GDPR fines and penalties
Newsfeed: GDPR Complaints, Cautions, fines, and penalties.
The various European Supervisory Authorities are increasingly active, with more and more enforcement actions every week.
--------------------------------------------------------------------------------
04/06/2020
Finnish DPA imposes administrative fine for several deficiencies in the personal data processing
Country: Finland
Company: Taksi Helsinki
Industry: Taxi Operator
The Office of the Data Protection Ombudsman’s sanctions board imposed an administrative fine of EUR 72,000 on Taksi Helsinki. The company had not assessed the risks and effects of personal data processing before adopting a camera surveillance system that records audio and video in its taxis. Deficiencies were also noted in the information provided to customers and the documentation of personal data processing.
Read more here: https://edpb.europa.eu/news/national-news/2020/finnish-dpa-imposes-administrative-fine-several-deficiencies-personal-data_en
--------------------------------------------------------------------------------
18/05/2020
Tusla becomes the first organization fined for GDPR rule breach
Country: Ireland
Company: Tusla
Industry: Child Protection
The child and family agency, Tusla, has become the first organization in the State fined for a breach of the General Data Protection Regulation (GDPR). The agency was fined €75,000 arising out of an investigation into three cases where information about children was wrongly disclosed to unauthorized parties.
Read more here: https://www.irishtimes.com/news/crime-and-law/tusla-becomes-first-organisation-fined-for-gdpr-rule-breach-1.4255692
-------------------------------------------------------------------------------
04/05/2020
Biometric time and attendance systems restricted by European data protection rules, Dutch authority issues fine
Country: Netherlands
The Dutch Data Protection Authority, meanwhile, has levied a €725,000 (roughly US$791,000) fine against a company for scanning its employees’ biometrics with a fingerprint time and attendance system. The Autoriteit Persoonsgegevens ruled that the company did not establish the exceptional grounds for the system’s implementation which would have provided a legal basis for its use.
-------------------------------------------------------------------------------
12/03/2020
Sweden fines Google $8 million for right-to-be-forgotten violations and demands it keep websites in the dark
Country: Sweden
Company: Google
Industry: Search
Sweden’s Data Protection Authority (DPA) has slapped Google with a 75 million kronor ($8 million) fine for “failure to comply” with Europe’s General Data Protection Regulation (GDPR) after the internet giant reportedly failed to adequately remove search result links under right-to-be-forgotten requests. In a notable twist, the DPA also demanded that Google refrain from informing website operators their URLs will be de-indexed.
Read more here: https://venturebeat.com/2020/03/11/sweden-fines-google-8-million-for-right-to-be-forgotten-violations-and-demands-it-keep-websites-in-the-dark/
--------------------------------------------------------------------------------
03/03/2020
Tennis Association fined EUR 525K for selling data to sponsors without consent of data subjects
Country: Netherlands
Industry: Sports
Company: The Royal Dutch Lawn Tennis Association
In the view of the DPA, the sale of personal data without the consent (freely given and at any time revocable; Art. 6(1)(a) GDPR) of the data subject concerned is generally prohibited. The controller argued that it had a legitimate interest (Art. 6(1)(f) GDPR) in selling the data.
Read more here: https://www.linkedin.com/pulse/nl-tennis-association-fined-eur-525k-selling-data-thomas-schweiger/
-------------------------------------------------------------------------------
21/01/2020
EUR 1.500,-- GDPR-fine for CCTV at a takeaway that covered the street and a nearby gas station without privacy notice
Country: Austria
Privacy Regulator: Datenschutzbehörde
Industry: CCTV
In the explanatory memorandum, the Court explicitly refers to Art. 13 GDPR and the possibility to use a “layered privacy notice” to provide information, as well as a combination of means for information, and also refers to the European Data Protection Board, Guidelines 3/2019 on the processing of personal data through video devices, 10.07.2019, p. 21ff: “As part of video surveillance, the most important information should be displayed in a warning, while the necessary additional information can be made available by other means (as a second layer).”
