GDPR Enforcement Tracker

AUSTRIA | Austrian Data Protection Authority (dsb) | 2018-12-09 | 4,800 | Betting place | Art. 13 GDPR | Insufficient fulfilment of information obligations | Video surveillance was not sufficiently marked and a large part of the sidewalk of the facility was recorded. Surveillance of the public space in this way, i.e. on a large scale by private individuals, is not permitted.

AUSTRIA | Austrian Data Protection Authority (dsb) | 2018 | 1,800 | Kebab restaurant | Art. 5 GDPR, Art. 13 GDPR, Art. 14 GDPR | Insufficient legal basis for data processing | CCTV was unlawfully used. Sufficient information regarding the video surveillance was missing. In addition, the storage period of 14 days was too long and therefore against the principle of data minimization. Addendum: Fine has been reduced to EUR 1500 by court, see link

AUSTRIA | Austrian Data Protection Authority (dsb) | 2018-09-27 | 300 | Private car owner | Art. 5 (1) a) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A Dashcam was unlawfully used.

AUSTRIA | Austrian Data Protection Authority (dsb) | 2018-12-20 | 2,200 | Private person | Art. 5 (1) a) GDPR, Art. 5 (1) c) GDPR, Art. 6 (1) GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The fine was imposed against a private person who was using CCTV at his home. The video surveillance covered areas which are intended for the general use of the residents of the multi-party residential complex, namely: parking lots, sidewalks, courtyard, garden and access areas to the residential complex; in addition, the video surveillance covered garden areas of an adjacent property. The video surveillance subject of the proceedings is therefore not limited to areas which are under the exclusive power of control of the controller. Video surveillance is therefore not proportionate to the purpose and not limited to what is necessary. The video surveillance records the hallway of the house and films residents entering and leaving the surrounding apartments, thereby intervening in their highly personal areas of life without consent to record their image data. The video surveillance was not properly indicated.

BELGIUM | Belgian Data Protection Authority (APD) | 2019-05-28 | 2,000 | Mayor | Art. 5 (1) b) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The administrative fine was imposed for the misuse of personal data by a mayor for campaign purposes.

BULGARIA | Bulgarian Commission for Personal Data Protection (KZLD) | 2018-12-04 | 500 | Bank | Art. 5 (1) b) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A fine of 1000 BGN (or roughly 500 EUR) was imposed on a bank for calling a client about the unpaid bills of his neighbor. This prompted the client to invoke his right to be forgotten. After not receiving any reply from the bank he filed another request, on which the bank did take action within the statutory period. Nevertheless, the client filed a complaint with KZLD. The infringement for which the bank was fined was that the processing of the client's personal data was not related to his individual credit agreement. Because the purpose for which the data were processed was quite different from that communicated at the time of conclusion of the contract, the bank had, in the view of KZLD, to request additional consent from its client.

BULGARIA | Bulgarian Commission for Personal Data Protection (KZLD) | 2019-02-26 | 27,100 | Telecommunication service provider | Art. 6 GDPR, Art. 5 (1) a) GDPR | Insufficient legal basis for data processing | Repeated registration of prepaid services without the knowledge and consent of the data subject. Employees of the telecommunications provider used personal data and registered the complainant with the company's prepaid service. The data subject had not signed the application and had not consented to the processing of his personal data for the stated purpose. There was also no other legal basis applicable. The signature on the application and the complainant's own were not identical, and the person's personal identification number was indicated, but the identification card number was not the complainant's.

BULGARIA | Bulgarian Commission for Personal Data Protection (KZLD) | 2019-01-17 | 500 | Bank | Art. 6 GDPR, Art. 5 (1) a) GDPR | Insufficient legal basis for data processing | A bank obtained personal data concerning a student without a legal basis.

BULGARIA | Bulgarian Commission for Personal Data Protection (KZLD) | 2019-02-22 | 500 | Employer | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | An employee sent a request to his employer for access to personal data relating to him. The request was not answered in time and not in a complete manner.

CYPRUS | Cyprian Data Protection Commissioner | 2019 | 5,000 | State Hospital | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | A patient complained to the Commissioner that the request for access to her medical file was not satisfied by the hospital because the file could not be identified/located by the controller. After investigating the case, an administrative fine of €5,000 was imposed on the hospital.

CYPRUS | Cyprian Data Protection Commissioner | 2019 | 10,000 | Newspaper | Art. 6 GDPR | Insufficient legal basis for data processing | The publication of the newspaper, both in hard copy and in digital form, concerned the alleged mistreatment and unnecessary and unlawful detention of a citizen, and revealed the names and photos of the two police investigators involved, along with the name of a third police investigator. The Commissioner considered that the objective could be achieved by referring only to the initials of their names and/or their faces being blurred and/or publishing photographs taken from a far distance so that it was not possible to identify the persons, and these actions would not bring any change in the nature of the case.

CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 2019-01-10 | 388 | Employer | Art. 6 GDPR | Insufficient legal basis for data processing | A former employee of a company requested the deletion of information relating to him/her which was published on the Facebook page of the employer and which was still available long after the termination of the employment relationship. The fine was imposed because the employer did not delete the information relating to the former employee.

CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 2019-02-04 | 1,165 | Car renting company | Art. 5 (1) a) GDPR | Insufficient fulfilment of information obligations | A person who rented a car found out that the car was tracked by means of GPS by the renting company even though no information was provided on the fact that the car is being tracked. The Czech Data Protection Authority found that there was no information provided pursuant to Art. 13 GDPR and that Art. 6 (1) f) GDPR could not be the legal basis under the concrete circumstances. Because of that the UOOU found that there was a violation of Art. 5 (1) a) GDPR, for which it imposed the fine.

CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 2019-02-28 | 582 | Unknown | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Data was not processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ("integrity and confidentiality").

CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 2019-02-04 | 1,165 | Credit brokerage | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Data was not processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ("integrity and confidentiality").

CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 2018-10-25 | 388 | Unknown | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | Information was not provided.

CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 2019-02-26 | 776 | Unknown | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | Information was not provided.

CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 2019-03-21 | 10,000 | Unknown | Art. 5 (1) GDPR | Non-compliance with general data processing principles | Data was not only processed if adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (« data minimisation ») and not only kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (« storage limitation »).

CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | Unknown | 3,140 | UniCredit Bank Czech Republic and Slovakia, a.s. | Art. 6 GDPR | Insufficient legal basis for data processing | The bank established a personal bank account for a data subject without his consent or knowledge. The bank supposedly had his personal data available because the subject had disposed of his employer's company account. The bank was not able to provide The Office for Personal Data Protection with the necessary documentation to prove entering into contract with the data subject.

CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 2019-05-06 | 194 | Unknown | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | Information was not provided.

DENMARK | Danish Data Protection Authority (Datatilsynet) | 2019 | 160,000 | Taxa 4×35 | Art. 5(1) e) GDPR | Non-compliance with general data processing principles | The Danish DPA reported the taxi company to the police and recommended a fine (of 1.2M DKK) for non-adherence to the data minimization principle. While the company deleted the names of its passengers from all its records after two years, the deletion did not include the rest of the ride records (about 8,873,333 taxi trips). Therefore, the company continued to hold onto individuals' phone numbers. Please note: Since Danish law does not provide for administrative fines as in the GDPR (unless it is an uncomplicated case and the accused person consented), fines will be imposed by courts.

DENMARK | Danish Data Protection Authority (Datatilsynet) | 2019-06-03 | 200,850 | IDdesign A/S | Art. 5 (1) e) GDPR, Art. 5 (2) GDPR | Non-compliance with general data processing principles | The fine was imposed as a result of an inspection carried out in autumn of 2018. IDdesign had processed personal data of approximately 385,000 customers for a longer period than necessary for the purposes for which they were processed. Additionally, the company had not established and documented deadlines for deletion of personal data in their new CRM system. The deadlines set for the old system were not deleted after the deadline for the information had been reached. Also, the controller had not adequately documented its personal data deletion procedures. Please note: Since Danish law does not provide for administrative fines as in the GDPR (unless it is an uncomplicated case and the accused person consented), fines will be imposed by courts.

FRANCE | French Data Protection Authority (CNIL) | 2019-01-21 | 50,000,000 | Google Inc. | Art. 13 GDPR, Art. 14 GDPR, Art. 6 GDPR, Art. 5 GDPR | Insufficient legal basis for data processing | The fine was imposed on the basis of complaints from the Austrian organisation « None Of Your Business » and the French NGO « La Quadrature du Net ». The complaints were filed on 25th and 28th of May 2018, immediately after the GDPR became applicable. The complaints concerned the creation of a Google account during the configuration of a mobile phone using the Android operating system. The CNIL imposed a fine of 50 million euros for lack of transparency (Art. 5 GDPR), insufficient information (Art. 13 / 14 GDPR) and lack of legal basis (Art. 6 GDPR). The consents obtained had not been given in a « specific » and « unambiguous » manner (Art. 4 nr. 11 GDPR).

FRANCE | French Data Protection Authority (CNIL) | 2019-05-28 | 400,000 | SERGIC (Real Estate) | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The CNIL based the penalty on two grounds: lack of basic security measures and excessive data storage. As to the first, sensitive user documents uploaded by rental candidates (including ID cards, health cards, tax notices, certificates issued by the family allowance fund, divorce judgments, account statements) were accessible online without any authentication procedure in place. Although the vulnerability was known to the company since March 2018, it was not finally resolved until September 2018. In addition, the company stored the documents provided by candidates for longer than necessary. The CNIL took into account i.a. the seriousness of the breach (lack of due care in addressing the vulnerability and the fact that the documents revealed very intimate aspects of clients' lives), the size of the company and its financial standing.

GERMANY | Data Protection Authority of Baden-Wuerttemberg | 2018-11-21 | 20,000 | Knuddels.de | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | After a hacker attack in July, personal data of approx. 330.000 users, including passwords and email addresses, had been revealed.

GERMANY | Data Protection Authority of Hamburg | 2018-12-17 | 5,000 | Kolibri Image Regina und Dirk Maass GbR | Art. 28 (3) GDPR | Insufficient data processing agreement | Please note: According to our information this fine has been withdrawn in the meantime. Kolibri Image had sent a request to the Data Protection Authority of Hessen asking how to deal with a service provider who does not want to sign a processing agreement. After not answering Kolibri Image in more detail, the case was forwarded to the locally responsible Data Protection Authority of Hamburg. This Authority then fined Kolibri Image as controller for not having a processing agreement with the service provider. Kolibri Image has stated that they will challenge the decision in front of court since they are of the opinion that the service provider does not act as a processor.

GERMANY | Data Protection Authority of Baden-Wuerttemberg | 2019-04-12 | 80,000 | Company in the financial sector | Art. 5 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | In an administrative decision dated 12 April 2019, the authority imposed a fine of 80,000 euros on a medium-sized financial services company. This company had failed to take the necessary care to safeguard the integrity and confidentiality of data within the meaning of Art. 5 para. 1 lit. f GDPR when disposing of documents containing personal data of two customers. Thus, without prior anonymisation, the papers were disposed of in the general waste paper recycling system, where the documents were found by a neighbour.

GERMANY | Data Protection Authority of Sachsen-Anhalt | 2019-02-05 | 2,500 | Private person | Art. 6 GDPR, Art. 5 GDPR | Insufficient legal basis for data processing | The fine was imposed against a private person who sent several e-mails between July and September 2018, in which he used personal email addresses visible to all recipients, from which each recipient could read countless other recipients. The individual was accused of ten offences between mid-July and the end of July 2018. According to the authority's letter, between 131 and 153 personal mail addresses were identifiable in his mailing list.

GERMANY | Data Protection Authority of Hamburg | 2018 | 20,000 | Unknown | Art. 83 (4) a) GDPR, Art. 33 (1) GDPR, Art. 34 (1) GDPR | Insufficient fulfilment of data breach notification obligations | Late notification of a data breach and failure to notify the data subjects. Page 134 of the activity report of the Data Protection Commissioner of Hamburg, accessible under link

GERMANY | Data Protection Authority of Saarland | Unknown | 118 | Unknown | Art. 6 GDPR | Insufficient legal basis for data processing | Unlawful disclosure of personal data relating to a third party.

GERMANY | Data Protection Authority of Hamburg | 2018 | 500 | Unknown | Unknown | Unknown | Unknown

GERMANY | Data Protection Authority of Berlin | 2019-03 | 50,000 | N26 | Art. 6 GDPR | Insufficient legal basis for data processing | The fine was imposed against a bank (according to a newspaper N26) that had processed « personal data of all former customers » without permission. The bank has acknowledged that it had retained data relating to former customers in order to maintain a blacklist, a kind of warning file, so that it would not make a new account available to these persons. The bank initially justified this by stating that it was obliged under the German Banking Act to take security measures against customers suspected of money laundering. The Berlin supervisory authority judged this to be illegal. The authority argues that in order to prevent a new bank account from being opened, only those affected may be included in a comparison file who are actually suspected of money laundering or for whom there are other valid reasons for refusing a new bank account. The authority told a newspaper that the fine proceedings initiated against the bank had « not yet been legally concluded ». Page 131 of the activity report of the Data Protection Commissioner of Berlin

HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-02-08 | 1,560 | Bank | Art. 5 (1) d) GDPR | Non-compliance with general data processing principles | A bank mistakenly sent SMS messages about a data subject's bank card debt to the phone number of another person. After receiving a wrong phone number from the client at the time of contracting, the bank did not comply with the data subject's request to erase the data and continued to send SMS messages to the wrong phone number. The fine represents 0.0016% of the annual profit of the bank.

HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-02-20 | 1,560 | Debt collector | Art. 5 (1) a) GDPR, Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | A data subject requested information about and erasure of the data processed, which the debt collector refused, stating that it could not identify the subject. For identification purposes he requested place of birth, mother's maiden name and further details from the data subject. After the controller succeeded in identifying the data subject he refused to fulfil the deletion request, arguing he is legally obliged to keep backup copies according to the Accountancy Act and internal policies. Since he did not properly inform about these policies, the NAIH held the controller breached the principle of transparency. The fine constitutes 0.0025% of the annual profit of the controller.

HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2018-12-18 | 3,200 | Unknown | Art. 12 (4) GDPR, Art. 15 GDPR, Art. 18 (1) c) GDPR, Art. 13 GDPR | Insufficient fulfilment of data subjects rights | The fine was imposed for (i) not providing a data subject with CCTV recordings, (ii) not retaining recordings for further use by the data subject, and (iii) not informing the data subject about his right to lodge a complaint with the supervisory authority.

HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-02-28 | 3,200 | Mayor's Office of the city of Kecskemét | Art. 5 (1) a) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The fine was imposed on the Mayor's Office of the city of Kecskemét for unlawful disclosure of the personal data of a whistleblower. NAIH imposed the fine after an employee of an organisation that it supervised reported a public interest complaint directly to it against his employer. After the organisation learned of the complaint, it requested details in order to investigate, and the local government accidentally revealed the complainant's name. The NAIH considered it an aggravating factor that as a result of the data breach, the organisation fired the person who made the report.

HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-03-04 | 3,200 | Unnamed bank | Art. 5 (1) b) GDPR, Art. 5 (1) c) GDPR, Art. 13 (3) GDPR, Art. 17 (1) GDPR, Art. 6 (4) GDPR | Insufficient fulfilment of data subjects rights | The fine was imposed in relation to a data subject's request for data correction and erasure. NAIH levied a fine against an unnamed bank for unlawfully rejecting a customer's request to have his phone number erased after arguing that it was in the company's legitimate interest to process this data in order to enforce a debt claim against the customer. In its decision, the NAIH emphasised that the customer's phone number is not necessary for the purpose of debt collection because the creditor can also communicate with the debtor by post. Consequently, keeping the phone number of the debtor was against the principles of data minimisation and purpose limitation. As per the law, the assessed fine was based on 0.025% of the company's annual net revenue.

HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-04-05 | 34,375 | Hungarian political party | Art. 33 (1) GDPR, Art. 33 (5) GDPR, Art. 34 (1) GDPR | Insufficient fulfilment of data breach notification obligations | NAIH imposed a fine of HUF 11,000,000 (EUR 34,375) on an undisclosed Hungarian political party for failing to notify the NAIH and relevant individuals about a data breach, and failing to document the breach in accordance with GDPR Article 33.5. As mandated by law, the fine was based on 4% of the party's annual turnover and 2.65% of its anticipated turnover for the upcoming year. The breach was the result of a cyber attack by an anonymous hacker who accessed and disclosed information on the vulnerability of the organisation's system (a database of more than 6,000 individuals) and the command used for the attack. The system was vulnerable to attack due to a redirection problem with the organisation's webpage. After the attacker published the command, even people with low IT knowledge were able to retrieve information from the database.

ITALY | Italian Data Protection Authority (Garante) | 2019-04-17 | 50,000 | Italian political party Movimento 5 Stelle | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | A number of websites affiliated to the Italian political party Movimento 5 Stelle are run, by means of a data processor, through the platform named Rousseau. The platform had suffered a data breach during the summer of 2017 that led the Italian data protection authority, the Garante, to require the implementation of a number of security measures, in addition to the obligation to update the privacy information notice in order to give additional transparency to the data processing activities performed. While the update of the privacy information notice was completed in a timely manner, the Italian data protection authority raised its concerns as to the lack of implementation on the Rousseau platform of some of the GDPR related security measures. It is worth mentioning that the proceeding was initiated prior to May 2018, but the Italian data protection authority issued a fine under the GDPR because the Rousseau platform had not adopted security measures required by means of an order issued after the 25th of May 2018. Interestingly, the fine was not issued against the Movimento 5 Stelle, which is the data controller of the platform, but against the Rousseau association, which is the data processor.

LITHUANIA | Lithuanian Data Protection Authority (VDAI) | 2019-05-16 | 61,500 | Payment service provider UAB MisterTango | Art. 5 GDPR, Art. 32 GDPR, Art. 33 GDPR | Insufficient fulfilment of data breach notification obligations | During an inspection, the Lithuanian Data Protection Supervisory Authority found that the controller processed more data than necessary to achieve the purposes for which he was a controller. In addition, it became known that from 09 to 10 July 2018 payment data were publicly available on the internet due to insufficient technical and organisational measures. 9,000 payments with 12 banks from different countries were affected. According to the supervisory authority, a data breach notification pursuant to Art. 33 GDPR would have been necessary. The controller did not report the data breach.

MALTA | Data Protection Commissioner of Malta | 2019-02-18 | 5,000 | Lands Authority | Art. 5 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | As a result of the lack of appropriate security measures on the Lands Authority website, over 10 gigabytes of personal data became easily accessible to the public via a simple Google search. The majority of the leaked data contained highly sensitive information and correspondence between individuals and the Authority itself. The Lands Authority chose not to appeal. In Malta, in the case of a breach by a public authority or body, the Data Protection Commissioner may impose an administrative fine of up to €25,000 for each violation and must also impose a daily fine of €25 for each day such violation persists.

NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2019-03 | 170,000 | Bergen Municipality | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The incident relates to computer files with usernames and passwords to over 35000 user accounts in the municipality's computer system. The user accounts related both to pupils in the municipality's primary schools and to the employees of the same schools. Due to insufficient security measures, these files were unprotected and openly accessible. The lack of security measures in the system made it possible for anyone to log in to the school's various information systems, and thereby to access various categories of personal data relating to the pupils and employees of the schools. The fact that the security breach encompasses personal data of over 35 000 individuals, and that the majority of these are children, were considered to be aggravating factors. The municipality had also been warned several times, both by the authority and an internal whistleblower, that the data security was inadequate.

POLAND | Polish National Personal Data Protection Office (UODO) | 2019-03-26 | 220,000 | Private company working with data from publicly available sources | Art. 14 GDPR | Insufficient fulfilment of information obligations | The fine concerned the proceedings related to the activity of a company which processed the data subjects' data obtained from publicly available sources, inter alia from the Central Electronic Register and Information on Economic Activity, and processed the data for commercial purposes. The authority verified incompliance with the information obligation in relation to natural persons conducting business activity: entrepreneurs who are currently conducting such activity or have suspended it, as well as entrepreneurs who conducted such activity in the past. The controller fulfilled the information obligation by providing the information required under Art. 14 (1) to (3) of the GDPR only in relation to the persons whose email addresses it had at its disposal. In the case of the remaining persons the controller did not comply with the information obligation, as it explained during the proceedings, due to high operational costs. Therefore, it presented the information clause only on its website. According to the UODO this is not sufficient. Addendum: In the meantime, the court has cancelled the fine due to procedural errors. The amount of the fine must be determined by the concrete number of data records concerned. However, the Office had not submitted any verifiable evidence in this regard, but had simply assumed that 6 million data sets were involved, which the data controller had denied. Therefore, necessary statements were missing. In particular, it was wrong to justify the amount of the fine on the basis of general preventive considerations. Art. 58 GDPR expressly states that a fine imposed must be related to the specific facts of the case. The Polish data protection authority has already announced that the fine will be revised in a new administrative procedure.

