Search Privacy Fines
Browse and filter privacy enforcement fines worldwide.
26 fines found
Total: $676.1M
| Date | Company | Fine | Regulation | Authority | Country | Type | Summary |
|---|---|---|---|---|---|---|---|
| 2024-08-01 | Uber | €290.0M | GDPR | Netherlands AP | Netherlands | transfer | Transferred European driver data to US without adequate safeguards.Transferred European driver data to US without adequate safeguards. Articles: Art. 44 |
| 2024-08-26 | Uber | €290.0M | GDPR | Netherlands AP | Netherlands | transfer | Transferred European driver data to US without adequate safeguards.Transferred European driver data to US without adequate safeguards. Articles: Art. 44 |
| 2024-09-03 | Clearview AI | €30.5M | GDPR | Netherlands AP | Netherlands | consent | Built illegal facial recognition database with Dutch citizens photos.Built illegal facial recognition database with Dutch citizens photos. Articles: Art. 5, Art. 6, Art. 9, Art. 14, Art. 27 |
| 2022-04-07 | Dutch Tax and Customs Administration | €3.7M | GDPR | Dutch Supervisory Authority for Data Protection (AP) | Netherlands | Failure to comply with data processing principles | --Articles: Art. 5 (1) a), b), d), e) GDPR, Art. 6 (1) GDPR, Art. 32 (1) GDPR, Art. 35 (2) GDPR |
| 2021-11-25 | Dutch Minister of Finance | €2.8M | GDPR | Dutch Supervisory Authority for Data Protection (AP) | Netherlands | Failure to comply with data processing principles | --Articles: Art. 5 (1) a) GDPR, Art. 6 (1) e) GDPR, Art. 8 Wbp |
| 2019-10-31 | UWV - Insurance provider | €900K | GDPR | Dutch Supervisory Authority for Data Protection (AP) | Netherlands | Failure to implement sufficient measures to ensure information security | --Articles: Art. 32 GDPR |
| 2019-10-31 | UWV - Insurance provider | €900K | GDPR | Dutch Supervisory Authority for Data Protection (AP) | Netherlands | Failure to implement sufficient measures to ensure information security | The Dutch employee insurance service provider – “Uitvoeringsinstituu...The Dutch employee insurance service provider – “Uitvoeringsinstituut Werknemersverzekeringen – UWV did not use multi-factor authentication for accessing the employer web portal. Health and safety services, as well as employers, were able to view and collect data from employees, data to which normally they should not have had access to. Articles: Art. 32 GDPR |
| 2020-07-06 | Bureau Krediet Registration | €830K | GDPR | Dutch Supervisory Authority for Data Protection (AP) | Netherlands | Non-compliance with lawful basis for data processing | --Articles: Art. 12 GDPR, Art. 15 GDPR |
| 2021-04-09 | TikTok | €750K | GDPR | Dutch Supervisory Authority for Data Protection (AP) | Netherlands | Information obligation non-compliance | --Articles: Art. 12 GDPR |
| 2020-04-30 | Unknown organization | €725K | GDPR | Dutch Supervisory Authority for Data Protection (AP) | Netherlands | Non-compliance with lawful basis for data processing | --Articles: Art. 5 GDPR, Art. 9 GDPR |
| 2022-02-24 | Dutch Foreign Ministry | €565K | GDPR | Dutch Supervisory Authority for Data Protection (AP) | Netherlands | Non-compliance with subjects' rights protection safeguards | --Articles: Art. 13 (1) e) GDPR, Art. 32 (1) GDPR |
| 2022-01-14 | DPG Media Magazines B.V. | €525K | GDPR | Dutch Supervisory Authority for Data Protection (AP) | Netherlands | Non-compliance with subjects' rights protection safeguards | --Articles: Art. 12 (2) GDPR |
