.12.21;13450;Municipality of Frederiksberg;Yes;Frederiksberg Kommune;Denmark;Politics & Government;107800000;1000;Other;Yes;Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;"The Danish DPA has fined the municipality of Frederiksberg EUR 13,450. On March 1, 2021, the municipality reported a data breach under Art. 33 GDPR. 

The municipality's dental care service had operated a system through which parents could access their children's dental care letters online. The municipality then extended this access to parents with joint custody. As a result, in several cases, parents gained access to information about the other parent and the child's address, even though the affected parent and child were registered with name and address protection.
The DPA considered this to be a breach of the municipality's duty to implement adequate technical and organizational measures to ensure a level of security appropriate to the risk to the data subjects.";https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2021/dec/frederiksberg-kommune-indstilles-til-boede
955;Hungarian National Authority for Data Protection and the Freedom of Information (NAIH);Hungary;27.10.21;13500;Car importer;No;NA;NA;Retail & Trade;NA;NA;NA;Yes;Art. 5 (1), (2) GDPR, Art. 6 (1) GDPR, Art. 12 (1) GDPR, Art. 13 GDPR;Insufficient legal basis for data processing;The Hungarian DPA imposed a fine of EUR 13,500 on a car importer. A customer of one of the company's authorized repair shops filed a complaint with the DPA due to receiving unsolicited emails related to customer surveys from the company after a car inspection. The Hungarian DPA found that the controller did not have a valid legal basis to contact the data subject. It also found that the controller had not complied with its duty to inform under Art. 12 GDPR and Art. 13 GDPR. The emails did not contain any contact information of the controller, for example.;https://naih.hu//hatarozatok-vegzesek?download=469:jogos-erdekre-alapitott-ugyfelelegedettseg-meres-adatvedelmi-megfelelesenek-ertekelese
956;Spanish Data Protection Authority (aepd);Spain;14.12.21;50000;IZA OBRAS Y PROMOCIONES, S.A.;Yes;Iza Obras Y Promociones Sa;Spain;Building Construction;11300000;30;Private;Yes;Art. 5 (1) c) GDPR;Non-compliance with general data processing principles;The Spanish DPA has fined IZA OBRAS Y PROMOCIONES, S.A. EUR 50,000. An employee had filed a complaint with the DPA against the company, alleging that the controller had unauthorizedly disclosed his personal data to another company from which it had received a construction order. The data subject was working as a construction manager on the project, but was absent from work for a period of time due to illness. The controller therefore informed its client and additionally disclosed the data subject's email address and certain health information. The DPA determined that the disclosure of this data would not have been necessary and that the controller had therefore violated the principle of data minimization.;https://www.aepd.es/es/documento/ps-00324-2021.pdf
957;Hellenic Data Protection Authority (HDPA);Greece;08.12.21;30000;One Way Private Company;Yes;One Way Private Company;Greece;Science & Research;8800000;35;Private;Yes;Art. 28 (3) c) GDPR, Art. 32 (2), (4) GDPR, Art. 11 (1) ????? 3471/2006;Insufficient technical and organisational measures to ensure information security;The Hellenic DPA has imposed a fine of EUR 30,000 on One Way Private Company. The DPA received 17 complaints regarding illegal telephone calls for the purpose of advertising. The DPA found that due to an error in the controller's application, telephone calls were made to subscribers included in the list for protection against unsolicited telephone advertising 'Register 11'. The DPA concluded that the controller had failed to implement technical and organizational measures to ensure a level of security appropriate to the risk to the data subjects.;https://www.dpa.gr/sites/default/files/2021-12/52_2021anonym.pdf
