Search Privacy Fines

Articles: Art. 5 (1) f) GDPR, Art. 32 GDPR

Articles: Art. 13 (1) e) GDPR, Art. 32 (1) GDPR

Articles: Art. 5 (1) a), b), e) GDPR, Art. 6 (1) GDPR, Art. 8 GDPR, Art. 12 (1), (2) GDPR, Art. 13 GDPR, Art. 25 GDPR, Art. 30 (1) GDPR, Art. 22 (2) LSSI

Articles: Art. 27 GDPR

Articles: Art. 12 (2) GDPR

Articles: Art. 38 (6) GDPR

Articles: Art. 5 GDPR, Art. 6 GDPR

The Royal Dutch Tennis Association (“KNLTB”) was fined a total of €525,000 for selling the personal data of more than 350,000 of its members to sponsors. The sponsors have then contacted some of these individuals by email and telephone for marketing purposes. Personal data sold included the name, gender, and address of various individuals. No consent was obtained from the affected individuals beforehand. The Royal Dutch Tennis Association (“KNLTB”) argued that it had a legitimate interest to sell this data, and as such did not commit a GDPR breach. The Dutch Data Protection Authority, however, rejected this and ruled that KNLTB had no legal basis to sell the personal data of its members to third parties.

Articles: Art. 5 GDPR, Art. 6 GDPR

Articles: Art. 32 GDPR

Data leakage due to the inappropriate security and organizational measures of the company. Information related to more than 23.000 credits records belonging to more than 33.000 customers were made public. The data included names, ID numbers, biometric data, addresses, and copies of identity cards.

Articles: Art. 32 GDPR

Articles: Art. 5 (1) e) GDPR, Art. 13 GDPR, Art. 17 GDPR, Art. 32 GDPR, Art. 82 Loi informatique et libertés, Art. L. 34-5 CPCE

Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 21 GDPR

Articles: Art. 5 (1) a) GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 28 (2), (3) GDPR, Art. 32 GDPR

Futura Internationale was fined because after several individuals have complained that they were cold-called by the company even after they have expressly requested not to be called again. The reason why the fine was so high relative to similar cases and fines was that the CNIL determined that the company had received a large number of letters requesting to be taken off from the call lists but decided to ignore them. More so, Futura Internationale was found to store excessive information about customers and their health data. The company did also not inform their customers about the processing of their personal data and that all telephone conversations were recorded.

Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 21 GDPR

Articles: Art. 32 (1) b), c), d) GDPR, Art. 32 (2) GDPR

Articles: Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 12 (1) GDPR, Art. 13 GDPR, Art. 130 (1), (2), (3) Codice della privacy

Articles: Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 28 (3) GDPR, Art. 32 (2) GDPR, Art. 44 GDPR

Articles: Art. 32 GDPR, Art. 33 GDPR, Art. 34 GDPR

Failed to secure consumer data, leading to breach affecting millions. CEO ordered to implement security program.

Articles: Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 32 (1) GDPR

Articles: Art. 32 GDPR

After a serious investigation, the DDPA surmised that the Hague Hospital failed to provide the appropriate security measures for possession of patient records. This investigation had started following several events when multiple staff hospital members had checked the personal data of a Dutch person. Measures were taken, and the hospital was warned – it would have to update its security measures by the 2nd of October 2019 or it would incur e penalty of 100.000 EUR every two weeks.

Articles: Art. 32 GDPR

Articles: Art. 33 (1), (5) GDPR

Articles: Art. 32 GDPR

Articles: Art. 5 (1) f), (2) GDPR, Art. 25 (1) GDPR, Art. 32 (1) b), d), (2) GDPR