Read more here: https://www.linkedin.com/pulse/austria-eur-1500-gdpr-fine-cctv-takeway-covered-street-schweiger/
--------------------------------------------------------------------------------
21/01/2020
It is not fine not to appoint a DPO if you are obliged to - a German DPA fined an SME with EUR 10.000
Country: Germany
Privacy Regulator: Lübeck DPA
The Federal Commissioner for Data Protection in Germany informed the general public that a GDPR-fine of EUR 10,000 was imposed on Rapidata GmbH because the company had not appointed a data protection officer (DPO) - despite an obligation and request to do so.
Read more here: https://www.linkedin.com/pulse/fine-appoint-dpo-you-obliged-german-dpa-fined-sme-eur-schweiger/
-------------------------------------------------------------------------------
15/01/2020
Swedish DPA issues fine on organization entrusted with publishing certificate
Country: Sweden
Company: Mrkoll.se
Industry: Credit Rating
The Swedish DPA has issued an administrative fine of 35 000 EUR against Mrkoll.se – a site that publishes personal data of all Swedes above the age of 16 – for infringement of the Credit Information Act and the GDPR. The site has carried out credit information activity in a way that isn’t in compliance with the regulation.
Read more here: https://gdprcommunity.com/swedish-dpa-issues-fine-on-organisation-entrusted-with-publishing-certificate/
--------------------------------------------------------------------------------
14/01/2020
Lübeck Labour Court estimates a fine of €1,000 for the illegal use of an employee photo on Facebook
Country: Germany
Privacy Regulator: Lübeck DPA
In the opinion of the court, this data processing is also unlawful, since there is no consent of the employee (Art. 6 (1) lit. a) GDPR / § 26 (2) Federal Data Protection Act - BDSG). In the opinion of the court, other forms of permission are also out of the question. In particular, the court sees no legitimate interest of the employer under Art. 6 (1) lit. f) GDPR.
Read more here: https://www.linkedin.com/pulse/data-protection-l%25C3%25BCbeck-labour-court-estimates-fine-1000-stefan-hessel/?trackingId=vALvgMptCu0vMFkahe6%2B8g%3D%3D
-------------------------------------------------------------------------------
09/01/2020
Nationwide retailer fined half a million pounds for failing to secure information of at least 14 million people
Country: UK
Company: DSG
Industry: Retail
“Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen. “The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”
Read more here: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/01/nationwide-retailer-fined-half-a-million-pounds-for-failing-to-secure-information/?
-------------------------------------------------------------------------------
06/11/2019
Polish DPA: Withdrawal of consent shall not be impeded
Country: Poland
Industry: Online Marketing
Company: ClickQuickNow
Non-compliance: Right to withdraw consent
The company, ClickQuickNow Sp. z o.o., did not implement appropriate technical and organizational measures that would enable easy and effective withdrawal of consent to the processing of personal data and the exercise of the right to obtain the erasure of personal data (the "right to be forgotten"). Thus, it violated the principles of lawfulness, fairness and transparency of the processing of personal data, specified in the GDPR.
Read more here: https://edpb.europa.eu/news/national-news/2019/polish-dpa-withdrawal-consent-shall-not-be-impeded_en
-------------------------------------------------------------------------------
31/10/2019
Facebook agrees to pay a fine over the Cambridge Analytica scandal. Company withdraws appeal against £500,000 penalty imposed by UK data watchdog
Country: UK
Company: Facebook
Industry: Social Media
Since Cambridge Analytica’s data protection violations occurred in 2015, before the implementation of the EU’s general data protection regulation in 2018, the maximum possible fine the ICO could levy was £500,000. If the offences had occurred after May 2018, the potential fine could have been much higher – up to 4% of Facebook’s annual turnover.
Read more here: https://www.theguardian.com/technology/2019/oct/30/facebook-agrees-to-pay-fine-over-cambridge-analytica-scandal
-------------------------------------------------------------------------------
14/10/2019
EUR 800,-- in non-material damages under Art 82 GDPR awarded by Austrian Court for the processing of party preferences without legal basis
Country: Austria
Privacy Regulator: Datenschutzbehörde
Company: Austria Post
The Court of Feldkirch (Austria) awards EUR 800,-- in non-material damages according to Art 82 GDPR to a natural person whose personal data (“party preference”) has been processed by the Austrian Postal Corp. without legal basis.
