Search Privacy Fines

Browse and filter privacy enforcement fines worldwide.


2,028 fines found

Total: $8.1B

Date | Company | Fine | Regulation | Authority | Country | Type | Summary
2020-09-03 | Bergen Municipality | €276K | GDPR | Norwegian Supervisory Authority (Datatilsynet) | Norway | Failure to implement sufficient measures to ensure information security

Articles: Art. 5 (1) f) GDPR, Art. 32 GDPR

2023-04-12 | Aldi | €253K | GDPR | Hungarian National Authority for Data Protection and the Freedom of Information | Hungary | Unknown

Articles: Unknown

2026-02-01 | NL Municipalities (x10) | €250K | GDPR | Netherlands AP | Netherlands | other
Unlawful processing of religious data
2019-06-11 | Professional Football League (LaLiga) | €250K | GDPR | Spanish Data Protection Authority (AEPD) | Spain | Information obligation non-compliance

Articles: Art. 5 (1) a), Art. 7 (3) GDPR

2020-08-05 | Spartoo | €250K | GDPR | French Data Protection Authority (CNIL) | France | Failure to comply with data processing principles

Articles: Art. 5 (1) GDPR, Art. 13 GDPR, Art. 14 GDPR

2022-01-01 | Unknown | €250K | GDPR | Data Protection Commissioner of Malta | Malta | Failure to implement sufficient measures to ensure information security

Articles: Art. 32 (1), (2) GDPR

2022-02-02 | IAB Europe | €250K | GDPR | Belgian Data Protection Authority (APD) | Belgium | Non-compliance with lawful basis for data processing

Articles: Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 6 (1) GDPR, Art. 9 (1), (2) GDPR, Art. 12 (1) GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 24 (1) GDPR, Art. 30 GDPR, Art. 31 GDPR, Art. 32 (1), (2) GDPR, Art. 37 GDPR

2019-06-11 | Professional Football League (LaLiga) | €250K | GDPR | Spanish Data Protection Authority (AEPD) | Spain | Information obligation non-compliance

A fine was issued to the National Football League (LaLiga) because it had failed to inform users of the implications contained within the app it offered. This app remotely accessed the users’ microphones once every minute to check pubs screening football matches. The AEPD thinks that the users were not sufficiently informed of this. Moreover, the users did not have the adequate possibility to withdraw their consent, once given.

Articles: Art. 5 (1) a), Art. 7 (3) GDPR

2022-09-13 | GIE INFOGREFFE | €250K | GDPR | French Data Protection Authority (CNIL) | France | Failure to implement sufficient measures to ensure information

Articles: Art. 5 (1) e) GDPR, Art. 32 GDPR

2026-02-01 | NL Municipalities (x10) | €250K | GDPR | Netherlands AP | Netherlands | consent

Unlawful processing of religious data by 10 Dutch municipalities.

Articles: Art. 5, Art. 9

2020-12-03 | Östergötland Region | €244K | GDPR | Data Protection Authority of Sweden | Sweden | Failure to implement sufficient measures to ensure information security

Articles: Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 32 (1) GDPR, Art. 32 (2) GDPR

2020-12-03 | Västerbotten Region | €244K | GDPR | Data Protection Authority of Sweden | Sweden | Failure to implement sufficient measures to ensure information security

Articles: Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 32 (1) GDPR, Art. 32 (2) GDPR

2020-12-17 | ID Finance Poland Sp. z o.o. | €235K | GDPR | Polish National Personal Data Protection Office (UODO) | Poland | Failure to implement sufficient measures to ensure information security

Articles: Art. 5 (1) f) GDPR, Art. 25 (1) GDPR, Art. 32 (1) b), d), (2) GDPR

2022-12-09 | Viking Line Oy Abp | €230K | GDPR | Deputy Data Protection Ombudsman | Finland | Failure to comply with data processing principles

Articles: Art. 5 (1) a), d) GDPR, Art. 12 (3) GDPR, Art. 13 GDPR, Art. 15 (1) GDPR, Art. 25 (1) GDPR

2019-03-29 | Bisnode | €220K | GDPR | Personal Data Protection Office | Poland | Non-compliance with the right of consent

Articles: Art. 14 GDPR

2019-03-29 | Bisnode | €220K | GDPR | Personal Data Protection Office | Poland | Non-compliance with the right of consent

The Company failed to observe Art. 14 of the GDPR, which states that the data controller must inform the data subject of the processing of personal data. The DPA has stated that Bisnode has three months to notify a total of 6 million people of this.

