In 2018, GDPR enforcement actions began trickling out from various EU data protection agencies. We want to give people a way to know who was fined, when, and why. This list focuses on major fines of at least €100,000.
Did we miss one? Let us know.
Major GDPR fine count:
- 2020: 19
- 2019: 30
- 2018: 1
- Total: 50
Major GDPR fine total in Euros (approximate due to currency conversion):
- 2020: € 135,253,736
- 2019: € 235,915,407
- 2018: € 400,000
- Total: € 371,569,143
2020 Major GDPR Fines
UPDATED: As a result of an attack on British Airways’ website, about 500,000 customer records were extracted by a malicious third party. The UK’s data protection agency claims BA’s website was compromised due to poor cyber security arrangements. (The ICO proposed a fine of €204,600,000 / £183,000,000 in July 2019, but a much lower amount was finalized in October 2020. Annual and all-time totals above have been adjusted accordingly.)
The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) imposed a fine of €35,258,707.95 on a German subsidiary of Swedish fashion retailer H&M Hennes & Mauritz AB. HmbBfDI learned that since 2014 the company had been collecting details about employee absences for vacation and illness, recording those details, and discussing them among managers in regard to the employees’ situations at the company. The discovery was made possible because the data was briefly accessible company-wide in 2019. HmbBfDI ruled that “the combination of research into private life and the ongoing recording of what activity they were engaged in led to a particularly intensive interference with the rights of those affected.” The company cooperated with HmbBfDI, apologized to employees, and offered to compensate affected employees.
The CNIL (French Data Protection Authority) set a fine of €250,000 on SPARTOO. The online retailer violated multiple articles of the GDPR, including a) the principle of data minimization (by recording the full calls of customer service reps, and by collecting too much information in multiple redundant formats); b) the obligation to limit data retention (by keeping call recordings permanently, retaining prospect data for 5 years instead of 2, and retaining pseudo-anonymized and non-anonymized email addresses and passwords beyond 5 years); c) the obligation to inform individuals (by saying that ‘consent’ was the reason for data collection, when in fact contracts and business interests were other [unstated] reasons, and by not telling employees about what information they were collecting and why); d) the obligation to secure data (by not requiring strong passwords, and by keeping unencrypted scans of bank cards).
The Danish Data Protection Authority fined Arp-Hansen Hotel Group DKK 1,100,000 (approximately €147,675) because Arp-Hansen stored the personal data of over 500,000 persons when, according to the GDPR, those data profiles should have been deleted. No data breach was known to have occurred, but the simple fact that the company had retained the data resulted in the DPA recommending a substantial fine.
The Belgian Data Protection Authority imposed a fine of €600,000 on Google because Google did not comply with the right to be forgotten – Google rejected a request from a Belgian citizen to have outdated and negative listings removed from the search results. Google argued that the data controller was Google LLC in the US, not Google Belgium, and therefore the complaint targeted the wrong entity and should be dismissed. The DPA ruled that the two entities act as one, and that the complaint was therefore valid.
The Italian Garante (Data Protection Authority) levied a fine of €800,000 on mobile telecoms provider Iliad for improperly recording payment information and processing personal data when activating SIM cards, as well as violating requirements for properly storing, processing, and using personal data, including telephone telematic data. An interesting aspect of the faults found in SIM activation was that Iliad used cameras that could capture images of people passing by, not just images of the person doing the transaction.
A fine of over €16.7 million was imposed on Wind Tre, another mobile telecoms operator, by the Italian Garante (Data Protection Authority). Violations included using personal data without the consent of the data subject, and creating confusing and onerous interfaces for users to give consent – including having many email addresses, some of which did not exist, and some of which may have been provided only to certain data subjects. Wind also used aggressive direct marketing techniques that violated the GDPR, and in fact was the subject of hundreds of complaints about this. Further, Wind Tre did not have proper contracts with partners, and did not do sufficient due diligence on those partners. (See the Merlini entry below for a notable example.) The DPA stated that at least some of Wind Tre’s violations were not just accidental, but the result of willful misconduct.
The Italian DPA fined Merlini €200,000. As a subcontractor to Wind Tre, Merlini operated a call center that recruited new customers for Wind Tre. Merlini was found to lack sufficient basis for processing personal data, and to lack sufficient contractual arrangements with Wind Tre.