Read more here: https://www.linkedin.com/pulse/eur-800-non-material-damages-under-art-82-gdpr-court-schweiger/?trackingId=QXdnQUIokNmEYWiFywz0Tw%3D%3D
--------------------------------------------------------------------------------
05/11/2019
Deutsche Wohnen has to pay a 14.5 million euros penalty
Country: Germany
Privacy Regulator: Berlin DPA
Company: Deutsche Wohnen
Deutsche Wohnen must pay a 14.5 million euros penalty. The system saved data from applicants - and cannot delete them. Among other things, Deutsche Wohnen has sensitive information on the financial circumstances, salary certificates, and insurance data of the applicants. The fine is the second-highest fine ever imposed in Europe for data breaches - and the highest in Germany.
--------------------------------------------------------------------------------
30/08/2019
Polish retailer gets €645,000 fine under GDPR for “insufficient organizational and technical safeguards”
Country: Poland
Industry: Retail
Company: Morele.net
Non-compliance: Data Breach
An online retailer in Poland has received a hefty fine under the General Data Protection Regulation (GDPR) after failing to protect the data collected from 2.2 million customers through the company’s nine websites.
Read more here: https://securityboulevard.com/2019/09/polish-retailer-gets-e645000-fine-under-gdpr-for-insufficient-organizational-and-technical-safeguards/
-------------------------------------------------------------------------------
21/08/2019
Swedish school board fined for using facial recognition to take the class register
Country: Sweden
Company: School
Industry: Facial Recognition
The Swedish Data Inspection Authority said it has imposed its first penalty for breach of GDPR, on a school in Skellefteå that had been trialling facial recognition to register pupil attendance. The authority scrutinized the three-week pilot with 22 pupils and found that the school board's handling of personal information did not comply with GDPR. The fine amounts to SEK 200,000.
--------------------------------------------------------------------------------
17/08/2019
The state could face a massive Public Services Card bill
Country: Ireland
After a 20-month investigation, the Data Protection Commissioner (DPC), Helen Dixon, found that the expansion of the card’s remit to other State services from its social welfare origins is illegal under data protection legislation.
Read more here: https://www.irishexaminer.com/breakingnews/ireland/state-could-face-massive-public-services-card-bill-944497.html
--------------------------------------------------------------------------------
15/08/2019
Irish data protection commissioner opens investigation into Verizon Media
Country: Ireland
Company: Verizon
Industry: Online Media
The investigation comes on foot of complaints across the EU related to the company’s use of online cookies.
-------------------------------------------------------------------------------
30/07/2019
CNIL publishes revised guidelines on cookies and other tracking technology
Country: France
Industry: Cookies
On the one hand, scrolling down or swiping through a website or application can no longer be viewed as a valid expression of consent to the implementation of cookies. On the other hand, stakeholders who operate tracking devices must be able to prove that they have obtained the consent.
Read more here: https://www.cnil.fr/en/cookies-and-other-tracking-devices-cnil-publishes-new-guidelines
-------------------------------------------------------------------------------
25/07/2019
ACTIVE INSURANCE: € 180,000 sanction for breach of customer data security
Country: France
Industry: Insurance
Company: ACTIVE INSURANCE
An online check revealed that the accounts of the company's customers were accessible via hypertext links referenced on a search engine.
Read more here: https://www.cnil.fr/fr/active-assurances-sanction-de-180-000-euros-pour-atteinte-la-securite-des-donnees-des-clients
-------------------------------------------------------------------------------
16/07/2019
Haga fined for the insufficient internal security of patient records
Country: Netherlands
Industry: Hospital
Company: Haga Hospital
The Haga Hospital does not have the internal security of patient records in order. This is the conclusion of a study by the Dutch Data Protection Authority (AP).
Read more here: https://www.autoriteitpersoonsgegevens.nl/nl/nieuws/haga-beboet-voor-onvoldoende-interne-beveiliging-pati%C3%ABntendossiers
-------------------------------------------------------------------------------
16/07/2019
Estate agency fined £80,000 for failing to keep tenants’ data safe
Country: Estate Agency
Company: Life at Parliament View
Industry: Hotels
The security breach happened when Life at Parliament View Ltd (LPVL) transferred personal data from its server to a partner organization and failed to switch off an ‘Anonymous Authentication’ function. This failure meant access restrictions were not implemented and allowed anyone going online to have full access to all the data stored between March 2015 and February 2017.
