GDPR Fine Tracker
An overview of fines and penalties which data protection authorities within the EU have imposed under the EU General Data Protection Regulation (GDPR, DSGVO)
Most of the data is based on enforcementtracker.com, provided by CMS Law.Tax
We added additional functionalities such as multiselect filtering.
| id | ID | Date | Country | Authority | Fine in € | Company | Sector | Article | Type | Summary | Link | timestamp | n | c | Link |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | ETid-1 | 2018-12-09 | AUSTRIA | Austrian Data Protection Authority (dsb) | 4,800 | Betting place | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | Video surveillance was not sufficiently marked and a large part of the sidewalk of the facility was recorded. Surveillance of the public space in this way, i.e. on a large scale by private individuals, is not permitted. | link' target='_self'> | 02.10.2024 10:23 | 4,800 | 1 | link |
| 2 | ETid-2 | 2018 | AUSTRIA | Austrian Data Protection Authority (dsb) | 1,800 | Kebab restaurant | Accomodation and Hospitalty | Art. 5 GDPR, Art. 13 GDPR, Art. 14 GDPR | Insufficient legal basis for data processing | CCTV was unlawfully used. Sufficient information about the video surveillance was missing. In addition, the storage period of 14 days was too long and therefore against the principle of data minimization. Addendum: Fine has been reduced to EUR 1500 by court, see link | link' target='_self'> | 02.10.2024 10:23 | 1,800 | 1 | link |
| 3 | ETid-3 | 2018-09-27 | AUSTRIA | Austrian Data Protection Authority (dsb) | 300 | Private car owner | Individuals and Private Associations | Art. 5 (1) a) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A Dashcam was unlawfully used. | link' target='_self'> | 02.10.2024 10:23 | 300 | 1 | link |
| 4 | ETid-4 | 2018-12-20 | AUSTRIA | Austrian Data Protection Authority (dsb) | 2,200 | Private person | Individuals and Private Associations | Art. 5 (1) a) GDPR, Art. 5 (1) c) GDPR, Art. 6 (1) GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The fine was imposed against a private person who was using CCTV at his home. The video surveillance covered areas which are intended for the general use of the residents of the multi-party residential complex, namely: parking lots, sidewalks, courtyard, garden and access areas to the residential complex; in addition, the video surveillance covered garden areas of an adjacent property. The video surveillance subject of the proceedings is therefore not limited to areas which are under the exclusive power of control of the controller. Video surveillance is therefore not proportionate to the purpose and not limited to what is necessary. The video surveillance records the hallway of the house and films residents entering and leaving the surrounding apartments, thereby intervening in their highly personal areas of life without the consent to record their image data. The video surveillance was not properly indicated. | link' target='_self'> | 02.10.2024 10:23 | 2,200 | 1 | link |
| 5 | ETid-5 | 2019-05-28 | BELGIUM | Belgian Data Protection Authority (APD) | 2,000 | Mayor | Public Sector and Education | Art. 5 (1) b) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The administrative fine was imposed for the misuse of personal data by a mayor for campaign purposes. | link' target='_self'> | 02.10.2024 10:23 | 2,000 | 1 | link |
| 6 | ETid-6 | 2018-12-04 | BULGARIA | Bulgarian Commission for Personal Data Protection (KZLD) | 500 | Bank | Finance, Insurance and Consulting | Art. 5 (1) b) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A fine of 1000 BGN (or roughly 500 EUR) was imposed on a bank for calling a client for the unresolved bills of his neighbor. This provoked the client to evoke his right to be forgotten. After not receiving any answer from the bank he filed another motion, for which the bank did take action in the statutory period. Nonetheless, the client filed a complaint to KZLD. The infringement for which the bank was fined was for the processing of the client’s personal data was not linked to his consumer credit agreement. Since the purpose for which the data were processed was different from that communicated at the time of conclusion of the contract, the bank had, in the point of view of KZLD, to request additional consent from its client. | link link' target='_self'> | 02.10.2024 10:23 | 500 | 1 | link link |
| 7 | ETid-7 | 2019-02-26 | BULGARIA | Bulgarian Commission for Personal Data Protection (KZLD) | 27,100 | Telecommunication service provider | Media, Telecoms and Broadcasting | Art. 6 GDPR, Art. 5 (1) a) GDPR | Insufficient legal basis for data processing | Repeated registration of prepaid services without the knowledge and consent of the data subject Employees of the telecommunications provider have used personal data and registered the complainant with the company's prepaid service. The data subject had not signed the application and had not consented to the processing of his personal data for the stated purpose. There was also no other legal basis applicable. The signature of the application and the complainant own genuine application were not identical and the persons personal identification number was indicated, but the identity card number was not the complainants one. | link' target='_self'> | 02.10.2024 10:23 | 27,100 | 1 | link |
| 8 | ETid-8 | 2019-01-17 | BULGARIA | Bulgarian Commission for Personal Data Protection (KZLD) | 500 | Bank | Finance, Insurance and Consulting | Art. 6 GDPR, Art. 5 (1) a) GDPR | Insufficient legal basis for data processing | A bank gained personal data concernign a student wihtout a legal basis. | link' target='_self'> | 02.10.2024 10:23 | 500 | 1 | link |
| 9 | ETid-9 | 2019-02-22 | BULGARIA | Bulgarian Commission for Personal Data Protection (KZLD) | 500 | Employer | Employment | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | An employee sent a request to his employer for access to personal data concerning him. The request was not answered in time and not in a complete way. | link' target='_self'> | 02.10.2024 10:23 | 500 | 1 | link |
| 10 | ETid-10 | 2019 | CYPRUS | Cypriot Data Protection Commissioner | 5,000 | State Hospital | Health Care | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | A patient complained to the Commissioner that the request for access to her medical file was not satisfied by the hospital because the dossier could not be identified/located by the controller. After investigating the case, an administrative fine of €5,000 was imposed on the hospital. | link' target='_self'> | 02.10.2024 10:23 | 5,000 | 1 | link |
| Country | Sector | Type | timestamp |