Search Privacy Fines
Browse and filter privacy enforcement fines worldwide.
2,028 fines found
Total: $8.1B
| Date | Company | Fine | Regulation | Authority | Country | Type | Summary |
|---|---|---|---|---|---|---|---|
| 2020-03-03 | Vodafone España | €24K | GDPR | Spanish Data Protection Authority (AEPD) | Spain | Non-compliance with lawful basis for data processing | The company sent two SMS messages to a person informing them about the rate chan...The company sent two SMS messages to a person informing them about the rate change of a contract as well as the purchase of a mobile phone. The customer did not consent to the processing of their personal data and Vodafone sent the text messages without prior written consent from the customer. Articles: Art. 5 GDPR, Art. 6 GDPR |
| 2020-08-31 | Surveyor General of Poland (‘GKK’) | €23K | GDPR | Polish National Personal Data Protection Office (UODO) | Poland | Failure to comply with data processing principles | --Articles: Art. 5 GDPR, Art. 6 GDPR |
| 2020-07-15 | Office for geodesy and cartography | €22K | GDPR | Polish National Personal Data Protection Office (UODO) | Poland | Failure to implement sufficient measures to ensure information security | --Articles: Art. 32 GDPR, Art. 58 GDPR |
| 2020-12-10 | Budapesti Műszaki és Gazdaságtudományi Egyetem (Budapest University of Technology and Economics) | €22K | GDPR | Hungarian National Authority for Data Protection and the Freedom of Information | Hungary | Multiple | --Articles: Art. 5 (1) a), b), c) GDPR, Art. 6 (1) GDPR, Art. 9 (2) GDPR, Art. 12 GDPR, Art. 13 GDPR |
| 2019-10-19 | Vodafone Espana | €21K | GDPR | Spanish Data Protection Authority (AEPD) | Spain | Non-compliance with lawful basis for data processing | Vodafone had processed personal data of the claimant (bank details, name, surnam...Vodafone had processed personal data of the claimant (bank details, name, surname and national identification number) years after the contractual relationsid had ended. The fine of EUR 35.000 was reduced to EUR 21.000.Vodafone processed the personal details of a former client, details that included first name, last name and national ID number, several years after their contractual relationship had ended. The initial fine was set at €35,000 but it was reduced to €21,000 due to cooperation on behalf of Vodafone Espana. Articles: Art. 6 (1) GDPR |
| 2019-10-19 | Vodafone Espana | €21K | GDPR | Spanish Data Protection Authority (AEPD) | Spain | Non-compliance with lawful basis for data processing | --Articles: Art. 6 (1) GDPR |
| 2020-03-10 | Addiction Medicine Center | €21K | GDPR | Icelandic Data Protection Authority ('Persónuvernd') | Iceland | Failure to implement sufficient measures to ensure information security | --Articles: Art. 5 (1) f) GDPR, Art. 32 GDPR |
| 2020-03-10 | Addiction Medicine Center | €21K | GDPR | Icelandic Data Protection Authority ('Persónuvernd') | Iceland | Failure to implement sufficient measures to ensure information security | A former employee of National Center of Addiction Medicine (‘SAA’) r...A former employee of National Center of Addiction Medicine (‘SAA’) received boxes that contained personal belongings that he supposedly left there but personal data and health records of 252 former patients and documents with the names of around 3,000 individuals who once participated in an alcohol and drug abuse rehabilitation program. Articles: Art. 5 (1) f) GDPR, Art. 32 GDPR |
| 2020-08-04 | PrivatBo A.M.B.A | €20K | GDPR | Danish Data Protection Authority (Datatilsynet) | Denmark | Failure to implement sufficient measures to ensure information security | --Articles: Art. 5 GDPR, Art. 32 GDPR |
| 2022-08-17 | Danish Immigration Agency | €20K | GDPR | Danish Data Protection Authority (Datatilsynet) | Denmark | Failure to implement sufficient measures to ensure information | --Articles: Art. 5 (1) f) GDPR, Art. 32 GDPR |
| 2021-12-16 | Corradi s.r.l. | €20K | GDPR | Italian Data Protection Authority (Garante) | Italy | Non-compliance with lawful basis for data processing | --Articles: Art. 5 (1) a), c), e) GDPR, Art. 13 GDPR, Art. 157 Codice della privacy |