Read more here: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/estate-agency-fined-80-000-for-failing-to-keep-tenants-data-safe/
-------------------------------------------------------------------------------
09/07/2019
Information Commissioner's Office (ICO) intends to fine Marriott International, Inc more than £99 million under GDPR for the data breach.
Country: UK
Company: Marriott International
Industry: Hotels
The data breach involved the personal data of approx. 339 million guests. Of the 339 million data subjects, approx. 30 million related to residents of 31 countries within the EEA. Marriott had notified the ICO about the breach in November 2018.
Read more here: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/statement-intention-to-fine-marriott-international-inc-more-than-99-million-under-gdpr-for-data-breach/
--------------------------------------------------------------------------------
08/07/2019
ICO intends to fine British Airways £183.39m under GDPR for data breach
Country: UK
Company: British Airways
Industry: Airline
The ICO has made a statement indicating its intention to fine British Airways £183.39 million for GDPR infringements from September 2018. The personal data of approx. 500,000 customers was diverted to a fraudulent site where it was harvested by the attackers. It is alleged that poor security arrangements on the British Airways website resulted in the breach.
Read more here: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/ico-announces-intention-to-fine-british-airways/
--------------------------------------------------------------------------------
04/07/2019
Unicredit Bank gets first GDPR-related fine issued in Romania
Country: Romania
Company: Unicredit Bank
Industry: Banking
The sanction was applied to Unicredit Bank S.A. as a result of the failure to apply appropriate technical and organizational measures, both in the determination of the processing means and the processing operations themselves, to effectively implement data protection principles, such as minimizing data to a minimum and integrating the necessary safeguards in the processing,
Read more here: http://business-review.eu/business/legal/first-fine-on-gdpr-202887
-------------------------------------------------------------------------------
24/06/2019
ICO fines telecoms company EE Limited for sending unlawful text messages.
Country: UK
Company: EE
Industry: Telco
The messages, sent in early 2018, encouraged customers to access and use the ‘My EE’ app to manage their account and also to upgrade their phone; the second batch of messages was sent to customers who had not engaged with the first.
Read more here: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/06/ico-fines-telecoms-company-ee-limited-for-sending-unlawful-text-messages/
--------------------------------------------------------------------------------
14/06/2019
Facebook’s EU regulator says it ‘remains to be seen’ if Mark Zuckerberg is serious about privacy
Country: Ireland
Company: Facebook
Industry: Social Media
The Irish regulator conducting nearly one dozen investigations into Facebook isn’t convinced by Mark Zuckerberg’s privacy push.
Read more here: https://www.cnbc.com/2019/06/13/facebook-investigations-by-eu-ireland-regulator-nearing-conclusions.html
--------------------------------------------------------------------------------
12/06/2019
LaLiga fined €250k for soccer app’s privacy-violating spy mode
Country: Spain
Privacy Regulator: AEPD
Company: La Liga
Industry: Pro Soccer
Users of the LaLiga app were outraged to discover that the smartphone software does rather more than show minute-by-minute commentary of football matches; it can also use the microphone and GPS of fans’ phones to record their surroundings in a bid to identify bars that are unofficially streaming games instead of coughing up for broadcasting rights.
Read more here: https://techcrunch.com/2019/06/12/laliga-fined-280k-for-soccer-apps-privacy-violating-spy-mode/
--------------------------------------------------------------------------------
12/06/2019
Austrian Supreme Court green-lights GDPR case against Facebook
Country: Austria
Privacy Regulator: Datenschutzbehörde
Company: Facebook
Industry: Social Media
A potential landmark case against Facebook for violating General Data Protection Regulation rights has been given the go-ahead by the Austrian Supreme Court.
Read more here: https://www.computerweekly.com/news/252464942/Austrian-Supreme-Court-green-lights-GDPR-case-against-Facebook
--------------------------------------------------------------------------------
10/06/2019
DVLA sale of driver details to private parking firms looked at by authorities
Country: UK
Industry: Government Agency
Company: Driver and Vehicle Licensing Agency
Non-compliance: Data Breach
A spokesperson for the ICO told Auto Express: “We are aware of the issues around the sharing of registered keepers details between the DVLA and private parking companies, and we are currently considering if and how new data protection laws affect this data sharing.”