The Dutch Data Protection Authority (DPA) imposed a fine of €830,000 on the Dutch Credit Registration Bureau (BKR) for making it overly difficult and expensive for data subjects (i.e., people) to gain access to and have their information deleted. The BKR had required a written request, accompanied by a copy of the person’s passport, allowable only once per year, and even then, the response time would be “within 28 days.” Quicker response times required a paid subscription. The DPA ruled these restrictions unreasonable.
The Italian Garante (Data Protection Authority) fined a bank €600,000 for several violations that occurred before the GDPR came into force. The violations affected over 700,000 customers between April 2016 and July 2017. The bank reported the violation to the Authority in July 2017. Employees of a commercial partner of the bank were able to access personal and sensitive information about the bank’s customers. This information included personal and contact data, profession, level of study, identification details of an identification document and information relating to employer, salary, loan amount, payment status, “approximation of the customer’s credit rating,” and IBAN code. That is a lot of sensitive information!
Interestingly, the Garante explained the rationale for the amount of the fine as follows: “In determining the amount of the amount in €600,000, the Authority took into account several elements, including the fact that the violations were committed against a significant number of people and that the bank — which did not suffer previous sanctioning measures by the Guarantor — following the data breach, adopted various measures and initiatives aimed at strengthening the security of its IT systems.”
A €1,240,000 fine was imposed on health insurance organization AOK Baden-Württemberg by the Data Protection Authority (DPA) of Baden-Württemberg. The DPA determined that AOK had sent marketing messages to 500 persons without consent, and that AOK had taken insufficient measures to protect personal data.
The Hungarian NAIH (Data Protection Authority) fined an unnamed company 100,000,000 Hungarian Forint for failing to apply adequate security measures to protect user data. A hacker discovered the vulnerability and reported it to the controller, but the controller did not act. Databases containing personal data could be reached through the homepage, and the controller failed to encrypt the database. Further, a database created for correcting failures was not deleted after the task was completed.
The Finnish Office of the Data Protection Ombudsman’s sanctions board fined the national postal service for disclosing personal information to organizations that used the personal information to send direct marketing and advertising materials, and for not notifying individuals that their data might be used in such a way. Over 161,000 people were affected in 2019 alone.
The Dutch Data Protection Authority fined an unnamed company for unlawfully using fingerprint scans of its employees for its attendance and timekeeping records. The DPA stated that “A fingerprint cannot be replaced, unlike a password. If something goes wrong, the impact can be huge and have a lifelong negative effect on the person concerned.”
The Personal Data Protection Authority of Croatia fined an unnamed bank for failing to provide access to the personal information of approximately 2,500 individuals who had requested visibility into their data at the bank.
The Data Protection Authority of Sweden fined Google for failing to remove the personal information of various individuals who had requested exclusion from Google search results.
The Dutch Data Protection Authority fined the tennis association for selling the personal data of more than 350,000 association members to sponsors. These sponsors then contacted some of the members by mail and telephone for marketing purposes. The Authority rejected the tennis association’s argument that it had a legitimate business interest in selling the information.
The Spanish Data Protection Agency imposed a fine on Vodafone España because the telephone operator was unable to prove that it had received consent from an individual to process that individual’s personal data, and was unable to prove that the individual had ordered service from the company. Further, the company disclosed the personal data to several credit agencies.
The Italian Data Protection Authority (Garante) fined TIM, a telephone network operator, for a variety of unlawful actions associated with marketing and advertising campaigns affecting several million people. These included making unsolicited promotional calls, enrolling people in prize competitions without their consent, and ignoring do-not-call exclusion requests, in one case even after 155 calls had been made to a single individual. TIM lacked the policies, systems, and management needed to properly conduct these operations.
2019 Major GDPR Fines
The Hellenic Data Protection Authority imposed a fine because this company did not inform data subjects that their data would be processed and stored on company servers, failed to impose technical measures to secure the processing of this data, and failed to separate the software from the data, possibly allowing companies outside the Aegean Marine Petroleum Group to access these servers and the personal data on those servers.
The Information Commissioner fined this pharmacy operator €320,000 for failing to ensure information security – specifically, storing approximately 500,000 documents containing personal data including medical information in unsealed containers placed behind a building, resulting in water damage to the documents.
The Italian Data Protection Authority (Garante) imposed two fines totaling €11.5 million on Eni Gas and Luce. The €8.5 million fine was imposed because the company unlawfully processed personal data during an advertising campaign and had poor controls over and protections of personal data. The €3 million fine was imposed because the company activated unsolicited contracts, some of which may have included forged signatures.
