Search Privacy Fines
Browse and filter privacy enforcement fines worldwide.
2,028 fines found
Total: $8.1B
| Date | Company | Fine | Regulation | Authority | Country | Type | Summary |
|---|---|---|---|---|---|---|---|
| 2021-01-27 | Unknown | €150K | GDPR | French Data Protection Authority (CNIL) | France | Failure to implement sufficient measures to ensure information security | --Articles: Art. 32 GDPR |
| 2019-10-09 | Raiffeisen Bank SA | €150K | GDPR | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Romania | Failure to implement sufficient measures to ensure information security | --Articles: Art. 32 GDPR |
| 2021-05-27 | Azienda Provinciale per i Servizi Sanitari di Trento | €150K | GDPR | Italian Data Protection Authority (Garante) | Italy | Non-compliance with lawful basis for data processing | --Articles: Art. 5 (1), f) GDPR, Art. 9 GDPR |
| 2019-10-09 | Raiffeisen Bank SA | €150K | GDPR | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Romania | Failure to implement sufficient measures to ensure information security | Raiffeisen Bank Romania did not observe the necessary security measures required...Raiffeisen Bank Romania did not observe the necessary security measures required by the GDPR when it assessed the scores of individuals on the WhatsApp platform. The personal data was exchanged via WhatsApp. Articles: Art. 32 GDPR |
| 2022-04-28 | Tarento municipality | €150K | GDPR | Italian Data Protection Authority (Garante) | Italy | Failure to comply with data processing principles | --Articles: Art. 5 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 28 GDPR, Art. 35 GDPR |
| 2023-01-19 | Dutch Social Insurance Institution (SVB) | €150K | GDPR | Dutch Supervisory Authority for Data Protection (AP) | Netherlands | Failure to implement sufficient measures to ensure information security | --Articles: Art. 32 (1), (2) GDPR |
| 2019-11-01 | Unknown | €150K | GDPR | Data State Inspectorate (DSI) | Latvia | Non-compliance with lawful basis for data processing | --Articles: Art. 6 GDPR |
| 2019-11-01 | Unknown | €150K | GDPR | Data State Inspectorate (DSI) | Latvia | Non-compliance with lawful basis for data processing | No concrete details have been released at this point other than a fine of €150,0...No concrete details have been released at this point other than a fine of €150,000 was imposed in November 2019. We will update this card once further information emerges. Articles: Art. 6 GDPR |
| 2019-12-19 | "Aegean Marine Petroleum Network Inc. | €150K | GDPR | Hellenic Data Protection Authority (HDPA) | Greece | Art. 5 GDPR|Art. 6 GDPR|Art. 32 GDPR | http://www.dpa.gr/APDPXPortlets/htdocs/documentDisplay.jsp?docid=205,136,113,56,...http://www.dpa.gr/APDPXPortlets/htdocs/documentDisplay.jsp?docid=205,136,113,56,60,108,243,88 Articles: " |
| 2022-04-11 | BASER COMERCIALIZADORA DE REFERENCIA, S.A. | €150K | GDPR | Spanish Data Protection Authority (AEPD) | Spain | Non-compliance with lawful basis for data processing | --Articles: Art. 6 GDPR, Art. 32 GDPR |
| 2019-12-19 | Aegean Marine Petroleum Network Inc. | €150K | GDPR | Hellenic Data Protection Authority (HDPA) | Greece | Failure to comply with data processing principles | --Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 32 GDPR |
| 2020-07-28 | Arp Hansel Hotel Group A/S | €148K | GDPR | Danish Data Protection Authority (Datatilsynet) | Denmark | Failure to implement sufficient measures to ensure information security | --Articles: Art. 5 (1) e) GDPR |
| 2019-02-01 | Leave.EU & GoSkippy | €140K | GDPR | Information Commissioner | United Kingdom | Non-compliance with the right of consent | Leave.EU subscriber emails contained marketing ads related to the GoSkippy servi...Leave.EU subscriber emails contained marketing ads related to the GoSkippy services of the Eldon Insurance firm. The data subjects did not give their consent to this, hence the fine issued by the ICO. Articles: Art.14 of the GDPR |
| 2019-02-01 | Leave.EU & GoSkippy | €140K | GDPR | Information Commissioner | United Kingdom | Non-compliance with the right of consent | --Articles: Art.14 of the GDPR |
| 2023-03-15 | Vodafone Espana, S.A.U. | €136K | GDPR | Spanish Data Protection Authority (AEPD) | Spain | Non-compliance with lawful basis for data processing | --Articles: Art. 6 GDPR, Art. 32 GDPR |
| 2021-08-05 | Insurance Company | €135K | GDPR | National Commission for Data Protection (CNPD) | Luxembourg | Failure to comply with data processing principles | --Articles: Art. 5 (1) f) GDPR, Art. 32 (1) a), b) GDPR, Art. 33 (1), (5) GDPR |
| 2020-05-03 | Telenor Norge AS | €134K | GDPR | Norwegian Supervisory Authority (Datatilsynet) | Norway | Failure to implement sufficient measures to ensure information security | --Articles: Art. 32 GDPR |
| 2022-06-22 | Gyldendal A/S | €134K | GDPR | Danish Data Protection Authority (Datatilsynet) | Denmark | Failure to comply with data processing principles | --Articles: Art. 5 (1) e) GDPR |
| 2022-07-13 | DKV Seguros y Reaseguros, S.A.E. | €132K | GDPR | Spanish Data Protection Authority (AEPD) | Spain | Failure to comply with data processing principles | --Articles: Art. 5 (1) f) GDPR, Art. 32 GDPR, Art. 33 GDPR |
| 2019-06-27 | Unicredit Bank SA | €130K | GDPR | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Romania | Failure to implement sufficient measures to ensure information security | The Company was issued a fine because it had failed to provide the necessary sec...The Company was issued a fine because it had failed to provide the necessary security and organization measures in two cases. Firstly, it failed in the appropriate determination of the data processing means. Secondly, it failed in the appropriate implementation of necessary security safeguards, which led to the public disclosure of the personal data of over 337.042 people. Articles: Art. 25 (1) GDPR, Art. 5 (1) c) GDPR |
| 2019-06-27 | Unicredit Bank SA | €130K | GDPR | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Romania | Failure to implement sufficient measures to ensure information security | --Articles: Art. 25 (1) GDPR, Art. 5 (1) c) GDPR |
| 2023-03-16 | CITYSCOOT | €125K | GDPR | French Data Protection Authority (CNIL) | France | Failure to comply with data processing principles | --Articles: Art. 5 (1) c) GDPR, Art. 28 (3) GDPR, Art. 82 Loi informatique et libertés |
| 2022-03-08 | Energy company | €124K | GDPR | Croatian Data Protection Authority (AZOP) | Croatia | Non-compliance with subjects' rights protection safeguards | --Articles: Art. 15 (3) GDPR |
| 2022-12-27 | Company | €122K | GDPR | Deputy Data Protection Ombudsman | Finland | Insufficient fulfilment of information obligations | --Articles: Art. 9 GDPR |
| 2020-02-27 | Vodafone España | €120K | GDPR | Spanish Data Protection Authority (AEPD) | Spain | Non-compliance with lawful basis for data processing | The company was not able to prove that an individual had given them consent to a...The company was not able to prove that an individual had given them consent to access and process their personal data with the goal of opening a telephone contract. The AEPD further explained that the company unlawfully disclosed the affected person’s personal data to third party credit agencies. Articles: Art. 5 GDPR |