Search Privacy Fines
Browse and filter privacy enforcement fines worldwide.
2,014 fines found
Total: $6.2B
| Date | Company | Fine | Regulation | Authority | Country | Type | Summary |
|---|---|---|---|---|---|---|---|
| 2022-12-13 | Alektum Oy | €750K | GDPR | Deputy Data Protection Ombudsman | Finland | Insufficient fulfilment of data subjects rights | Articles: Art. 12 (3) GDPR, Art. 15 (1), (3) GDPR |
| 2021-04-09 | TikTok | €750K | GDPR | Dutch Supervisory Authority for Data Protection (AP) | Netherlands | Information obligation non-compliance | Articles: Art. 12 GDPR |
| 2020-04-30 | Unknown organization | €725K | GDPR | Dutch Supervisory Authority for Data Protection (AP) | Netherlands | Non-compliance with lawful basis for data processing | Articles: Art. 5 GDPR, Art. 9 GDPR |
| 2022-03-28 | Klarna Bank AB | €720K | GDPR | Data Protection Authority of Sweden | Sweden | Failure to comply with data processing principles | Articles: Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 12 (1) GDPR, Art. 13 (2) f) GDPR, Art. 14 (2) g) GDPR |
| 2022-02-01 | Orange Espagne, S.A.U. | €700K | GDPR | Spanish Data Protection Authority (AEPD) | Spain | Non-compliance with lawful basis for data processing | Articles: Art. 5 (1) f) GDP |
| 2019-09-10 | Morele.net | €645K | GDPR | Polish National Personal Data Protection Office (UODO) | Poland | Failure to implement sufficient measures to ensure information security | Morele.net was sanctioned with a fine of PLN 2.8 million because it hadn’t ensured the proper security standards of customers’ data. As a consequence, more than 2.2 million people had their personal data accessed illegally. Articles: Art. 32 GDPR |
| 2019-09-10 | Morele.net | €645K | GDPR | Polish National Personal Data Protection Office (UODO) | Poland | Failure to implement sufficient measures to ensure information security | Articles: Art. 32 GDPR |
| 2022-02-08 | Budapest Bank Zrt. | €634K | GDPR | Hungarian National Authority for Data Protection and the Freedom of Information | Hungary | Failure to comply with data processing principles | Articles: Art. 5 (1) a), b) GDPR, Art. 6 (1), (4) GDPR, Art. 12 (1) GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 21 (1), (2) GDPR, Art. 24 (1) GDPR, Art. 25 (1), (2) GDPR |
| 2021-12-07 | Psykoterapiakeskus Vastaamo | €608K | GDPR | Deputy Data Protection Ombudsman | Finland | Failure to comply with data processing principles | Articles: Art. 5 (1) f) GDPR, Art. 33 (1) GDPR, Art. 34 (1) GDPR |
| 2020-07-14 | Google Belgium SA | €600K | GDPR | Belgian Data Protection Authority (APD) | Belgium | Non-compliance with lawful basis for data processing | Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 17 (1) a) GDPR, Art. 12 GDPR |
| 2022-08-19 | ACCOR SA | €600K | GDPR | French Data Protection Authority (CNIL) | France | Failure to implement sufficient measures to ensure information | Articles: Art. 12 GDPR, Art. 13 GDPR, Art. 15 GDPR, Art. 21 GDPR, Art. 32 GDPR, L. 34-5 CPCE |
| 2022-11-24 | ÉLECTRICITÉ DE FRANCE | €600K | GDPR | French Data Protection Authority (CNIL) | France | Non-compliance with subjects' rights protection safeguards | Articles: Art. 7 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 15 GDPR, Art. 21 GDPR, Art. L. 34-5 CPCE |
| 2021-11-25 | Cabinet Office | €585K | GDPR | Information Commissioner (ICO) | United Kingdom | Failure to implement sufficient measures to ensure information security | Articles: Art. 5 (1) f) GDPR, Art. 32 GDPR |
