Search Privacy Fines
Browse and filter privacy enforcement fines worldwide.
52 fines found
Total: $4.8M
| Date | Company | Fine | Regulation | Authority | Country | Type | Summary |
|---|---|---|---|---|---|---|---|
| 2022-01-19 | Fortum Marketing and Sales Polska S.A. | €1.0M | GDPR | Polish National Personal Data Protection Office (UODO) | Poland | Failure to comply with data processing principles | --Articles: Art. 5 (1) f) GDPR, Art 24 (1) GDPR, Art. 25 (1) GDPR, Art. 28 (1) GDPR, Art. 32 (1), (2) GDPR |
| 2019-09-10 | Morele.net | €645K | GDPR | Polish National Personal Data Protection Office (UODO) | Poland | Failure to implement sufficient measures to ensure information security | Morele.net was sanctioned with a fine of PLN 2.8 million because it hadn’t ensured the proper security standards of customers’ data. As a consequence, more than 2.2 million people had their personal data accessed illegally. Articles: Art. 32 GDPR |
| 2019-09-10 | Morele.net | €645K | GDPR | Polish National Personal Data Protection Office (UODO) | Poland | Failure to implement sufficient measures to ensure information security | --Articles: Art. 32 GDPR |
| 2020-12-14 | Virgin Mobile Polska | €443K | GDPR | Polish National Personal Data Protection Office (UODO) | Poland | Non-compliance with lawful basis for data processing | --Articles: Art. 5 (1) f), (2) GDPR, Art. 25 (1) GDPR, Art. 32 (1) b), d), (2) GDPR |
| 2020-12-17 | ID Finance Poland Sp. z o.o. | €235K | GDPR | Polish National Personal Data Protection Office (UODO) | Poland | Failure to implement sufficient measures to ensure information security | --Articles: Art. 5 (1) f) GDPR, Art. 25 (1) GDPR, Art. 32 (1) b), d), (2) GDPR |
| 2019-03-29 | Bisnode | €220K | GDPR | Personal Data Protection Office | Poland | Non-compliance with the right of consent | --Articles: Art.14 GDPR |
| 2019-03-29 | Bisnode | €220K | GDPR | Personal Data Protection Office | Poland | Non-compliance with the right of consent | The Company failed to observe Art.14 of the GDPR, which states that the data controller must inform the data subject of the processing of personal data. The DPA has stated that Bisnode has three months to notify a total of 6 million people of this. Articles: Art.14 GDPR |
| 2019-03-26 | Private company | €220K | GDPR | Polish National Personal Data Protection Office (UODO) | Poland | Information obligation non-compliance | The private company was fined for having breached the information obligation in the case of personal data of several entrepreneurs. The data was taken from public sources (Central Electronic Register and Information on Economic Activity) and used for commercial purposes. In accordance with Art. 14(1) – (3) of the GDPR, the company was obligated to inform all the individuals concerned about the data processing. However, the company informed only those individuals for whom it had email addresses. For the rest, the high operational costs made them ignore the information obligation. Articles: Art. 14 GDPR |
| 2019-03-26 | Private company | €220K | GDPR | Polish National Personal Data Protection Office (UODO) | Poland | Information obligation non-compliance | --Articles: Art. 14 GDPR |
| 2022-01-19 | Santander Bank Polska S.A. | €117K | GDPR | Polish National Personal Data Protection Office (UODO) | Poland | Insufficient fulfilment of data breach notification obligations | --Articles: Art. 34 (1) GDPR |
| 2021-10-04 | Bank Millennium S.A | €78K | GDPR | Polish National Personal Data Protection Office (UODO) | Poland | Information obligation non-compliance | --Articles: Art. 33 (1) GDPR, Art. 34 (1) GDPR |
| 2022-01-19 | PIKA Sp. z o.o. | €53K | GDPR | Polish National Personal Data Protection Office (UODO) | Poland | Non-compliance with subjects' rights protection safeguards | --Articles: Art. 28 (3) c), f) GDPR, Art. 32 (1), (2) GDPR |