Read more here: https://www.autoexpress.co.uk/car-news/consumer-news/91275/dvla-sale-of-driver-details-to-private-parking-firms-looked-at-by
--------------------------------------------------------------------------------
06/06/2019
CNIL issues 400K euro fine for GDPR violations
Country: France
Industry: Real Estate
Company: Sergic
Non-compliance: Data Breach
France's data protection authority, the CNIL, has fined the real estate company Sergic 400,000 euros for violations of the EU General Data Protection Regulation.
Read more here: https://iapp.org/news/a/cnil-issues-400k-euro-fine-for-gdpr-violations/
--------------------------------------------------------------------------------
04/06/2019
Google faces privacy complaints in European countries
Country: 9 EU Countries
Industry: Adtech
Company: Google
Google’s privacy woes are set to increase after campaigners on Tuesday filed complaints to data protection regulators in France, Germany, and seven other EU countries over the way it deals with data in online advertising.
Read more here: https://www.reuters.com/article/us-eu-google-privacy/google-faces-privacy-complaints-in-france-germany-7-other-eu-countries-idUSKCN1T51G3
-------------------------------------------------------------------------------
01/06/2019
Austrian data protection authority on the (missing) responsibility of the representative according to the GDPR
Country: Austria
Privacy Regulator: Datenschutzbehörde
Industry: Article 27 Rep
In a decision of 7 March, 2019 (DSB-D130.033/0003-DSB/2019, German) the Austrian data protection authority (DPA) had to deal, among other things, with the question of whether the supervisory authority could also take action against the representative in the Union in the event of unlawful data processing by the data controller, established in the USA.
Read more here: https://www.linkedin.com/pulse/austrian-data-protection-authority-missing-according-gdpr-piltz/
--------------------------------------------------------------------------------
27/05/2019
How far does the GDPR’s right of access extend? Cologne Regional Court: The right under Art. 15 GDPR does not serve to simplify a person's accounting.
Country: Germany
Privacy Regulator: All
There is a comprehensive right of access to stored or processed personal data. This includes data such as name or date of birth as well as any features that could enable a person to be identified, e.g. health data, account number, etc.
Read more here: https://www.linkedin.com/pulse/how-far-does-gdprs-right-access-extend-cologne-regional-piltz/
--------------------------------------------------------------------------------
24/05/2019
Data Protection Commission reflects on the first year of the GDPR
Country: Ireland
Non-compliance: GDPR Compliance
The GDPR, which applied from 25 May 2018, has marked the start of a new era in data protection standards in the EU and significantly strengthens the rights of individuals as well as increases the obligations on organizations in terms of how they collect and use personal data.
Read more here: https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-reflects-first-year-gdpr
--------------------------------------------------------------------------------
22/05/2019
Data protection watchdog launches a statutory inquiry into Google's Ad Exchange
Country: Ireland
Industry: Adtech
Company: Google
Non-compliance: GDPR Compliance
The purpose of the inquiry is to establish whether processing of personal data carried out at each stage of an advertising transaction complies with the relevant provisions of the General Data Protection Regulation (GDPR), including the lawful basis for processing, the principles of transparency and data minimization, as well as Google's retention practices.
Read more here: https://www.rte.ie/news/business/2019/0522/1051099-data-protection-watchdog-to-probe-googles-ad-exchange/
--------------------------------------------------------------------------------
21/05/2019
Adtech Giant Quantcast Facing GDPR Investigation into Breach of Privacy
Country: Ireland
Industry: Adtech
Company: Quantcast
Non-compliance: Data Breach
The decision by the Irish DPC to investigate adtech giant Quantcast could mean that further breach of privacy investigations into this space could be forthcoming.
Read more here: https://www.cpomagazine.com/data-privacy/adtech-giant-quantcast-facing-gdpr-investigation-into-breach-of-privacy/
--------------------------------------------------------------------------------
15/05/2019
No More Games! The CNIL Publishes its 2018 and 2019 Activity Report
The CNIL blows the whistle for the end of the transition period. For the first time, the CNIL’s 2019 investigation program is not specific to an industry and potentially impacts controllers and processors throughout all sectors of business. Going forward, the CNIL will also be more thorough and less lenient.