| 2022-02-24 | Dutch Foreign Ministry | €565K | GDPR | Dutch Supervisory Authority for Data Protection (AP) | Netherlands | Non-compliance with subjects' rights protection safeguards | Articles: Art. 13 (1) e) GDPR, Art. 32 (1) GDPR |
| 2020-03-03 | Royal Dutch Tennis Assoc. | €525K | GDPR | Dutch Supervisory Authority for Data Protection (AP) | Netherlands | Non-compliance with lawful basis for data processing | The Royal Dutch Tennis Association (“KNLTB”) was fined a total of €525,000 for selling the personal data of more than 350,000 of its members to sponsors. The sponsors then contacted some of these individuals by email and telephone for marketing purposes. Personal data sold included the name, gender, and address of various individuals. No consent was obtained from the affected individuals beforehand. KNLTB argued that it had a legitimate interest to sell this data, and as such did not commit a GDPR breach. The Dutch Data Protection Authority, however, rejected this and ruled that KNLTB had no legal basis to sell the personal data of its members to third parties. Articles: Art. 5 GDPR, Art. 6 GDPR |
| 2020-12-20 | Locatefamily.com | €525K | GDPR | Dutch Supervisory Authority for Data Protection (AP) | Netherlands | Failure to comply with data processing principles | Articles: Art. 27 GDPR |
| 2022-01-14 | DPG Media Magazines B.V. | €525K | GDPR | Dutch Supervisory Authority for Data Protection (AP) | Netherlands | Non-compliance with subjects' rights protection safeguards | Articles: Art. 12 (2) GDPR |
| 2022-09-20 | Unknown company | €525K | GDPR | Data Protection Authority of Berlin | Germany | Non-cooperation with Data Protection Authority | Articles: Art. 38 (6) GDPR |
| 2020-03-03 | Royal Dutch Tennis Assoc. | €525K | GDPR | Dutch Supervisory Authority for Data Protection (AP) | Netherlands | Non-compliance with lawful basis for data processing | Articles: Art. 5 GDPR, Art. 6 GDPR |
| 2022-10-31 | TECHPUMP SOLUTIONS, S.L. | €525K | GDPR | Spanish Data Protection Authority (AEPD) | Spain | Several | Articles: Art. 5 (1) a), b), e) GDPR, Art. 6 (1) GDPR, Art. 8 GDPR, Art. 12 (1), (2) GDPR, Art. 13 GDPR, Art. 25 GDPR, Art. 30 (1) GDPR, Art. 22 (2) LSSI |
| 2019-08-28 | DSK Bank | €511K | GDPR | Data Protection Commission of Bulgaria (KZLD) | Bulgaria | Failure to implement sufficient measures to ensure information security | Data leakage due to the inappropriate security and organizational measures of the company. Information related to more than 23.000 credit records belonging to more than 33.000 customers was made public. The data included names, ID numbers, biometric data, addresses, and copies of identity cards. Articles: Art. 32 GDPR |
| 2019-08-28 | DSK Bank | €511K | GDPR | Data Protection Commission of Bulgaria (KZLD) | Bulgaria | Failure to implement sufficient measures to ensure information security | Articles: Art. 32 GDPR |
| 2020-12-17 | Roma Capitale (Rome Municipality) | €500K | GDPR | Italian Data Protection Authority (Garante) | Italy | Multiple | Articles: Art. 5 (1) a) GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 28 (2), (3) GDPR, Art. 32 GDPR |
| 2022-05-04 | Bulgarian Post EAD | €500K | GDPR | Data Protection Commission of Bulgaria (KZLD) | Bulgaria | Failure to implement sufficient measures to ensure information security | Articles: Art. 32 (1) b), c), d) GDPR, Art. 32 (2) GDPR |
| 2021-06-14 | Brico Prive | €500K | GDPR | French Data Protection Authority (CNIL) | France | Failure to implement sufficient measures to ensure information security | Articles: Art. 5 (1) e) GDPR, Art. 13 GDPR, Art. 17 GDPR, Art. 32 GDPR, Art. 82 Loi informatique et libertés, Art. L. 34-5 CPCE |