POLAND Polish National Personal Data Protection Office (UODO) 2019-04-25 12,950 Sports association Art. 6 GDPR Insufficient legal basis for data processing One sports association published personal data referring to judges who were granted judicial licenses online. However, not only their names were provided, but also their exact addresses and PESEL numbers. Meanwhile, there is no legal basis for such a wide range of data on judges to be available on the Internet. By making them public, the administrator posed a potential risk of their unauthorized use, e.g. to impersonate them for the purpose of borrowing or other obligations. Despite the fact that the association itself noticed its own error, as evidenced by the notification of a personal data protection breach to the President of the PDPA, the fact that attempts to remove it were ineffective determined the imposition of a penalty. When determining the amount of the fine (PLN 55,750.50), the President of UODO also took into account, among others, the duration of the infringement and the fact that it concerned a large group of persons (585 judges). It concluded that although the infringement was finally removed, it was of a serious nature. However, when imposing a penalty, the President of the Office of Competition and Consumer Protection also took into account mitigating circumstances, such as good cooperation between the controller and the supervisory authority or lack of evidence that damage had been caused to the persons whose data had been disclosed. link link PORTUGAL

PORTUGAL Portuguese Data Protection Authority (CNPD) 2018-07-17 400,000 Public Hospital Art. 5 (1) f) GDPR, Art. 32 GDPR Insufficient technical and organisational measures to ensure information security Investigation revealed that the hospital's staff, psychologists, dietitians and other professionals had access to patient data through false profiles. The profile management system appeared deficient – the hospital had 985 registered doctor profiles while only having 296 doctors. Moreover, doctors had unrestricted access to all patient files, regardless of the doctor's specialty. link SPAIN

SPAIN Spanish Data Protection Authority (aepd) Unknown 5,000 Vodafone España, S.A.U. Art. 5 (1) d) GDPR Non-compliance with general data processing principles The Spanish telecommunications and information agency (SETSI) determined that Vodafone had to reimburse a customer for costs he was wrongfully charged for. Nevertheless, Vodafone reported personal data of this respective customer to a solvency registry (BADEXCUG). The AEPD found this behaviour violated the principle of accuracy. link SPAIN

SPAIN Spanish Data Protection Authority (aepd) 2019-06-11 250,000 Professional Football League (LaLiga) Art. 5 (1) a), Art. 7 (3) GDPR Insufficient fulfilment of information obligations The national Football League (LaLiga) was fined for offering an app which once per minute accessed the microphone of users' mobile phones in order to detect pubs screening football matches without paying a fee. In the opinion of the AEPD LaLiga did not adequately inform the users of the app about this practice. Moreover, the app did not meet the requirements for withdrawal of consent. link SPAIN

SPAIN Spanish Data Protection Authority (aepd) Unknown 60,000 Debt collecting agency (GESTIÓN DE COBROS, YO COBRO SL) Art. 5 (1) f) GDPR Insufficient legal basis for data processing After the claimant allegedly did not pay back a microcredit to an online credit agency, the claim was assigned to the debt collecting agency. Subsequently, the latter started sending emails not only to email addresses provided by the claimant but also to an institutional email address of his workplace, accessible by any co-worker, which was never provided by the claimant. link SPAIN

SPAIN Spanish Data Protection Authority (aepd) Unknown 27,000 Vodafone España, S.A.U. Art. 5 (1) d) GDPR Insufficient fulfilment of data subjects rights Despite the fact that the complainant (a former Vodafone customer) had requested Vodafone to delete his data in 2015 and this request had been confirmed by the company, he received more than 200 SMS from the company from 2018 onwards. Following Vodafone's statement, this happened because the complainant's mobile phone number was erroneously used for testing purposes and accidentally appeared in various customer files belonging to other customers than the complainant. Since the company agreed to both payment and admission of responsibility the fine was reduced in accordance with Spanish administrative law to EUR 27k. link GERMANY

GERMANY Data Protection Authority of Baden-Wuerttemberg 2019-05-09 1,400 Police Officer Art. 6 GDPR Insufficient legal basis for data processing The police officer, using his official user ID but without reference to official duties, queried the owner data relating to the license plate of an individual he did not know well via the Central Traffic Information System (ZEVIS) of the Federal Motor Transport Authority. Using the personal data obtained in this way, he then carried out a so-called SARS enquiry with the Federal Network Agency, in which he asked not only for the personal data of the injured parties but also for the home and mobile phone numbers stored there. Using the mobile phone number obtained in this way, the police officer contacted the injured party by telephone – without any official reason or consent given by the injured party. Through the ZEVIS and SARS enquiry for private purposes and the use of the mobile phone number obtained in this way for private contact, the police officer has processed personal data outside the scope of the law on his own authority. This infringement is not attributable to the police officer's department, since he did not commit the act in the exercise of his official duties, but exclusively for private purposes. The prohibition of punishment under § 28 LDSG, according to which the sanctions of the GDPR cannot be imposed on public bodies, does not apply in the present case, since it was neither a case of misconduct attributable to the authority nor is the person concerned to be classified as a separate public body within the meaning of § 2 (1) or (2) LDSG in the case of the acts in question. link FRANCE

FRANCE French Data Protection Authority (CNIL) 2019-06-13 20,000 Employer UNIONTRAD COMPANY Art. 5 (1) c) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 32 GDPR Insufficient legal basis for data processing Between 2013 and 2017, the CNIL received complaints from several employees of the company who were filmed at their workstation. On two occasions, it alerted the company to the rules to be observed when installing cameras in the workplace, in particular, that employees must not be filmed continuously and that information about the data processing must be provided. In the absence of satisfactory measures at the end of the deadline set in the formal notice, the CNIL carried out a second audit in October 2018 which confirmed that the employer was still breaching data protection laws when recording employees with CCTV. When determining the amount of the fine, the CNIL took into account the size (9 employees) and the financial situation of the company, which presented a negative net result in 2017 (turnover of 885,739 EUR in 2017 and a negative net result of 110,844 EUR), to retain a dissuasive but proportionate administrative fine. link HUNGARY

HUNGARY Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) 2019-04-17 9,400 Unknown Art. 5 (1) a) GDPR, Art. 6 GDPR Insufficient legal basis for data processing A data controller used what was, in the view of NAIH, the wrong legal basis for processing of personal data (Art. 6.1.b) for the assignment of claims. link HUNGARY

HUNGARY Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) 2019-04-05 1,900 Unknown Art. 15 GDPR Insufficient fulfilment of data subjects rights The data controller did not fulfil the data subject's access request. link BULGARIA

BULGARIA Data Protection Commission of Bulgaria (KZLD) 2019-04-08 510 Medical services Art. 5 (1) a) GDPR, Art. 9 (1) GDPR, Art. 9 (2) GDPR, Art. 6 (1) GDPR Insufficient legal basis for data processing The sanction of 510 EUR was imposed on each medical centre for unlawful processing of the personal data of data subject G.B. by a medical centre for the purpose of changing his GP. The medical centre used a software to generate a registration form for change of GP which was submitted to the Regional Health Insurance Fund and then to another medical centre, which therefore also unlawfully processed the personal data of G.B. link BULGARIA

BULGARIA Data Protection Commission of Bulgaria (KZLD) 2019-03-26 5,100 A.P. EOOD Art. 5 (1) a) GDPR, Art. 6 GDPR Insufficient legal basis for data processing The sanction was imposed on personal data administrator A.P. EOOD for unlawful processing of personal data. The personal data of data subject D.D. was used by A.P. EOOD for preparing an Employment Contract, while he was in prison. link SPAIN

SPAIN Spanish Data Protection Authority (aepd) Unknown 60,000 ENDESA (energy supplier) Art. 5 (1) f) GDPR Insufficient legal basis for data processing The complainant's bank account was charged by ENDESA, the beneficiary of which was a third party, who had been convicted under criminal law and imposed with a two-year restraining order in relation to the claimant, her place of residence and work. Instead of amending the contract details as requested by the claimant, ENDESA deleted her data erroneously and filled in the data of the third party. The AEPD found the disclosure of the claimant's data to the third party was a serious violation of the principle of confidentiality. link ROMANIA

ROMANIA Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) 2019-06-27 130,000 UNICREDIT BANK SA Art. 25 (1) GDPR, Art. 5 (1) c) GDPR Insufficient technical and organisational measures to ensure information security The fine was issued as a result of the failure to implement appropriate technical and organisational measures (related to (1) the determination of the processing means/operations, and (2) the integration of the necessary safeguards) resulting in the online disclosure of IDs and addresses (internal/external transactions) of 337,042 data subjects to their respective beneficiary (between 25.05.2018 -10.12.2018). link UNITED KINGDOM

UNITED KINGDOM Information Commissioner (ICO) 2019-07-08 204,600,000 British Airways Art. 32 GDPR Insufficient technical and organisational measures to ensure information security Please note: This fine is not final but will be decided when the company and other concerned supervisory authorities of other member states have made their representations. The ICO issued a notice of its intention to fine British Airways £183.39M for GDPR infringements which likely involve a breach of Art. 32 GDPR. The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018. This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this fraudulent site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018. The ICO's investigation has found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well as name and address information. link ROMANIA

ROMANIA Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) 2019-07-02 15,000 WORLD TRADE CENTER BUCHAREST SA Art. 32 GDPR Insufficient technical and organisational measures to ensure information security The breach of data security was that a printed paper list used to check breakfast customers and containing personal data of 46 clients who stayed at the hotel's WORLD TRADE CENTER BUCHAREST SA was photographed by unauthorized persons outside the company, which led to the disclosure of the personal data of some clients through online publication. The operator of WORLD TRADE CENTER BUCHAREST SA has been sanctioned because it has not taken steps to ensure that data is not disclosed to unauthorized parties. link UNITED KINGDOM

UNITED KINGDOM Information Commissioner (ICO) 2019-07-09 110,390,200 Marriott International, Inc Art. 32 GDPR Insufficient technical and organisational measures to ensure information security Please note: This fine is not final but will be decided when the company and other concerned supervisory authorities of other member states have made their representations. The ICO issued a notice of its intention to fine Marriott International Inc which relates to a cyber incident which was notified to the ICO by Marriott in November 2018. GDPR infringements are likely to involve a breach of Art. 32 GDPR. A variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents. It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO's investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems. link HUNGARY

HUNGARY Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) 2019-05-23 92,146 Organizer of SZIGET festival and VOLT festival Art. 6 GDPR, Art. 5 (1) b) GDPR, Art. 13 GDPR Insufficient legal basis for data processing The NAIH found that wrong legal bases were in use and that the controller did not comply with the principle of purpose limitation. Moreover, information on the data processing was not fully provided to data subjects. link ROMANIA

ROMANIA Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) 2019-07-05 3,000 LEGAL COMPANY & TAX HUB SRL Art. 32 GDPR Insufficient technical and organisational measures to ensure information security The fine was imposed because sufficient technical and organizational measures to ensure a level of security appropriate to the risk of processing were not implemented. This has led to unauthorized disclosure and unauthorized access to the personal data of people who have made transactions received by the avocatoo.ro website (name, surname, mailing address, email, phone, job, details of transactions made), as a result of publicly accessible documents between 10th of December 2018 and 1st of February 2019. The National Supervisory Authority applied the sanction following a notification dated 12th of October 2018 indicating that a set of files regarding the details of the transactions received by the avocatoo.ro website which contained the name, surname, address correspondence, email, phone, job and details of transactions made, was publicly accessible via two links. link THE NETHERLANDS

THE NETHERLANDS Dutch Supervisory Authority for Data Protection (AP) 2019-06-18 460,000 Haga Hospital Art. 32 GDPR Insufficient technical and organisational measures to ensure information security The Haga Hospital does not have proper internal security of patient records in place. This is the conclusion of an investigation by the Dutch Data Protection Authority. This investigation followed when it appeared that dozens of hospital staff had unnecessarily checked the medical records of a well-known Dutch person. To force the hospital to improve the security of patient records, the AP simultaneously imposes an order subject to a penalty. If the Haga Hospital has not improved security before 2nd of October 2019, the hospital must pay 100,000 EUR every two weeks, with a maximum of 300,000 EUR. The Haga Hospital has meanwhile indicated that it will take measures. link FRANCE

FRANCE French Data Protection Authority (CNIL) 2019-07-25 180,000 ACTIVE ASSURANCES (car insurer) Art. 32 GDPR Insufficient technical and organisational measures to ensure information security A large number of customer accounts, clients' documents (including copies of driver's licences, vehicle registration, bank statements and documents to determine whether a person had been the subject of a licence withdrawal) and data were easily accessible online. The CNIL, among others, criticized the password management (unauthorized access was possible without any authentication). link GREECE

GREECE Hellenic Data Protection Authority (HDPA) 2019-07-30 150,000 PWC Business Solutions Art. 5 (1) GDPR, Art. 5 (2) GDPR, Art. 6 (1) GDPR, Art. 13 (1) c) GDPR, Art. 14 (1) c) GDPR Insufficient legal basis for data processing The processing of employee personal data was based on consent. The HDPA found that consent as legal basis was inappropriate, as the processing of personal data was intended to carry out acts directly linked to the performance of employment contracts, compliance with a legal obligation to which the controller is subject and the smooth and effective operation of the company, as its legitimate interest. In addition, the company gave employees the false impression that it was processing their personal data under the legal basis of consent, while in reality it was processing their data under a different legal basis. This was in violation of the principle of transparency and thus in breach of the obligation to provide information under Articles 13(1)(c) and 14(1)(c) of the GDPR. Lastly, in violation of the accountability principle, the company failed to provide the HDPA with evidence that it had carried out a prior assessment of the appropriate legal bases for processing employee personal data. link ROMANIA

ROMANIA Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) 2019-10-17 2,500 UTTIS INDUSTRIES SRL Art. 12 GDPR, Art. 13 GDPR, Art. 5 (1) c) GDPR, Art. 6 GDPR Insufficient fulfilment of information obligations The sanctions were applied to the controller because he could not prove that the data subjects were informed about the processing of personal data / images through the video surveillance system, which they have been operating since 2016. And because he made the disclosure of the CNP of the employees, by displaying the Report for the training of the authorized ISCIR personnel for the year 2018 to the company notifier and could not prove the legality of the processing of the CNP, by disclosure, according to Art. 6 GDPR. link SWEDEN

SWEDEN Data Protection Authority of Sweden 2019-08-20 18,630 School in Skellefteå Art. 5 (1) c) GDPR, Art. 9 GDPR, Art. 35 GDPR, Art. 36 GDPR Insufficient legal basis for data processing A school in Skellefteå ran a trial of facial recognition technology. The fine was imposed against the school which had used facial recognition technology to monitor the attendance of students. Even though, in general, data processing for the purpose of monitoring attendance is possible, doing so with facial recognition is disproportionate to the goal of monitoring attendance. The supervisory authority is of the opinion that biometric data of students was processed which is why Art. 9 GDPR is applicable. Moreover, the authority argued that consent cannot be applied since students and their guardians cannot freely decide if they/their children want to be monitored for attendance purposes. When examining if the school board can rely on any of the exemptions listed in Art. 9 (2), the supervisory authority found that this was not the case. The supervisory authority also found that there was a case of a processing activity with high risks since new technology was used to process sensitive personal data concerning children who are in a dependency position to the high school board and due to camera surveillance being used in the students' everyday environment. In the opinion of the authority, the school board was not able to demonstrate compliance with Art. 35 GDPR and the school board was required to consult the authority in accordance with Art. 36 (1) GDPR. link AUSTRIA

AUSTRIA Austrian Data Protection Authority (dsb) 2019-08 50,000 Company in the medical sector Art. 13 GDPR, Art. 37 GDPR Insufficient fulfilment of information obligations The (non-final) fine was imposed on a company in the medical sector for non-compliance with information obligations and for not appointing a data protection officer. link AUSTRIA

AUSTRIA Austrian Data Protection Authority (dsb) 2019-07 11,000 Private person (soccer coach) Art. 6 GDPR Insufficient legal basis for data processing The fine was imposed on a soccer coach who had secretly filmed female players while they were naked in the shower cubicle for years. link SPAIN

SPAIN Spanish Data Protection Authority (aepd) 2019-08-16 60,000 AVON COSMETICS Art. 6 GDPR Insufficient legal basis for data processing A person claimed that AVON COSMETICS had unlawfully processed his data without adequately verifying his identity, which led to his data being erroneously entered in a register of claims, preventing him from working with his bank. As a result, a third party fraudulently used the customer's personal data. link BULGARIA

BULGARIA Data Protection Commission of Bulgaria (KZLD) 2019-08-28 2,600,000 National Revenue Agency Art. 32 GDPR Insufficient technical and organisational measures to ensure information security Leakage of personal data in a hacking attack due to inadequate technical and organisational measures to ensure the protection of information security. It was found that personal data concerning about 6 million persons was illegally accessible. link BULGARIA

BULGARIA Data Protection Commission of Bulgaria (KZLD) 2019-08-28 511,000 DSK Bank Art. 32 GDPR Insufficient technical and organisational measures to ensure information security Leakage of personal data due to inadequate technical and organisational measures to ensure the protection of information security. Third parties had access to over 23000 credit records relating to over 33000 bank customers including personal data such as names, citizenships, identification numbers, addresses, copies of identity cards and biometric data. link LATVIA

LATVIA Data State Inspectorate (DSI) 2019-08-26 7,000 Online Services Art. 17 GDPR Insufficient fulfilment of data subjects rights A merchant who provides services in an online store has infringed the « right to be forgotten » pursuant to Art. 17 GDPR when he was repeatedly requested by a data subject to delete all his personal data, in particular his/her mobile phone number, which the merchant had received as part of an order. Nevertheless, the merchant repeatedly sent advertising messages by SMS to the data subject's mobile phone number. link HUNGARY

HUNGARY Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) 2019-06-25 15,150 Unknown Art. 33 GDPR Insufficient fulfilment of data breach notification obligations The data controller did not fulfil its data breach notification obligations when a flash memory with personal data was lost. link NORWAY

NORWAY Norwegian Supervisory Authority (Datatilsynet) 2019-04-29 120,000 Oslo Municipal Education Department Art. 32 GDPR Insufficient technical and organisational measures to ensure information security Fine for security vulnerabilities in a mobile messaging app developed for use in an Oslo school. The app allows parents and students to send messages to school staff. Due to insufficient technical and organizational measures to protect information security, unauthorized persons were able to log in as authorized users and gain access to personal data about students, legal representatives and employees. The fine has meanwhile been reduced to EUR 120.000, see link link PORTUGAL

PORTUGAL Portuguese Data Protection Authority (CNPD) 2019-02-05 20,000 Unknown Art. 15 GDPR Insufficient fulfilment of data subjects rights Denial of the right to access recorded phone calls by the Data Subject link PORTUGAL

PORTUGAL Portuguese Data Protection Authority (CNPD) 2019-03-25 2,000 Unknown Art. 13 GDPR Insufficient fulfilment of information obligations Absence of signage regarding the use of CCTV systems link GERMANY

GERMANY Data Protection Authority of Berlin 2019-09-19 195,407 Delivery Hero Art. 15 GDPR, Art. 17 GDPR, Art. 21 GDPR Insufficient fulfilment of data subjects rights According to the findings of the Berlin data protection officer, Delivery Hero Germany GmbH had not deleted accounts of former customers in ten cases, even though those data subjects had not been active on the company's delivery service platform for years – in one case even since 2008. In addition, eight former customers had complained about unsolicited advertising e-mails from the company. A data subject who had expressly objected to the use of his data for advertising purposes nevertheless received a further 15 advertising e-mails from the delivery service. In a further five cases, the company did not provide the data subjects with the required information or did so only after the Berlin data protection officer had intervened. link POLAND

POLAND Polish National Personal Data Protection Office (UODO) 2019-09-10 645,000 Morele.net Art. 32 GDPR Insufficient technical and organisational measures to ensure information security The Polish data protection authority imposed a fine of over PLN 2.8 million (approx. €644,780) on Morele.net for insufficient organisational and technical safeguards, which led to unauthorised access to the personal data of 2.2 million people. link BELGIUM

BELGIUM Belgian Data Protection Authority (APD) 2019-09-17 10,000 Provider provider Art. 5 (1) c) GDPR Non-compliance with general data processing principles The Belgian data protection authority has imposed a fine of 10,000 euros on a merchant who wanted to use an electronic identity card (eID) to create a customer card. The DPA's investigation revealed that the merchant required access to personal data located on the eID, including the photo and barcode which is linked to the data subject's identification number. In the meantime, the decision of the data protection authority has been annulled by a court: link link SPAIN

SPAIN Spanish Data Protection Authority (aepd) Unknown 9,600 Restaurant (SANTI 3000, S.L.) Art. 5 (1) a) GDPR, Art. 6 GDPR Insufficient legal basis for data processing A restaurant wanted to impose disciplinary sanctions on an employee using images from a mobile phone video which was recorded by another employee in the restaurant for evidence purposes. The initial fine of EUR 12.000 was reduced to EUR 9.600. link GREECE

GREECE Hellenic Data Protection Authority (HDPA) 2019-10-07 200,000 Telecommunication Service Provider Art. 5 (1) c) GDPR, Art. 25 GDPR Non-compliance with general data processing principles A large number of customers were subject to telemarketing calls, although they had declared an opt-out for this. This was ignored due to technical errors. link GREECE

GREECE Hellenic Data Protection Authority (HDPA) 2019-10-07 200,000 Telecommunication Service Provider Art. 21 (3) GDPR, Art. 25 GDPR Non-compliance with general data processing principles Inadequate technical measures resulted in the data of 8,000 customers not being deleted upon request. link ROMANIA

ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-10-09 | 150,000 | Raiffeisen Bank SA | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Raiffeisen Bank Romania performed scoring assessments on the basis of personal data of individuals registered on the Vreau Credit platform, provided by the platform's staff via WhatsApp, and then returned the result to Vreau Credit using the same means of communication.

ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-10-09 | 20,000 | Vreau Credit SRL | Art. 32 GDPR, Art. 33 GDPR | Insufficient technical and organisational measures to ensure information security | Raiffeisen Bank Romania performed scoring assessments on the basis of personal data of individuals registered on the Vreau Credit platform, provided by the platform's staff via WhatsApp, and then returned the result to Vreau Credit using the same means of communication.

SPAIN | Spanish Data Protection Authority (aepd) | 2019-10-01 | 30,000 | Vueling Airlines | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish Data Protection Agency (AEPD) has sanctioned Vueling Airlines with 30,000 euros for not giving users the ability to refuse its cookies and forcing them to accept them if they want to browse its website. In other words, it was not possible to browse the Vueling website without accepting its cookies. The AEPD issued a sanctioning resolution for the amount of 30,000 euros, which can be reduced to 18,000 for immediate payment.

CYPRUS | Cypriot Data Protection Commissioner | 2019 | 14,000 | Doctor | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A patient complained to the Commissioner that the request for access to her medical file was not satisfied by the hospital because the file could not be identified/located by the controller. After investigating the case, an administrative fine of €5,000 was imposed on the hospital.

ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-09-26 | 9,000 | Inteligo Media SA | Art. 5 (1) a) GDPR, Art. 6 (1) a) GDPR | Insufficient legal basis for data processing | As part of the registration process on the website avocatnet.ro, the operator used an unfilled checkbox by means of which users could indicate that they did not want to receive information letters by e-mail (opt-out). Without any action, the user was automatically sent information letters by e-mail. This did not fulfil the requirements for a GDPR-compliant consent.

SLOVAKIA | Slovak Data Protection Office | Unknown | Unknown | Unknown | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | A data controller did not act on a data subject's request to access his/her personal data processed by audio recordings.

SLOVAKIA | Slovak Data Protection Office | Unknown | Unknown | Unknown | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Documents containing personal data were disposed of in the area of the municipal garbage dump.

SLOVAKIA | Slovak Data Protection Office | Unknown | Unknown | Unknown | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Violation of data security measures (no further information available at the moment).

SLOVAKIA | Slovak Data Protection Office | Unknown | Unknown | Unknown | Art. 5 (1) a) GDPR, Art. 6 (1) a) GDPR | Insufficient legal basis for data processing | Personal data were unlawfully published on the website of a city in the course of fulfilling its disclosure obligation under the Freedom of Information Act. However, the Data Protection Authority stated that the city had published the personal data in violation of the law and without the consent of the person concerned.

SPAIN | Spanish Data Protection Authority (aepd) | 2019-10-16 | 60,000 | Xfera Moviles S.A. | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Xfera Moviles used personal data without a legal basis for the conclusion of a phone contract and continued to process personal data even when the data subject requested that the processing be discontinued.

SPAIN | Spanish Data Protection Authority (aepd) | 2019-10-16 | 8,000 | Iberdrola Clientes | Art. 31 GDPR | Insufficient cooperation with supervisory authority | Iberdrola Clientes, an electricity company, had refused to grant a request from an individual to change their electricity supplier because it claimed that their data might be included in the solvency list. As a result, the AEPD requested that Iberdrola Clientes provide information regarding the possibility of including the person's data in the solvency list, to which the company did not reply. This lack of cooperation with the AEPD was a violation of Article 31 of the GDPR.

SLOVAKIA | Slovak Data Protection Office | Unknown | 40,000 | Slovak Telekom | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The controller did not implement sufficient security measures when processing personal data, thereby breaching the obligation to protect the processed personal data.

AUSTRIA | Austrian Data Protection Authority (dsb) | 2019-10-23 | 18,000,000 | Austrian Post | Art. 5 (1) a) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Austrian Post had created profiles of more than three million Austrians, which included information about their home addresses, personal preferences, habits and possible party affinity – which were subsequently resold, for example to political parties and companies. (In this case, a civil court judgement about compensation claims at a rate of 800 € has also been issued: link – however, this court decision has already been overturned due to a lack of evidence of actual damage: link)

POLAND | Polish National Personal Data Protection Office (UODO) | 2019-10-18 | 9,380 | Mayor of Aleksandrów Kujawski | Art. 28 GDPR | Insufficient data processing agreement | No data processing agreement has been concluded with the company whose servers contained the resources of the Public Information Bulletin (BIP) of the Municipal Office in Aleksandrów Kujawski. For this reason, a fine of 40.000 PLN (9400 EUR) was imposed on the mayor of the town.

GERMANY | Data Protection Authority of Berlin | 2019-10-30 | 14,500,000 | Deutsche Wohnen SE | Art. 5 GDPR, Art. 25 GDPR | Non-compliance with general data processing principles | The company used an archiving system for the storage of personal data of tenants that did not provide for the possibility of removing data that was no longer required. Personal data of tenants were stored without checking whether storage was permissible or even necessary. It was therefore possible to access personal data of affected tenants which had been stored for years without this data still serving the purpose of its original collection. This involved data on the personal and financial circumstances of tenants, such as salary statements, self-disclosure forms, extracts from employment and training contracts, tax, social security and health insurance data as well as bank statements. In addition to sanctioning this structural violation, the Berlin data protection commissioner imposed further fines of between 6,000 and 17,000 euros on the company for the inadmissible storage of personal data of tenants in 15 specific individual cases. See the separate entry.

GERMANY | Data Protection Authority of Berlin | 2019-10-30 | Unknown | Deutsche Wohnen SE | Art. 5 GDPR | Non-compliance with general data processing principles | In addition to sanctioning violations of privacy by design principles (Art. 5 GDPR, Art. 25 GDPR – see separate entry), the Berlin data protection commissioner imposed further fines of between 6,000 and 17,000 euros on the company for the inadmissible storage of personal data of tenants in 15 specific individual cases.

SPAIN | Spanish Data Protection Authority (aepd) | 2019-10-25 | 36,000 | Vodafone España, S.A.U. | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The claimant, whose data had, according to him, been provided to the company by his daughter, received a call from the company offering its services, which he refused. However, Vodafone España proceeded to provide him with services and to request payment from him, so Vodafone España had processed the claimant's personal data without his consent.

GERMANY | Data Protection Authority of Baden-Wuerttemberg | 2019 | 80,000 | Unknown | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | In a digital newsletter, health data was unintentionally published as a result of insufficient internal control mechanisms.

POLAND | Polish National Personal Data Protection Office (UODO) | 2019-10-16 | 47,000 | ClickQuickNow | Art. 5 GDPR | Non-compliance with general data processing principles | The UODO imposed a fine of EUR 47000 for obstructing the exercise of the right of withdrawal for the processing of personal data. The company has not taken appropriate technical and organisational measures that enable the easy and appropriate withdrawal of consent to the processing of personal data and the exercise of the right to request the erasure of personal data.

SPAIN | Spanish Data Protection Authority (aepd) | 2019-11-07 | 900 | TODOTECNICOS24H S.L. | Art. 13 GDPR | Insufficient fulfilment of information obligations | TODOTECNICOS24H had collected personal data without providing accurate information about data collection in its data protection declaration pursuant to Article 13 of the GDPR.

SPAIN | Spanish Data Protection Authority (aepd) | Unknown | 12,000 | Madrileña Red de Gas | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The gas company did not have appropriate measures in place to verify the identity of the data subject. The person who filed the complaint alleges that the company e-mailed his data to a third party in response to a request.

SPAIN | Spanish Data Protection Authority (aepd) | 2019-11-06 | 900 | Cerrajero Online | Art. 13 GDPR | Insufficient fulfilment of information obligations | The company had collected personal data without providing accurate information about data collection in its data protection declaration pursuant to Article 13 of the GDPR.

SPAIN | Spanish Data Protection Authority (aepd) | 2019-10-31 | 6,000 | Jocker Premium Invex | Art. 6 GDPR | Insufficient legal basis for data processing | After the applicant registered for a local census, Jocker Premium Invex sent the applicant postal advertising and commercial offers, although data such as first name, surname and postal address had only been communicated to the public administration.

THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2019-10-31 | 900,000 | UWV (Dutch employee insurance service provider) | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | As the UWV (the Dutch employee insurance service provider – « Uitvoeringsinstituut Werknemersverzekeringen ») did not use multi-factor authentication for access to the online employer portal, security was insufficient. Employers and health and safety services were able to collect and display health data of employees in an absence system.

PORTUGAL | Portuguese Data Protection Authority (CNPD) | 2019-03-19 | 2,000 | Unknown | Art. 13 GDPR | Insufficient fulfilment of information obligations | Absence of signage regarding the use of CCTV systems.

SLOVAKIA | Slovak Data Protection Office | Unknown | 50,000 | Social Insurance Agency | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Applications for social benefits from Slovak citizens were sent by post to foreign authorities. These were lost in the post, with the result that the whereabouts of these personal data could not be clarified.

SPAIN | Spanish Data Protection Authority (aepd) | 2019-11-13 | 3,000 | General Confederation of Labour (‘CGT’) | Art. 6 GDPR | Insufficient legal basis for data processing | The CGT, with the aim of convening a meeting, e-mailed personal data of the complainant, including her home address, family relationship, pregnancy status and the date of an ongoing verbal abuse and harassment case, to 400 union members without her consent.

CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | Unknown | 588 | Alza.cz a.s. | Art. 6 GDPR, Art. 7 GDPR | Insufficient legal basis for data processing | The company obtained a copy of the photographic ID of the data subject with his consent, but did not react to his withdrawal of consent and continued processing his personal data.

CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | Unknown | 980 | Individual entrepreneur – no further details published | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The operator of an online game was exposed to several DDoS attacks which resulted in the malfunctioning of the servers. The attacker blackmailed the operator, stating that the attacks would not stop unless he paid money. As part of the blackmail, the attacker offered to provide the operator with upgraded and better firewall protection for the operator's servers. The operator agreed and paid the attacker. The operator implemented the new code from the attacker, which proved better than the old one, but there was a « backdoor » in the code. The attacker used the backdoor to take all of the data on the server regarding the players and uploaded these details to his website. The Office for Personal Data Protection concluded that the operator did not use appropriate security measures.

SPAIN | Spanish Data Protection Authority (aepd) | 2019-11-19 | 60,000 | Corporación radiotelevisión espanola | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | CORPORACIÓN RADIOTELEVISIÓN ESPAÑOLA and the trade union reported a security breach to the AEPD after six unencrypted USB sticks containing personal data had been lost. The violation affected about 11,000 people and included identification data, employment data, data about criminal convictions and health data.

SPAIN | Spanish Data Protection Authority (aepd) | 2019-11-21 | 60,000 | Viaqua Xestión Integral Augas de Galicia | Art. 6 GDPR | Insufficient legal basis for data processing | Processing (modification) of the personal data of a customer included in a contract by a third party without the consent of the customer.

ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-11-25 | 11,000 | Courier Services Company | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The fine was imposed because the controller failed to implement appropriate technical and organisational measures, resulting in the loss of and unauthorised access to personal data (name, bank card number, CVV code, cardholder's address, personal identification number, serial and identity card number, bank account number, credit limit) of approximately 1,100 data subjects.

ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-11-22 | 2,000 | BNP Paribas Personal Finance S.A. | Art. 12 GDPR, Art. 17 GDPR | Insufficient fulfilment of data subjects rights | BNP Paribas Personal Finance did not react to a request for erasure within the period set by the GDPR.

SPAIN | Spanish Data Protection Authority (aepd) | 2019-11-14 | 30,000 | Telefónica SA | Art. 5 GDPR | Non-compliance with general data processing principles | Telefónica had charged the complainant a number of fees in connection with the operation of a phone line which the complainant had never owned. The reason for this was that the complainant's bank account was linked to another Telefónica customer, which resulted in the fees being debited from the complainant's account. According to the AEPD, this is contrary to the principle of accuracy as required by Article 5(1)(d) GDPR.

FRANCE | French Data Protection Authority (CNIL) | 2019-11-21 | 500,000 | Futura Internationale | Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 21 GDPR | Insufficient fulfilment of data subjects rights | Futura Internationale was fined for cold calls after several complainants received cold calls despite having declared directly to the caller and by post that this was not wanted. In particular, the decision pointed out that the CNIL's on-site investigation of Futura Internationale revealed, inter alia, that Futura Internationale had received several letters objecting to cold calling, that it had stored inappropriate information about customers and their health and that Futura Internationale had not informed individuals about the processing of their personal data or the recording of telephone conversations.

SPAIN | Spanish Data Protection Authority (aepd) | 2019-11-19 | 60,000 | Xfera Moviles S.A. | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | An individual complainant had received an SMS from Xfera Móviles which was meant to be addressed to a third party and which allowed him to access the account and personal data of this third party on the Xfera Móviles website by means of the phone number and password received by SMS.

LATVIA | Data State Inspectorate (DSI) | 2019-11 | 150,000 | Unknown | Art. 6 GDPR | Insufficient legal basis for data processing | Illegal data processing. No further information available yet.

SPAIN | Spanish Data Protection Authority (aepd) | Unknown | 10,000 | Ikea Ibérica | Art. 6 GDPR | Insufficient legal basis for data processing | The company installed cookies on an end user's terminal device without prior consent of the data subject.

GERMANY | Data Protection Authority of Rheinland-Pfalz | 2019-12-03 | 105,000 | Hospital | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The fine is based on several breaches of the GDPR in connection with a patient mix-up at the admission of the patient. This resulted in incorrect invoicing and revealed structural technical and organisational deficits in the hospital's patient management.

BELGIUM | Belgian Data Protection Authority (APD) | 2019-11-28 | 5,000 | Mayor | Art. 6 GDPR | Insufficient legal basis for data processing | Fine for sending election mailings without a sufficient legal basis. The e-mail addresses used had not been collected for this purpose.

BELGIUM | Belgian Data Protection Authority (APD) | 2019-11-28 | 5,000 | Municipal alderman | Art. 6 GDPR | Insufficient legal basis for data processing | Fine for sending election mailings without a sufficient legal basis. The e-mail addresses used had not been collected for this purpose.

ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-12-04 | 20,000 | S CNTAR TAROM SA (Airline) | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian data protection authority imposed a sanction on an airline because it had not taken appropriate measures to ensure that any natural person acting under its supervision processes personal data in accordance with its instructions (Article 32(4) of the GDPR). This resulted in an employee having unauthorized access to the booking application and being able to photograph a list with the personal data of 22 passengers/customers in order to publish this list on the Internet.

ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-11-28 | 80,000 | ING Bank N.V. | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | ING Bank has not taken appropriate technical and organisational measures for an automated data processing system during the settlement process of card transactions affecting 225,525 customers, resulting in double transactions being carried out between 8 and 10 October.

ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-11-29 | 2,500 | Royal President S.R.L. | Art. 15 GDPR, Art. 6 GDPR, Art. 32 GDPR | Insufficient fulfilment of data subjects rights | Royal President refused a request for access to personal data pursuant to Article 15 of the GDPR and disclosed personal data without the consent of the data subjects. In addition, Royal President has not taken appropriate technical or organisational measures to ensure the security of the data processed.

GERMANY | The Federal Commissioner for Data Protection and Freedom of Information (BfDI) | 2019-12-09 | 9,550,000 | Telecoms provider (1&1 Telecom GmbH) | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The controller is a company offering telecommunication services. A caller could obtain extensive information on personal customer data from the company's customer service department simply by giving a customer's name and date of birth. In this authentication procedure, the BfDI saw a violation of Article 32 GDPR, according to which a company is obliged to take appropriate technical and organisational measures to systematically protect the processing of personal data. Due to the company's cooperation with the data protection authority, the fine imposed was at the lower end of the scale.

GERMANY | The Federal Commissioner for Data Protection and Freedom of Information (BfDI) | 2019-12-09 | 10,000 | Rapidata GmbH | Art. 37 GDPR | Lack of appointment of data protection officer | Despite repeated requests from the BfDI, the company (an internet provider) did not comply with its legal obligation under Article 37 GDPR to appoint a data protection officer.

SPAIN | Spanish Data Protection Authority (aepd) | 2019 | 21,000 | Vodafone España, S.A.U. | Art. 6 (1) GDPR | Insufficient legal basis for data processing | Vodafone had processed personal data of the claimant (bank details, name, surname and national identification number) years after the contractual relationship had ended. The fine of EUR 35.000 was reduced to EUR 21.000.

SPAIN | Spanish Data Protection Authority (aepd) | 2019 | 36,000 | VODAFONE ONO, S.A.U. | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The company sent a marketing e-mail to a large number of recipients (customers) without using the blind copy feature. The initial fine of EUR 60.000 was reduced to EUR 36.000.

SPAIN | Spanish Data Protection Authority (aepd) | 2019 | 48,000 | VODAFONE ONO, S.A.U. | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Customers could access personal data of other customers in the customer area. The initial fine of EUR 60.000 was reduced to EUR 48.000.

SPAIN | Spanish Data Protection Authority (aepd) | 2019 | 48,000 | TELEFONICA MOVILES ESPAÑA, S.A.U. | Art. 5 (1) a) GDPR | Non-compliance with general data processing principles | The claimant's bank account was charged by the company with two invoices for the services he had contracted which, however, showed personal data of another customer. The initial fine of EUR 60.000 was reduced to EUR 48.000.

SPAIN | Spanish Data Protection Authority (aepd) | 2019 | 30,000 | Vodafone España, S.A.U. | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Disclosure of customer personal data (i.a. purchase history) via an SMS to another customer. The initial fine of EUR 50.000 was reduced to EUR 30.000.

SPAIN | Spanish Data Protection Authority (aepd) | 2019 | 40,000 | Vodafone España, S.A.U. | Art. 6 GDPR | Insufficient legal basis for data processing | The company had charged for a Netflix service that had not been solicited by the claimant. The claimant could show that the service had been used by another household, which allegedly had obtained the claimant's bank account and phone number from Vodafone. Since Vodafone could not show that the claimant had consented to the conclusion of the contract relating to the Netflix services, the AEPD imposed a fine of EUR 40.000.

SPAIN | Spanish Data Protection Authority (aepd) | 2019 | 20,000 | Individual | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | Video surveillance cameras were not only used to protect property, but also monitored employees (violation of the principle of data minimisation).

SPAIN | Spanish Data Protection Authority (aepd) | 2019 | 9,000 | Individual | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | Video surveillance cameras were not only used to protect property, but also monitored employees (violation of the principle of data minimisation).

SPAIN | Spanish Data Protection Authority (aepd) | 2019 | 3,600 | AMADOR RECREATIVOS, S.L | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | Surveillance of the public space by video surveillance cameras in violation of the principles of data minimisation.

HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-10 | 15,100 | Town of Kerepes | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The town based its video surveillance practice on its legitimate interests (Art. 6 (1) f GDPR). However, according to Art. 6 (1) subparagraph 2, this legal basis shall not apply to processing carried out by public authorities in the performance of their tasks. The processing could not be based on another legal basis.