Articles: Art. 14 GDPR

2023-03-08 | Argon Medical Devices | €220K | GDPR | Norwegian Supervisory Authority (Datatilsynet) | Norway | Failure to notify DPA of a data breach

Articles: Art. 33 (1) GDPR

2019-03-26 | Private company | €220K | GDPR | Polish National Personal Data Protection Office (UODO) | Poland | Information obligation non-compliance

The private company was fined for having breached the information obligation in the case of personal data of several entrepreneurs. The data was taken from public sources (Central Electronic Register and Information on Economic Activity) and used for commercial purposes. In accordance with Art. 14(1) – (3) of the GDPR, the company was obligated to inform all the individuals concerned about the data processing. However, the company informed only those individuals for whom it had email addresses. For the rest, the high operational costs made them ignore the information obligation.

Articles: Art. 14 GDPR

2019-03-26 | Private company | €220K | GDPR | Polish National Personal Data Protection Office (UODO) | Poland | Information obligation non-compliance

Articles: Art. 14 GDPR

2019-04-29 | Oslo Municipal Education Department | €203K | GDPR | Norwegian Supervisory Authority (Datatilsynet) | Norway | Failure to implement sufficient measures to ensure information security

The fine was issued on the following grounds: insufficient security measures established on the app launched by an Oslo school. This app allowed students and parents to contact teachers in real-time. However, unauthorized access was detected, and unknown people gained access to personal data related to students and school employees.

Articles: Art. 32 GDPR

2019-06-03 | IDdesign A/S | €201K | GDPR | Danish Data Protection Authority (Datatilsynet) | Denmark | Failure to comply with data processing principles

Articles: Art. 5 (1) e) GDPR, Art. 5 (2) GDPR

2019-06-03 | IDdesign A/S | €201K | GDPR | Danish Data Protection Authority (Datatilsynet) | Denmark | Failure to comply with data processing principles

After an inspection in 2018 when irregularities were noticed, the company IDdesign was fined. The company had overused the data of over 380.000 customers for a longer period of time than they were allowed to, as per the initial goals of the data processing. Moreover, the company had no clear deadlines regarding the deletion of personal data. The controller had also ignored the necessity of having a clear policy on the data deletion procedures.

Articles: Art. 5 (1) e) GDPR, Art. 5 (2) GDPR

2022-04-04 | Brussels Airport Zaventem | €200K | GDPR | Belgian Data Protection Authority (APD) | Belgium | Non-compliance with lawful basis for data processing

Articles: Art. 5 (1) c) GDPR, Art. 6 (1) e) GDPR, Art. 9 (2) g) GDPR, Art. 12 GDPR, Art. 13 (1) c) GDPR, Art. 13 (2) e) GDPR, Art. 35 (1), (3), (7) b) GDPR

2019-10-07 | Telecommunication Service Provider | €200K | GDPR | Hellenic Data Protection Authority (HDPA) | Greece | Failure to comply with data processing principles

Despite the clear refusal of telemarketing calls by the customers, the company proceeded to ignore this because of technical errors.

Articles: Art. 5 (1) c) GDPR, Art. 25 GDPR

2022-02-01 | XFERA MOVILES, S.A. | €200K | GDPR | Spanish Data Protection Authority (AEPD) | Spain | Non-compliance with lawful basis for data processing

Articles: Art. 5 (1) f) GDPR
