Search Privacy Fines
Browse and filter privacy enforcement fines worldwide.
2,028 fines found
Total: $8.1B
| Date | Company | Fine | Regulation | Authority | Country | Type | Summary |
|---|---|---|---|---|---|---|---|
| 2021-09-16 | Bocconi University | €200K | GDPR | Italian Data Protection Authority (Garante) | Italy | Non-compliance with lawful basis for data processing | --Articles: Art. 5 (1) a), c), e) GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 13 GDPR, Art. 25 GDPR, Art. 35 GDPR, Art. 44 GDPR, Art. 46 GDPR, Art. Art. 2-sexies Codice della Privacy |
| 2021-07-22 | Regione Lombardia | €200K | GDPR | Italian Data Protection Authority (Garante) | Italy | Non-compliance with lawful basis for data processing | --Articles: Art. 5 (1) a), c) GDPR, Art. 6 (1) c), e) GDPR, Art. 6 (2) GDPR, Art. 6 (3) b) GDPR |
| 2019-10-07 | Telecommunication Service Provider | €200K | GDPR | Hellenic Data Protection Authority (HDPA) | Greece | Failure to comply with data processing principles | --Articles: Art. 21 (3) GDPR, Art. 25 GDPR |
| 2022-04-28 | Amiu S.p.A. | €200K | GDPR | Italian Data Protection Authority (Garante) | Italy | Failure to comply with data processing principles | --Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 28 GDPR, Art. 37 GDPR |
| 2020-07-13 | Merlini s.r.l. | €200K | GDPR | Italian Data Protection Authority (Garante) | Italy | Non-compliance with lawful basis for data processing | --Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 28 GDPR, Art. 29 GDPR |
| 2019-10-07 | Telecommunication Service Provider | €200K | GDPR | Hellenic Data Protection Authority (HDPA) | Greece | Failure to comply with data processing principles | --Articles: Art. 5 (1) c) GDPR, Art. 25 GDPR |
| 2023-05-03 | GSMA LTD. | €200K | GDPR | Spanish Data Protection Authority (AEPD) | Spain | Failure to implement sufficient measures to ensure information security | --Articles: Art. 35 GDPR |
| 2019-10-07 | Telecommunication Service Provider | €200K | GDPR | Hellenic Data Protection Authority (HDPA) | Greece | Failure to comply with data processing principles | Due to technical errors, the personal data of 8.000 customers wasn’t delet...Due to technical errors, the personal data of 8.000 customers wasn’t deleted upon request Articles: Art. 21 (3) GDPR, Art. 25 GDPR |
| 2022-08-11 | AMPLIFION Hungary Trade and Service Provider LLC | €197K | GDPR | Hungarian National Authority for Data Protection and the Freedom of Information | Hungary | Non-compliance with lawful basis for data processing | --Articles: Art. 5 (1) b) GDPR, Art. 6 (1) GDPR, Art. 12 (1) GDPR, Art. 14 GDPR |
| 2019-09-19 | Delivery Hero | €195K | GDPR | Data Protection Authority of Berlin | Germany | Non-compliance with subjects' rights protection safeguards | --Articles: Art. 15 GDPR, Art. 17 GDPR, Art. 21 GDPR |
| 2019-09-19 | Delivery Hero | €195K | GDPR | Data Protection Authority of Berlin | Germany | Non-compliance with subjects' rights protection safeguards | The Company had retained the personal data of customers who had expressed their ...The Company had retained the personal data of customers who had expressed their desire to discontinue receiving emails from the company. Eight customers complained to have received such emails, despite not having solicited them. Moreover, the company refused to share information with five subjects regarding their rights to withdraw consent in the processing of personal information. Articles: Art. 15 GDPR, Art. 17 GDPR, Art. 21 GDPR |
| 2022-03-04 | Norwegian Parliament | €195K | GDPR | Norwegian Supervisory Authority (Datatilsynet) | Norway | Failure to comply with data processing principles | --Articles: Art. 5 (1) f) GDPR, Art. 32 (1) b), d) GDPR |
| 2019-07-25 | Active Assurances | €180K | GDPR | French Data Protection Authority (CNIL) | France | Failure to implement sufficient measures to ensure information security | --Articles: Art. 32 GDPR |