BULGARIA | Data Protection Commission of Bulgaria (KZLD) | 2019-09-03 | 28,100 | National Revenue Agency | Art. 6 (1) GDPR, Art. 58 (2) e) GDPR, Art. 83 (5) a) GDPR | Insufficient legal basis for data processing | The pecuniary sanction of EUR 28,121 was imposed on the National Revenue Agency for unlawful processing of the personal data of data subject G.B.I. The personal data of G.B.I. was unlawfully collected and subsequently used to initiate an enforcement case against her for recovery of the sum of ca. EUR 86,569. In the course of the enforcement case, additional information regarding the bank accounts of G.B.I. was collected by the National Revenue Agency from the register of the Bulgarian National Bank. The additionally collected data was also unlawfully processed by the National Revenue Agency in sending distraint orders to the banks with which G.B.I. had bank accounts.

SPAIN | Spanish Data Protection Authority (aepd) | 2019-11-28 | 75,000 | Curenergía Comercializador de último recurso | Art. 6 GDPR | Insufficient legal basis for data processing | An individual filed a complaint against the company alleging that the company had used their personal data as a former customer, such as first and last name, VAT identification number and address, to enter into an electricity supply contract.

SPAIN | Spanish Data Protection Authority (aepd) | 2019-12-03 | 1,500 | Cerrajeria Verin S.L. | Art. 13 GDPR | Insufficient fulfilment of information obligations | The company collected personal data without providing accurate information on its data processing activities in the privacy policy published on its website.

GERMANY | Data Protection Authority of Mecklenburg-Vorpommern | 2019 | 800 | Police Officer | Art. 6 GDPR | Insufficient legal basis for data processing | A police officer used a witness's personal data to contact her personally.

SWEDEN | Data Protection Authority of Sweden | 2019-12-16 | 35,000 | Nusvar AB | Art. 6 GDPR | Insufficient legal basis for data processing | Nusvar AB, operator of the website Mrkoll.se, which provides information on all Swedes over 16 years of age, had published information on people with overdue payments.

ROMANIA Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) 2019-12-16 2,000 Globus Score SRL Art. 58 GDPR Insufficient cooperation with supervisory authority The company did not comply with measures ordered by the National Supervisory Authority.

SPAIN Spanish Data Protection Authority (aepd) 2019-12-03 5,000 Linea Directa Aseguradora Art. 6 GDPR Insufficient legal basis for data processing The insurance company sent advertising e-mails for the « Reto Nuez » platform without the necessary consent.

SPAIN Spanish Data Protection Authority (aepd) 2019-12-10 1,600 Megastar SL Art. 5 (1) c) GDPR, Art. 13 GDPR Non-compliance with general data processing principles The company operated a video surveillance system in which the viewing angle of the cameras extended unnecessarily far into the public traffic area. Moreover, no sign with data protection notices was affixed.

ROMANIA Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) 2019-11-26 3,000 Modern Barber Art. 58 GDPR Insufficient cooperation with supervisory authority The company did not comply with measures ordered by the National Supervisory Authority.

ROMANIA Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) 2019-12-02 2,000 Nicola Medical Team 17 SRL Art. 58 GDPR Insufficient cooperation with supervisory authority The company did not comply with measures ordered by the National Supervisory Authority.

HUNGARY Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) 2019-10-24 7,400 Military Hospital Art. 32 GDPR, Art. 33 GDPR Insufficient fulfilment of data breach notification obligations A military hospital did not meet the reporting deadline for data breaches. Another part of the fine relates to a lack of technical and organisational measures.

SPAIN Spanish Data Protection Authority (aepd) 2019-11-19 6,000 Sports Bar Art. 5 (1) c) GDPR Non-compliance with general data processing principles The sports bar operated a video surveillance system in which the viewing angle of the cameras extended into the public traffic area.

SPAIN Spanish Data Protection Authority (aepd) 2019-11-06 60,000 Vodafone España, S.A.U. Art. 6 GDPR Insufficient legal basis for data processing Vodafone sent the customer's invoice data to unauthorised third parties following a customer invoice complaint. Initially, a fine of EUR 75,000 was threatened, but it was reduced to EUR 60,000 in return for immediate payment and waiver of appeal.

SPAIN Spanish Data Protection Authority (aepd) 2019-10-23 60,000 Vodafone España, S.A.U. Art. 5 (1) f) GDPR Non-compliance with general data processing principles Vodafone sent an invoice history to the subscriber as part of the subscriber's invoice complaint. The history also contained invoice data of an unknown third party.

THE NETHERLANDS Dutch Supervisory Authority for Data Protection (AP) 2019-10-31 50,000 Menzis (Health Insurance Company) Art. 5 GDPR Non-compliance with general data processing principles Marketing staff had access to patient data. Among other things, this violated the purpose limitation principle.

GREECE Hellenic Data Protection Authority (HDPA) 2019-10-18 20,000 Wind Hellas Telecommunications Art. 21 GDPR Insufficient fulfilment of data subjects rights Among other things, the company ignored objections raised by affected parties against advertising calls.

ROMANIA Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) 2019-12-18 2,000 Telekom Romania Mobile Communications SA Art. 32 GDPR Insufficient technical and organisational measures to ensure information security The company failed to ensure the accuracy of the processing of personal data, which resulted in a disclosure of a customer's personal data to another customer.

HUNGARY Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) 2019-12-11 1,430 Unknown Company Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 24 GDPR, Art. 25 GDPR Non-compliance with general data processing principles The employer restored the mailbox of a director who had left the company a year earlier and found an e-mail containing a work-related document. The director received no warning that his former inbox would be activated and did not have an opportunity to copy / delete his private data (passwords and financial information). According to NAIH, an employee or a representative should be present when the employee's data is being accessed, even when the employment has been terminated. Employees should be in a position to request a copy or the deletion of their private data. Employers have to document the access with minutes and photos; when the employee cannot be present, then in the presence of independent witnesses. Employers have to adopt internal policies on archiving and the use of IT assets and e-mail accounts, including procedural rules such as the steps of an inspection and the officials present to carry it out.

UNITED KINGDOM Information Commissioner (ICO) 2019-12-17 320,000 Doorstep Dispensaree Ltd. (Pharmacy) Art. 32 GDPR Insufficient technical and organisational measures to ensure information security The company had stored some 500,000 documents containing names, addresses, dates of birth, NHS numbers and medical information and prescriptions in unsealed containers at the back of the building and failed to protect these documents from the elements, resulting in water damage to the documents.

BELGIUM Belgian Data Protection Authority (APD) 2019-12-17 2,000 Nursing Care Organisation Art. 12 GDPR, Art. 15 GDPR, Art. 17 GDPR Insufficient fulfilment of data subjects rights The company failed to act on requests from the data subject to get access to his data and to have his data erased.

ROMANIA Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) 2019-11-29 500 Homeowners Association Art. 32 GDPR Insufficient technical and organisational measures to ensure information security The association used video surveillance systems without proper information in accordance with Art. 13 GDPR and without adequate security measures regarding the persons having access to the system.

SPAIN Spanish Data Protection Authority (aepd) 2019-12-10 5,000 Shop Macoyn, S.L. Art. 32 GDPR Insufficient technical and organisational measures to ensure information security The company sent advertising e-mails to many recipients in which the e-mail addresses of all other recipients were visible to every recipient, because the recipient addresses had been inserted as CC and not as BCC.

BULGARIA Commission for Personal Data Protection (KZLD) 2019-09-03 1,022 Telecommunication service provider Art. 6 (1) GDPR, Art. 25 (1) GDPR Insufficient legal basis for data processing The pecuniary sanctions of EUR 1,022 and EUR 5,113 were imposed on a telecommunications service provider and its commercial representative in Bulgaria for unlawful processing of the personal data of a data subject. The personal data of the data subject was unlawfully processed for the conclusion of service contracts without his knowledge or consent.

BULGARIA Commission for Personal Data Protection (KZLD) 2019-09-03 5,113 Telecommunication service provider Art. 6 (1) GDPR, Art. 25 (1) GDPR Insufficient legal basis for data processing The pecuniary sanctions of EUR 1,022 and EUR 5,113 were imposed on a telecommunications service provider and its commercial representative in Bulgaria for unlawful processing of the personal data of a data subject. The personal data of the data subject was unlawfully processed for the conclusion of service contracts without his knowledge or consent.

BULGARIA Commission for Personal Data Protection (KZLD) 2019-09-03 11,760 Commercial representative of telecommunication service provider Art. 6 (1) GDPR Insufficient legal basis for data processing The pecuniary sanction of EUR 11,760 was imposed on the commercial representative of a telecommunications service provider for unlawful processing of the personal data of a data subject. The personal data of the data subject was unlawfully processed for the conclusion of a contract for mobile services and of leasing contracts.

BULGARIA Commission for Personal Data Protection (KZLD) 2019-09-03 1,121 Private enforcement agent Art. 12 (4) GDPR, Art. 15 GDPR Insufficient fulfilment of data subjects rights The fine of EUR 1,121 was imposed on a private enforcement agent for processing the personal data of a data subject by recording with technical means for video surveillance and for refusing to grant access to the collected data. The data subject submitted an application for access to his personal data to the private enforcement agent, who failed to inform him of the reasons for the rejection of his request.

BULGARIA Commission for Personal Data Protection (KZLD) 2019-10-28 511 Employer Art. 12 (3) GDPR, Art. 15 (1) GDPR Insufficient fulfilment of data subjects rights The pecuniary sanction of EUR 511 was imposed on an employer for refusing to grant access to the personal data of a data subject who had submitted an application for access to his personal data to his former employer.

BULGARIA Commission for Personal Data Protection (KZLD) 2019-10-07 511 B.D. Art. 31 GDPR Insufficient cooperation with supervisory authority The fine of EUR 511 was imposed on B.D. for failure to provide access to information which the Commission for Personal Data Protection needed for performance of its tasks and execution of a disposition.

BULGARIA Commission for Personal Data Protection (KZLD) 2019-10-08 5,112 The Ministry of Internal Affairs Art. 5 (1) GDPR, Art. 6 (1) GDPR Insufficient legal basis for data processing The fine of EUR 5,112 was imposed on the Ministry of Internal Affairs for unlawfully processing the personal data of data subject A.K. The Ministry of Interior sent the personal data of A.K. to the Togolese Republic (Togo).

BELGIUM Belgian Data Protection Authority (APD) 2019-12-17 15,000 Website providing legal information Art. 6 GDPR, Art. 12 GDPR, Art. 13 GDPR Insufficient fulfilment of information obligations An operator of a website for legal information had the privacy statement available only in English, although it was also addressed to a Dutch and French speaking audience. In addition, the first version of the privacy statement was not easily accessible and did not state the legal basis for data processing under the GDPR. Moreover, with regard to the ECJ ruling on Planet 49, it was clear that appropriate consent was required for the use of Google Analytics.

GERMANY Data Protection Authority of Niedersachsen 2019 294,000 Unknown Art. 5 GDPR Non-compliance with general data processing principles A company was fined EUR 294 000 for ‘unnecessarily prolonged’ storage and retention of personnel files and for ‘unsuitable’ data collection during the personnel selection process, during which health data had also been requested.

SPAIN Spanish Data Protection Authority (aepd) 2020-01-07 44,000 Vodafone España, S.A.U. Art. 5 (1) f) GDPR Non-compliance with general data processing principles The company had sent a contract with personal data, including the applicant's name, address and mobile phone number, to the wrong recipient.

SPAIN Spanish Data Protection Authority (aepd) 2020-01-09 3,000 Vodafone España, S.A.U. Art. 58 GDPR Insufficient cooperation with supervisory authority Failure to provide information to the AEPD within the required timeframe, in violation of Article 58.

SPAIN Spanish Data Protection Authority (aepd) 2020-01-07 75,000 EDP España S.A.U. Art. 6 GDPR Insufficient legal basis for data processing The company processed personal data such as first and last name, tax number, address and mobile phone number without the consent of the data subject.

SPAIN Spanish Data Protection Authority (aepd) 2020-01-07 75,000 EDP Comercializadora, S.A.U. Art. 6 GDPR Insufficient legal basis for data processing The company processed personal data in connection with a gas contract without the consent of the applicant. The decision finds that the applicant received an invoice for a gas contract which he did not sign and that EDP Comercializadora claims that the applicant is party to a contract with another energy company which has a supply contract with EDP Comercializadora and that the processing of data is therefore justified. The AEPD stated that EDP Comercializadora had to prove that the plaintiff had agreed to a contract with a second entity and not only with its direct energy supplier.

SPAIN Spanish Data Protection Authority (aepd) 2020-01-07 10,000 Asociación de Médicos Demócratas Art. 6 GDPR Insufficient legal basis for data processing The Asociación de Médicos Demócratas processed personal data of its members, despite having been warned by the AEPD that it carried out the processing without the consent of the data subjects.

ROMANIA Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) 2019-12-10 14,000 Hora Credit IFN SA Art. 5 GDPR, Art. 25 GDPR, Art. 32 GDPR, Art. 33 GDPR Insufficient technical and organisational measures to ensure information security The sanctions were applied as a result of a complaint alleging that Hora Credit IFN SA transmitted documents containing personal data of another person to a wrong e-mail address. Following the investigation it was found that Hora Credit IFN SA processed the data without providing appropriate mechanisms for verifying and validating the accuracy of the data collected and processed in accordance with the principles set out in Art. 5 of the GDPR. It was also found that the operator did not take sufficient security measures for personal data, in accordance with Art. 25 and 32 of the GDPR, in order to avoid unauthorized disclosure of personal data and its accessibility to third parties. At the same time, Hora Credit IFN SA did not notify the Supervisory Authority of the security incident that was brought to its attention, in accordance with Art. 33 of the GDPR, within 72 hours from the date it became aware of it. The fine consists of three partial fines of EUR 3000, EUR 10000 and EUR 1000.

ROMANIA Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) 2019-12-16 6,000 SC Enel Energie S.A. (Electricity Distributor) Art. 5 GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 21 GDPR Insufficient legal basis for data processing The sanctions were imposed following a complaint alleging that Enel Energie had unlawfully processed an individual's personal data and was unable to prove that it had obtained the individual's consent to send e-mail notifications. In addition, the ANSPDCP found that the operator had not taken the necessary measures to stop the transmission of notifications, despite the fact that the person had repeatedly exercised his right to object. The operator SC Enel Energie SRL was sanctioned with two contravention fines, each amounting to 14,334.30 lei, the equivalent of EUR 3000.

CYPRUS Cyprian Data Protection Commissioner 2020-01-13 9,000 Social Insurance Services of the Ministry of Labor, Welfare and Social Insurance Art. 32 GDPR Insufficient technical and organisational measures to ensure information security Granting the police access to personal data and failing to take adequate measures to secure the data, despite the warnings of the Supervisor, constituted a breach of Article 32 of the GDPR.

CYPRUS Cyprian Data Protection Commissioner 2019-10-25 70,000 LGS Handling Ltd, Louis Travel Ltd, and Louis Aviation Ltd Art. 6 GDPR, Art. 9 GDPR Insufficient legal basis for data processing The decision found that the use of the Bradford factor for profiling and monitoring sick leave constituted unlawful processing of personal data in breach of Article 6 and Article 9 of the GDPR. Three fines of EUR 70,000, EUR 10,000 and EUR 2,000 were imposed for this infringement. The decision was released on 2020/10/13.

CYPRUS Cyprian Data Protection Commissioner 2019-10-25 10,000 LGS Handling Ltd, Louis Travel Ltd, and Louis Aviation Ltd Art. 6 GDPR, Art. 9 GDPR Insufficient legal basis for data processing The decision found that the use of the Bradford factor for profiling and monitoring sick leave constituted unlawful processing of personal data in breach of Article 6 and Article 9 of the GDPR. Three fines of EUR 70,000, EUR 10,000 and EUR 2,000 were imposed for this infringement. The decision was released on 2020/10/13.

CYPRUS Cyprian Data Protection Commissioner 2019-10-25 2,000 LGS Handling Ltd, Louis Travel Ltd, and Louis Aviation Ltd Art. 6 GDPR, Art. 9 GDPR Insufficient legal basis for data processing The decision found that the use of the Bradford factor for profiling and monitoring sick leave constituted unlawful processing of personal data in breach of Article 6 and Article 9 of the GDPR. Three fines of EUR 70,000, EUR 10,000 and EUR 2,000 were imposed for this infringement. The decision was released on 2020/10/13.

CYPRUS Cyprian Data Protection Commissioner 2020-01-13 1,000 eShop for Sports (M.L. PRO.FIT SOLUTIONS LTD) Art. 6 GDPR Insufficient legal basis for data processing Sending SMS marketing messages without consent. In particular, no appropriate measures were taken, such as the possibility for mobile phone users to block marketing messages from the eShop for Sports by opting out of receiving SMS marketing messages.

GREECE Hellenic Data Protection Authority (HDPA) 2020-01-13 15,000 Allseas Marine S.A. Art. 5 (1) a), (2) GDPR Non-compliance with general data processing principles The data protection supervisory authority imposed the fine for the extent to which employee data are processed by a video surveillance system in the workplace, the fact that the introduction of the video surveillance system was unlawful and the fact that the company did not sufficiently inform its employees about it.

ROMANIA Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) 2019-12-13 5,000 Entirely Shipping & Trading S.R.L. Art. 5 (1) GDPR, Art. 6 GDPR, Art. 7 GDPR Non-compliance with general data processing principles The company excessively processed the personal data of its employees through the video cameras installed in the offices and in the places where there are cabinets in which the employees store their spare clothes (changing rooms) (violation of the principle of « data minimization »).

ROMANIA Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) 2019-12-13 5,000 Entirely Shipping & Trading S.R.L. Art. 5 (1) GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 9 GDPR Non-compliance with general data processing principles The company processed biometric data (fingerprints) of the employees for access to certain rooms, although considerably less intrusive means for the privacy of the data subjects could have been used (violation of the principle of « data minimization »).

ITALY Italian Data Protection Authority (Garante) 2019-12-11 8,500,000 Eni Gas e Luce Art. 5 GDPR, Art. 6 GDPR, Art. 17 GDPR, Art. 21 GDPR Insufficient legal basis for data processing The Italian supervisory authority imposed two fines totalling EUR 11.5 million on Eni Gas e Luce (Egl) for unlawful processing of personal data in the context of marketing activities and activation of unsolicited contracts. The first fine of EUR 8.5 million relates to the unlawful processing in connection with telemarketing and telesales activities. Among others, promotional calls were made without the consent of the person contacted or despite that person's refusal to receive promotional calls, or without triggering the specific procedures for checking the public opt-out register. In addition, there was a lack of technical and organisational measures to take account of the information provided by users; data was processed longer than the permitted data retention periods; and data on potential customers was collected from entities (list providers) who had not obtained consent to the disclosure of such data.

ITALY Italian Data Protection Authority (Garante) 2019-12-11 3,000,000 Eni Gas e Luce Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing The Italian supervisory authority imposed two fines totalling EUR 11.5 million on Eni Gas e Luce (Egl) for unlawful processing of personal data in the context of marketing activities and activation of unsolicited contracts. The second fine of EUR 3 million concerns infringements arising from the conclusion of unsolicited contracts for the supply of electricity and gas under ‘market economy’ conditions. Many individuals complained to the Authority that they only learned of the conclusion of a new contract after receiving the letter of termination of the contract with the previous supplier or the first Egl invoices. In some cases, the complaints reported false data in the contracts and forged signatures.

GREECE Hellenic Data Protection Authority (HDPA) 2019-12-19 150,000 Aegean Marine Petroleum Network Inc. Art. 5 GDPR, Art. 6 GDPR, Art. 32 GDPR Insufficient technical and organisational measures to ensure information security Companies outside the Aegean Marine Petroleum group had access to its servers containing personal data and copied the contents of the servers, since Aegean Marine Petroleum failed to take the necessary technical measures to secure the processing of large amounts of data and to keep the relevant software separate from the personal data stored on the servers. Moreover, Aegean Marine Petroleum had not informed the data subjects of the processing of their personal data stored on the servers.

