Search Privacy Fines

Browse and filter privacy enforcement fines worldwide.

151 fines found

Total: $190.9M

Date | Company | Fine | Regulation | Authority | Country | Type | Summary
2025-01-15 | Vodafone Germany | €45.0M | GDPR | Germany BfDI | Germany | data_breach
Vendor security failures and inadequate data controls.

Articles: Art. 32

2025-01-01 | Vodafone Germany | €45.0M | GDPR | Germany BfDI | Germany | data_breach
Vendor security failures and inadequate data controls.

Articles: Art. 32

2020-10-01 | H&M Hennes & Mauritz Online Shop A.B. & Co. KG | €32.3M | GDPR | Data Protection Authority of Hamburg | Germany | Non-compliance with lawful basis for data processing
--

Articles: Art. 5 GDPR, Art. 6 GDPR

2019-10-30 | Deutsche Wohnen SE | €14.5M | GDPR | Data Protection Authority of Baden-Wuerttemberg | Germany | Failure to comply with data processing principles
The company collected data from multiple tenants without providing the option to remove that data once it was no longer required. This led to the company retaining personal data of tenants for years (salary statements, social security insurances, health insurances, tax insurances, bank statements). The Berlin Data Commissioner issued a fine of €14,500,000.

Articles: Art. 5 GDPR, Art. 25 GDPR

2021-01-08 | notebooksbilliger.de | €10.4M | GDPR | Data Protection Authority of Niedersachsen | Germany | Failure to comply with data processing principles
--

Articles: Art. 5 GDPR, Art. 6 GDPR

2019-12-09 | 1&1 Telecom GmbH | €9.6M | GDPR | The Federal Commissioner for Data Protection and Freedom of Information (BfDI) | Germany | Failure to implement sufficient measures to ensure information security
The telecom company 1&1 Telecom GmbH was fined €9,550,000 after it came to light that anyone could obtain sensitive customer information by phone just by giving a client’s name and date of birth. This could have permitted anyone who knew a customer's name and date of birth to obtain that customer's personal information. The BfDI considered that the company failed to implement the necessary technical measures to ensure the protection of personal data. The BfDI further revealed that the fine was intended to be much larger but was eventually decreased due to the cooperation of the company during the investigation.

Articles: Art. 32 GDPR

2019-12-09 | 1&1 Telecom GmbH | €9.6M | GDPR | The Federal Commissioner for Data Protection and Freedom of Information (BfDI) | Germany | Failure to implement sufficient measures to ensure information security
--

Articles: Art. 32 GDPR (https://www.privacy-regulation.eu/en/32.htm)

2022-03-03 | BREBAU GmbH | €1.9M | GDPR | Data Protection Authority of Bremen | Germany | Failure to comply with data processing principles
--

Articles: Art. 5 (1) GDPR, Art. 6 (1) GDPR, Art. 9 GDPR

2020-06-30 | Allgemeine Ortskrankenkasse | €1.2M | GDPR | Data Protection Authority of Baden-Wuerttemberg | Germany | Failure to implement sufficient measures to ensure information security
--

Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 32 GDPR

2022-07-26 | Volkswagen | €1.1M | GDPR | Data Protection Authority of Saxony | Germany | Insufficient fulfilment of information obligations
--

Articles: Art. 13 GDPR, Art. 28 GDPR, Art. 30 GDPR, Art. 35 GDPR

2020-11-11 | 1&1 Telecom GmbH | €900K | GDPR | The Federal Commissioner for Data Protection and Freedom of Information (BfDI) | Germany | Failure to implement sufficient measures to ensure information security
--

Articles: Art. 32 GDPR

2021-09-24 | Vattenfall Europe Sales GmbH | €900K | GDPR | Data Protection Authority of Hamburg | Germany | Insufficient data processing agreement
--

