GDPR Fine Tracker
An overview of fines and penalties which data protection authorities within the EU have imposed under the EU General Data Protection Regulation (GDPR, DSGVO)
Most of the data is based on enforcementtracker.com, provided by CMS Law.Tax
We added additional functionalities such as multiselect filtering.
id | ID | Date | Country | Authority | Fine in € | Company | Sector | Article | Type | Summary | Link | timestamp | n | c | Link |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | ETid-1 | 2018-12-09 | AUSTRIA | Austrian Data Protection Authority (dsb) | 4,800 | Betting place | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | Video surveillance was not sufficiently marked and a large part of the sidewalk of the facility was recorded. Surveillance of the public space in this way, i.e. on a large scale by private individuals, is not permitted. | link | 02.10.2024 10:23 | 4,800 | 1 | link |
2 | ETid-2 | 2018 | AUSTRIA | Austrian Data Protection Authority (dsb) | 1,800 | Kebab restaurant | Accommodation and Hospitality | Art. 5 GDPR, Art. 13 GDPR, Art. 14 GDPR | Insufficient legal basis for data processing | CCTV was unlawfully used. Sufficient information about the video surveillance was missing. In addition, the storage period of 14 days was too long and therefore against the principle of data minimization. Addendum: Fine has been reduced to EUR 1500 by court, see link | link | 02.10.2024 10:23 | 1,800 | 1 | link |
3 | ETid-3 | 2018-09-27 | AUSTRIA | Austrian Data Protection Authority (dsb) | 300 | Private car owner | Individuals and Private Associations | Art. 5 (1) a) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A dashcam was unlawfully used. | link | 02.10.2024 10:23 | 300 | 1 | link |
4 | ETid-4 | 2018-12-20 | AUSTRIA | Austrian Data Protection Authority (dsb) | 2,200 | Private person | Individuals and Private Associations | Art. 5 (1) a) GDPR, Art. 5 (1) c) GDPR, Art. 6 (1) GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The fine was imposed against a private person who was using CCTV at his home. The video surveillance covered areas which are intended for the general use of the residents of the multi-party residential complex, namely: parking lots, sidewalks, courtyard, garden and access areas to the residential complex; in addition, the video surveillance covered garden areas of an adjacent property. The video surveillance subject of the proceedings is therefore not limited to areas which are under the exclusive power of control of the controller. Video surveillance is therefore not proportionate to the purpose and not limited to what is necessary. The video surveillance records the hallway of the house and films residents entering and leaving the surrounding apartments, thereby intervening in their highly personal areas of life without the consent to record their image data. The video surveillance was not properly indicated. | link | 02.10.2024 10:23 | 2,200 | 1 | link |
5 | ETid-5 | 2019-05-28 | BELGIUM | Belgian Data Protection Authority (APD) | 2,000 | Mayor | Public Sector and Education | Art. 5 (1) b) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The administrative fine was imposed for the misuse of personal data by a mayor for campaign purposes. | link | 02.10.2024 10:23 | 2,000 | 1 | link |
6 | ETid-6 | 2018-12-04 | BULGARIA | Bulgarian Commission for Personal Data Protection (KZLD) | 500 | Bank | Finance, Insurance and Consulting | Art. 5 (1) b) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A fine of 1000 BGN (or roughly 500 EUR) was imposed on a bank for calling a client for the unresolved bills of his neighbor. This provoked the client to invoke his right to be forgotten. After not receiving any answer from the bank he filed another motion, for which the bank did take action in the statutory period. Nonetheless, the client filed a complaint to KZLD. The infringement for which the bank was fined was that the processing of the client’s personal data was not linked to his consumer credit agreement. Since the purpose for which the data were processed was different from that communicated at the time of conclusion of the contract, the bank had, in the point of view of KZLD, to request additional consent from its client. | link link | 02.10.2024 10:23 | 500 | 1 | link link |
7 | ETid-7 | 2019-02-26 | BULGARIA | Bulgarian Commission for Personal Data Protection (KZLD) | 27,100 | Telecommunication service provider | Media, Telecoms and Broadcasting | Art. 6 GDPR, Art. 5 (1) a) GDPR | Insufficient legal basis for data processing | Repeated registration of prepaid services without the knowledge and consent of the data subject. Employees of the telecommunications provider have used personal data and registered the complainant with the company's prepaid service. The data subject had not signed the application and had not consented to the processing of his personal data for the stated purpose. There was also no other legal basis applicable. The signature of the application and the complainant's own genuine application were not identical, and the person's personal identification number was indicated, but the identity card number was not the complainant's. | link | 02.10.2024 10:23 | 27,100 | 1 | link |