ITALY Italian Data Protection Authority (Garante) 2020-01-15 27,800,000 TIM (telecommunications operator) Art. 5 GDPR, Art. 6 GDPR, Art. 17 GDPR, Art. 21 GDPR, Art. 32 GDPR Insufficient legal basis for data processing Between January 2017 and 2019, the data protection authority received numerous notifications, in particular relating to the receipt of unsolicited commercial communications made without the consent of the data subjects or despite their registration in the public register of objections. Moreover, irregularities in data processing in connection with competitions were also complained about. In addition, incorrect and non-transparent information on data processing was provided in apps offered by the company and invalid methods of consent were used. In some cases, paper forms asking for one single consent were used for various purposes, including marketing. Moreover, data was stored longer than necessary and thus violated deletion periods. For these violations, the telecommunications company received a fine of EUR 27.8 million. Among other things, the fine was imposed for: lack of consent for marketing activities (telemarketing and cold calling), addressing of data subjects who had asked not to be contacted with marketing offers, invalid consents collected in TIM apps, lack of appropriate security measures to protect personal data (including incorrect exchange of blacklists with call centres), lack of clear data retention periods. The supervisory authority also imposed 20 corrective measures on TIM, prohibiting the use of personal data for marketing purposes from those who had refused to receive promotional calls from the call centres.

GERMANY Data Protection Authority of Baden-Wuerttemberg 2019-10-24 100,000 Food company Art. 5 GDPR, Art. 32 GDPR Insufficient technical and organisational measures to ensure information security The company had set up an applicant portal on its website where interested parties could upload their application documents online. However, the company did not provide encrypted transmission of the data, nor did it store the applicant data in an encrypted or password-protected form. In addition, the unsecured applicant data was linked to Google, so that anyone searching for the respective applicant names on Google could find their application documents and retrieve them without access restrictions.

SPAIN Spanish Data Protection Authority (aepd) 2020-01-14 3,600 Zhang Bordeta 2006, S.L. (Shop and Restaurant) Art. 5 GDPR Non-compliance with general data processing principles The shop and restaurant owner installed a video surveillance system which, among others, also captured images of the sidewalk and thus of the public space, which violates the general principle of data minimization.

SPAIN Spanish Data Protection Authority (aepd) 2020-02-03 60,000 Xfera Moviles S.A. Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing According to the data protection authority, XFERA MOVILES violated Article 6(1) of the GDPR, because the company unlawfully processed data, including bank details, customer address and name of the data subjects.

SPAIN Spanish Data Protection Authority (aepd) 2020-02-03 75,000 Vodafone España, S.A.U. Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing The fine was preceded by a complaint from the data subject, who argued that Vodafone España had signed a contract for the transfer of a mobile phone subscription with a third party without the data subject's knowledge or consent and that, as a result, he, the data subject, had received an e-mail from the third party for a purchase made by him.

SPAIN Spanish Data Protection Authority (aepd) 2020-02-03 60,000 Vodafone España, S.A.U. Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing The fine was preceded by a complaint from the data subject, who argued that he had received an e-mail from Vodafone España containing the billing of a mobile phone line that the data subject had never requested, which led to his personal data being processed without his consent. As a result, the data subject's personal data had been incorporated into the information systems of Vodafone España without Vodafone being able to prove that the data subject had consented to the collection and subsequent processing of his personal data. The fine of 100,000 EUR was reduced to 60,000 EUR as a result of a voluntary payment.

SPAIN Spanish Data Protection Authority (aepd) 2020-02-03 50,000 Vodafone España, S.A.U. Art. 5 GDPR Non-compliance with general data processing principles The fine was preceded by a complaint from a data subject who argued that Vodafone España had sent invoices containing his personal data, such as name, identity card and address, to his neighbour.

SPAIN Spanish Data Protection Authority (aepd) 2020-02-03 20,000 Iberia Lineas Aereas de Espana, S.A. Operadora Unipersonal Art. 5 GDPR, Art. 6 GDPR, Art. 21 GDPR Insufficient legal basis for data processing Iberia continued to send e-mails to the data subject, although the data subject had requested the withdrawal of his consent and the erasure of his personal data and the execution of these measures had already been confirmed to him.

SPAIN Spanish Data Protection Authority (aepd) 2020-02-03 75,000 Vodafone España, S.A.U. Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing The data subject, a former customer of the company, continued to receive invoice notifications, although in the meantime there was neither a contractual relationship nor any payment default from the expired contractual relationship. As an explanation for the incorrect mailings, Vodafone indicated a technical error.

SPAIN Spanish Data Protection Authority (aepd) 2020-02-03 6,670 Banco Bilbao Vizcaya Argentaria S.L. Art. 5 GDPR, Art. 6 GDPR, Art. 21 GDPR Insufficient legal basis for data processing The company repeatedly sent advertising messages to a data subject, although the data subject had objected to the processing of his data.

SPAIN Spanish Data Protection Authority (aepd) 2020-02-03 5,000 Queseria Artesenal Ameco S.L. Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing The company processed personal data of customers without the required consent.

SPAIN Spanish Data Protection Authority (aepd) 2020-02-03 800 Automoción Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing An employee created a fake profile of a female colleague on an erotic portal, which contained, among other things, her contact details, a photograph of her and information about her sexual nature. As a result of the profile, the data subject received several phone calls from people who wanted to contact her regarding the information offered on the website. As the private individual was found to have a personality disorder, the fine was reduced from the initial EUR 1000 to EUR 800.

SPAIN Spanish Data Protection Authority (aepd) 2020-02-04 1,500 Cafetería Nagasaki Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing The AEPD found that the Nagasaki Cafetería did not comply with its obligations under the GDPR, as it placed its surveillance cameras in such a way as to monitor the public space outside its premises, which disproportionately affected pedestrians.

ITALY Italian Data Protection Authority (Garante) 2020-01-15 10,000 Community of Francavilla Fontana Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing The community published on its website information about a court trial, including personal data such as health data about a data subject.

GERMANY Data Protection Authority of Hamburg 2019 51,000 Facebook Germany GmbH Art. 37 GDPR Lack of appointment of data protection officer While Facebook Ireland had appointed a data protection officer for all group companies located in the EU, this appointment was not notified to the DPA Hamburg, competent for Facebook Germany GmbH. The fine was calculated on the basis of the turnover of the German branch (EUR 35 million). Relevant factors for the calculation were, i.a., that the missed notification was immediately made up for, that Facebook acted negligently, and that it did not violate the obligation to appoint a data protection officer but only the notification obligation.

GERMANY Data Protection Authority of Hamburg 2019 20,000 Hamburger Verkehrsverbund GmbH (HVV GmbH) Art. 33 GDPR, Art. 34 GDPR Insufficient fulfilment of data breach notification obligations On July 6, 2018, HVV GmbH was informed by a customer about a security gap on the website www.hvv.de, which was caused by an update on February 5, 2018 and concerned the so-called Customer E-Service (CES). The security gap consisted in the fact that customers logged in to the CES who had an HVV Card and had linked their CES customer account to at least one active contractual relationship in background systems could, by changing the URL, display data of other customers who had an HVV Card. This data breach was not reported to the data protection authority in a timely manner.

GERMANY Data Protection Authority of Hamburg 2019 Unknown Hamburger Volksbank eG Art. 21 GDPR Insufficient fulfilment of data subjects rights The company had sent a customer a newsletter with advertising content by e-mail, although this customer had previously expressly objected to the sending of further advertising letters.

SPAIN Spanish Data Protection Authority (aepd) 2020-02-14 2,500 Grupo Valsor Y Losan, S.L. Art. 5 (1) f) GDPR Insufficient technical and organisational measures to ensure information security The controller had disclosed personal data to a third party in a property purchase agreement (breach of principles of integrity and confidentiality of personal data).

SPAIN Spanish Data Protection Authority (aepd) 2020-02-14 3,000 Colegio Arenales Carabanchel (School) Art. 6 GDPR Insufficient legal basis for data processing The decision of the data protection authority states that the school transferred photographs (and therefore personal data) to third parties, who published them without legal basis.

SPAIN Spanish Data Protection Authority (aepd) 2020-02-18 1,500 Mymoviles Europa 2000, S.L. Art. 13 GDPR Insufficient fulfilment of information obligations The AEPD found that the company did not have a privacy statement on its website and that its legal notice did not sufficiently identify the company.

SPAIN Spanish Data Protection Authority (aepd) 2020-02-14 80,000 Iberdrola Clientes Art. 6 GDPR Insufficient legal basis for data processing Iberdrola Clientes, an electricity company, terminated the data subject's contract without his consent, concluded three new contracts with the data subject, processed his personal data unlawfully and transferred the plaintiff's personal data to a third party without legal basis. In addition to this fine, the AEPD also imposed another fine in the amount of EUR 50,000 under the old Spanish Data Protection Law.

SPAIN Spanish Data Protection Authority (aepd) 2020-02-14 42,000 Vodafone España, S.A.U. Art. 5 (1) f) GDPR, Art. 32 GDPR Insufficient technical and organisational measures to ensure information security The complainant had access to third party data in his personal Vodafone profile.

SPAIN Spanish Data Protection Authority (aepd) 2020-02-14 30,000 Xfera Moviles S.A. Art. 5 (1) f) GDPR, Art. 32 GDPR Insufficient technical and organisational measures to ensure information security The AEPD found that a third party had access to the name, telephone number and address of another customer.

ITALY Italian Data Protection Authority (Garante) 2020-01-23 30,000 Azienda Ospedaliero Universitaria Integrata di Verona (Hospital) Art. 5 (1) f) GDPR, Art. 32 GDPR Insufficient technical and organisational measures to ensure information security The fine was preceded by access to health data by unauthorised persons: a trainee and a radiologist were able to gain access to the health data of their colleagues. The investigations revealed that the technical and organisational measures taken by the hospital to protect health data had proved to be insufficient to ensure adequate protection of patients' personal data, resulting in unlawful data processing. According to the data protection authority, the breach could have been prevented if the hospital had simply followed the guidelines for health records issued by the data protection authority in 2015, which stipulate that access to health records must be restricted to health personnel involved in patient care.

ITALY Italian Data Protection Authority (Garante) 2020-01-23 30,000 Sapienza Università di Roma Art. 5 (1) f) GDPR, Art. 32 GDPR Insufficient technical and organisational measures to ensure information security The fine is based on the fact that, according to the data protection authority, the Sapienza Università made available online identification data of two people who had reported possible unlawful behaviour to the university. This was a result of the lack of adequate technical access control measures in the whistleblowing management system, which had not limited access to such data to authorised personnel only.

SPAIN Spanish Data Protection Authority (aepd) 2020-02-27 120,000 Vodafone España, S.A.U. Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing Vodafone España was unable to prove to the data protection authority that the data subject had given his consent to the processing of his personal data for the provision of a telephone contract. Moreover, the decision of the data protection authority emphasises that Vodafone España also unlawfully disclosed the personal data of the data subject to various credit agencies.

SPAIN Spanish Data Protection Authority (aepd) 2020-02-28 48,000 Vodafone ONO, S.A.U. Art. 32 GDPR Insufficient technical and organisational measures to ensure information security The decision was taken as a result of several deficiencies in data security. For example, two persons were given the same security access key.

SPAIN Spanish Data Protection Authority (aepd) 2020-02-25 48,000 HM Hospitales Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing The data subject stated that at the time of his admission to hospital he had to fill in a form containing a checkbox indicating that, if he did not tick it, he agreed to the transfer of his data to third parties. This form, provided by HM, was not compatible with the GDPR, since consent was to be obtained through the inactivity of the data subject.

SPAIN Spanish Data Protection Authority (aepd) 2020-02-25 6,000 Casa Gracio Operation Art. 5 (1) c) GDPR Non-compliance with general data processing principles The company used CCTV cameras in the premises of a hotel which also captured the public roads outside the hotel, resulting in a violation of the so-called principle of data minimisation.

THE NETHERLANDS Dutch Supervisory Authority for Data Protection (AP) 2020-03-03 525,000 Royal Dutch Tennis Association (« KNLTB ») Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing The Dutch Data Protection Authority has fined the Royal Dutch Tennis Association (« KNLTB ») EUR 525,000 for selling the personal data of more than 350,000 of its members to sponsors, who had contacted some of the members by mail and telephone for direct marketing purposes. It was found that the KNLTB sold personal data such as name, gender and address to third parties without obtaining the consent of the data subjects. The data protection authority also rejected the existence of a legitimate interest for the sale of the data and therefore concluded that there was no legal basis for the transfer of the personal data to the sponsors.

SPAIN Spanish Data Protection Authority (aepd) 2020-02-28 3,600 AEMA Hispánica Art. 5 (1) f) GDPR Non-compliance with general data processing principles The company had sent the payroll of an employee to another employee and therefore disclosed personal data to an unauthorised party.

SPAIN Spanish Data Protection Authority (aepd) 2020-03-03 1,800 Solo Embrague Art. 13 GDPR Insufficient fulfilment of information obligations The company website did not provide a privacy policy or a cookie banner on its main page.

SPAIN Spanish Data Protection Authority (aepd) 2020-03-03 42,000 Vodafone España, S.A.U. Art. 5 (1) f) GDPR, Art. 32 GDPR Insufficient technical and organisational measures to ensure information security According to the AEPD, the company had not been in a position to prove adequate measures to ensure information security, resulting in unauthorized access to personal data of a customer.

SPAIN Spanish Data Protection Authority (aepd) 2020-03-03 40,000 Vodafone España, S.A.U. Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing According to the AEPD, the company sent an SMS to a customer's mobile number confirming that a telephone contract with that number had been signed even though the customer was not a Vodafone customer, resulting in the processing of personal data without the data subject's consent or other legitimate interests of the company.

SPAIN Spanish Data Protection Authority (aepd) 2020-03-03 24,000 Vodafone España, S.A.U. Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing According to the AEPD, the company sent two SMS to a customer's mobile number informing about a price change in its contract and confirming the purchase of a brand new mobile phone, resulting in the processing of personal data without the data subject's consent or other legitimate interests of the company.

POLAND Polish National Personal Data Protection Office (UODO) 2020-03-04 4,600 School in Gdansk (Danzig) (fine imposed against the city of Gdansk) Art. 5 GDPR, Art. 9 GDPR Insufficient legal basis for data processing A school in Gdansk used biometric fingerprint scanners to authenticate students for the payment process in the school canteen. Despite the fact that the parents had given their written consent to such data processing, the data protection authority considered the processing of the student data to be unlawful, because the consent to data processing was not given voluntarily.

SPAIN Spanish Data Protection Authority (aepd) 2020-03-04 60,000 Vodafone España, S.A.U. Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing According to the AEPD, the data subject has received several SMS from a different operator indicating the activation of a brand new contract. The reason for this was that an employee of Vodafone España activated a contract with a third operator on behalf of the data subject. Vodafone could not prove consent or sufficient legitimate interests for this processing of personal data.

ITALY Italian Data Protection Authority (Garante) 2020-03-06 4,000 Liceo Artistico Statale di Napoli Art. 5 GDPR, Art. 6 GDPR, Art. 9 GDPR Insufficient legal basis for data processing The AEPD's decision finds that the high school unlawfully published health data and other information in the teacher rankings published on the Institute's website. This publication was made in violation of the principles of lawfulness, fairness, transparency and data minimization.

ITALY Italian Data Protection Authority (Garante) 2020-03-06 4,000 Liceo Scientifico Nobel di Torre del Greco Art. 5 GDPR, Art. 6 GDPR, Art. 9 GDPR Insufficient legal basis for data processing The AEPD's decision finds that the high school unlawfully published health data and other information of more than 2000 teachers in the teacher rankings published on the Institute's website. This publication was made in violation of the principles of lawfulness, fairness, transparency and data minimization.

SPAIN Spanish Data Protection Authority (aepd) 2020-03-06 4,000 Private individual Art. 5 GDPR Non-compliance with general data processing principles Unlawful use of video surveillance cameras which also monitored parts of the public space (violation of the principle of data minimization).

SPAIN Spanish Data Protection Authority (aepd) 2020-03-09 15,000 Gesthotel Activos Balagares Art. 5 (1) f) GDPR Non-compliance with general data processing principles The data subject argued that he had sent a private letter to the hotel management and union delegates containing information about an episode of harassment he had suffered, describing a particular medical condition. In violation of the principle of integrity and confidentiality, the hotel management and union delegates subsequently read the contents of this letter in a meeting with other employees.

DENMARK Danish Data Protection Authority (Datatilsynet) 2020-03-10 7,000 Hørsholm Municipality Art. 5 (1) f) GDPR, Art. 32 GDPR Insufficient technical and organisational measures to ensure information security A city government employee had his work laptop stolen, which contained the personal data of about 1,600 city government employees, including sensitive information and information about social security numbers.

DENMARK Danish Data Protection Authority (Datatilsynet) 2020-03-10 14,000 Gladsaxe Municipality Art. 5 (1) f) GDPR, Art. 32 GDPR Insufficient technical and organisational measures to ensure information security A laptop containing personal data that was not protected by encryption has been stolen, including sensitive information and personal identification numbers of 20,620 city residents.

SWEDEN Data Protection Authority of Sweden 2020-03-11 7,000,000 Google LLC Art. 5 GDPR, Art. 6 GDPR, Art. 17 GDPR Insufficient fulfilment of data subjects rights The Swedish data protection authority has fined Google LLC €7 million for failing to adequately comply with its obligations regarding the right of data subjects to have search results removed from the results list. Datainspektionen had already completed a review in 2017 of the way in which Google deals with the right of individuals to have search results removed from Google's search engine and had instructed Google to remove a number of search results. In addition, Datainspektionen stated that it had initiated a further review of Google's practices in 2018 after it received indications that several of the results that should have been removed still appeared in search results. Datainspektionen also objected to Google's current practice of informing website owners about which results Google is removing from search results, in particular which link has been removed and who is behind the request for removal from the list, as this is without legal basis.

ICELAND Icelandic data protection authority (‘Persónuvernd’) 2020-03-10 20,600 National Center of Addiction Medicine (‘SAA’) Art. 5 (1) f) GDPR, Art. 32 GDPR Insufficient technical and organisational measures to ensure information security Persónuvernd found that a former employee of the SAA received boxes of allegedly personal belongings that he had left there, but which also contained patient data, including the health records of 252 former patients and documents with the names of about 3,000 people who had participated in rehabilitation for alcohol and drug abuse.

ICELAND Icelandic data protection authority (‘Persónuvernd’) 2020-03-10 9,000 Breiðholt Upper Secondary School Art. 5 (1) f) GDPR, Art. 32 GDPR Insufficient technical and organisational measures to ensure information security In violation of Art. 32 GDPR, a teacher had sent an e-mail to his students and their parents with an attachment containing data on their well-being, academic performance and social conditions.

NORWAY Norwegian Supervisory Authority (Datatilsynet) 2020-02-26 73,600 Rælingen Municipality Art. 5 (1) f) GDPR, Art. 32 GDPR Insufficient technical and organisational measures to ensure information security Health data on 15 children with physical and mental disabilities was processed in the Showbie digital learning platform, for the transfer of health-related personal data between schools and their homes. Datatilsynet found that no necessary risk assessments, privacy impact assessments or tests had been carried out prior to the use of the application and that a lack of security when logging into the application allowed access to the data of other students in the group.

GERMANY Data Protection Authority of Saarland 2019 2,000 Restaurant Art. 5 (1) c) GDPR Non-compliance with general data processing principles Video surveillance cameras were used in violation of the principle of data minimisation (monitoring also of customer areas in restaurants).

NORWAY Norwegian Supervisory Authority (Datatilsynet) 2020-02-28 36,800 Coop Finnmark SA Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing The company had distributed video surveillance footage of children under 16 who had allegedly stolen from a store. There was no sufficient legal basis for this data processing.

GERMANY Data Protection Authority of Nordrhein-Westfalen 2019-08-05 200 Private individual (YouTube-Channel) Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing The private individual used a dashcam to make recordings of public road traffic and then published them on YouTube as a compilation.

CROATIA Croatian Data Protection Authority (azop) 2020-03-13 Unknown Bank (name not available at the moment) Art. 15 (1), (3) GDPR Insufficient fulfilment of data subjects rights In the period from May 2018 to April 2019, the bank (name not available at the moment) refused to provide its customers with copies of credit documentation (e.g. repayment plan, loan agreement annex, interest rates changes overview etc.). The bank insisted with the argument that the documentation is related to repaid loans and represents loan documentation that would not be subject to the customers' right of access. During the procedure initiated following data subject's complaints, the DPA ordered the bank to enable the right of access and provide copies of the requested loan documentation. When imposing the fine, the DPA took into account especially that the bank failed to implement the ordered measures, that it continued with such practice for almost a year and denied the right of access to more than 2500 of its customers. The amount of the fine is not known at the moment, but because the DPA classified the breach as “outrageous”, a high fine is expected.

SPAIN Spanish Data Protection Authority (aepd) 2020-03-18 30,000 Telefónica Art. 58 GDPR Insufficient cooperation with supervisory authority Telefonica had failed to implement decision TD / 00127/2019 of the Director of the AEPD, which states that it had to respond to data subjects' request for right of access and erasure of data.