959;Spanish Data Protection Authority (aepd);Spain;17.12.21;2000;Online retailer;No;NA;NA;E-Commerce;NA;NA;NA;Yes;Art. 6 GDPR;Insufficient legal basis for data processing;The Spanish DPA has imposed a fine of EUR 2,000 on an online retailer. The data subject bought a product from the controller's online store via eBay and paid with Paypal. However, he received the order via Amazon. Since the data subject had not consented to the transfer of his data to Amazon, the DPA concluded that the controller had processed the data unlawfully.;https://www.aepd.es/es/documento/ps-00300-2021.pdf
960;Norwegian Supervisory Authority (Datatilsynet);Norway;17.12.21;3900;T. Stene Transport AS;Yes;T. Stene Transport AS;Norway;Transportation & Logistics;710958;6;Private;Yes;NA;NA;The Norwegian DPA has fined T. Stene Transport AS EUR 3,900 due to an unfair credit check on a data subject.;https://www.datatilsynet.no/regelverk-og-verktoy/lover-og-regler/avgjorelser-fra-datatilsynet/2021/gebyr-og-palegg-om-a-etablere-rutiner-etter-urettmessig-kredittvurdering/
964;Spanish Data Protection Authority (aepd);Spain;23.12.21;1500;LA OFICINA BAR;Yes;LA OFICINA BAR;Spain;Restaurants, Cafes & Bars;NA;NA;Private;Yes;Art. 5 (1) c) GDPR;Non-compliance with general data processing principles;The Spanish DPA (AEPD) fined LA OFICINA BAR. The bar operated a video surveillance system in which the observation angle of the cameras extended into the public traffic area. The DPA considered this to be a violation of the principle of data minimization.;https://www.aepd.es/es/documento/ps-00389-2021.pdf
966;Spanish Data Protection Authority (aepd);Spain;22.12.21;5000;Sfam Espana General s.l.;Yes;Sfam Espana General s.l.;Spain;Finance & Insurance;NA;NA;Private;Yes;Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has imposed a fine of EUR 5,000 on Sfam Espana General s.l.. A data subject had filed a complaint with the DPA against the controller for charging her several services that she had not ordered.;https://www.aepd.es/es/documento/ps-00536-2021.pdf
967;Spanish Data Protection Authority (aepd);Spain;22.12.21;5000;HUBSIDE IBERICA S.L.;Yes;Hubside Iberica Sl.;Spain;Telecommunications;1400000;30;Private;Yes;Art. 6 (1) GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has imposed a fine of EUR 5,000 HUBSIDE IBERICA S.L.. A data subject had filed a complaint with the DPA against the controller for charging her several services that she had not ordered.;https://www.aepd.es/es/documento/ps-00537-2021.pdf
968;Spanish Data Protection Authority (aepd);Spain;16.12.21;60000;Banco Bilbao Vizcaya Argentaria S.A.;Yes;Banco Bilbao Vizcaya Argentaria SA;Spain;Banks;31800000000;123174;Public;Yes;Art. 6 GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has imposed a fine on Banco Bilbao Vizcaya Argentaria S.A.. A data subject filed a complaint with the DPA due to the fact that the controller repeatedly sent him SMS messages about non-payments, although he had no contractual relationship with the controller.  The controller stated that the unsolicited SMS messages were sent due to human error on part of its employees. The original fine of EUR 100,000 was reduced to EUR 60,000 due to voluntary payment and admission of guilt.;https://www.aepd.es/es/documento/ps-00427-2021.pdf
969;Spanish Data Protection Authority (aepd);Spain;28.12.21;2000;VENTANAS MAKE YOURSELF, S.L.;Yes;VENTANAS MAKE YOURSELF, S.L.;Spain;E-Commerce;NA;NA;Private;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;The corporate website did not present a privacy policy on its main page.;https://www.aepd.es/es/documento/ps-00404-2021.pdf
971;French Data Protection Authority (CNIL);France;28.12.21;180000;SLIMPAY;Yes;SlimPay SA;France;IT Services;NA;90;Private;Yes;Art. 28 GDPR, Art. 32 GDPR, Art. 34 GDPR;Insufficient technical and organisational measures to ensure information security;"The French DPA (CNIL) has imposed a fine of EUR 180,000 on the payment institution SLIMPAY. 
In 2015, SLIMPAY conducted an internal research project in which it processed personal data in its databases. When the research project ended in July 2016, the data remained stored on a server, without any security measures and freely accessible on the Internet. The data breach affected about 12 million people.

