GDPR fines and notices
The General Data Protection Regulation (GDPR) is a European Union regulation that specifies standards for data protection and electronic privacy in the European Economic Area, and the rights of European citizens to control the processing and distribution of personally-identifiable information.
Violators of GDPR may be fined up to €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater.[1] The following is a list of fines and notices issued under the GDPR, including reasoning.
Date | Organisation | Amount | Issued by | Reason(s) |
---|---|---|---|---|
2018-10 | Hospital do Barreiro | €400,000 | Portugal (CNPD) | "...based on access policies to databases, which allowed technicians and physicians to consult patients’ clinical files, without proper authorization."[2] |
2018-11-21 | Knuddels.de (German social network) | €20,000 | Germany (LfDI) | "...unauthorized access to and disclosure of personal data of around 330,000 users, including passwords and email addresses."[3] |
2019-01-21 | Google LLC | €50 million | France (CNIL) | Insufficient transparency, control, and consent over the processing of personal data for the purposes of behavioural advertising.[4][5] |
2019-03-07 | Unnamed bank | €1,560 | Hungary (NAIH) | Failure to erase and correct data at the request of the data subject. |
2019-03-07 | Unnamed debt collector | €1,560 | Hungary (NAIH) |
Breaching the principles of transparency and data minimisation. [7] |
2019-03-15 | Bisnode (business, credit and market information) | €220,000 | Poland (UODO) | |
2019-03-16 | Lower Silesian Football Association | €13,000 | Poland (UODO) |
Listing personal information of 585 referees on its website.[9] |
2019-04-04 | Rousseau (participatory democracy platform) | €50,000 | Italy (GPDP) | Failing to protect users' personal data.[10] |
2019-05-08 | The Municipality of Bergen | €170,000 | Norway (Datatilsynet) |
File with login credentials for 35,000 students and employees found in a public storage area.[11] |
2019-05-16 | MisterTango UAB (payment services) | €61,500 | Lithuania (ADA) | Processing more personal data than is necessary for effecting of the payment.[12] |
2019-05-28 | Unnamed Belgian mayor | €2,000 | Belgium (GBA/APD) | Misuse of personal data collected for local administrative purposes for election campaign purposes.[13] |
2019-06 | La Liga | €250,000 | Spain (AEPD) | Poorly disclosing purpose for requesting GPS and microphone permissions within the football league's mobile app. When the app was open, it transmitted the user's location if it detected an acoustic fingerprint embedded within game telecasts. This was used to help pinpoint the locations of venues that may be screening the games from unauthorized feeds.[14][15] |
2019-06-11 | IDDesign A/S (furniture) | DKK 1,5 million | Denmark (Datatilsynet) | Failure to delete personal data from an older system: processing personal data for a longer time than necessary.[16] |
2019-06-18 | Unnamed police officer | €1,400 | Germany (LfDI) | Autonomously processing personal data for non-legal purposes.[17] |
2019-06-18 | Sergic (real estate services) | €400,000 | France (CNIL) |
Failure to implement appropriate security measures; failure to define appropriate data retention periods for the personal data of unsuccessful rental candidates.[18] |
2019-06-18 | Uniontrad Company (translation services) | €20,000 | France (CNIL) |
Excessive video surveillance of employees; single, shared password for messaging system; ignoring earlier CNIL order to change practices.[19] |
2019-06-24 | EE (telecoms) | £100,000 | UK (ICO) | Sending over 2.5 million direct marketing messages to its customers, without consent.[20][21] |
2019-06-27 | UniCredit Bank Romania | €130,000 | Romania (ANSPDCP) | Failure to implement appropriate technical and organisational measures[22][23] |
2019-07-08 | British Airways | £183 million | UK (ICO) | Use of poor security arrangements that resulted in a 2018 web skimming attack affecting 500,000 consumers.[24][25][26] Highest fine issued so far as of 24-9-2020 |
2019-07-03 | Marriott International | €235,000 | Turkey (KVKK) | Failure to implement necessary technical and administrative and measures to ensure data security and breaching notification obligations[27] |
2019-07-03 | Cathay Pacific | €88,000 | Turkey (KVKK) | Failure to implement necessary technical and administrative and measures to ensure data security and breaching notification obligations[28] |
