Search Privacy Fines
Browse and filter privacy enforcement fines worldwide.
2,028 fines found
Total: $8.1B
| Date | Company | Fine | Regulation | Authority | Country | Type | Summary |
|---|---|---|---|---|---|---|---|
| 2021-09-06 | Hellenic Technical Enterprises Ltd. | €40K | GDPR | Cypriot Data Protection Commissioner | Cyprus | Failure to implement sufficient measures to ensure information security | --Articles: Art. 32 GDPR |
| 2020-06-09 | Telefónica SA | €40K | GDPR | Spanish Data Protection Authority (AEPD) | Spain | Non-compliance with lawful basis for data processing | --Articles: Art. 6 GDPR |
| 2022-11-10 | Usl Valle d’Aosta | €40K | GDPR | Italian Data Protection Authority (Garante) | Italy | Failure to comply with data processing principles | --Articles: Art. 5 (1) a), f) GDPR, Art. 9 GDPR, Art. 25 GDPR, Art. 32 GDPR |
| 2022-04-07 | Azienda ospedaliera di Perugia | €40K | GDPR | Italian Data Protection Authority (Garante) | Italy | Failure to implement sufficient measures to ensure information security | --Articles: Art. 5 (1) a), f) GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 25 GDPR, Art. 30 GDPR, Art. 32 GDPR, Art. 35 GDPR |
| 2020-03-03 | Vodafone España | €40K | GDPR | Spanish Data Protection Authority (AEPD) | Spain | Non-compliance with lawful basis for data processing | The company sent a text message to a person’s phone number informing them ...The company sent a text message to a person’s phone number informing them that their contract was modified. The affected person, however, was not actually a Vodafone client. The AEPD determined that Vodafone had processed the affected person’s personal details without consent. Articles: Art. 5 GDPR |
| 2021-05-28 | BRAbank ASA | €40K | GDPR | Norwegian Supervisory Authority (Datatilsynet) | Norway | Failure to implement sufficient measures to ensure information security | --Articles: Art. 24 GDPR, Art. 32 (1), (2) GDPR |
| 2020-06-09 | Xfera Moviles S.A. | €39K | GDPR | Spanish Data Protection Authority (AEPD) | Spain | Non-compliance with lawful basis for data processing | --Articles: Art. 5 (1) f) GDPR |
| 2021-01-14 | Coop Finmark SA | €39K | GDPR | Norwegian Supervisory Authority (Datatilsynet) | Norway | Failure to comply with data processing principles | --Articles: Art. 5 (1) a) GDPR, Art. 6 GDPR |
| 2021-01-12 | Unknown | €39K | GDPR | Norwegian Supervisory Authority (Datatilsynet) | Norway | Failure to comply with data processing principles | --Articles: Art. 5 GDPR, Art. 6 GDPR |
| 2020-02-28 | Coop Finnmark SA | €37K | GDPR | Norwegian Supervisory Authority (Datatilsynet) | Norway | Non-compliance with lawful basis for data processing | --Articles: Art. 5 GDPR, Art. 6 GDPR |
| 2019-10-25 | Vodafone Espana | €36K | GDPR | Spanish Data Protection Authority (AEPD) | Spain | Non-compliance with lawful basis for data processing | --Articles: Art. 5 GDPR, Art. 6 GDPR |
| 2019-04-01 | Vodafone Espana | €36K | GDPR | Spanish Data Protection Authority (AEPD) | Spain | Non-compliance with lawful basis for data processing | --Articles: Art. 5 (1) f) GDPR |
| 2020-12-21 | Banco Bilbao Vizcaya Argentaria, S.A. | €36K | GDPR | Spanish Data Protection Authority (AEPD) | Spain | Failure to comply with data processing principles | --Articles: Art. 5 (1) d) GDPR |
| 2019-10-25 | Vodafone Espana | €36K | GDPR | Spanish Data Protection Authority (AEPD) | Spain | Non-compliance with lawful basis for data processing | Vodafone Espana called the complainant to offer its services but the data subjec...Vodafone Espana called the complainant to offer its services but the data subject refused. His personal data had been acquired by the company through his daughter. Despite his refusal, Vodafone Espana provided the services and demanded payment for them. Therefore, the company had unlawfully processed the complainant’s personal data without express consent. Articles: Art. 5 GDPR, Art. 6 GDPR |
