Search Privacy Fines

Articles: Art. 32 GDPR

The company was fined because it processed personal data without the consent of the affected parties.

Articles: Art. 5 GDPR, Art. 6 GDPR

A second fine was issued to the company for the unlawful processing of employee biometric data (fingerprints). The processing of biometric data allegedly was necessary to give employees access to certain rooms. The national DPA argued that this was too excessive.

Articles: Art. 5 (1) GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 9 GDPR

The company installed video surveillance in order to monitor employee activity. The problem arose from the fact that some cameras were installed in the locker rooms where the staff kept their spare clothes and regularly used to get dressed and undressed.

Articles: Art. 5 (1) GDPR, Art. 6 GDPR, Art. 7 GDPR

Articles: Art. 6 (1) GDPR

Articles: Art. 31 GDPR, Art. 58 GDPR

The company sent advertising emails to multiple recipients where every one of the recipients was able to see the email address of all other recipients. This was because the sender sent all the email addresses as CC instead of BCC.

Articles: Art. 32 GDPR

An insurance company sent advertising emails to clients without the necessary consent.

Articles: Art. 6 GDPR

Two Belgian politicians, a city councilor and a mayor have been fined €5,000 each for sending out campaign emails to recipients who have not consented to receive such emails.

Articles: Art. 6 GDPR

Two Belgian politicians, a city councilor and a mayor have been fined €5,000 each for sending out campaign emails to recipients who have not consented to receive such emails.

Articles: Art. 6 GDPR

Articles: Art. 12 (1) GDPR, Art. 15 (1) GDPR

Articles: Art. 24 GDPR, Art. 32 GDPR

Vodafone mistakenly charged a customer whose information it disclosed to BADEXCUG, a solvency registry. SETSTI, the Spanish telecommunications and information agency demanded that Vodafone reimburse the client. The AEPD decided that Vodafone had acted erroneously and that it had breached the principle of accuracy.

Articles: Art. 5 (1) d) GDPR

The data controller company lacked a data processing agreement with the Spanish service provider.

Articles: Art. 28 of the GDPR

Articles: Art. 6 GDPR

Articles: Art. 6 GDPR

Articles: Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 9 (2), (4) GDPR, Art. 37 (7) GDPR

Articles: Art. 6 GDPR

The data controller could not provide access to personal information to a patient because the dossier could not be identified. The patient complained to the Commissioner about this, and the hospital was fined 5.000 Euros.

Articles: Art. 15 GDPR

This fine was apparently withdrawn. The case concerned the Kolibri Image who lodged a complaint that a service provider did not want to sign a processing agreement. Afterward, the Kolibri Image was fined because it didn’t have any processing agreement with the service provider. However, the company argued that the service provider was not a processor, and therefore the fine was unreasonable and unwarranted.

Articles: Art. 28 (3) GDPR

Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 2-ter Codice della privacy

The Lands Authority had a data breach where 10 GB worth of personal data was publicly accessible on the internet. The data contained sensitive information about data subjects. The Data Protection Commissioner might issue a fine of 25.000 Euros for each of the violations (data breaches).

Articles: Art. 5 GDPR, Art. 32 GDPR

Articles: Art. 5 GDPR, Art. 6 GDPR

Articles: Art. 5 (1) a), f) GDPR, Art. 9 GDPR

Articles: Art. 32 (1) b), (2) GDPR