Read more here: https://www.natlawreview.com/article/no-more-games-cnil-publishes-its-2018-and-2019-activity-report
--------------------------------------------------------------------------------
13/09/2019
ICO Calls Out HMRC for Illegal Biometric Data Collection
Country: UK
Privacy Regulator: ICO
Company: HMRC
Non-compliance: Consent/No DPIA
In the first case of its kind since the EU-wide legislation was introduced, the Information Commissioner’s Office (ICO) called out the government agency over its Voice ID authentication system.
Read more here: https://www.infosecurity-magazine.com/news/ico-hmrc-illegal-biometric-data-1/
-------------------------------------------------------------------------------
08/05/2019
ONE FILE IS IN THE WRONG PLACE. PRICE: €170 000
Country: Norway
Industry: Local Government
Company: Municipality of Bergen
Non-compliance: Data Breach
The breach came to the DPA's attention through a report by one of the students of the public school, administered by the Municipality of Bergen, who found a file with login credentials for 35,000 students and employees in a public storage area.
Read more here: https://aigine.se/en/one-file-in-the-wrong-place-price-170-000e/gdpr/
--------------------------------------------------------------------------------
03/05/2019
Large GDPR Fines Are Imminent, EU Privacy Regulators Say
Country: Ireland
Officials from Ireland and the U.K. said they are investigating major GDPR cases and plan to announce enforcement actions in the next few months, adding that the cases took time to build.
Read more here: https://www.wsj.com/articles/large-gdpr-fines-are-imminent-eu-privacy-regulators-say-11556829079
--------------------------------------------------------------------------------
02/05/2019
Post GDPR enforcement in Germany - a sneak peek
Country: Germany
Privacy Regulator: All
German Supervisory Authorities have issued 41 fines since the EU General Data Protection Regulation (‘GDPR’) became enforceable in May 2018.
-------------------------------------------------------------------------------
30/04/2019
The French Conseil d’Etat lowers the amount of a fine imposed by the French Data Protection Authority
Industry: Data Breach
Companies: Airbus
In a decision dated 17 April 2019, the Conseil d'Etat (the Supreme Administrative Court) confirmed a decision of sanction issued by the French Data Protection Authority (the CNIL) but reduced the amount of the sanction from €250,000 to €200,000.
--------------------------------------------------------------------------------
26/04/2019
Ireland’s data watchdog to investigate Facebook passwords leak
Country: Ireland
Industry: Social Media
Company: Facebook
Non-compliance: Data Breach/Passwords
Ireland’s Data Protection Commission (DPC) has launched a statutory investigation into the revelation that Facebook stored hundreds of millions of user passwords insecurely.
Read more here: https://www.siliconrepublic.com/enterprise/data-protection-commission-ireland-facebook-investigation
--------------------------------------------------------------------------------
24/04/2019
The Data Protection Ombudsman ordered Svea Ekonomi to correct its practices in the processing of personal data
Country: EU
Industry: AI
Company: Svea Ekonomi
The Data Protection Ombudsman also pointed out that the company's online credit decision service should be considered automatic decision-making of the kind referred to in Article 22 of the General Data Protection Regulation.
Read more here: https://edpb.europa.eu/news/national-news/2019/data-protection-ombudsman-ordered-svea-ekonomi-correct-its-practices_en
-------------------------------------------------------------------------------
09/04/2019
EU Launches GDPR Probe into Microsoft Contracts
Country: EU
Industry: Search/Location
Company: Google
The EU has launched an investigation into contracts Microsoft holds with its institutions to ensure data processing is conducted in compliance with the GDPR.
Read more here: https://www.infosecurity-magazine.com/news/eu-launches-gdpr-probe-into-1/
-------------------------------------------------------------------------------
30/03/2019
Poland's DPA issues its first GDPR fine
Country: Poland
Industry: Software
Company: Bisnode
Non-compliance: Consent
The Personal Data Protection Office fined digital marketing company Bisnode 220,000 euros for its failure to fulfil its data subject rights obligations under Article 14 of the GDPR. The DPA has given Bisnode three months to reach out to 6 million people to meet its Article 14 information notification requirements.