8 | ETid-8 | 2019-01-17 | BULGARIA | Bulgarian Commission for Personal Data Protection (KZLD) | 500 | Bank | Finance, Insurance and Consulting | Art. 6 GDPR, Art. 5 (1) a) GDPR | Insufficient legal basis for data processing | A bank gained personal data concerning a student without a legal basis. | link | 02.10.2024 10:23 | 500 | 1 | link |
9 | ETid-9 | 2019-02-22 | BULGARIA | Bulgarian Commission for Personal Data Protection (KZLD) | 500 | Employer | Employment | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | An employee sent a request to his employer for access to personal data concerning him. The request was not answered in time and not in a complete way. | link | 02.10.2024 10:23 | 500 | 1 | link |
10 | ETid-10 | 2019 | CYPRUS | Cypriot Data Protection Commissioner | 5,000 | State Hospital | Health Care | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | A patient complained to the Commissioner that the request for access to her medical file was not satisfied by the hospital because the dossier could not be identified/located by the controller. After investigating the case, an administrative fine of €5,000 was imposed on the hospital. | link | 02.10.2024 10:23 | 5,000 | 1 | link |
11 | ETid-11 | 2019 | CYPRUS | Cypriot Data Protection Commissioner | 10,000 | Newspaper | Media, Telecoms and Broadcasting | Art. 6 GDPR | Insufficient legal basis for data processing | The publication of the newspaper, both in hard copy and in electronic form, allegedly involved inconvenience, unnecessary and unlawful detention of a citizen, and revealed the names and pictures of the two police investigators involved, as well as the photograph of a third police investigator. The Commissioner considered that the aim could be achieved by referring only to the initials of their name and/or their faces being blurred and/or publishing photographs taken from a distance so that it was impossible to identify the persons, and these actions would not bring any change in the nature of the case. | link | 02.10.2024 10:23 | 10,000 | 1 | link |
12 | ETid-12 | 2019-01-10 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 388 | Employer | Employment | Art. 6 GDPR | Insufficient legal basis for data processing | A former employee of a company requested the deletion of information relating to him/her which was published on the Facebook website of the employer and which was still available long after the termination of the employment relationship. The fine was imposed because the employer did not delete the information relating to the former employee. | link | 02.10.2024 10:23 | 388 | 1 | link |
13 | ETid-13 | 2019-02-04 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 1,165 | Car renting company | Industry and Commerce | Art. 5 (1) a) GDPR | Insufficient fulfilment of information obligations | A person who rented a car found out that the car was tracked via GPS by the renting company even though there was no information provided on the fact that the car is being tracked. The Czech Data Protection Authority found that there was no information provided in terms of Art. 13 GDPR and that Art. 6 (1) f) GDPR could not be the legal basis under the concrete circumstances. The UOOU therefore found that there was a violation of Art. 5 (1) a) GDPR, for which it imposed the fine. | link | 02.10.2024 10:23 | 1,165 | 1 | link |
14 | ETid-14 | 2019-02-28 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 582 | Unknown | Not assigned | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Data was not processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality'). | link | 02.10.2024 10:23 | 582 | 1 | link |
15 | ETid-15 | 2019-02-04 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 1,165 | Credit brokerage | Finance, Insurance and Consulting | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Data was not processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality'). | link | 02.10.2024 10:23 | 1,165 | 1 | link |
16 | ETid-16 | 2018-10-25 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 388 | Unknown | Not assigned | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | Information was not provided. | link | 02.10.2024 10:23 | 388 | 1 | link |
17 | ETid-17 | 2019-02-26 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 776 | Unknown | Not assigned | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | Information was not provided. | link | 02.10.2024 10:23 | 776 | 1 | link |
18 | ETid-18 | 2019-03-21 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 10,000 | Unknown | Not assigned | Art. 5 (1) GDPR | Non-compliance with general data processing principles | Data was not only processed if adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation') and not only kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed ('storage limitation'). | link | 02.10.2024 10:23 | 10,000 | 1 | link |
19 | ETid-19 | Unknown | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 3,140 | UniCredit Bank Czech Republic and Slovakia, a.s. | Finance, Insurance and Consulting | Art. 6 GDPR | Insufficient legal basis for data processing | The bank established a personal bank account for a data subject without his consent or knowledge. The bank supposedly had his personal data available because the subject had disposed of his employer’s company account. The bank was not able to provide the Office for Personal Data Protection with the necessary documentation to prove entering into contract with the data subject. | link | 02.10.2024 10:23 | 3,140 | 1 | link |