During its investigation, the CNIL found that the company had failed to implement appropriate technical and organizational measures to ensure a level of security commensurate with the risk to data subjects. Thus, the server access was not subject to any security measures, so that it was possible to access it via the Internet between November 2015 and February 2020

In addition, the DPA found that the company had failed to inform the data subjects about the data breach. 

The CNIL also found that in several cases, contracts the company had concluded with processors were inadequately drafted, as they did not include certain envisaged clauses obliging the processors to process personal data in accordance with the requirements of the GDPR.";https://www.cnil.fr/fr/node/121960
972;French Data Protection Authority (CNIL);France;28.12.21;300000;FREE MOBILE;Yes;Iliad SA;France;Telecommunications;5400000000;14722;Public;Yes;Art. 12 GDPR, Art. 15 GDPR, Art. 21 GDPR, Art. 25 GDPR, Art. 32 GDPR;Insufficient fulfilment of data subjects rights;"The French DPA (CNIL) has imposed a fine of EUR 300,000 on FREEE MOBILE. 

The CNIL had received numerous complaints regarding the company's failure to comply with data subjects' rights. 

During its investigation, the CNIL found that the company had failed to respond to data subjects' requests in a timely manner. In addition, the company failed to comply with the data subjects' right to object, as it continued to send advertisements to the data subjects despite them having exercised their right to object. 
In addition, the CNIL found that the company had failed to implement adequate technical and organizational measures to ensure a level of security appropriate to the risk to the data subjects. For example, it had sent users passwords by email in clear text.";https://www.cnil.fr/fr/node/121974
973;Spanish Data Protection Authority (aepd);Spain;28.12.21;2000;Call shop manager;No;NA;NA;Advertising & Marketing;NA;NA;NA;Yes;Art. 13 GDPR;Insufficient fulfilment of information obligations;The Spanish DPA has imposed a fine of EUR 2,000 on the manager of a call shop. In the context of a job vacancy, the manager had set up a stand where applicants could submit their application documents for a fee of one euro. In this context, the manager did not properly inform the data subjects about the processing of their personal data as required by Art. 13 GDPR.;https://www.aepd.es/es/documento/ps-00390-2021.pdf
974;Norwegian Supervisory Authority (Datatilsynet);Norway;13.12.21;20000;Elektro & Automasjon Systemer AS;Yes;Eas / Elektro & Automasjon Systemer As;Norway;IT Services;3100000;30;Private;Yes;Art. 6 (1) f) GDPR;Insufficient legal basis for data processing;The Norwegian DPA (Datatilsynet) fined Elektro & Automasjon Systemer AS EUR 20,000. The controller had carried out a credit check on an individual, although there was no legal basis for doing so.;https://www.datatilsynet.no/regelverk-og-verktoy/lover-og-regler/avgjorelser-fra-datatilsynet/2022/gebyr-til-elektro--automasjon-systemer-as/
975;Italian Data Protection Authority (Garante);Italy;02.12.21;30000;Ica s.r.l.;Yes;Ica srl;Italy;IT Services;NA;800;Private;Yes;Art. 5 (1) f) GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The Italian DPA (Garante) has fined ICA s.r.l. EUR 30,000. The municipality of Collegno had implemented a system developed by ICA through which citizens could pay fines for traffic violations. However, due to a lack of security precautions, it was theoretically possible for unauthorized persons to access personal data stored via the program. For this reason, the DPA found that ICA had failed to implement appropriate technical and organizational measures providing a level of security commensurate with the risk posed to the data subject.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9733053
976;Italian Data Protection Authority (Garante);Italy;11.11.21;150000;TIM S.p.A.;Yes;TIM S.p.A.;Italy;Telecommunications;17980000000;55198;Public;Yes;Art. 15 GDPR;Insufficient fulfilment of data subjects rights;The Italian DPA (Garante) has fined mobile operator TIM S.p.A. EUR 150,000 for denying a data subject access to his phone data needed to defend himself in a criminal case. Since the data subject received no response to his repeated requests to the company, he turned to the DPA to obtain the data in time for the hearing in the criminal proceedings.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9722894
977;Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP);Romania;06.12.21;6000;Telekom Romania Communications SA;Yes;Deutsche Telekom AG;Germany;Telecommunications;97600000000;226291;Public;No;Art. 5 (1) d), f) GDPR, Art. 5 (2) GDPR, Art. 17 GDPR;Non-compliance with general data processing principles;"The Romanian DPA (ANSPDCP) imposed a fine of EUR 6,000 on Telekom Romania Communications SA. 
A data subject had complained that the controller had sent invoices and messages to his email address informing him of another person's payment arrears.
During the investigation, the DPA found that the controller had collected and processed certain personal data in error, resulting in the unlawful disclosure of the personal data.
At the same time, the DPA found that the controller had not taken the necessary measures to comply with the data subject's request for deletion of his personal data. The fine is composed proportionally EUR 5,000 for a breach of Art. 5 (1) d), f) GDPR, Art. 5 (2) GDPR and EUR 1,000 for a breach of Art. 17 GDPR.";https://www.dataprotection.ro/?page=Comunicat_Presa_06_12_2021_2&lang=ro
978;French Data Protection Authority (CNIL);France;31.12.21;90000000;Google LLC;Yes;Google LLC;United States;IT Services;66000000000;139995;Public;No;Art. 82 loi Informatique et Libertes;Insufficient legal basis for data processing;"On December 31, 2021, the French DPA (CNIL) imposed a fine of EUR 90,000 on GOOGLE LLC. 