| 2019-07-25 | Active Assurances | €180K | GDPR | French Data Protection Authority (CNIL) | France | Failure to implement sufficient measures to ensure information security | The company had allowed for personal data belonging to clients (including copies...The company had allowed for personal data belonging to clients (including copies of the driver’s license) to be publicized online. Apparently, unauthorized access was detected, and the fault lies with the inappropriate security measures. Articles: Art. 32 GDPR |
| 2022-11-02 | Setubal Municipality | €180K | GDPR | Portuguese Data Protection Authority (CNPD) | Portugal | Non-compliance with lawful basis for data processing | --Articles: Art. 5 (1) e), f) GDPR, Art. 13 (1), (2) GDPR, Art. 37 (1), (7) GDPR |
| 2021-12-28 | SLIMPAY | €180K | GDPR | French Data Protection Authority (CNIL) | France | Failure to implement sufficient measures to ensure information security | --Articles: Art. 28 GDPR, Art. 32 GDPR, Art. 34 GDPR |
| 2022-07-07 | UBEEQO INTERNATIONAL | €175K | GDPR | French Data Protection Authority (CNIL) | France | Failure to comply with data processing principles | --Articles: Art. 5 (1) c) GDPR, Art. 12 GDPR |
| 2019-03-29 | Bergen Municipality | €170K | GDPR | Norwegian Supervisory Authority (Datatilsynet) | Norway | Failure to implement sufficient measures to ensure information security | The municipality had employed insufficient security measures in protecting its c...The municipality had employed insufficient security measures in protecting its computer systems. As a result, personal data related to more than 35.000 individuals became publicly accessible. In the case of a few schools, anyone could access information related to the staff, the pupils, and the employees of the school. Moreover, the municipality has received warnings about the weakness of its security measures before but chose not to do anything. Articles: Art. 5 (1) f) GDPR, Art. 32 GDPR |
| 2019-03-29 | Bergen Municipality | €170K | GDPR | Norwegian Supervisory Authority (Datatilsynet) | Norway | Failure to implement sufficient measures to ensure information security | --Articles: Art. 5 (1) f) GDPR, Art. 32 GDPR |
| 2019-03-01 | Taxa 4x35 | €160K | GDPR | Danish Data Protection Authority (Datatilsynet) | Denmark | Failure to comply with processing principles | --Articles: Art. 5(1) e) GDPR |
| 2019-03-01 | Taxa 4x35 | €160K | GDPR | Danish Data Protection Authority (Datatilsynet) | Denmark | Failure to comply with processing principles | The taxi company was discovered having over 9 million person records that it sto...The taxi company was discovered having over 9 million person records that it stored unlawfully. Because the company hadn’t deleted this personal data, the Danish Data Protection Authority issued a fine. Articles: Art. 5(1) e) GDPR |
| 2022-01-26 | Uppsala hospital board | €152K | GDPR | Data Protection Authority of Sweden | Sweden | Non-compliance with lawful basis for data processing | --Articles: Art. 5 (1) f) GDPR, Art. 32 (1) GDPR |
| 2019-12-19 | Aegean Marine Petroleum Network Inc. | €150K | GDPR | Hellenic Data Protection Authority (HDPA) | Greece | Failure to comply with data processing principles | --Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 32 GDPR |
| 2019-07-30 | PWC Business Solutions | €150K | GDPR | Hellenic Data Protection Authority (HDPA) | Greece | Non-compliance with lawful basis for data processing | --Articles: Art. 5 (1) GDPR, Art. 5 (2) GDPR, Art. 6 (1) GDPR, Art. 13 (1) c) GDPR, Art. 14 (1) c) GDPR |
| 2021-11-11 | TIM S.p.A. | €150K | GDPR | Italian Data Protection Authority (Garante) | Italy | Non-compliance with subjects' rights protection safeguards | --Articles: Art. 15 GDPR |