ROMANIA Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) 2020-02-11 3,000 Vodafone Romania Art. 5 (1) f) GDPR, Art. 32 GDPR Insufficient technical and organisational measures to ensure information security Vodafone Romania had incorrectly processed personal data of an individual in order to process a complaint, which was subsequently sent to a wrong e-mail address. The reason for this was that there were insufficient security measures in place to prevent such incorrect data processing.

GREECE Hellenic Data Protection Authority (HDPA) 2020-02-21 5,000 Public Power Corporation S.A. Art. 15 GDPR Insufficient fulfilment of data subjects rights The Decision clarified that data subjects have an absolute right of access to the processing of their personal data and that they must also be provided with a copy of the personal data processed. No reasons need to be given for the request.

SPAIN Spanish Data Protection Authority (aepd) 2020-03-16 5,000 Centro De Estudio Dirigidos Delta, S.L. Art. 5 (1) f) GDPR Non-compliance with general data processing principles Centro De Estudio Dirigidos Delta sent a message containing personal data such as first and last name and ID numbers to a third party via WhatsApp without the consent of the data subjects. This constitutes a violation of the principles of integrity and confidentiality under Article 5(1)(f) GDPR.

SPAIN Spanish Data Protection Authority (aepd) 2020-03-16 4,000 Private Person Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing On a beach, a private individual secretly photographed female bathers. The incident was reported to the AEPD by the local police.

SPAIN Spanish Data Protection Authority (aepd) 2020-03-06 3,200 Retailer Art. 13 GDPR, Art. 14 GDPR Insufficient fulfilment of information obligations Insufficient declaration of video surveillance.

SPAIN Spanish Data Protection Authority (aepd) 2020-03-12 2,000 Homeowners Association Art. 5 GDPR, Art. 13 GDPR, Art. 14 GDPR Non-compliance with general data processing principles Video surveillance of public space and thus violation of the principle of data minimization. Moreover: violation of information obligations, as insufficient information has been provided about video surveillance.

SPAIN Spanish Data Protection Authority (aepd) 2020-03-16 6,000 Amalfi Servicios de Restauracion S.L. Art. 5 GDPR, Art. 13 GDPR, Art. 14 GDPR Non-compliance with general data processing principles Video surveillance of public space and thus violation of the principle of data minimization. Moreover: violation of information obligations, as insufficient information has been provided about video surveillance.

SPAIN Spanish Data Protection Authority (aepd) 2020-03-19 6,000 Oliveros Ustrell, S.L. Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing The company forwarded an unsigned porting contract to the operator Vodafone. However, the data controller was unable to provide evidence of the order. For this reason, the personal data of the data subject has been processed without sufficient legal basis.

ITALY Italian Data Protection Authority (Garante) 2020-02-06 20,000 RTI – Reti Televisive Italiane s.p.a. Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing The television station broadcast a documentary about prostitution in Switzerland, in which the persons interviewed were not made sufficiently anonymous.

GREECE Hellenic Data Protection Authority (HDPA) 2020-03-20 8,000 Speech and Special Education Centre – Mihou Dimitra Art. 15 GDPR, Art. 58 GDPR Insufficient fulfilment of data subjects rights The complainant had requested access to his child's data and to tax data. This request was rejected by the data controller. In addition, the data controller had violated an order of the data protection authority regarding access to the data. For this, a fine of EUR 8000 was imposed: EUR 3000 for not granting access to the data and EUR 5000 for violating orders of the data protection authority.

HUNGARY Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) 2019-05-21 286 Directorate of Social and Child Welfare Institutions of the Ferencvaros District of Budapest Art. 33 GDPR Insufficient fulfilment of data breach obligations The employee of the Directorate sent by mistake 9 letters to the wrong recipient, which contained personal data of 18 data subjects (including data of children, criminal records and data related to the private life of the data subjects). The recipient informed the Directorate by telephone 5 days after the posting that it had received certain letters by mistake. The Directorate notified NAIH of the data breach only weeks later.

HUNGARY Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) 2019-05-31 2,000 Local bank Art. 12 (3), (4), (5) GDPR, Art. 15 GDPR, Art. 18 GDPR Insufficient fulfilment of data subjects rights A customer of a local bank requested access to telephone conversation recordings as well as to CCTV recordings. The bank provided the copies of the recordings of telephone conversations and also offered the possibility of reviewing the recordings at the bank, but refused to provide copies of the CCTV recordings on the ground that the recordings also contained third parties' personal data. The NAIH decided in this case that the bank failed to fulfil data subjects rights since it did not respond in due time and also failed to provide copies of the requested recordings. According to the NAIH, the controller could not refer to the protection of third party data, since the CCTV recordings affected public space open to each and every customer and the bank could also have anonymised certain parts of the recordings.

HUNGARY Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) 2019-06-03 2,850 Repeat management company Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing The complainants stated during the case that they had concluded a credit agreement with the bank, which sold its claim against the complainants and transferred their respective data to a third-party company (controller). NAIH established in the case that the controller can rely neither on the consent of the data subjects nor on the performance of the credit contract as the legal basis of the data processing, since the data subjects concluded such contract with the bank, not with the controller. The appropriate legal basis for processing could have been the legitimate interest of the controller.

HUNGARY Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) 2019-06-26 2,850 Unknown Art. 5 GDPR, Art. 6 GDPR, Art. 17 GDPR Insufficient legal basis for data processing The individual requested the deletion of his contact data (including his telephone number), but the controller further processed his contact data for claim enforcement purposes on the basis of its legitimate interest. NAIH established that the controller had no compelling legitimate grounds for processing the telephone number of the data subject, since his address was also at hand, which is sufficient for claim enforcement purposes and for the related communication with the data subject.

HUNGARY Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) 2019-06-26 2,850 Financial Enterprise Art. 5 GDPR, Art. 6 GDPR, Art. 21 GDPR Insufficient legal basis for data processing A client of a financial enterprise complained that the financial enterprise transferred his data after he objected to the processing and did not provide information on the processing of his data at his request. According to the financial enterprise, it sold its claim stemming from the contract concluded with its client to a third party, and that transaction therefore necessitated the transfer of the related client data. NAIH highlighted that the financial enterprise sold the claim and transferred the respective data after the non-fulfilment of the contract by the client; this also means that the financial enterprise cannot rely on the performance of the contract concluded with the client. The relevant legal basis would have been the legitimate interest of the controller, for which a balancing test is also necessary, describing its interest in transferring the claim and the related data to a third party.

HUNGARY Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) 2019-07-17 8,575 Budapest Environs Regional Court Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing The chairman of the Budapest Environs Regional Court organised a meeting for court officials, during which he stated that he had quit the Hungarian Association of Judges and asked the court officials present to direct their colleagues to do so as well. The chairman also presented a list of the members of the Association in Pest county, which also included data on the amount of membership fees deducted from the salary of judges. The list consisted of data collected from the judges' payroll data. NAIH determined that the Budapest Environs Regional Court may process such data only for the purpose of deduction and payroll management. NAIH also determined that the Budapest Environs Regional Court lacked a legal basis for data processing when it gave people access to data on employees' membership in an association.

HUNGARY Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) 2019-08-02 4,290 Public space maintenance company Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR Non-compliance with general data processing principles An ex-employee complained that his employer unlawfully monitored his work with its CCTV. The employer argued that CCTV monitoring was necessary to assess whether the employee fulfilled his employment-related duties (i.e. monitoring certain public areas and signalling any extraordinary event to his colleagues) and that the monitoring also served to protect its surveillance system from illegal access or use. NAIH found that monitoring the employee by CCTV is not an appropriate method of assessing his work performance and that the employer relied on an inappropriate legal basis (public interest, legitimate authority) for the CCTV operations. The employer could have protected its public space surveillance system by other means (e.g. by installing firewalls or other security upgrades to its systems). The employer also placed only a brief information sheet at the entrance of the employee's workstation regarding the CCTV monitoring, which NAIH deemed insufficient.

HUNGARY Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) 2019-08-08 1,715 Government Office Managing the Pleasurable Property Register Art. 5 GDPR, Art. 14 GDPR Non-compliance with general data processing principles The owners of a real property complained that the government office sent its decision on the change in the person of the lessee (which had concluded a lease agreement with the real property owners) to the other owners of 40 real estates leased by the same lessee. The decision contained personal data of all of the owners who had a lease agreement with the same lessee.

HUNGARY Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) 2019-10-15 2,860 Unknown Company Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 24 GDPR, Art. 25 GDPR Non-compliance with general data processing principles An employee was on sick leave when his employer checked his desktop, notebook computer and emails to make sure that his work-related duties were being covered in his absence. The employer then suspended his account. The employee did not receive prior notification and did not have the opportunity to copy / delete his private data (telephone numbers, messages). According to NAIH, employers have to document the access with minutes and photos. Employment agreements have to regulate whether employees can use work tools for private purposes. Privacy notices have to contain the reasons for employee monitoring (e.g. business continuity, internal investigation, disciplinary purposes) and the specific retention period of employee data, including the duration and recurrence of backup copies. Employers also have to prepare "balancing tests" to demonstrate their legitimate interests for general employee monitoring and specific cases.

HUNGARY Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) 2020-03-04 290 Representative of a local government Art. 5 GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 15 GDPR, Art. 17 GDPR Insufficient legal basis for data processing A local representative took a photograph of the director of a company fully owned by the local government, depicting the director allegedly tearing off an election poster of the opposition in the company of his child. The local representative uploaded the photo to his Facebook page. The child's image was blurred, but it was hinted in the post that she was the daughter of the director. The director told the local representative on the scene that he did not consent to the taking of the photo. NAIH determined that the act of the director was not public data and that the photo does not prove that the director tore off an election poster. NAIH also emphasised that only the name of the director of the company fully owned by the local government was public data.

ROMANIA Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) 2020-03-25 2,000 SOS Infertility Association Art. 58 GDPR Insufficient cooperation with supervisory authority The Association did not provide the data protection authority with the information requested by the latter after the Association had processed personal data without a sufficient legal basis.

ROMANIA Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) 2020-03-25 3,000 Enel Energie Art. 32 GDPR Insufficient technical and organisational measures to ensure information security The company sent an email to a client which contained personal data of another client because the company had not implemented sufficient technical and organisational measures to ensure an adequate level of information security.

ROMANIA Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) 2020-03-25 4,150 Vodafone Romania Art. 32 GDPR Insufficient technical and organisational measures to ensure information security The company sent an email to a customer which contained personal data of another customer as a result of insufficient technical and organisational measures to ensure information security.

ROMANIA Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) 2020-03-25 3,000 Dante International Art. 6 GDPR, Art. 21 GDPR Insufficient legal basis for data processing The company sent a commercial email to a client even though the client had previously unsubscribed from commercial communications.

ITALY Italian Data Protection Authority (Garante) 2020-02-13 4,000 Comune di Urago Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing The local council published on its website information containing an individual's personal data, including health data.

SPAIN Spanish Data Protection Authority (aepd) 2020-03-25 5,000 Xfera Moviles S.A. Art. 58 GDPR Insufficient cooperation with supervisory authority The company did not provide the data protection authority with the requested information in a timely manner. The AEPD's request was preceded by a request from a data subject for access to its personal data.

POLAND Polish National Personal Data Protection Office (UODO) 2020-03-09 4,400 Vis Consulting Sp. z o.o. Art. 31 GDPR, Art. 58 GDPR Insufficient cooperation with supervisory authority The company prevented an inspection by the data protection authority. As a result, the company violated Article 31 as well as Article 58(1)(e) and (f) of the GDPR.

BULGARIA Data Protection Commission of Bulgaria (KZLD) 2020-02-20 2,560 T.K. EOOD Art. 25 (1) GDPR, Art. 32 GDPR Insufficient technical and organisational measures to ensure information security The fine of ca. EUR 2,557 was imposed on T.K. EOOD for unlawful processing of personal data of data subject I.S. through failure to adopt technical and organizational measures to ensure information security. T.K. EOOD processed the personal data of I.S. unlawfully 9 times in a period of 5 months. The breaches resulted in damages to the data subject.

BULGARIA Data Protection Commission of Bulgaria (KZLD) 2020-02-20 2,560 L.E. EOOD Art. 25 (1) GDPR, Art. 32 GDPR, Art. 6 GDPR Insufficient technical and organisational measures to ensure information security The fine of ca. EUR 2,557 was imposed on L.E. EOOD for unlawful processing of personal data of data subject I.S. without the knowledge and consent of the data subject and also without a legitimate contractual relationship between L.E. EOOD and I.S. The enterprise processed the personal data of I.S. unlawfully seven times in a period of three months through failure to adopt technical and organizational measures to ensure information security. In addition to the fine, the Commission for Personal Data Protection ("KZLD") instructed L.E. EOOD to carry out regular inspections of its data processing activities, to carry out risk analysis regarding customers and employees and to conduct periodic trainings of the staff. The KZLD also ordered L.E. EOOD to archive and keep the documents containing the personal data only for limited purposes and for the term required by law.

BULGARIA Data Protection Commission of Bulgaria (KZLD) 2020-01-06 5,110 Utility Company Art. 6 (1) GDPR Insufficient legal basis for data processing The fine of ca. EUR 5,113 was imposed on a Bulgarian utility company for unlawful processing of the personal data of the data subject V.V. The personal data of V.V. was unlawfully processed and consequently used for initiating an enforcement case against him for outstanding payment obligations. During the enforcement case, the bailiff seized the data subject's salary, and the latter suffered damages as a result of the unlawful processing.

GERMANY Data Protection Authority of Brandenburg 2019 50,000 Unknown Company Art. 15 GDPR, Art. 28 GDPR Insufficient fulfilment of data subjects rights The data controller had engaged an external company to carry out the obligations of access to information pursuant to Art. 15 GDPR. However, the engaged company conducted the correspondence with the data subjects under its own name and in English, so that it was not clear to the data subjects who was responsible for the data processing. As a result, the data controller infringed the principle of transparency laid down in Art. 12 GDPR and did not sufficiently fulfil its obligations to provide information pursuant to Art. 15 GDPR. In addition, the data protection supervisory authority found that no written contract for data processing had been concluded between the data controller and the external company, thus constituting a further breach of Art. 28 (9) GDPR.

BELGIUM Belgian Data Protection Authority (APD) 2020-04-28 50,000 Proximus SA Art. 31 GDPR, Art. 58 GDPR, Art. 37 GDPR Lack of appointment of data protection officer According to the data protection authority, the company's data protection officer was not sufficiently involved in the processing of personal data breaches and the company did not have a system in place to prevent a conflict of interest of the DPO, who also held a number of other positions in the company (head of compliance and audit department), which led the DPA to the conclusion that the company's DPO was not in a position to work independently.

SWEDEN Data Protection Authority of Sweden 2020-04-29 18,700 National Government Service Centre (NGSC) Art. 33 GDPR, Art. 34 GDPR Insufficient fulfilment of data breach notification obligations The DPA's decision shows that it took almost 5 months for the company to inform the data subjects of a data breach and almost three months for the DPA to receive a notification of a data breach relating to a security deficiency in the company's IT systems.

THE NETHERLANDS Dutch Supervisory Authority for Data Protection (AP) 2020-04-30 725,000 Unknown Organisation Art. 5 GDPR, Art. 9 GDPR Insufficient legal basis for data processing The organisation had required its staff to have their fingerprints scanned to record attendance. However, as the decision of the data protection authority stated, the organisation could not rely on exceptions to the processing of this special category of personal data, and the company also could not provide any evidence that the staff had given their consent to this data processing.

ROMANIA Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) 2020-05-05 5,000 Banca Comercială Română SA Art. 32 GDPR Insufficient technical and organisational measures to ensure information security The data protection authority found that the company has not taken sufficient technical and organisational measures to ensure an adequate level of information security. This applies in particular to the collection and transmission of copies of customers' identification documents via WhatsApp.

SWEDEN Data Protection Authority of Sweden 2020-05-12 11,200 Health and Medical Board of the Region of Örebro County Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing Publication of personal data of a patient without sufficient legal basis.

DENMARK Danish Data Protection Authority (Datatilsynet) 2020-05-15 6,700 JobTeam A/S DKK Art. 15 GDPR Insufficient fulfilment of data subjects rights The company deleted personal data affected by a request for access without a legal reason.

IRELAND Data Protection Authority of Ireland 2020-05-17 75,000 Tusla Child and Family Agency Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing The company erroneously disclosed personal data, including data about children, to unauthorized persons. In one case, the contact and location data of a mother and a child were disclosed to an alleged perpetrator, and in two other cases, data about children in foster care were improperly disclosed to blood relatives, including in one case to a father in prison.

FINLAND Deputy Data Protection Ombudsman 2020-05-22 100,000 Posti Group Oyj Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 15 GDPR Insufficient fulfilment of data subjects rights The decision relates to complaints alleging that data subjects received direct marketing from the company even though they had requested that their postal data be deleted. Investigations also revealed that the data protection information provided by the company was not clear enough.

FINLAND Deputy Data Protection Ombudsman 2020-05-22 16,000 Kymen Vesi Oy Art. 35 GDPR Non-compliance with general data processing principles Fine for failure to carry out a data protection impact assessment (« DPIA ») for the processing of location data of employees with a vehicle information system.

FINLAND Deputy Data Protection Ombudsman 2020-05-22 12,500 Unknown Company Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing Processing of employee data without sufficient legal basis.

BELGIUM Belgian Data Protection Authority (APD) 2020-05-29 1,000 Non-profit organisation Art. 6 GDPR, Art. 21 GDPR Insufficient fulfilment of data subjects rights The Belgian data protection authority has imposed a fine of EUR 1000 on a non-profit organisation for sending out direct marketing messages despite the fact that data subjects had exercised their right to erasure and objection. The organisation claimed that it was relying on legitimate interests as a legal basis and not on the express consent of the data subjects. The data protection authority, however, denied the existence of any overriding legitimate interests.

FINLAND Deputy Data Protection Ombudsman 2020-05-29 72,000 Taksi Helsinki Art. 5 GDPR, Art. 6 GDPR, Art. 35 GDPR Non-compliance with general data processing principles Among other things, the company had not assessed the risks and consequences of processing personal data prior to introducing a camera surveillance system that records audio and video in its taxis, and had also failed to conduct data protection impact assessments of its processing activities, including surveillance by security cameras, the processing of location data, automated decision making and profiling as part of its loyalty program. Moreover, the processing of audio data was not based on the GDPR principle of data minimization.

HUNGARY Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) 2020-03-09 870 Creditor Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing Sending of an SMS to a data subject as a reminder of a debt, even though the debt has already been paid.

SPAIN Spanish Data Protection Authority (aepd) 2020-06-09 5,000 Consulting de Seguridad e Investigacion Mira Dp Madrid S.L. Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing A data subject received advertising messages without having consented.

SPAIN Spanish Data Protection Authority (aepd) 2020-06-09 540 Chenming Ye (Bazar Pleasurable) Art. 13 GDPR, Art. 14 GDPR Insufficient fulfilment of information obligations Use of a CCTV camera in a shop without proper information.

SPAIN Spanish Data Protection Authority (aepd) 2020-06-09 1,000 Property Owner Art. 5 (1) c) GDPR Non-compliance with general data processing principles Use of a CCTV camera which also captured the public roads outside, in violation of the so-called principle of data minimisation.

SPAIN Spanish Data Protection Authority (aepd) 2020-06-09 75,000 Equifax Iberica, S.L. Art. 15 GDPR Insufficient fulfilment of data subjects rights The data subject requested by email the deletion of his data from the file of the National Association of Financial Credit Institutions (« ASNEF »). Equifax Iberica responded that the exercise of the complainant's right was inappropriate as a result of an earlier request and that the deletion would therefore not be carried out. This was considered a breach of the data subject's right to erasure under the GDPR as well as a breach of blocking obligations under national data protection laws.

SPAIN Spanish Data Protection Authority (aepd) 2020-06-09 39,000 Xfera Moviles S.A. Art. 5 (1) f) GDPR Insufficient legal basis for data processing A customer claimed to have received an SMS from Xfera Móviles informing about the non-payment and the subsequent suspension of the service relating to the account of another data subject.

SPAIN Spanish Data Protection Authority (aepd) 2020-06-09 25,000 Glovoapp23 Art. 37 GDPR Lack of appointment of data protection officer The company had not appointed a Data Protection Officer ('DPO') to whom requests from data subjects could be addressed, and the company's website did not contain information about an appointed DPO.