2019-07-09 | Marriott International | £99 million | UK (ICO) | Failure to undertake sufficient due diligence when acquiring Starwood hotels group, whose systems where compromised in 2014, exposing approximately 339 million guest records[29] |
2019-07-16 | HagaZiekenhuis | €460,000 | The Netherlands (AP) | Insufficient security of medical records[30][31] |
2019-07-25 | Active Assurances | €180,000 | France (CNIL) |
Failure to implement appropriate security measures.[32] |
2019-07-25 | PricewaterhouseCoopers | €150,000 | Greece (HDPA) |
Unlawful processing of employee data.[33] |
2019-08-21 | Skellefteå High School Board | €20,000 | Sweden (SDPA) |
Using facial recognition technology to monitor the attendance of students in school on an invalid legal basis; processing sensitive biometric data unlawfully and failure to do an adequate impact assessment including seeking prior consultation with the Swedish DPA.[34] |
2019-??-?? | Unnamed company | €3,135 | Hungary (NAIH) |
Infringing a data subject's access rights. [35] |
2019-08-12 | Unnamed medical company | €55,000 | Austria (DSB) |
Not appointing a DPO, not publishing its contact details or reporting those to the supervisory authority, obligatory consent of data subjects (Art. 7), not providing information (Art. 13, 14), no DPIA despite handling sensitive data (Art. 35). [36] |
2019-08-12 | Unnamed online retailer | €7,000 | Latvia (DSI) |
Nonconformity with data subjects rights to erasure and non-cooperation with the supervisory authority. [37] |
2019-09-19 | Unnamed retailer | €10,000 | Belgium (GBA/APD) | Demanding an electronic identity card to create a customer loyalty card.[38] |
2019-09-20 | Online retailer Morele.net | €645,000 | Poland (UODO) |
Insufficient protection of personal data, leading to the exposure of data of about 2.2 million people[39] |
2019-10-17 | Vueling Airlines | €30,000 | Spain (AEPD) | Failing to obtain valid consent to process customer cookies, as per privacy notice. [40] |
2019-12-09 | 1&1 Ionos | €9,550,000 | Germany (BfDI) |
Insufficient protection of personal data, failing to put “sufficient technical and organizational measures” in place to protect customer data in its call centers. Violation of article 32 of GDPR [41] |
2019-12-17 | Doorstep Dispensaree | £275,000 | UK (ICO) | "cavalier attitude to data protection”, having left 500,000 patient records in an unsecured location [42] |
2020-03-10 | $8 million | Sweden | Right-to-be-forgotten violations[43][44] | |
2020-07-14 | Google LLC (Google Belgium) | €600,000 | Belgium (GBA/APD) |
Failure to respect a citizen's right to be forgotten.[45] |
2020-07-06 | BKR | €840,000 | The Netherlands (AP) | Failing to give access to personal data free of charge, failing to provide easy means of accessing the data, putting unreasonable limits on the number of requests per individual [46] |
2020-12-10 | Amazon | $42M | France | Tracking cookies without consent[47] |
2020-12-10 | $120M | France | Tracking cookies without consent [47] |
References
- "L_2016119EN.01000101.xml". eur-lex.europa.eu. Archived from the original on 10 November 2017. Retrieved 28 August 2016.
- "Hospital Do Barreiro fined by Comissão Nacional de Protecção de Dados in 400,000 Euro for allowing improper access to clinical files". 24 June 2019. Retrieved 27 June 2019.
- "Data Protection Authority of Baden-Württemberg Issues First German Fine Under the GDPR". 23 November 2018. Retrieved 27 June 2019.
- Fox, Chris (21 January 2019). "Google hit with £44m GDPR fine". BBC News. Retrieved 14 June 2019.
- Porter, Jon (21 January 2019). "Google fined €50 million for GDPR violation in France". The Verge. Retrieved 14 June 2019.
- "Hungary fines two companies for GDPR infringement". CMS. 19 March 2019. Retrieved 10 September 2019.
- "Hungary fines two companies for GDPR infringement". CMS. 19 March 2019. Retrieved 10 September 2019.
- Lomas, Natasha (30 March 2019). "Covert data-scraping on watch as EU DPA lays down 'radical' GDPR red-line". TechCrunch. Retrieved 24 June 2019.
- Clark, Sam (17 May 2019). "Polish watchdog issues second GDPR fine". Global Data Review. Retrieved 24 June 2019.
- "5Stars defend their digital democracy in face of privacy sanction". Politico. 19 April 2019. Retrieved 27 June 2019.
- "Administrative fine of 170.000 € imposed on Bergen Municipality". Datatilsynet. 12 April 2019. Retrieved 24 June 2019.
- "First Significant Fine Was Imposed for the Breaches of the General Data Protection Regulation in Lithuania". 21 May 2019. Retrieved 24 June 2019.
- Fiten, Bernd (3 June 2019). "First GDPR fine in Belgium: € 2000 imposed on a mayor". Retrieved 24 June 2019.