| 2019-10-16 | ClickQuickNow | €47K | GDPR | Polish National Personal Data Protection Office (UODO) | Poland | Failure to comply with processing principles | --Articles: Art. 5 GDPR |
| 2019-10-16 | ClickQuickNow | €47K | GDPR | Polish National Personal Data Protection Office (UODO) | Poland | Failure to comply with processing principles | The Company did not have the appropriate organizational measures in place that would allow data subjects to withdraw their consent to the processing of personal data. Moreover, the data subjects also couldn’t easily request the deletion of their personal data. Articles: Art. 5 GDPR |
| 2021-06-21 | Sopockie Towarzystwo Ubezpieczeń ERGO Hestia S.A. | €35K | GDPR | Polish National Personal Data Protection Office (UODO) | Poland | Failure to implement sufficient measures to ensure information security | --Articles: Art. 33 (1) GDPR, Art. 34 (1) GDPR |
| 2020-08-31 | Surveyor General of Poland (‘GKK’) | €23K | GDPR | Polish National Personal Data Protection Office (UODO) | Poland | Failure to comply with data processing principles | --Articles: Art. 5 GDPR, Art. 6 GDPR |
| 2020-07-15 | Office for geodesy and cartography | €22K | GDPR | Polish National Personal Data Protection Office (UODO) | Poland | Failure to implement sufficient measures to ensure information security | --Articles: Art. 32 GDPR, Art. 58 GDPR |
| 2021-01-05 | Unknown | €19K | GDPR | Polish National Personal Data Protection Office (UODO) | Poland | Failure to notify DPA of a data breach | --Articles: Art. 34 (1), (2) GDPR, Art. 58 (2) e) GDPR |
| 2020-12-04 | Towarzystwo Ubezpieczeń i Reasekuracji WARTA S.A. | €19K | GDPR | Polish National Personal Data Protection Office (UODO) | Poland | Failure to notify DPA of a data breach | --Articles: Art. 33 (1) GDPR, Art. 34 (1) GDPR |
| 2019-04-25 | Sports association | €13K | GDPR | Polish National Personal Data Protection Office (UODO) | Poland | Non-compliance with lawful basis for data processing | The sports association published personal data related to judges who had received judicial licenses online. Moreover, the exact addresses and PESEL numbers of these judges became public. As the sports association acted outside the law, fines were in order. However, there were mitigating circumstances in that the sports association immediately noticed its mistakes and attempted to remove the data from the public domain. Still, these attempts were ineffective, and a penalty was issued. The 585 judges had suffered no damage because of this, so the penalty was adjusted by the president of the Office of Competition and Consumer Protection. Articles: Art. 6 GDPR |
| 2019-04-25 | Sports association | €13K | GDPR | Polish National Personal Data Protection Office (UODO) | Poland | Non-compliance with lawful basis for data processing | --Articles: Art. 6 GDPR |
| 2022-07-06 | Głównego Geodetę Kraju | €12K | GDPR | Polish National Personal Data Protection Office (UODO) | Poland | Failure to implement sufficient measures to ensure information security | --Articles: Art. 33 (1) GDPR, Art. 34 (1) GDPR |
| 2020-09-08 | Warsaw University of Life Sciences | €11K | GDPR | Polish National Personal Data Protection Office (UODO) | Poland | Failure to implement sufficient measures to ensure information security | --Articles: Art. 32 GDPR |
| 2023-03-01 | Housing Cooperative | €11K | GDPR | Polish National Personal Data Protection Office (UODO) | Poland | Insufficient fulfilment of data breach notification obligations | --Articles: Art. 33 (1) GDPR, Art. 34 (1) GDPR |
| 2021-12-09 | Warsaw University of Technology | €10K | GDPR | Polish National Personal Data Protection Office (UODO) | Poland | Non-compliance with lawful basis for data processing | --Articles: Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 24 (1) GDPR, Art. 25 (1) GDPR, Art. 32 (1), (2) GDPR |