Search Privacy Fines
Browse and filter privacy enforcement fines worldwide.
2,028 fines found
Total: $8.1B
| Date | Company | Fine | Regulation | Authority | Country | Type | Summary |
|---|---|---|---|---|---|---|---|
| 2023-02-17 | Suomen Asiakastieto Oy | €440K | GDPR | Deputy Data Protection Ombudsman | Finland | Non-cooperation with Data Protection Authority | Articles: Art. 58 (2) GDPR |
| 2021-10-18 | Østre Toten municipality | €412K | GDPR | Norwegian Supervisory Authority (Datatilsynet) | Norway | Non-compliance with lawful basis for data processing | Articles: Art. 5 (1) f) GDPR, Art. 32 GDPR |
| 2021-07-26 | Monsanto Corporation | €400K | GDPR | French Data Protection Authority (CNIL) | France | Information obligation non-compliance | Articles: Art. 14 GDPR, Art. 28 GDPR |
| 2018-07-17 | Hospital | €400K | GDPR | Portuguese Data Protection Authority (CNPD) | Portugal | Failure to implement sufficient measures to ensure information security | The hospital was found to have created fake doctor profiles for personnel to unlawfully access patient data. The management system found 985 registered doctors when the hospital had only 296 doctors. Articles: Art. 5 (1) f) GDPR, Art. 32 GDPR |
| 2021-07-22 | Atac s.p.a. | €400K | GDPR | Italian Data Protection Authority (Garante) | Italy | Failure to implement sufficient measures to ensure information security | Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 30 GDPR, Art. 32 GDPR |
| 2018-07-17 | Hospital | €400K | GDPR | Portuguese Data Protection Authority (CNPD) | Portugal | Failure to implement sufficient measures to ensure information security | Articles: Art. 5 (1) f) GDPR, Art. 32 GDPR |
| 2021-11-12 | Transavia | €400K | GDPR | Dutch Supervisory Authority for Data Protection (AP) | Netherlands | Failure to implement sufficient measures to ensure information security | Articles: Art. 32 (1), (2) GDPR |
| 2019-05-28 | SERGIC | €400K | GDPR | French Data Protection Authority (CNIL) | France | Failure to implement sufficient measures to ensure information security | The company was fined for two reasons: the complete lack of security measures, and excessive data storage. Regarding the former, personal data, including health cards, IDs, divorce judgments, and account statements, were available online with no authentication procedure. Moreover, the company breached the data storage deadline it had in place and kept clients’ data for longer than it should have. Articles: Art. 32 GDPR |
| 2021-11-04 | Régie autonome des transports parisiens | €400K | GDPR | French Data Protection Authority (CNIL) | France | Non-compliance with lawful basis for data processing | Articles: Art. 5 (1) c) GDPR, Art. 5 (1) e) GDPR, Art. 5 (2) GDPR, Art. 32 GDPR |
| 2019-05-28 | SERGIC | €400K | GDPR | French Data Protection Authority (CNIL) | France | Failure to implement sufficient measures to ensure information security | Articles: Art. 32 GDPR |
| 2020-11-24 | City of Stockholm | €394K | GDPR | Data Protection Authority of Sweden | Sweden | Failure to implement sufficient measures to ensure information security | Articles: Art. 5 GDPR, Art. 32 GDPR |
| 2020-12-03 | Karolinska University Hospital of Solna | €390K | GDPR | Data Protection Authority of Sweden | Sweden | Failure to implement sufficient measures to ensure information security | Articles: Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 32 (1) GDPR, Art. 32 (2) GDPR |
| 2021-02-11 | Roma Capitale | €350K | GDPR | Italian Data Protection Authority (Garante) | Italy | Failure to implement sufficient measures to ensure information security | Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 28 GDPR, Art. 32 GDPR |
| 2020-12-03 | Sahlgrenska University Hospital | €341K | GDPR | Data Protection Authority of Sweden | Sweden | Failure to implement sufficient measures to ensure information security | Articles: Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 32 (1) GDPR, Art. 32 (2) GDPR |
| 2019-12-17 | Doorstep Dispensaree | €320K | GDPR | Information Commissioner (ICO) | United Kingdom | Failure to implement sufficient measures to ensure information security | Articles: Art. 32 GDPR |
| 2019-12-20 | Doorstep Dispensaree | €320K | GDPR | Information Commissioner (ICO) | United Kingdom | Failure to implement sufficient measures to ensure information security | The company had stored some 500,000 documents containing names, addresses, dates of birth, NHS numbers and medical information and prescriptions in unsealed containers at the back of the building and failed to protect these documents from the elements, resulting in water damage to the documents. The company stored around 500,000 documents that contained the names, addresses, birth dates, and NHS identification numbers as well as medical information and prescriptions in unsealed containers at the back of a building. As a result of this, the documents were exposed to the elements, which resulted in water damage and potentially in the loss of some data. Articles: Art. 32 GDPR |
| 2023-01-01 | Ediscom S.p.a. | €300K | GDPR | Italian Data Protection Authority (Garante) | Italy | Failure to comply with data processing principles | Articles: Art. 5 (1) a), b), c) GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 14 GDPR, Art. 25 GDPR, Art. 130 Codice della privacy |
| 2022-12-08 | FREE SAS | €300K | GDPR | French Data Protection Authority (CNIL) | France | Non-compliance with subjects' rights protection safeguards | Articles: Art. 12 GDPR, Art. 15 GDPR, Art. 17 GDPR, Art. 32 GDPR, Art. 33 GDPR |
| 2021-12-28 | FREE MOBILE | €300K | GDPR | French Data Protection Authority (CNIL) | France | Failure to implement sufficient measures to ensure information security | Articles: Art. 12 GDPR, Art. 15 GDPR, Art. 21 GDPR, Art. 25 GDPR, Art. 32 GDPR |
| 2021-03-10 | VfB Stuttgart 1893 AG | €300K | GDPR | Data Protection Authority of Baden-Wuerttemberg | Germany | Non-compliance with lawful basis for data processing | Articles: Art. 5 (2) GDPR |
| 2019-12-02 | Unknown | €294K | GDPR | Data Protection Authority of Niedersachsen | Germany | Failure to comply with data processing principles | A company was fined €294,000 because of the “unnecessarily long” storage and retention of personal data in the selection of personnel. During the selection process, even health data was requested, which was excessive according to the DPA. Articles: Art. 5 GDPR |
| 2019-12-02 | Unknown | €294K | GDPR | Data Protection Authority of Niedersachsen | Germany | Failure to comply with data processing principles | Articles: Art. 5 GDPR |
| 2020-06-12 | Digi Távközlési Szolgáltató Kft. | €288K | GDPR | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | Hungary | Failure to implement sufficient measures to ensure information security | Articles: Art. 5 (1) b), (e) GDPR, Art. 32 (1), (2) GDPR |
| 2022-07-21 | Telecommunications company | €285K | GDPR | Croatian Data Protection Authority (AZOP) | Croatia | Failure to implement sufficient measures to ensure information security | Articles: Art. 25 (1) GDPR, Art. 32 (1) b) GDPR, Art. 32 (2) GDPR |
| 2020-09-03 | Bergen Municipality | €276K | GDPR | Norwegian Supervisory Authority (Datatilsynet) | Norway | Failure to implement sufficient measures to ensure information security | Articles: Art. 5 (1) f) GDPR, Art. 32 GDPR |