20 | ETid-20 | 2019-05-06 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 194 | Unknown | Not assigned | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | Information was not provided. | link | 02.10.2024 10:23 | 194 | 1 | link |
21 | ETid-21 | 2019 | DENMARK | Danish Data Protection Authority (Datatilsynet) | 160,000 | Taxa 4x35 | Transportation and Energy | Art. 5 (1) e) GDPR | Non-compliance with general data processing principles | The Danish DPA reported the taxi company to the police and recommended a fine (of 1.2M DKK) for non-adherence to the data-minimization principle. While the company deleted the names of its passengers from all its records after two years, the deletion did not include the rest of the ride records (about 8,873,333 taxi trips). Hence, the company continued to hold onto individuals' phone numbers. Please note: Since Danish law does not provide for administrative fines as in the GDPR (unless it is an uncomplicated case and the accused person consented), fines will be imposed by courts. | link | 02.10.2024 10:23 | 160,000 | 1 | link |
22 | ETid-22 | 2021-02-12 | DENMARK | Danish Data Protection Authority (Datatilsynet) | 13,450 | IDdesign A / S | Industry and Commerce | Art. 5 (1) e) GDPR, Art. 5 (2) GDPR | Non-compliance with general data processing principles | Original summary: On June 3, 2019, the Danish DPA (Datatilsynet) reported IDdesign to the police and demanded payment of a fine in the amount of EUR 200,850 for the processing of personal data of approximately 385,000 customers for a longer period than necessary for the purposes for which they were processed. Additionally, the company had not established and documented deadlines for deletion of personal data in their new CRM system. The deadlines set for the old system were not deleted after the deadline for the information had been reached. Also, the controller had not adequately documented its personal data deletion procedures. Please note: Since Danish law does not provide for administrative fines as in the GDPR (unless it is an uncomplicated case and the accused person consented), fines will be imposed by courts. Update: On February 12, 2021 the Aarhus District Court decided to impose a fine against IDdesign in the amount of EUR 13,450. With regard to the calculation of the fine, the court disagreed with the proposed amount of the fine. It concluded that the amount should be calculated on the basis of the company's own turnover and not that of the entire group. In addition, the court considered that the mitigating circumstances under Art. 83 (2) GDPR should be taken into account when calculating the fine, such as that the company had not previously breached the GDPR and that the breach concerned only general personal data. In addition, no data subject suffered damages as a result of the breach. Finally, the court considered that the negligent nature of the breach should be taken into account. | link | 02.10.2024 10:23 | 13,450 | 1 | link |
23 | ETid-23 | 2019-01-21 | FRANCE | French Data Protection Authority (CNIL) | 50,000,000 | Google LLC | Media, Telecoms and Broadcasting | Art. 13 GDPR, Art. 14 GDPR, Art. 6 GDPR, Art. 5 GDPR | Insufficient legal basis for data processing | The fine was imposed on the basis of complaints from the Austrian organisation 'None Of Your Business' and the French NGO 'La Quadrature du Net'. The complaints were filed on 25th and 28th of May 2018 - immediately after the GDPR became applicable. The complaints concerned the creation of a Google account during the configuration of a mobile phone using the Android operating system. The CNIL imposed a fine of 50 million euros for lack of transparency (Art. 5 GDPR), insufficient information (Art. 13 / 14 GDPR) and lack of legal basis (Art. 6 GDPR). The consents obtained were not 'specific' and not 'unambiguous' (Art. 4 nr. 11 GDPR). | link | 02.10.2024 10:23 | 50,000,000 | 1 | link |
24 | ETid-24 | 2019-05-28 | FRANCE | French Data Protection Authority (CNIL) | 400,000 | SERGIC (Real Estate) | Real Estate | Art. 5 (1) e) GDPR | Insufficient technical and organisational measures to ensure information security | The CNIL based the penalty on two grounds: Lack of basic security measures and excessive data storage. As to the first, sensitive user documents uploaded by rental candidates (including ID cards, health cards, tax notices, certificates issued by the family allowance fund, divorce judgments, account statements) were accessible online without any authentication procedure in place. Although the vulnerability was known to the company since March 2018, it was not finally resolved until September 2018. In addition, the company stored the documentation provided by candidates for longer than necessary. The CNIL took into account i.a. the seriousness of the breach (lack of due care in addressing vulnerability and the fact that the documents revealed very intimate aspects of users' lives), the size of the company and its financial standing. | link | 02.10.2024 10:23 | 400,000 | 1 | link |
25 | ETid-25 | 2018-11-21 | GERMANY | Data Protection Authority of Baden-Wuerttemberg | 20,000 | Knuddels.de | Media, Telecoms and Broadcasting | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | After a hacker attack in July, personal data of approx. 330.000 users, including passwords and email addresses, had been revealed. | link | 02.10.2024 10:23 | 20,000 | 1 | link |