- "LaLiga facing €250k fine for GDPR violations in app used to spy on users". TechRepublic. Retrieved 14 June 2019.
- Geigner, Timothy. "La Liga Fined 250K Euros For Using Mobile App To Try To Catch 3rd Party Pirates". Techdirt. Retrieved 14 June 2019.
- "Danish DPA set to fine furniture company". 11 June 2019. Retrieved 24 June 2019.
- "German Data Protection Authority of Baden-Württemberg fines an employee of a public body". 24 June 2019. Retrieved 26 June 2019.
- Lanois, Paul (21 June 2019). "Videosurveillance: CNIL issues fine of 20,000 euros against a small company in France". Fieldfisher. Retrieved 24 June 2019.
- Lanois, Paul (21 June 2019). "Videosurveillance: CNIL issues fine of 20,000 euros against a small company in France". Fieldfisher. Retrieved 24 June 2019.
- "EE fined £100,000 for unlawful texts". BBC News. 24 June 2019. Retrieved 24 June 2019.
- "ICO fines telecoms company EE Limited for sending unlawful text messages". ICO. 24 June 2019. Retrieved 24 June 2019.
- "First Fine For The Application Of Gdpr". 4 July 2019. Retrieved 9 July 2019.
- "First fine by the Romanian Supervisory Authority". 5 July 2019. Retrieved 9 July 2019.
- "British Airways faces record £183m fine for data breach". 8 July 2019. Retrieved 8 July 2019.
- Sweney, Mark (8 July 2019). "BA faces £183m fine over passenger data breach". The Guardian. ISSN 0261-3077. Retrieved 8 July 2019.
- "UK's ICO fines British Airways a record £183M over GDPR breach that leaked data from 500,000 users". TechCrunch. Retrieved 8 July 2019.
- "ICO proposes fines against British Airways and Marriott". 14 July 2019. Retrieved 15 July 2019.
- "ICO proposes fines against British Airways and Marriott". 14 July 2019. Retrieved 15 July 2019.
- "Intention to fine Marriott International, Inc more than £99 million under GDPR for data breach". 9 July 2019. Retrieved 15 July 2019.
- "Haga beboet voor onvoldoende interne beveiliging patiëntendossiers". 16 July 2019. Retrieved 17 July 2019.
- "Hague Hospital Fined €460,000 For Not Protecting Patient's Privacy". 16 July 2019. Retrieved 17 July 2019.
- Lanois, Paul (25 July 2019). "CNIL issues fine of €280.000 for failure to implement "basic security measures"". Fieldfisher. Retrieved 29 July 2019.
- "Exercise of the Hellenic DPA's corrective powers pursuant to the GDPR for selection and application of inappropriate legal basis and violation of the principle of accountability by a company". HDPA. 30 July 2019. Retrieved 5 August 2019.
- "Facial recognition in school renders Sweden's first GDPR fine". EDPB. 22 August 2019. Retrieved 3 September 2019.
- "First GDPR fine in Hungary for breaching data subject's rights". Lexology. 15 February 2019. Retrieved 10 September 2019.
- "Austrian DPA fines controller in the medical sector". EDPB. 12 August 2019. Retrieved 11 September 2019.
- "Data State Inspectorate of Latvia imposes a financial penalty of 7000 euros against online retailer". EDPB. 3 September 2019. Retrieved 11 September 2019.
- "The Belgian data protection authority imposes a fine of € 10,000". 19 September 2019. Retrieved 2 October 2019.
- "Polish DPA imposes €645,000 fine for insufficient organisational and technical safeguards". 20 September 2019. Retrieved 2 October 2019.
- "The Spanish Data Protection Authority fined the company Vueling for the cookie policy used on its website with 30,000 euros". 17 October 2019. Retrieved 6 November 2019.
- "BfDI verhängt Geldbußen gegen Telekommunikationsdienstleister". 9 December 2019. Retrieved 9 December 2019.
- "Pharmacy incurs first ever UK data protection fine worth £275k". Pharmaceutical Journal. 20 December 2019. Retrieved 24 February 2020.
- "Sweden fines Google $8 million for right-to-be-forgotten violations". 11 March 2020. Retrieved 10 January 2021.
- "Google Remains Atop List of GDPR Fines". 10 March 2020. Retrieved 10 January 2021.
- "Google's failure to respect the « right to be forgotten » results in €600,000 fine". 14 July 2020. Retrieved 10 January 2021.
- "National Credit Register (BKR) fined for personal data access charges". Retrieved 14 August 2020.
- "France fines Google $120M and Amazon $42M for dropping tracking cookies without consent". 10 December 2020. Retrieved 10 January 2021.