SPAIN Spanish Data Protection Authority (aepd) 2020-06-04 4,000 Iberdrola Clientes Art. 58 GDPR Insufficient cooperation with supervisory authority The company was requested to provide the AEPD with specific information in relation to a complaint. However, the company had not responded to the data protection authority's request for information within a certain timeframe, in breach of Art. 58 of the GDPR.

NORWAY Norwegian Supervisory Authority (Datatilsynet) 2020-05-19 283,000 Bergen Municipality Art. 5 (1) f) GDPR, Art. 32 GDPR Insufficient technical and organisational measures to ensure information security Fine as a result of a number of security shortcomings and non-compliance with general data processing principles in a module for communication between schools and parents.

SPAIN Spanish Data Protection Authority (aepd) 2020-06-09 40,000 TELEFONICA MOVILES ESPAÑA, S.A.U. Art. 6 GDPR Insufficient legal basis for data processing A corrupt sales representative did not carefully check the identity of a claimant, so that he was able to act in the name of the data subject and order a telephone connection for four telephone lines in his name.

NORWAY Norwegian Supervisory Authority (Datatilsynet) 2020-05-03 134,000 Telenor Norge AS Art. 32 GDPR Insufficient technical and organisational measures to ensure information security Fines for security breaches in a voice mailbox function.

BULGARIA Data Protection Commission of Bulgaria (KZLD) 2020-04-14 2,000 Political Party Art. 6 GDPR Insufficient legal basis for data processing Forging signatures on a voters' list.

BELGIUM Belgian Data Protection Authority (APD) 2020-05-14 50,000 Social Media Provider Art. 6 GDPR Insufficient legal basis for data processing The company sent invitations to contacts uploaded by its users without their consent or any other legal basis.

ROMANIA Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) 2020-04-23 3,000 Estee Lauder Romania Art. 6 GDPR, Art. 7 GDPR, Art. 9 GDPR Insufficient legal basis for data processing Processing of personal data, including health data, without sufficient legal basis.

SPAIN Spanish Data Protection Authority (aepd) 2020-06-09 3,000 Salad Market S.L. (Catering Company) Art. 13 GDPR, Art. 14 GDPR Insufficient fulfilment of information obligations Fines for lack of sufficient data processing information regarding video surveillance on business premises and for insufficient information when cookies were used on its website.

SPAIN Spanish Data Protection Authority (aepd) 2020-06-09 2,000 Lawyer Art. 32 GDPR Insufficient technical and organisational measures to ensure information security During court proceedings, a lawyer submitted documents whose backs contained personal data of other parties.

SPAIN Spanish Data Protection Authority (aepd) 2020-06-09 2,000 Property Owner Art. 5 (1) c) GDPR Non-compliance with general data processing principles Use of a CCTV camera which also captured the public roads outside, in violation of the so-called principle of data minimisation.

ROMANIA Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) 2020-04-23 3,000 Telekom Romania Communications SA Art. 32 GDPR Insufficient technical and organisational measures to ensure information security The company had not taken sufficient technical and organizational measures to ensure the accuracy of personal data transmitted by telephone for the conclusion of contracts. This resulted in contracts being concluded by telephone on behalf of other data subjects.

ESTONIA Estonian Data Protection Authority (aepd) 2020-04-30 500 Housing Association Art. 6 GDPR Insufficient legal basis for data processing Fine of EUR 500 against a housing association for publishing photos showing members of the association without their consent.

HUNGARY Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) 2020-03-26 2,890 Bank Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing Due to an administrative error, the personal data of the data subject were registered and transferred to the Central Credit Information System (CCI) in connection with a loan agreement, without the data subject being a party to the agreement.

HUNGARY Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) 2020-03-19 5,800 Unknown Company Art. 6 GDPR, Art. 15 GDPR Insufficient fulfilment of data subjects rights The data controller has not complied with its obligation regarding the right of access to video recordings and was also unable to demonstrate that its data processing activities were in compliance with data protection laws.

HUNGARY Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) 2020-01-24 1,450 Accounting company Art. 24 GDPR, Art. 32 GDPR Insufficient technical and organisational measures to ensure information security A published customer list of an accounting company, which also contained personal data, could be accessed by unauthorized persons.

GERMANY Data Protection Authority of Baden-Wuerttemberg 2020-06-30 1,240,000 Allgemeine Ortskrankenkasse (« AOK ») (health insurance company) Art. 5 GDPR, Art. 6 GDPR, Art. 32 GDPR Insufficient technical and organisational measures to ensure information security From 2015 to 2019, AOK Baden-Württemberg (insurance group) organized competitions on a number of occasions and collected personal data of the participants, including their contact details and health insurance affiliation. The AOK also wanted to use this data for advertising purposes, provided the participants had given their consent. By means of technical and organizational measures, including internal guidelines and data protection training, the AOK wanted to ensure that only data of those contest participants who had previously given their valid consent would be used for advertising purposes. However, the measures set out by the AOK did not meet the legal requirements. As a result, the personal data of more than 500 lottery participants were used for advertising purposes without their consent. Immediately after this became known, the AOK Baden-Württemberg stopped all marketing measures in order to thoroughly review all processes.

SPAIN Spanish Data Protection Authority (aepd) 2020-06-23 7,500 Miraclia (telecommunications company) Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing The recording of telephone jokes by means of an app constitutes processing of personal data under the applicable data protection law, because the voices of individuals may constitute personal data if they are linked with other information, such as the telephone number. The consent of the users at the end of the conversation was not sufficient in this case.

SPAIN Spanish Data Protection Authority (aepd) 2020-06-22 2,000 Unknown Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 14 GDPR Non-compliance with general data processing principles Unlawful use of CCTV cameras as a result of coverage of public space and recording of passing pedestrians. Moreover, insufficient fulfilment of information obligations.

SPAIN Spanish Data Protection Authority (aepd) 2020-06-16 2,000 Café Bar Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 14 GDPR Non-compliance with general data processing principles Unlawful use of CCTV cameras (recording of third parties) and insufficient fulfilment of information obligations.

ROMANIA Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) 2020-06-18 4,000 Enel Energie Art. 32 GDPR Insufficient technical and organisational measures to ensure information security Failure to take sufficient measures to prevent unauthorised disclosure of personal data. The fine was preceded by a complaint regarding the disclosure of personal data of the data subject to another customer by email.

SPAIN Spanish Data Protection Authority (aepd) 2020-06-15 75,000 Xfera Moviles S.A. Art. 6 GDPR Insufficient legal basis for data processing The data subject received a notice from a debt collection company demanding payment in connection with Xfera Móviles' products and services, even though the claimant had not been a customer of Xfera Móviles since September 2017. Moreover, the decision states that Xfera Móviles carried out the processing of the personal data of the plaintiff without his consent, which constitutes a violation of Article 6 of the GDPR.

ROMANIA Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) 2020-06-11 3,000 Telekom Romania Art. 32 GDPR Insufficient technical and organisational measures to ensure information security Insufficient security measures of the company had led to unlawful processing of personal data without verifying their accuracy. For this reason, a fine was imposed on Telekom Romania for violation of Article 32 of the GDPR, and the introduction of appropriate mechanisms to identify and protect data from unauthorised disclosure and unlawful processing was ordered to ensure compliance with the GDPR.

HUNGARY Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) 2020-06-12 288,000 Digi Távközlési Szolgáltató Kft. («Digi») (digital communication service provider) Art. 5 (1) b), (e) GDPR, Art. 32 (1), (2) GDPR Insufficient technical and organisational measures to ensure information security The company had infringed the principles of purpose limitation and storage limitation because its database contained a large amount of customer data which were not relevant for the actual purpose of collection and for which no retention period had been set. Moreover, the NAIH found that the defendant had not taken proportionate measures to reduce the risks in the area of data management and data security, arguing, inter alia, that it had not used encryption mechanisms.

SWEDEN Data Protection Authority of Sweden 2020-06-16 1,900 Housing Association Art. 5 GDPR, Art. 6 GDPR Non-compliance with general data processing principles Unlawful use of surveillance cameras. In the decision, the data protection authority stressed that sound recordings have additional privacy implications, especially in a residential building, and that in this case there is nothing to justify sound recording. In addition, the decision orders the housing association to stop the cameras recording staircases and entrances, to stop sound recording and to improve the information on camera surveillance.

BELGIUM Belgian Data Protection Authority (APD) 2020-06-19 10,000 Unknown Art. 5 GDPR, Art. 6 GDPR, Art. 15 GDPR Insufficient fulfilment of data subjects' rights The company sent an e-mail to the person concerned without his consent. Thereupon the person concerned requested timely information about the entries in the database relating to his person, which remained unanswered.

BELGIUM Belgian Data Protection Authority (APD) 2020-06-16 1,000 Unknown Art. 17 GDPR, Art. 21 GDPR, Art. 31 GDPR Insufficient fulfilment of data subjects' rights The data subject regularly received e-mails with advertising content from a company, although the data subject had objected to the processing of his personal data and requested the deletion of his data. In addition, the company did not respond to any inquiries from the data protection authority in this regard.

BELGIUM Belgian Data Protection Authority (APD) 2020-06-08 5,000 Municipal employee Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing In the context of a municipal election in 2018, the data controller had sent election advertising to a group of employees of the same municipal administration, unlawfully using a list of contact data to which he had no access.

ISLE OF MAN Information Commissioner of Isle of Man 2020-06-25 13,500 Department of Home Affairs Art. 12 GDPR, Art. 15 GDPR Insufficient fulfilment of data subjects' rights Fine for failure to comply with the right of access to personal data under Articles 12 and 15 GDPR. The Isle of Man has declared the GDPR to be applicable, although it is not an EU state.

DENMARK Danish Data Protection Authority (Datatilsynet) 2020-06-30 6,700 Lejre Municipality Art. 5 GDPR, Art. 6 GDPR, Art. 33 GDPR, Art. 34 GDPR Non-compliance with general data processing principles The data protection authority had found that the Lejre Municipal Child and Youth Centre had regularly uploaded minutes of meetings containing particularly sensitive personal data, including on citizens under 18 years of age, to the Lejre Municipal Personnel Portal, which was accessible to employees of the Lejre Municipality regardless of whether the employees in question were working with these cases. In addition, the data protection authority criticised the failure to comply with the obligation to inform the persons concerned of the data breach.

IRELAND Data Protection Authority of Ireland 2020-06-30 40,000 Tusla Child and Family Agency Art. 33 GDPR Insufficient fulfilment of data breach notification obligations The organisation sent a letter with abuse allegations to a third party who then uploaded it to social networks.

NORWAY Norwegian Supervisory Authority (Datatilsynet) 2020-06-22 112,000 Østfold HF Hospital Art. 32 GDPR Insufficient technical and organisational measures to ensure information security It was found that Østfold HF Hospital had stored patient data, including sensitive data such as the reason for hospitalisation, during the period 2013-2019 without controlling access to the folders where the data was stored. Datatilsynet therefore determined that the hospital had not taken sufficient technical and organisational measures to protect personal data and was therefore in breach of the GDPR and the Patient Records Act.

NORWAY Norwegian Supervisory Authority (Datatilsynet) 2020-06-19 28,000 Aquateknikk AS Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing Request for information from a credit rating agency without legal basis.

SPAIN Spanish Data Protection Authority (AEPD) 2020-06-19 6,000 National Police Brigade Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing Making copies of a company's business records in the context of investigations which contained data from third parties and for which there was no legal basis for processing.

ITALY Italian Data Protection Authority (Garante) 2020-01-30 4,000 Comune di Colledara Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing Publication of documents relating to a public tender with personal data on a website.

ITALY Italian Data Protection Authority (Garante) 2020-03-05 3,000 San Giorgio Jonico Art. 5 GDPR, Art. 6 GDPR, Art. 17 GDPR Insufficient legal basis for data processing Publication of a citizen's personal data on a website and failure to comply with requests for deletion.

SPAIN Spanish Data Protection Authority (AEPD) 2020-07-02 24,000 Iberdrola Clientes Art. 5 GDPR Non-compliance with general data processing principles A third person had received an electricity bill with personal details such as name, address and bank account of another customer. The reason for this was that Iberdrola Clientes was not able to ensure sufficient security measures in the processing of the personal data of the data subject, in violation of the principles of data integrity and confidentiality. The fine of €40,000 has been reduced to €24,000 due to voluntary payment.

SPAIN Spanish Data Protection Authority (AEPD) 2020-07-02 4,000 De Vere Spain S.L. Art. 21 GDPR Insufficient fulfilment of data subjects' rights The company did not respond to the data subject's request to stop processing his or her data, and therefore the data subject continued to receive commercial calls.

NORWAY Norwegian Supervisory Authority (Datatilsynet) 2020-07-02 28,000 Odin Flissenter AS Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing The company assessed the credibility of another company and thereby, according to Datatilsynet, processed personal data relating to a natural person (the owner of the company assessed) without there being a sufficient legal basis for doing so.

SPAIN Spanish Data Protection Authority (AEPD) 2020-07-02 3,600 Saunier-Tec Mantenimientos de Calor y Frio, SL. Art. 33 GDPR Insufficient fulfilment of data breach notification obligations Despite the fact that the company had taken steps to resolve a data breach, it had not informed the AEPD sufficiently. As a result, the AEPD imposed a fine of EUR 4,800, which was reduced to EUR 3,600 due to voluntary payment.

SPAIN Spanish Data Protection Authority (AEPD) 2020-07-02 5,000 Xfera Moviles S.A. Art. 31 GDPR, Art. 58 GDPR Insufficient cooperation with supervisory authority The company had not cooperated sufficiently with the data protection authority.

ROMANIA Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) 2020-07-09 15,000 Proleasing Motors SRL Art. 32 GDPR Insufficient technical and organisational measures to ensure information security The company had failed to take sufficient technical and organisational measures to ensure information security, which resulted in the publication on Facebook of a document containing a password for access to personal data of 436 customers.

POLAND Polish National Personal Data Protection Office (UODO) 2020-07-10 3,400 East Power Sp. z o.o. Art. 31 GDPR, Art. 58 GDPR Insufficient cooperation with supervisory authority After three subpoenas to East Power, in which the latter failed to provide sufficient explanations on a direct marketing complaint, the data protection authority found that East Power had intentionally obstructed the course of the proceedings or at least failed to comply with its obligations to cooperate with the supervisory authority.

NORWAY Norwegian Supervisory Authority (Datatilsynet) 2020-07-10 46,660 Municipality of Rælingen Art. 32 GDPR, Art. 35 GDPR Insufficient technical and organisational measures to ensure information security Fine for the processing of children's health data in connection with disability via the digital learning platform «Showbie». The Municipality had failed to carry out a Data Protection Impact Assessment («DPIA») in accordance with Article 35 of the General Data Protection Regulation (Regulation (EU) 2016/679) («GDPR») prior to the start of the processing and had not taken sufficient technical and organisational measures in accordance with Article 32 of the GDPR, resulting in an increased risk of unauthorised access to the personal data of the pupils.

THE NETHERLANDS Dutch Supervisory Authority for Data Protection (AP) 2020-07-06 830,000 Bureau Krediet Registration ('BKR') Art. 12 GDPR, Art. 15 GDPR Insufficient fulfilment of data subjects' rights BKR had required the payment of a fee when individuals requested access to their personal data and only offered access to their data once a year free of charge by post.

ITALY Italian Data Protection Authority (Garante) 2020-07-13 200,000 Merlini s.r.l. Art. 5 GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 28 GDPR, Art. 29 GDPR Insufficient legal basis for data processing The company had carried out telemarketing activities on behalf of Wind Tre S.p.A. via a third party provider as data processor without sufficient legal basis for data processing (Art. 5-7 GDPR) and without sufficient contractual agreements (Art. 28, 29 GDPR) with the third party provider.

ITALY Italian Data Protection Authority (Garante) 2020-07-13 16,700,000 Wind Tre S.p.A. Art. 5 GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 24 GDPR, Art. 25 GDPR Insufficient legal basis for data processing Fines for several unlawful data processing activities relating to direct marketing. Hundreds of data subjects claimed to have received unsolicited communications sent without their prior consent by SMS, e-mail, telephone calls and automated calls. The data subjects were not able to exercise their right to withdraw their consent and object to processing for direct marketing purposes because the information contained in the Data Protection Policy was incomplete with regard to the contact details. Moreover, the data protection authority stated that the data of the data subjects had been published on public telephone lists despite their objection. In addition, several apps distributed by the company were set up in such a way that the user had to give his consent to various processing activities each time he accessed them, with the possibility of withdrawing consent only after 24 hours.

ITALY Italian Data Protection Authority (Garante) 2020-07-13 800,000 Iliad Italia S.p.A. Art. 5 GDPR, Art. 25 GDPR Non-compliance with general data processing principles The fine relates to data protection infringements concerning the processing of customer data for the activation of SIM cards and the way in which payment data was recorded. In addition, the data protection authority stated that the company had violated the principles of lawfulness, fairness and transparency as well as integrity and confidentiality with regard to the processing of personal data for direct marketing purposes and the storage of customer data in the personal area of its website.

SPAIN Spanish Data Protection Authority (AEPD) 2020-07-10 1,500 Auto Desguaces Iglesias S.L. Art. 5 GDPR Non-compliance with general data processing principles The company had installed surveillance cameras that recorded the public road and therefore violated the principle of data minimization.

SPAIN Spanish Data Protection Authority (AEPD) 2020-07-10 1,000 Centro Internacional De Crecimiento Laboral Y Profesional S.L. Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing Sending commercial messages without consent and without the possibility to object.

SPAIN Spanish Data Protection Authority (AEPD) 2020-07-10 12,000 Vodafone España, SAU Art. 5 GDPR Non-compliance with general data processing principles Fine for violation of Art. 5 (1) d) GDPR for changing the customer's master data into the name of a third party, the ex-partner of the customer.

SPAIN Spanish Data Protection Authority (AEPD) 2020-07-10 5,000 Global Business Travel Spain SLU Art. 32 GDPR Insufficient technical and organisational measures to ensure information security The fine was preceded by an employee's access to health data of a person concerned. During its investigations, the Data Protection Authority found that Global Business Travel Spain, as data controller, had infringed Article 32(2) and (4) of the GDPR by failing to take sufficient technical and organisational measures to protect the data from unauthorised disclosure.

SPAIN Spanish Data Protection Authority (AEPD) 2020-07-10 5,000 School Fitness Holiday & Franchising S.L. Art. 5 GDPR Non-compliance with general data processing principles Breach of the transparency principle. No further information available at the moment.

SPAIN Spanish Data Protection Authority (AEPD) 2020-07-10 55,000 Xfera Moviles S.A. Art. 5 GDPR, Art. 32 GDPR Insufficient technical and organisational measures to ensure information security The company had changed a contract for a mobile phone connection to a new owner, whereby the personal data of a data subject such as his address and telephone numbers were freely accessible. This constituted a violation of the principles of confidentiality and integrity.

BELGIUM Belgian Data Protection Authority (APD) 2020-07-14 600,000 Google Belgium SA Art. 5 GDPR, Art. 6 GDPR, Art. 17 (1) a) GDPR, Art. 12 GDPR Insufficient fulfilment of data subjects' rights The Belgian data protection authority has fined Google Belgium SA, a subsidiary of Google, 600,000 euros. The reasons for the fine were the rejection of an application by a data subject for dereferencing outdated articles that the data subject had considered to be damaging to its reputation, and lack of transparency in Google's form for dereferencing applications. The Belgian data protection authority found that articles relating to unfounded harassment complaints can have severe consequences for the data subjects, and natural persons were therefore entitled to have articles deleted/dereferenced. This also applies to those who hold political office, even though these offices tend to be much less worthy of protection due to their public position and articles relating to political persons may therefore be stored for a longer period of time. Google's rejection of the application was therefore in breach of Article 17 of the GDPR (fine for this breach: €500,000). In addition, a further €100,000 was imposed for breach of the principle of transparency, as Google's rejection of the request for deletion was not sufficiently justified.

SPAIN Spanish Data Protection Authority (AEPD) 2020-07-20 24,000 Banco Bilbao Vizcaya Argentaria, SA Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing BBVA had no sufficient basis for processing the data of the data subject and had therefore infringed Article 6(1) of the GDPR, because the company processed solvency and credit rating data without a prior contractual relationship with the data subject.

SPAIN Spanish Data Protection Authority (AEPD) 2020-07-20 40,000 Iberia Lae SA Operadora Unipersonal Art. 58 GDPR Insufficient cooperation with supervisory authority The company did not grant the data subject access to telephone records. The applicant's request for access did not receive a reply, despite the prior order of the AEPD.