Read more here: https://techcrunch.com/2019/03/30/covert-data-scraping-on-watch-as-eu-dpa-lays-down-radical-gdpr-red-line/
-------------------------------------------------------------------------------
28/03/2019
Denmark DPA recommends GDPR fine for a taxi company
Country: Denmark
Industry: Taxi
Company: Taxa 4x35
Non-compliance: Data Minimisation
Denmark’s Data Protection Authority (DPA) has recommended fining a taxi company 1.2 million kroner ($180,000) for not deleting customers’ telephone numbers, the first Danish penalty imposed under Europe’s strict 2018 privacy rules.
Read more here: https://news.bloomberglaw.com/privacy-and-data-security/denmark-recommends-first-fine-under-new-eu-privacy-law
-------------------------------------------------------------------------------
08/03/2019
Is this the way the cookie wall crumbles? Dutch data watchdog says nee to take-it-or-leave-it consent
Country: Netherlands
Industry: Internet
Non-compliance: Consent
Take-it-or-leave-it cookie walls don't comply with the General Data Protection Regulation, the Dutch data protection authority has said.
Read more here: https://www.theregister.co.uk/2019/03/08/gdpr_forced_consent_tracker_walls_still_a_thing/
-------------------------------------------------------------------------------
31/01/2019
Rubrik Exposes Customer Data, May Face GDPR Fines
Country: Netherlands & Ireland
Industry: Software
Company: Rubrik
Non-compliance: Data Breach
Rubrik, an IT security and cloud data management company, has suffered a massive data leak. The company pulled the server offline on Tuesday (Jan. 29) after being alerted to the leak, which was discovered by security researcher Oliver Hough. The exposed server wasn’t protected with a password.
Read more here: https://www.pymnts.com/news/security-and-risk/2019/rubrik-exposes-customer-data-gdpr-fines/
--------------------------------------------------------------------------------
31/01/2019
Airbus Hit by Cyber Breach, Says Aircraft Production Unaffected
Industry: Data Breach
Companies: Airbus
Airbus SE said its jetliner business was hit by a data breach that gave intruders access to some employees’ personal information.
Read more here: https://www.bloomberg.com/news/articles/2019-01-30/airbus-hit-by-cyber-breach-says-aircraft-production-unaffected?srnd=premium-europe
--------------------------------------------------------------------------------
30/01/2019
DPC confirms it is investigating Facebook breach under GDPR
Country: Ireland
Privacy Regulator: DPC
Industry: Data Breach
Company: RTÉ
Non-compliance: Data Breach. A memo from the RTÉ newsroom that named an Irish sports star in connection with an alleged assault, and that was subsequently leaked on social media and messaging apps, has led RTÉ to notify the Data Protection Commission (DPC).
Read more here: https://www.joe.ie/news/rte-memo-leak-sports-star-656407
-------------------------------------------------------------------------------
28/01/2019
What You Need To Know About the GDPR Complaints Against Top Streaming Companies
Country: Austria
Privacy Regulator: Datenschutzbehörde
Industry: Right to access
Companies: YouTube, Netflix, Spotify, Apple and Amazon
Citing a potential violation of the 2018 European General Data Protection Regulation (GDPR), prominent Austrian privacy activist Max Schrems and his digital rights nonprofit organization noyb (“none of your business”) have filed GDPR complaints on behalf of ten European users against eight major streaming companies, including YouTube, Netflix, Spotify, Apple and Amazon.
Read more here: https://www.cpomagazine.com/data-protection/what-you-need-to-know-about-the-gdpr-complaints-against-top-streaming-companies/
--------------------------------------------------------------------------------
28/01/2019
French Regulatory Body Hits Hard In Its First GDPR Fine
Country: France
Privacy Regulator: CNIL
Industry: Consent
Companies: Google
France’s Commission Nationale de l’Informatique et des Libertés (CNIL) delivered some disheartening news recently when it levied against Google a sanction of $57 million to penalize it for allegedly not having conformed properly to the General Data Protection Regulation (GDPR).