| 2018-11-21 | Knuddels.de | €20K | GDPR | Data Protection Authority of Baden-Wuerttemberg | Germany | Failure to implement sufficient measures to ensure information security | --Articles: Art. 32 GDPR |
| 2021-12-16 | FCA Italy s.p.a. | €20K | GDPR | Italian Data Protection Authority (Garante) | Italy | Non-compliance with subjects' rights protection safeguards | --Articles: Art. 12 GDPR |
| 2022-05-13 | Synlab Med srl | €20K | GDPR | Italian Data Protection Authority (Garante) | Italy | Failure to comply with data processing principles | --Articles: Art. 5 (1) a), c) GDPR, Art. 9 GDPR, Art. 2-ter Codice della privacy |
| 2022-10-03 | PIRAEUS BANK S.A. | €20K | GDPR | Hellenic Data Protection Authority (HDPA) | Greece | Failure to implement sufficient measures to ensure information security | --Articles: Art. 13 GDPR |
| 2019-06-13 | Uniontrad Company | €20K | GDPR | French Data Protection Authority (CNIL) | France | Non-compliance with lawful basis for data processing | Complaints from the employees were received that they were unlawfully filmed in ...Complaints from the employees were received that they were unlawfully filmed in the workspace. The company failed to observe the rules pertaining to the unlawful filming of employees all the time, and the necessity of providing information related to the data processing to the employees. The CNIL performed an audit in October 2018, and the company wasn’t observing the data protection laws. Therefore, fines were issued. Articles: Art. 5 (1) c) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 32 GDPR |
| 2020-02-03 | Iberia Lineas Aereas | €20K | GDPR | Spanish Data Protection Authority (AEPD) | Spain | Non-compliance with lawful basis for data processing | The company continued to send emails to individuals even after the affected indi...The company continued to send emails to individuals even after the affected individuals have requested to be removed from the company’s database or be added to a “no-contact” list. Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 21 GDPR |
| 2022-05-12 | Bazar di Hu Xiaoyan | €20K | GDPR | Italian Data Protection Authority (Garante) | Italy | Failure to comply with data processing principles | --Articles: Art. 5 GDPR, Art. 13 GDPR, Art. 114 Codice della privacy |
| 2020-01-01 | Unknown | €20K | GDPR | Data Protection Commissioner of Malta | Malta | Non-compliance with subjects' rights protection safeguards | --Articles: Art. 13 GDPR, Art. 15 GDPR |
| 2019-06-13 | Uniontrad Company | €20K | GDPR | French Data Protection Authority (CNIL) | France | Non-compliance with lawful basis for data processing | --Articles: Art. 5 (1) c) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 32 GDPR |
| 2019-10-09 | Vreau Credit SRL | €20K | GDPR | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Romania | Failure to implement sufficient measures to ensure information security | --Articles: Art. 32 GDPR, Art. 33 GDPR |
| 2020-11-06 | Xfera Moviles S.A. | €20K | GDPR | Spanish Data Protection Authority (AEPD) | Spain | Failure to implement sufficient measures to ensure information security | --Articles: Art. 31 GDPR |
| 2019-10-09 | Vreau Credit SRL | €20K | GDPR | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Romania | Failure to implement sufficient measures to ensure information security | The Company sent personal information through the WhatsApp platform to Raiffeise...The Company sent personal information through the WhatsApp platform to Raiffeisen Bank in order to facilitate the assessment of personal scores. The results were returned on the same platform. Articles: Art. 32 GDPR, Art. 33 GDPR |
| 2022-01-01 | Telecommunications company | €20K | GDPR | Croatian Data Protection Authority (AZOP) | Croatia | Non-compliance with lawful basis for data processing | --Articles: Art. 6 (1) GDPR, Art. 5 (1) d) GDPR |
| 2022-11-10 | Sporitalia | €20K | GDPR | Italian Data Protection Authority (Garante) | Italy | Failure to comply with data processing principles | --Articles: Art. 5 (1) a) GDPR, Art. 9 GDPR, Art. 13 GDPR, Art. 30 (1) c) GDPR |