| 2019-04-01 | Vodafone Espana | €36K | GDPR | Spanish Data Protection Authority (AEPD) | Spain | Non-compliance with lawful basis for data processing | The company had sent a number of emails to a significant number of recipients wi...The company had sent a number of emails to a significant number of recipients without using the BCC feature that would have hid the email addresses of all the recipients from each other. The original fine was set at €60,000 but reduced to €36,000. Articles: Art. 5 (1) f) GDPR |
| 2020-11-19 | Vodafone España, SAU | €36K | GDPR | Spanish Data Protection Authority (AEPD) | Spain | Failure to comply with data processing principles | --Articles: Art. 5 GDPR, Art. 6 GDPR |
| 2022-05-03 | City of Reikjavik | €36K | GDPR | Icelandic Data Protection Authority ('Persónuvernd') | Iceland | Failure to comply with data processing principles | --Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 32 GDPR |
| 2020-11-19 | Vodafone Espana, S.A.U. | €36K | GDPR | Spanish Data Protection Authority (AEPD) | Spain | Non-compliance with lawful basis for data processing | --Articles: Art. 5 GDPR, Art. 6 GDPR |
| 2020-10-28 | Vodafone España, SAU | €36K | GDPR | Spanish Data Protection Authority (AEPD) | Spain | Failure to comply with data processing principles | --Articles: Art. 5 GDPR, Art. 6 GDPR |
| 2021-06-21 | Sopockie Towarzystwo Ubezpieczeń ERGO Hestia S.A. | €35K | GDPR | Polish National Personal Data Protection Office (UODO) | Poland | Failure to implement sufficient measures to ensure information security | --Articles: Art. 33 (1) GDPR, Art. 34 (1) GDPR |
| 2019-12-16 | Nusvar AB | €35K | GDPR | Data Protection Authority of Sweden | Sweden | Non-compliance with lawful basis for data processing | Nusvar AB, which operates the website Mrkoll.se, a site that provides informatio...Nusvar AB, which operates the website Mrkoll.se, a site that provides information on all Swedes over the age of 16, published information on people with overdue payments. Articles: Art. 6 GDPR |
| 2022-10-17 | OES GLOBAL ENERGY S.L. | €35K | GDPR | Spanish Data Protection Authority (AEPD) | Spain | Failure to comply with data processing principles | --Articles: Art. 5 (1) f) GDPR, Art. 32 GDPR |
| 2019-12-16 | Nusvar AB | €35K | GDPR | Data Protection Authority of Sweden | Sweden | Non-compliance with lawful basis for data processing | --Articles: Art. 6 GDPR |
| 2021-06-09 | Directorate of the Ostra Skaraborg Rescure Service | €35K | GDPR | Data Protection Authority of Sweden | Sweden | Failure to implement sufficient measures to ensure information security | --Articles: Art. 5 (1) a), c) GDPR, Art. 32 (1), (4) GDPR |
| 2019-04-05 | Political Party - Undisclosed | €34K | GDPR | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | Hungary | Information obligation non-compliance | The political party did not notify the NAIH about a data breach. Moreover, it di...The political party did not notify the NAIH about a data breach. Moreover, it didn’t document the data breach as per GDPR article 33.5. Therefore, the political party received a fine of HUF 11.000.000 (equivalent to 34.375 EUR). The hacker behind the breach had used a redirection attack on the official website of the political party and disclosed information about more than 6.000 people. Articles: Art. 33 (1) GDPR, Art. 33 (5) GDPR, Art. 34 (1) GDPR |