Read more here: https://www.forbes.com/sites/daviddoty/2019/01/28/jaccuse-french-regulatory-body-hits-hard-in-its-first-gdpr-fine/#b516beb77136
-------------------------------------------------------------------------------
23/01/2019
Hessian DPA Fines Shipping Company For Missing Data Processing Agreement
Country: Germany
Privacy Regulator: Hessian DPA
Does your company have a processing agreement with each service provider that handles personal information for you as required by the EU General Data Protection Regulation (GDPR)?
Read more here: https://www.jdsupra.com/legalnews/hessian-dpa-fines-shipping-company-for-76851/
--------------------------------------------------------------------------------
18/12/2018
DPC confirms it is investigating Facebook breach under GDPR
Country: Ireland
Privacy Regulator: DPC
Industry: Social Media
Company: Facebook
Non-compliance: Data Breach. “The latest privacy breach at Facebook that affected nearly 7m users is being investigated by the Data Protection Commission (DPC) in Ireland under the General Data Protection Regulation (GDPR), a spokesperson confirmed”
Read more here: https://www.siliconrepublic.com/enterprise/facebook-breach-gdpr
-------------------------------------------------------------------------------
11/12/2018
Busy Year with Millions in ICO Fines Levied for Data Breaches
Country: UK
Privacy Regulator: ICO
Non-compliance: Data Breach. “The UK Data Protection Act 2018 (DPA) and the EU General Data Protection Regulation (GDPR) went into effect this year, and the first enforcement actions came sooner than many industry analysts expected.”
Read more here: https://www.cpomagazine.com/2018/12/11/busy-year-with-millions-in-ico-fines-levied-for-data-breaches/
-------------------------------------------------------------------------------
07/12/2018
Google Facing Complaints of GDPR Violations From Consumer Groups in 7 Countries
Country: EU
Industry: Search/Location
Company: Google
Non-compliance: A group of seven European Union member state countries – Czech Republic, Greece, Norway, the Netherlands, Poland, Slovenia, and Sweden – are now asking European privacy regulators to take action against Google for its “deceptive practices” related to location tracking.
Read more here: https://www.cpomagazine.com/2018/12/07/google-facing-complaints-of-gdpr-violations-from-consumer-groups-in-7-countries/
-------------------------------------------------------------------------------
05/12/2018
Marriott potentially exposed to first big GDPR fine after Starwood data breach
Country: EU
Industry: Hotels
Company: Marriott/Starwood
Non-compliance: The Starwood Hotels and Resorts data breach, in which 500 million hotel guests’ data was exposed, could lead brand owner Marriott to the world’s first significant fine under GDPR.
Read more here: https://www.campaignlive.co.uk/article/marriott-potentially-exposed-first-big-gdpr-fine-starwood-data-breach/1520070
-------------------------------------------------------------------------------
16/11/2018
Microsoft menaced with GDPR mega-fines in Europe for 'large scale and covert' gathering of people's info via Office
Country: Netherlands
Industry: Software
Company: Microsoft
Non-compliance: Consent. Microsoft broke Euro privacy rules by carrying out the "large scale and covert" gathering of private data through its Office apps.
Read more here: https://www.theregister.co.uk/2018/11/16/microsoft_gdpr/
-------------------------------------------------------------------------------
15/11/2018
As data hack details come to light, Cathay may face stiff EU fine
Country: EU & Global
Industry: Airline
Company: Cathay Pacific
Non-compliance: Data Breach. Cathay has faced increased scrutiny after the airline revealed in a written submission that the data breach had lasted longer than previously stated.
Read more here: https://www.legalbusinessonline.com/news/data-hack-details-come-light-cathay-may-face-stiff-eu-fine/76790
--------------------------------------------------------------------------------
09/11/2018
Mobile applications: formal notice for lack of consent to geolocation data processing for advertising targeting purposes
Country: France
Privacy Regulator: CNIL
Industry: Location Data
Companies: VECTAURY
The President of the CNIL urges the company VECTAURY to collect the consent of individuals to the processing of their geolocation data for targeting purposes via mobile applications.
Read more here: https://www.cnil.fr/fr/applications-mobiles-mise-en-demeure-absence-de-consentement-geolocalisation-ciblage-publicitaire-2