Articles: Art. 12 GDPR, Art. 13 GDPR

2022-07-28 | Hannoversche Volksbank | €900K | GDPR | Data Protection Authority of Saxony | Germany | Non-compliance with lawful basis for data processing
--

Articles: Art. 6 (1) GDPR

2022-09-20 | Unknown company | €525K | GDPR | Data Protection Authority of Berlin | Germany | Non-cooperation with Data Protection Authority
--

Articles: Art. 38 (6) GDPR

2021-03-10 | VfB Stuttgart 1893 AG | €300K | GDPR | Data Protection Authority of Baden-Wuerttemberg | Germany | Non-compliance with lawful basis for data processing
--

Articles: Art. 5 (2) GDPR

2019-12-02 | Unknown | €294K | GDPR | Data Protection Authority of Niedersachsen | Germany | Failure to comply with data processing principles
A company was fined €294,000 because of the “unnecessarily long” storage and retention of personal data in the selection of personnel. During the selection process, even health data was requested, which was excessive according to the DPA.

Articles: Art. 5 GDPR

2019-12-02 | Unknown | €294K | GDPR | Data Protection Authority of Niedersachsen | Germany | Failure to comply with data processing principles
--

Articles: Art. 5 GDPR

2019-09-19 | Delivery Hero | €195K | GDPR | Data Protection Authority of Berlin | Germany | Non-compliance with subjects' rights protection safeguards
--

Articles: Art. 15 GDPR, Art. 17 GDPR, Art. 21 GDPR

2019-09-19 | Delivery Hero | €195K | GDPR | Data Protection Authority of Berlin | Germany | Non-compliance with subjects' rights protection safeguards
The company had retained the personal data of customers who had expressed their desire to discontinue receiving emails from the company. Eight customers complained of having received such emails, despite not having solicited them. Moreover, the company refused to share information with five subjects regarding their rights to withdraw consent in the processing of personal information.

Articles: Art. 15 GDPR, Art. 17 GDPR, Art. 21 GDPR

2019-12-03 | Rheinland-Pfalz Hospital | €105K | GDPR | Data Protection Authority of Rheinland-Pfalz | Germany | Non-compliance with lawful basis for data processing
The Data Protection Authority of Rheinland-Pfalz issued a fine of €105,000 against a hospital after a mix-up of patients. As a consequence, wrong invoices were issued to the patients, which released sensitive personal data.

Articles: Art. 5 GDPR

2019-12-03 | Rheinland-Pfalz Hospital | €105K | GDPR | Data Protection Authority of Rheinland-Pfalz | Germany | Failure to implement sufficient measures to ensure information security
--

Articles: Art. 32 GDPR

2019-10-24 | Food company | €100K | GDPR | Data Protection Authority of Baden-Wuerttemberg | Germany | Failure to implement sufficient measures to ensure information security
--

Articles: Art. 5 GDPR, Art. 32 GDPR

2019-10-24 | Food company | €100K | GDPR | Data Protection Authority of Baden-Wuerttemberg | Germany | Failure to implement sufficient measures to ensure information security
When it created an applicant portal where interested parties could submit their documents for a job, the food company failed to encrypt the portal. The transmission of the data had no encryption, and the data storage was completely unencrypted and offered no password-protected security systems. Moreover, the data was linked to Google, so anyone could find the applicants’ documents and retrieve them after a simple Google search.

Articles: Art. 5 GDPR, Art. 32 GDPR

2019-10-17 | Unknown | €80K | GDPR | Data Protection Authority of Baden-Wuerttemberg | Germany | Failure to implement sufficient measures to ensure information security
Because of insufficient data security mechanisms, a digital publication accidentally disclosed personal health data related to several subjects.

Articles: Art. 32 GDPR

2019-07-30 | Unknown | €80K | GDPR | Data Protection Authority of Baden-Wuerttemberg | Germany | Failure to implement sufficient measures to ensure information security
Two companies working in finances didn’t follow the procedure when disposing of personal data.

Articles: Art. 32 GDPR