The CNIL received several complaints regarding the manner in which cookies could be refused on the websites of google.fr and youtube.com.

The CNIL subsequently conducted an online review of the websites and found that, although the websites offered a button to accept cookies immediately, there was no equivalent solution that would allow the Internet user to reject the deposit of cookies just as easily. Rather, several clicks were required to reject all cookies, in contrast to a single click to accept them.

From this, the CNIL concluded that users would accept the deposit of cookies out of convenience with more frequency. It considered that the design of the cookie deposit interferes with the freedom of consent of Internet users and constitutes a violation of Art. 82 of the French Law on Informatics and Freedoms.

In determining the fine, the fact that a large number of people were affected was taken into account in an aggravating manner. In addition, the CNIL took into account the significant profits that the companies were able to make from the advertising revenue generated indirectly from the data collected through cookies.

The CNIL also pointed to the fact that the authority had already alerted the GOOGLE companies to this breach in February 2021. 

In addition to the fine, the CNIL issued an order requiring the company to provide Internet users in France with a way to reject cookies as easily as they can accept them, within three months of being notified of the decision. Otherwise, companies would face the payment of a penalty of EUR 100,000 per day of delay.";https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000044840532
979;French Data Protection Authority (CNIL);France;31.12.21;60000000;Google Ireland Ltd.;Yes;Google LLC;United States;IT Services;66000000000;139995;Public;No;Art. 82 loi Informatique et Libertes;Insufficient legal basis for data processing;"On December 31, 2021, the French DPA (CNIL) imposed a fine of EUR 60,000 on Google Ireland Ltd.

The CNIL received several complaints regarding the manner in which cookies could be refused on the websites of google.fr and youtube.com.

The CNIL subsequently conducted an online review of the websites and found that, although the websites offered a button to accept cookies immediately, there was no equivalent solution that would allow the Internet user to reject the deposit of cookies just as easily. Rather, several clicks were required to reject all cookies, in contrast to a single click to accept them.

From this, the CNIL concluded that users would accept the deposit of cookies out of convenience with more frequency. It considered that the design of the cookie deposit interferes with the freedom of consent of Internet users and constitutes a violation of Art. 82 of the French Law on Informatics and Freedoms.

In determining the fine, the fact that a large number of people were affected was taken into account in an aggravating manner. In addition, the CNIL took into account the significant profits that the companies were able to make from the advertising revenue generated indirectly from the data collected through cookies.

The CNIL also pointed to the fact that the authority had already alerted the GOOGLE companies to this breach in February 2021. 