Personal information was available to anyone who provided the name and date of birth of a customer. The fine would have been much higher, but the company cooperated closely with regulators to quickly address the issue.
An unnamed hospital sent invoices to the wrong patients, exposing personal information of other patients.
A 2016 data breach concerning 57 million Uber users, of which 174,000 were Dutch citizens, was not reported within 72 hours.
Call center operators entered data into a CRM system. Some of those operators were located outside the EU, so there was unlawful data storage in countries that did not provide an adequate level of protection of personal data. Some of the data related to the health status of the people contacted, and some of it contained offensive language. Further, the data subjects were not informed of the recording of the calls, or of any other processing of their personal data.
Dutch employee insurance service provider UWV did not apply multi-factor authentication when granting access to the online employer portal, so security was deemed insufficient.
Unlawful storage of personal information in an archive system that did not have an option to delete old data. The system contained sensitive information about former and current tenants.
The Austrian Post sold detailed personal profiles of approximately 3 million Austrians to various companies and political parties.
Bank employees sent personal information, without requesting permission from the affected individuals, to Vreau Credit (which was also fined €20,000), and did not evaluate the risks of taking these actions.
Did not delete personal information, and continued telemarketing after being notified by consumers to stop.
2.2 million people’s personal information was accessed because it was poorly protected.
The company did not delete information of dormant customers, and continued sending unsolicited advertising emails.
Records of 6 million people were accessed in a security breach.
Tens of thousands of bank customer records were stolen because of poor system design and process execution.
PWC required its employees to sign a blanket consent for PWC to process their data. The regulator determined that there was an imbalance of power in the company-employee relationship, and that the consent was therefore not binding. Further, the regulator determined that the company gave the false impression that it was processing the data legally.
Exposed personal information through poor security. This was discovered by a customer, who found that personal data of other customers, including their driver’s licenses, registration cards and bank identification records, could be seen by simply changing the numbers at the end of the URL.
After acquiring its competitor Starwood, Marriott discovered Starwood’s central reservation database had been hacked. This included 5 million unencrypted passwords and 8 million credit card records. The hack was ongoing from 2014 to 2018. The breach impacted 30 million EU residents.
UPDATED IN OCTOBER 2020: As a result of an attack on British Airways’ website, about 500,000 customer records were extracted by a malicious third party. The UK’s data protection agency claims BA’s website was compromised due to poor cyber security arrangements. This would represent the largest GDPR fine to date.
Revealed personal information such as the national identification number and the postal address of the payment issuers to the payment recipients. 337,042 individuals were affected between February and December 2018.
A Dutch hospital was fined over lax controls over logging and access to patient records. In one instance, 197 employees accessed one Dutch celebrity’s medical records.
The soccer league was accused of listening for piracy through its smartphone application. La Liga turned on user microphones in order to listen for sounds of the soccer game and matched them to any pirated stream using geolocation. La Liga used the information to sue 600 bars for pirating soccer games.
Did not delete personal information of 385,500 dormant customers.
The real estate company’s website easily allowed access to other individuals’ information by changing the URL, making ID cards, tax notices, and other important documents available. The lack of user authentication resulted in the fine.
The personal data of 35,000 student accounts was stolen even after warnings were issued to the organization.
Exposed 63,000 students’ information in a mobile app that was not designed or tested to secure personal information.
This data processor was fined because it scraped the internet for public contacts, amassing data on 6 million people. It did not inform these people that their data would be processed, and the company conducted commercial outreach to over 90,000 people, 12,000 of whom objected to the unauthorized use of their data.
As a result of a random audit, this taxi operator was found to have over 9 million personal records the company had stored unnecessarily. The fine came as a result of a failure to delete this unused contact information.
Google was fined by France’s data regulator, which cited a lack of transparency and consent in advertising personalization, including a pre-checked option to personalize ads.
2018 Major GDPR Fines
Staff at the hospital used bogus accounts to access patient records.
October 2018 (updated May 2020)
We include this small fine, since it was the first. A local business had a CCTV camera capturing too much public space.
However, in May 2020 the company succeeded in appealing the decision, and the Austrian Federal Administrative Court annulled the administrative penalty imposed by the Austrian Data Protection Authority due to procedural irregularities.