| 2020-03-03 | Royal Dutch Tennis Assoc. | €525K | GDPR | Dutch Supervisory Authority for Data Protection (AP) | Netherlands | Non-compliance with lawful basis for data processing | The Royal Dutch Tennis Association (“KNLTB”) was fined a total of €5...The Royal Dutch Tennis Association (“KNLTB”) was fined a total of €525,000 for selling the personal data of more than 350,000 of its members to sponsors. The sponsors have then contacted some of these individuals by email and telephone for marketing purposes. Personal data sold included the name, gender, and address of various individuals. No consent was obtained from the affected individuals beforehand. The Royal Dutch Tennis Association (“KNLTB”) argued that it had a legitimate interest to sell this data, and as such did not commit a GDPR breach. The Dutch Data Protection Authority, however, rejected this and ruled that KNLTB had no legal basis to sell the personal data of its members to third parties. Articles: Art. 5 GDPR, Art. 6 GDPR |
| 2020-03-03 | Royal Dutch Tennis Assoc. | €525K | GDPR | Dutch Supervisory Authority for Data Protection (AP) | Netherlands | Non-compliance with lawful basis for data processing | --Articles: Art. 5 GDPR, Art. 6 GDPR |
| 2020-12-20 | Locatefamily.com | €525K | GDPR | Dutch Supervisory Authority for Data Protection (AP) | Netherlands | Failure to comply with data processing principles | --Articles: Art. 27 GDPR |
| 2019-06-18 | Hague Hospital | €460K | GDPR | Dutch Supervisory Authority for Data Protection (AP) | Netherlands | Failure to implement sufficient measures to ensure information security | After a serious investigation, the DDPA surmised that the Hague Hospital failed ...After a serious investigation, the DDPA surmised that the Hague Hospital failed to provide the appropriate security measures for possession of patient records. This investigation had started following several events when multiple staff hospital members had checked the personal data of a Dutch person. Measures were taken, and the hospital was warned – it would have to update its security measures by the 2nd of October 2019 or it would incur e penalty of 100.000 EUR every two weeks. Articles: Art. 32 GDPR |
| 2019-06-18 | Hague Hospital | €460K | GDPR | Dutch Supervisory Authority for Data Protection (AP) | Netherlands | Failure to implement sufficient measures to ensure information security | --Articles: Art. 32 GDPR |
| 2021-05-31 | UWV (Dutch Employee insurance service provider) | €450K | GDPR | Dutch Supervisory Authority for Data Protection (AP) | Netherlands | Failure to implement sufficient measures to ensure information security | --Articles: Art. 32 GDPR |
| 2021-11-12 | Transavia | €400K | GDPR | Dutch Supervisory Authority for Data Protection (AP) | Netherlands | Failure to implement sufficient measures to ensure information security | --Articles: Art. 32 (1), (2) GDPR |
| 2026-02-01 | NL Municipalities (x10) | €250K | GDPR | Netherlands AP | Netherlands | consent | Unlawful processing of religious data by 10 Dutch municipalities.Unlawful processing of religious data by 10 Dutch municipalities. Articles: Art. 5, Art. 9 |
| 2023-01-19 | Dutch Social Insurance Institution (SVB) | €150K | GDPR | Dutch Supervisory Authority for Data Protection (AP) | Netherlands | Failure to implement sufficient measures to ensure information security | --Articles: Art. 32 (1), (2) GDPR |
| 2019-10-31 | Menzis | €50K | GDPR | Dutch Supervisory Authority for Data Protection (AP) | Netherlands | Non-compliance with lawful basis for data processing | --Articles: Art. 5 GDPR |
| 2019-10-31 | Menzis | €50K | GDPR | Dutch Supervisory Authority for Data Protection (AP) | Netherlands | Non-compliance with lawful basis for data processing | The marketing staff of the health insurance company Menzis had access to patient...The marketing staff of the health insurance company Menzis had access to patients’ data. Articles: Art. 5 GDPR |
| 2020-03-24 | CP&A | €15K | GDPR | Dutch Supervisory Authority for Data Protection (AP) | Netherlands | Failure to implement sufficient measures to ensure information security | --Articles: Art. 9 GDPR, Art. 32 GDPR |
| 2021-02-04 | Orthodontic Clinic | €12K | GDPR | Dutch Supervisory Authority for Data Protection (AP) | Netherlands | Failure to implement sufficient measures to ensure information security | --Articles: Art. 32 (1) GDPR |