In addition to the fine, the CNIL issued an order requiring the company to provide Internet users in France with a way to reject cookies as easily as they can accept them, within three months of being notified of the decision. Otherwise, companies would face the payment of a penalty of EUR 100,000 per day of delay.";https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000044840532
980;French Data Protection Authority (CNIL);France;31.12.21;60000000;Facebook Ireland Ltd.;Yes;Meta Platforms, Inc;United States;IT Services;103164000000;71970;Public;No;Art. 82 loi Informatique et Libertes;Insufficient legal basis for data processing;"On December 31, 2021, the French DPA (CNIL) imposed a fine of EUR 60,000 on Facebook Ireland Ltd.

The CNIL received several complaints regarding the manner in which cookies could be refused on the website of Facebook.com.

The CNIL subsequently conducted an online review of the websites and found that, although the websites offered a button to accept cookies immediately, there was no equivalent solution that would allow the Internet user to reject the deposit of cookies just as easily. Rather, several clicks were required to reject all cookies, in contrast to a single click to accept them.

From this, the CNIL concluded that users would accept the deposit of cookies out of convenience with more frequency. It considered that the design of the cookie deposit interferes with the freedom of consent of Internet users and constitutes a violation of Art. 82 of the French Law on Informatics and Freedoms.

In determining the fine, the fact that a large number of people were affected was taken into account in an aggravating manner. In addition, the CNIL took into account the significant profits that the companies were able to make from the advertising revenue generated indirectly from the data collected through cookies.

The CNIL also pointed to the fact that the authority had already alerted the the company to this breach in February 2021. 

In addition to the fine, the CNIL issued an order requiring the companies to provide Internet users in France with a way to reject cookies as easily as they can accept them, within three months of being notified of the decision. Otherwise, companies would face the payment of a penalty of EUR 100,000 per day of delay.";https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000044840532
983;Spanish Data Protection Authority (aepd);Spain;11.01.22;9000;EDUCANDO JUNTOS SL;Yes;EDUCANDO JUNTOS SL;Spain;Education;NA;NA;Private;Yes;Art. 6 (1) GDPR, Art. 17 GDPR;Insufficient legal basis for data processing;The Spanish DPA (AEPD) has imposed a fine of EUR 9,000 on EDUCANDO JUNTOS SL. The controller had published photos of an employee on some of its channels on social networks and its website. However, the controller had published the photos without having obtained the consent of the data subject. For this reason, the data subject repeatedly requested the removal of the photos from the social networks and the website. However, the controller did not comply with this request. The fine is made up of EUR 6,000 for a violation of Art. 6 (1) GDPR and EUR 3,000 for a violation of Art. 17 GDPR.;https://www.aepd.es/es/documento/ps-00119-2021.pdf
984;Polish National Personal Data Protection Office (UODO);Poland;09.12.21;10000;Warsaw University of Technology;Yes;Politechnika Warszawska;Poland;Education;182700000;5005;Other;Yes;Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 24 (1) GDPR, Art. 25 (1) GDPR, Art. 32 (1), (2) GDPR;Insufficient technical and organisational measures to ensure information security;The Polish DPA (UODO) has fined Warsaw University of Technology EUR 10,000. The university had reported a data breach to the authority pursuant to Art. 33 GDPR. One of the university's organizational units used an application created by university staff to register for courses and access teaching history, assessment of exam results and billing of fees. In early January 2020, an unauthorized person had downloaded a database from the application that contained personal data of students and faculty (over 5,000 individuals). In its investigation, the DPA found that the Unvierstat had failed to implement appropriate technical and organizational measures that ensured the security of personal data . The DPA also found that the university had not conducted a formal risk assessment.;https://uodo.gov.pl/decyzje/DKN.5130.2559.2020
985;Hellenic Data Protection Authority (HDPA);Greece;31.12.21;25000;PLUS REAL ADVERTISEMENT;Yes;PLUS REAL ADVERTISEMENT;Greece;Advertising & Marketing;NA;NA;Private;Yes;Art. 13 GDPR, Art. 14 GDPR, Art. 11 Law 3471/2006;Insufficient fulfilment of information obligations;The Hellenic DPA has imposed a fine of EUR 25,000 on PLUS REAL ADVERTISEMENT. The controller had conducted advertising calls without the consent of the data subjects. In addition, it did not properly inform the data subjects about the processing of their personal data, thereby violating its information obligations.;https://www.dpa.gr/sites/default/files/2022-01/57_2021anonym.pdf
986;Hellenic Data Protection Authority (HDPA);Greece;31.12.21;30000;INFO COMMUNICATION SERVICES;No;NA;NA;NA;NA;NA;NA;Yes;Art. 13 GDPR, Art. 14 GDPR, Art. 11 Law 3471/2006;Insufficient fulfilment of information obligations;The Hellenic DPA has imposed a fine of EUR 30,000 on INFO COMMUNICATION SERVICES. The controller had conducted advertising calls without the consent of the data subjects. In addition, it did not properly inform the data subjects about the processing of their personal data, thereby violating its information obligations.;https://www.dpa.gr/sites/default/files/2022-01/56_2021anonym.pdf
987;Data Protection Authority of Ireland;Ireland;02.12.21;60000;Irish Teacher Council;Yes;The Teaching Council;Ireland;Politics & Government;1200000;25;Other;Yes;Art. 5 (1) GDPR, Art. 32 (1) GDPR, Art. 33 GDPR;Insufficient technical and organisational measures to ensure information security;"The Irish DPA has imposed a fine of EUR 60,000 on the Irish Teaching Council. The Council notified the DPA of a data breach under Art. 33 of the GDPR. 