SPAIN Spanish Data Protection Authority (AEPD) 2020-07-20 1,500 Comercial Vigobrandy, SL Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR Insufficient fulfilment of information obligations Installation of CCTV surveillance without sufficient information by means of a sign.

GREECE Hellenic Data Protection Authority (HDPA) 2020-06-29 5,000 New York College S.A. Art. 5 GDPR Non-compliance with general data processing principles The College had contacted the complainant directly by telephone regarding an educational programme and had processed personal data in a non-transparent manner.

SPAIN Spanish Data Protection Authority (AEPD) 2020-07-20 80,000 Orange Espagne S.A.U. Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing The company had unlawfully activated several telephone line contracts using the personal data of a data subject. This constituted an unlawful processing operation, because the data of the data subject was entered into the company's database and processed there without a sufficient legal basis.

SPAIN Spanish Data Protection Authority (AEPD) 2020-07-20 70,000 Xfera Moviles S.A. Art. 5 GDPR Non-compliance with general data processing principles A data subject had received a call from another Xfera Móviles customer who stated that the company had charged his bank account with an invoice, disclosing the personal details of the other data subject. This was due to an error on the part of Xfera Móviles and was therefore a violation of the principles of integrity and confidentiality.

SPAIN Spanish Data Protection Authority (AEPD) 2020-07-23 10,000 El Periódico de Catalunya, S.L.U. Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing Following a request for erasure addressed to the company, the data subject received another newsletter from the newspaper, although El Periódico de Catalunya claimed to have granted the request. This was due to a failure of an external service provider of the company.

SPAIN Spanish Data Protection Authority (AEPD) 2020-07-23 55,000 Telefónica Móviles España, SAU Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing Telefónica Móviles España has processed the personal data of a data subject, such as first and last name and bank details, in order to activate three telephone lines that had never been requested. This constitutes a breach of the principle of lawfulness of the processing.

SPAIN Spanish Data Protection Authority (AEPD) 2020-07-23 70,000 Telefónica Móviles España, SAU Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing The data subject's account was debited for two telephone lines that he had never ordered or approved. This constituted unlawful processing of personal data, because the data subject's data was stored in the information systems of Telefónica Móviles España without a legal basis for invoicing.

SPAIN Spanish Data Protection Authority (AEPD) 2020-07-23 75,000 Telefónica Móviles España, SAU Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing The company had carried out the number porting of a data subject's telephone line from his current company without his consent. Personal data was transferred from the former telephone operator to Telefónica Móviles España in order to change the ownership of the telephone line without sufficient legal basis.

SPAIN Spanish Data Protection Authority (AEPD) 2020-07-23 5,000 Xfera Moviles S.A. Art. 58 GDPR Insufficient cooperation with supervisory authority Following a complaint, Xfera Móviles was requested by the AEPD to provide certain information and documents, but did not do so within the given deadline.

SPAIN Spanish Data Protection Authority (AEPD) 2020-07-23 5,000 El Real Sporting de Gijón S.A.D. Art. 6 GDPR, Art. 7 GDPR Insufficient legal basis for data processing Fine for sending direct marketing communications without sufficient consent, because the form Real Sporting de Gijón submitted to club members did not comply with the GDPR (opt-out instead of opt-in).

BELGIUM Belgian Data Protection Authority (APD) 2020-07-14 5,000 Operator of CCTV of a residential building Art. 6 GDPR, Art. 7 GDPR Insufficient legal basis for data processing The operator of video cameras on a residential property had installed cameras there to monitor the shared area of two blocks of flats. The data controller argued that the owners had given their consent to this by signing the notarised purchase contracts. However, the data protection authority had denied this after checking the contracts.

ROMANIA Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) 2020-07-30 2,000 SC Viva Credit IFN SA Art. 17 GDPR Insufficient fulfilment of data subjects' rights The company had not informed the data subject within one month (or up to a few months if a reason for the delay is given) of the measures taken following the request for deletion of data.

ROMANIA Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) 2020-07-30 2,000 Romanian Post National Company Art. 32 GDPR Insufficient technical and organisational measures to ensure information security Processing of personal data, in particular the telephone numbers and e-mail addresses of 81 data subjects, by the Romanian Post as data controller without appropriate technical and organisational measures, such as pseudonymisation.

ROMANIA Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) 2020-07-27 5,000 SC Cntar Tarom SA Art. 32 GDPR Insufficient technical and organisational measures to ensure information security Unauthorised disclosure of the data of 5 Tarom passengers due to insufficient technical and organisational measures for secure data processing. Among other things, the company was required to take corrective action, including training its employees and conducting risk assessment procedures.

DENMARK Danish Data Protection Authority (Datatilsynet) 2020-07-28 147,800 Arp Hansen Hotel Group A/S Art. 5 (1) e) GDPR Non-compliance with general data processing principles During an inspection, the supervisory authority reviewed a number of IT systems to check whether Arp-Hansen had sufficient procedures in place to ensure that personal data were not stored longer than necessary for the purposes of collection. It was found that one of the reservation systems contained a large amount of personal data that should already have been deleted in accordance with the deletion deadlines set by Arp-Hansen itself.

FRANCE French Data Protection Authority (CNIL) 2020-08-05 250,000 Spartoo Art. 5 (1) GDPR, Art. 13 GDPR, Art. 14 GDPR Non-compliance with general data processing principles A fine of EUR 250,000 was imposed on the online retailer Spartoo. The reason for this was that the company, which has its headquarters in France but supplies a large number of European countries, fully recorded all telephone hotline conversations (including personal data such as address and bank details of orders) and additionally stored bank details partly unencrypted. Among other things, this represents a violation of the principle of data minimization. Moreover, the supervisory authority also found a violation of the information obligations in accordance with Art. 13 GDPR, because the company's data protection information was partly incorrect.

DENMARK Danish Data Protection Authority (Datatilsynet) 2020-08-04 20,100 PrivatBo A.M.B.A. Art. 5 GDPR, Art. 32 GDPR Insufficient technical and organisational measures to ensure information security The company had distributed USB sticks to tenants in the context of a sale of real estate, which contained not only non-personal information on the properties in question but also personal data of individuals such as rental agreements and other documents containing confidential personal data.

SPAIN Spanish Data Protection Authority (AEPD) 2020-08-06 3,000 GROW BEATS SL Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR Insufficient fulfilment of information obligations The company had published a cookie policy on its website which on the one hand contained no information about the purpose of the use of cookies and on the other hand no information about the properties of the installed cookies and the time period for which they remain active in the end user's terminal equipment.

SPAIN Spanish Data Protection Authority (AEPD) 2020-08-04 60,000 Vodafone España, SAU Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing The data subject received confirmation from Vodafone of a number porting, which the data subject had never commissioned.

ITALY Italian Data Protection Authority (Garante) 2020-08-10 10,000 Cavauto S.R.L. Art. 5 GDPR, Art. 6 GDPR, Art. 7 GDPR Insufficient legal basis for data processing Access to personal data of a former employee (containing his browser history) on his work laptop.

ITALY Italian Data Protection Authority (Garante) 2020-08-10 10,000 Community of Baronissi Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing The community published on its website personal data of data subjects including names, dates of birth, place of birth, place of residence, etc.

ITALY Italian Data Protection Authority (Garante) 2020-08-06 3,000 GTL S.R.L. Art. 12 GDPR, Art. 15 GDPR Insufficient fulfilment of data subjects' rights Failure to grant access to personal data of a data subject in accordance with Art. 15 GDPR.

SPAIN Spanish Data Protection Authority (AEPD) 2020-08-06 3,000 Just Landed S.L. Art. 13 GDPR Insufficient fulfilment of information obligations Just Landed was fined EUR 3,000 for insufficient cookie information in accordance with national data protection laws and at the same time warned due to insufficient fulfilment of information obligations in accordance with Art. 13 GDPR (privacy policy only in English language).

FINLAND Deputy Data Protection Ombudsman 2020-08-05 7,000 Acc Consulting Varsinais-Suomi Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing Unsolicited marketing SMS without prior consent.

SPAIN Spanish Data Protection Authority (AEPD) 2020-08-05 3,000 Restaurant Art. 5 (1) c) GDPR, Art. 12 GDPR, Art. 13 GDPR Non-compliance with general data processing principles Installation of CCTV surveillance cameras that were also monitoring the public space and without proper information.

AUSTRIA Austrian Data Protection Authority (DSB) 2020-08-05 100 Bank Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing A bank employee made a copy of the identity card of a bank customer who wanted to exchange EUR 100 in foreign currency and justified this with money laundering regulations. However, these only apply to a sum of EUR 1000 and above.

ITALY Italian Data Protection Authority (Garante) 2020-08-05 2,000 College Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing Posting personal data of pupils on a public notice board.

ITALY Italian Data Protection Authority (Garante) 2020-08-04 15,000 Mapei S.p.A. Art. 5 GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 15 GDPR, Art. 17 GDPR Insufficient legal basis for data processing The company had left the e-mail account of the data subject active even after the termination of his employment and had automatically forwarded incoming e-mails. The company did not provide sufficient information about this. In addition, the company did not react to claims for access and erasure.

ITALY Italian Data Protection Authority (Garante) 2020-08-04 5,000 National Institute for Social Security – Division of the Province of Brescia Art. 15 GDPR Insufficient fulfilment of data subjects rights Failure to grant access to personal health data of a data subject in accordance with Art. 15 GDPR.

ITALY Italian Data Protection Authority (Garante) 2020-08-04 1,000 Grocery retailer Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing The operator of a grocery retailer displayed the letter of dismissal to the personnel supervisor on the publicly visible notice board of the grocery retailer.

ITALY Italian Data Protection Authority (Garante) 2020-07-30 2,000 Neighborhood of Manduria Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing The community transmitted personal data of a community employee to the press without sufficient legal basis.

ITALY Italian Data Protection Authority (Garante) 2020-07-29 3,000 Neighborhood of San Giorgio Jonico Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing Publication of personal data on the municipal website relating to legal proceedings.

ITALY Italian Data Protection Authority (Garante) 2020-07-29 4,000 Region of Campania Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing Publication of an enforcement order in civil proceedings on the Region's website. The document listed the names and places of residence and the amount of the claim.

BELGIUM Belgian Data Protection Authority (APD) 2020-07-28 3,000 Communal political association Art. 5 GDPR, Art. 6 GDPR, Art. 14 GDPR Insufficient legal basis for data processing A local political association sent out election advertisements to the residents of the municipality for the local elections in 2018. For this purpose, the association used the electoral roll from 2012 and compared it with that of 2018, without a sufficient legal basis and without appropriate information in accordance with Art. 14 GDPR.

POLAND Polish National Personal Data Protection Office (UODO) 2020-07-15 22,300 Office for geodesy and cartography Art. 31 GDPR, Art. 58 GDPR Insufficient cooperation with supervisory authority Refusal of access to the premises by the supervisory authority during an audit.

SPAIN Spanish Data Protection Authority (aepd) 2020-07-31 45,000 Vodafone España SAU Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing Unlawful processing of a phone number for advertising and marketing purposes even after the data subject had exercised its right to erasure.

SPAIN Spanish Data Protection Authority (aepd) 2020-08-17 5,000 Party of the Socialists of Catalonia Art. 5 (1) b) GDPR Non-compliance with general data processing principles The Socialist Party of Catalonia used the personal data provided by a gifted physician to send a letter to the complainant's relative asking for political support. This constitutes a quite different purpose from the original purpose of the collection and therefore violates the principle of purpose limitation.

ESTONIA Estonian Data Protection Authority (aepd) 2020-08-17 48 Police Officer Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing Access to personal data in a police database for private evaluation activities.

SPAIN Spanish Data Protection Authority (aepd) 2020-08-28 50,000 Bankia S.A. Art. 5 (1) b) GDPR Non-compliance with general data processing principles The bank kept personal data of a data subject for several years, even after the data subject was no longer a customer. The data was also accessible to bank employees during this time. This constituted a violation of the principle of purpose limitation.

SPAIN Spanish Data Protection Authority (aepd) 2020-08-28 5,000 Basketball Federation of Castilla and Leon Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing The Basketball Association transmitted personal data to third parties, which were therefore published on the Internet without consent of the data subjects. In addition, the data protection authority found that the Basketball Federation also disclosed personal data to a newspaper, violating, in addition, the principle of integrity and confidentiality (Art. 5 (1) f) GDPR).

POLAND Polish National Personal Data Protection Office (UODO) 2020-08-31 22,700 Surveyor General of Poland (‘GKK’) Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing Processing of personal data on the GEOPORTAL2 platform in the form of land and mortgage registers (including names, surnames and other personal data) without sufficient legal basis.

SPAIN Spanish Data Protection Authority (aepd) 2020-07-31 1,500 Tour & Of us Max S.L. Art. 21 GDPR Insufficient fulfilment of data subjects rights Unsolicited advertising and marketing calls although data subjects had expressed their objection to data processing. In addition to the GDPR, this was also considered a violation of Article 48(1)(b) of General Law 9/2014 (Spanish national law).

SPAIN Spanish Data Protection Authority (aepd) 2020-09-01 75,000 Telefónica Móviles España, SAU Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing According to the supervisory authority, the company processed personal data without sufficient legal basis, with the result that the data subject received several hundred unsolicited calls and SMS messages.

SPAIN Spanish Data Protection Authority (aepd) 2020-09-07 3,000 Barcelona Airport Security Guard Association (‘AVSAB’) Art. 5 (1) f) GDPR Non-compliance with general data processing principles A member of the AVSAB security committee used WhatsApp to send messages to private phone numbers containing personal data about employees. This was a violation of the confidentiality principle that, according to the AEPD, must be respected not only by the data controller, but also by any other party involved in any part of the processing.

ITALY Italian Data Protection Authority (Garante) 2020-07-02 15,000 Mapei S.p.A. Art. 5 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 15 GDPR Insufficient fulfilment of data subjects rights Mapei did not respond to the request for access to personal data of the data subject. In addition, Mapei had left the e-mail account of the person concerned active even after the termination of the contract.

POLAND Polish National Personal Data Protection Office (UODO) 2020-09-08 11,200 Warsaw University of Life Sciences Art. 32 GDPR Insufficient technical and organisational measures to ensure information security Theft of a private notebook belonging to a university employee who also used this device for business purposes and on which personal data of candidates for study at SGGW was contained for recruitment activities.

GREECE Hellenic Data Protection Authority (HDPA) 2020-08-03 3,000 Candidate for parliamentary elections Art. 15 GDPR Insufficient fulfilment of data subjects rights The data subject received phone calls relating to a candidacy for parliamentary elections. When the data subject made use of its right to access in accordance with Art. 15 GDPR, it did not receive the information.

HUNGARY Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) 2020-07-23 560 Forbes Hungary Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing Fine imposed on Forbes Hungary for publishing a list of the 50 wealthiest Hungarians and a list of the largest family companies without a sufficient balance of interests (Art. 6 (1) f) GDPR).

ROMANIA Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) 2020-09-01 500 Web site organising owners association Art. 5 GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 25 GDPR, Art. 32 GDPR Insufficient legal basis for data processing Export of a still image from a video surveillance system and posting of the image on the billboard of the building without sufficient legal basis. In addition, violation of the information obligations under Art. 12, 13 GDPR and violation of Art. 25 and 32 GDPR, because no sufficient information about the CCTV was given and because no sufficient technical and organizational security measures were taken to protect the personal data collected by the video surveillance system.

SPAIN Spanish Data Protection Authority (aepd) 2020-09-17 60,000 Vodafone España, SAU Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing A former customer had received e-mails containing electronic bills even after he had terminated his contract with the company, resulting in a processing of personal data without sufficient legal basis.

SPAIN Spanish Data Protection Authority (aepd) 2020-09-17 3,000 Grupo Carolizan Art. 5 GDPR Non-compliance with general data processing principles Operation of CCTV camera systems in an arcade area in front of a building, i.e. also covering public space. This violated the principle of data minimization, since the surveillance cameras could have been operated in a way that would not have affected the public space.

SPAIN Spanish Data Protection Authority (aepd) 2020-09-16 10,000 Property owners community Art. 5 GDPR Non-compliance with general data processing principles Publication of a document containing personal data (data about identification of the data subject as well as about debts) on a community notice board.

SPAIN Spanish Data Protection Authority (aepd) 2020-09-11 1,500 Political Party Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing Sending of an e-mail to a former party member who had since resigned, with the request to act as an election manual, without sufficient legal basis to process the personal data required for this purpose.

GREECE Hellenic Data Protection Authority (HDPA) 2020-09-11 8,000 Private Person Art. 5 GDPR Non-compliance with general data processing principles Operation of a CCTV camera that also monitored public space outside the premises of the data controller.

ROMANIA Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) 2020-09-08 2,000 Sanatatea Press Group S.R.L. Art. 5 (1) f) GDPR, Art. 32 GDPR Insufficient technical and organisational measures to ensure information security Sending the personal data collected for the registration for an online course to other participants as a result of a technical failure.

ITALY Italian Data Protection Authority (Garante) 2020-09-07 2,000 Istituto Comprensivo Statale Crucoli Torretta Art. 5 (1) f) GDPR, Art. 32 GDPR Insufficient technical and organisational measures to ensure information security Publication of personal data of students on the website of the Institute with, inter alia, notes about health and development in school as a result of technical failure.

BELGIUM Belgian Data Protection Authority (APD) 2020-09-07 5,000 Gentle mayor of a community Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing Sending election advertising to voters without sufficient legal basis.

SPAIN Spanish Data Protection Authority (aepd) 2020-09-22 60,000 GLP Instalaciones 86, SL Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing In order to obtain support for the installation of an air conditioning system, the data subject had contacted Naturgy Energy Group S.A. As a result, he was contacted by two different companies, one of which was GLP Instalaciones 86, who pretended to be Naturgy employees. Naturgy denied this and claimed that the companies were neither authorized installers nor employees of Naturgy, resulting in the processing of personal data of the data subject, including his/her name, surname, phone number, bank details and e-mail, without a sufficient legal basis.

GERMANY Data Protection Authority of Hamburg 2020-10-01 35,258,708 H&M Hennes & Mauritz On-line Retailer A.B. & Co. KG Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing The fashion company with seat in Hamburg operates a service center in Nuremberg. Here, according to the findings of the Hamburg data protection officer, since at least 2014 private life circumstances of some of the employees were comprehensively recorded and this information stored on a network drive. For example, the company conducted a « Welcome Back Talk » after employees returned to work after vacation or sickness. The information that became known in this context, including information on the symptoms of illness and diagnoses of the employees, was recorded and stored. In addition, according to the Hamburg data protection authority, some supervisors also used the « Flurfunk » [meaning to hear something through the grapevine] to acquire a broad knowledge of individual employees, for example about family problems and religious beliefs. The information stored on the network drive was accessible to up to 50 managers of the company and was used, among other things, to evaluate the work performance of the employees and to make employment decisions. The data collection became known as a result of a technical configuration error in October 2019, according to which the data stored on the network drive was accessible company-wide for several hours. After the violation became known, the management apologized to the employees and offered monetary compensation. In addition, further protective measures were introduced together with the data protection authority. [Note: Concrete legal basis of the fine not yet published – we assume this will mainly be Art. 5 and 6 GDPR]

ITALY Italian Data Protection Authority (Garante) 2020-09-30 80,000 Azienda Ospedaliera di Rilievo Nazionale ‘Antonio Cardarelli’ (Private Hospital) Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 28 GDPR, Art. 32 GDPR Insufficient technical and organisational measures to ensure information security According to the data protection authority, personal data about participants in a public competition had been unlawfully disclosed online. The reason for this was that, as a result of a configuration error, a list of the codes assigned to the candidates was briefly accessible on the platform, which allowed access to the documents submitted by the candidates with their personal data. This was a violation of the principle of data security. In addition, the data protection authority found that the information obligations had also not been complied with and that the hospital had also not provided a sufficient data processing agreement with the data processor [which was also fined, see fine for « Scanshare »] in accordance with Art. 28 GDPR.

ITALY Italian Data Protection Authority (Garante) 2020-09-30 60,000 Scanshare s.r.l. Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 32 GDPR Insufficient technical and organisational measures to ensure information security According to the data protection authority, personal data about participants in a public competition had been unlawfully disclosed online. The reason for this was that, as a result of a configuration error, a list of the codes assigned to the candidates was briefly accessible on the platform, which allowed access to the documents submitted by the candidates with their personal data. This was a violation of the principle of data security, for which Scanshare, which was the processor of the data on behalf of the controller « Azienda Ospedaliera di Rilievo Nazionale ‘Antonio Cardarelli' » (a private hospital), was fined EUR 60.000. [Also see the main fine on the hospital!]