Accordingly, two employees of the Council accessed a phishing email that allowed them to set up an automatic forwarding system from their email accounts to a malicious email account. As a result, 323 emails were forwarded to the unauthorized external email address between February 17, 2020 and March 6, 2020. The emails contained the personal data of 9,735 data subjects and the sensitive personal data of one data subject.

The DPA therefore found that the Council had failed to implement appropriate technical and organizational measures to ensure a level of protection for data subjects' personal data commensurate with the risk. 

In addition, the DPA found that the Council failed to report the data breach in a timely manner.";https://www.dataprotection.ie/sites/default/files/uploads/2022-01/Redacted%20Final%20Decision%20The%20Teaching%20Council_20-04-01.pdf
988;Austrian Data Protection Authority (dsb);Austria;14.01.22;8000000;REWE International AG;Yes;REWE Markt GmbH;Germany;Retail & Trade;20900000000;52059;Private;No;NA;NA;The Austrian DPA has imposed a fine of EUR 8 million on REWE International AG. Just in the summer of 2021, the subsidiary 'Unser O-Bonus Club GmbH' received a fine of EUR 2 million. According to the 'Salzburger Nachrichten' newspaper, the fine is based on various violations of the GDPR. Further details about the incident are not known at the moment.;https://noe.orf.at/stories/3138575/
990;Hellenic Data Protection Authority (HDPA);Greece;29.12.21;75000;Greek Ministry of Tourism;Yes;Ministry of Tourism;Greece;Politics & Government;NA;NA;Other;Yes;Art. 13 GDPR, Art. 32 GDPR, Art. 33 GDPR, Art. 37 GDPR;Insufficient technical and organisational measures to ensure information security;"The Hellenic DPA has imposed a fine of EUR 75,000 on the Greek Ministry of Tourism. A data breach had occurred at the authority. According to the DPA, an attempt by a citizen to enter his or her credentials on the authority's online platform resulted in the display of someone else's credentials, including full name, tax number, social security number, postal address, phone number, email address, and fields indicating a disability. The DPA found that the ministry failed to implement adequate technical and organizational measures to secure personal data. 
The ministry failed to report the incident to the DPA. The DPA considered this to be a violation of Article 33 of the GDPR. 
The DPA's investigation also found that the Ministry of Tourism had not appointed a data protection officer, even though an email address of the authority's data protection officer was provided on the above-mentioned platform for communication with users of the platform. This email address, as it turned out, was not active.";https://www.dpa.gr/el/enimerwtiko/prakseisArxis/peristatiko-parabiasis-dedomenon-prosopikoy-haraktira-apo-ypoyrgeio
991;Italian Data Protection Authority (Garante);Italy;02.12.21;7000;Societa Med Store Saronno s.r.l.;Yes;Societa Med Store Saronno s.r.l.;Italy;Healthcare;NA;NA;Private;Yes;Art. 5 (1) f) GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The Italian DPA (Garante) has fined Societa Med Store Saronno s.r.l. EUR 7,000. The nursing home notified the DPA of a data breach pursuant to Art. 33 GDPR. The facility had suffered a cyber attack by a hacker who gained access to personal data and published it. This included publishing radiological images of patients on his Twitter account. The DPA's investigation revealed that the home had only secured the data with simple passwords. For this reason, the DPA found that the home had failed to implement appropriate technical and organizational measures to ensure a level of protection commensurate with the risk.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9734934
992;Italian Data Protection Authority (Garante);Italy;02.12.21;30000;Casa di cura Fondazione Gaetano e Piera Borghi s.r.l.;Yes;"	Casa Di Cura Fondazione Gaetano E Piera Borghi Srl";Italy;Healthcare;3200000;154;Private;Yes;Art. 5 (1) f) GDPR, Art. 32 GDPR;Insufficient technical and organisational measures to ensure information security;The Italian DPA (Garante) has fined Casa di cura Fondazione Gaetano e Piera Borghi s.r.l. EUR 30,000. The nursing home notified the DPA of a data breach pursuant to Art. 33 GDPR. The facility had suffered a cyber attack by a hacker who gained access to personal data and published it. This included publishing radiological images of patients on his Twitter account. The DPA's investigation revealed that the home had only secured the data with simple passwords. For this reason, the DPA found that the home had failed to implement appropriate technical and organizational measures to ensure a level of protection commensurate with the risk.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9734884
993;Italian Data Protection Authority (Garante);Italy;25.11.21;6000;Societa H San Raffaele Resnati s.r.l.;Yes;H San Raffaele Resnati Srl;Italy;Healthcare;21900000;80;Private;Yes;Art. 5 (1) f) GDPR, Art. 9 GDPR;Non-compliance with general data processing principles;The Italian DPA (Garante) has imposed a fine of EUR 6,000 on Societa H San Raffaele Resnati s.r.l. The DPA initiated an investigation against the health care provider after it reported a data breach to the DPA. A patient had mistakenly received medical records and clinical documentation from two other patients due to an error of an employee.;https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9732967
994;Belgian Data Protection Authority (APD);Belgium;16.12.21;75000;Bank;No;NA;NA;Banks;NA;NA;NA;Yes;Art. 38 (6) GDPR;Insufficient involvement of data protection officer;The Belgian DPA has imposed a fine of EUR 75,000 on a bank. The DPA identified a conflict of interest regarding the data protection officer. In addition to his work as data protection officer, he was also head of a department to which he had to report in his capacity as data protection officer. The DPA considered this to be a violation of Art. 38 (6) GDPR.;https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-141-2021.pdf
995;Portuguese Data Protection Authority (CNPD);Portugal;21.12.21;1250000;Lisbon City Council;Yes;Município De Lisboa;Portugal;Politics & Government;742600000;7677;Other;Yes;Art. 5 (1) a), c), e) GDPR, Art. 6 GDPR, Art. 9 (1) a) GDPR, Art. 13 (1), (2) GDPR, Art. 35 (3) GDPR;Insufficient legal basis for data processing;"The Portuguese DPA has imposed a fine of EUR 1.25 million on the Lisbon City Council. The fine is the sum of 225 fines from various violations committed by the municipality since 2018. 
The municipality had sent 111 notifications about demonstrations to various departments and offices within the municipality, as well as to third parties, to ensure that they could properly perform their public duties. The notices contained, among other things, sensitive data of the demonstrators and organizers of the demonstrations. The data revealed, among other things, the political opinion , religious or philosophical beliefs or sexual orientation of the data subjects. The DPA found that the transfer of the data would not have been necessary for the entities to properly perform their public tasks. Thus, the processing took place without a sufficient legal basis. In addition, the DPA found that the municipality had carried out the processing without informing the data subjects, without establishing a policy for the retention of their personal data, and without conducting a data protection impact assessment.";https://www.cnpd.pt/comunicacao-publica/noticias/cnpd-aplica-sancao-ao-municipio-de-lisboa/