Who has been fined under the GDPR?

Has anyone been fined for a GDPR breach? Yes, and the list keeps growing. DLA Piper's GDPR data breach survey of January 2020 counted 160,921 personal data breaches notified within the EEA between 25 May 2018 and January 2020, and data protection authorities have turned a steadily growing share of those notifications into penalties. The GDPR allows fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher, and the Article 83 criteria scale with the size and conduct of the organization, so the regulation bites multinationals and micro-enterprises alike.

This page lists the major fines so far: those of at least €100,000, plus a few smaller ones that were a first for their country. It leaves out fines imposed under national laws rather than the GDPR itself, and seven fines whose amounts were never made public. Amounts in non-euro currencies are converted approximately. The list is current as of late 2020 and changes constantly, which by itself says a lot about the level of activity at the supervisory authorities.

France – Google – €50,000,000 (about £44 million). The CNIL fined Google for lack of transparency and for invalid consent in advertising personalization: users were not given enough information about how their data was processed and had too little control over it, and the option to personalize ads was pre-checked. Google lodged an appeal. Google's EU headquarters is in Ireland, but it has been other EU countries, first France, then Sweden and now Belgium, that have fined Google under the GDPR.

Sweden – Google – €7,000,000. The Swedish Data Protection Authority fined Google for failing to remove the personal information of several individuals who had exercised their right to be delisted from search results.

Belgium – Google – €600,000. The Belgian Data Protection Authority fined Google for refusing a Belgian citizen's request to remove outdated and negative listings from search results, another right-to-be-forgotten case.

Germany – H&M Hennes & Mauritz – €35,258,708 (about £32.1 million). The Hamburg data protection authority (HmbBfDI) found that H&M's Nuremberg service centre had, since 2014, recorded details of employee absences for vacation and illness, including diagnoses and symptoms, along with private details about holidays, family affairs and religion. Some of this was gathered through whispering campaigns and gossip, discussed among managers, used to build profiles and fed into employment decisions; the data was briefly accessible company-wide in 2019. Several hundred employees were affected. It is the largest fine for an employment-related privacy breach since the GDPR came into force, and the authority stressed the imbalance of power in the employer-employee relationship.

Germany – Deutsche Wohnen SE – €14,500,000 and Germany – 1&1 Telecom – €9,550,000. Together these two multimillion fines come to just over €24 million.

Germany – AOK Baden-Württemberg – €1,240,000. The Baden-Württemberg DPA found that the health insurer sent marketing messages to 500 people without consent and had taken insufficient measures to protect personal data.

Germany – Hospital in Rheinland-Pfalz – €105,000. The hospital sent invoices to the wrong patients, exposing other patients' personal data.

Italy – TIM – about €27.8 million. January 15, 2020 was a critical day for the telecommunications operator: the Garante penalized it for unsolicited promotional calls, enrolling people in prize competitions without consent and ignoring do-not-call requests, in one case even after 155 calls to a single individual. The company had been the subject of hundreds of complaints.

Italy – Eni Gas e Luce – €11,500,000 (two fines of €8.5 million and €3 million). The Garante found an aggressive marketing strategy that included contacting non-customers repeatedly, some numbers more than 150 times a month, without consent or another legal basis.

Italy – Wind Tre – about €16.7 million, and its subcontractor Merlini. Merlini operated a call centre that recruited new customers for Wind Tre; operators entered the data into a CRM system, and data subjects were informed neither that calls were recorded nor of any other processing. Wind Tre lacked proper contracts with its partners and did no adequate due diligence on them. The Garante stated that at least some of Wind Tre's violations were not accidental but the result of wilful misconduct.

Italy – Iliad – €800,000. The Garante fined the mobile operator for improperly recording payment information and processing personal data during SIM activation, and for violating storage and processing requirements for telephone and telematic data. A notable detail: the cameras used during SIM activation captured passers-by, not only the person doing the transaction.

Italy – unnamed bank – €600,000. The violations affected over 700,000 customers between April 2016 and July 2017, before the GDPR applied, and the bank reported them to the Authority in July 2017. The Garante explained the amount as follows: "In determining the amount of the amount in €600,000, the Authority took into account several elements, including the fact that the violations were committed against a significant number of people and that the bank — which did not suffer previous sanctioning measures by the Guarantor — following the data breach, adopted various measures and initiatives aimed at strengthening the security of its IT systems."

UK – British Airways. In July 2019 the ICO proposed a fine of £183 million (about €204.6 million); the final penalty, issued in October 2020, was much lower at £20 million, the ICO's penalty notice citing a range of mitigating factors and the impact of the Covid-19 pandemic. For several months in 2018 the BA website diverted users' traffic to an attacker-controlled site, allowing the theft of personal data of more than 400,000 customers, and BA did not detect the attack for more than two months. In the ICO's words, the "investigation found the airline was processing a significant amount of personal data without adequate security measures in place. This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months." The reduction shows regulators adjusting to the circumstances of the pandemic, not a softer view of inadequate security.

UK – Marriott International. The ICO proposed £99 million (about €123 million) in July 2019 and finalized £18.4 million on October 30, 2020. Marriott inherited the breach through its acquisition of the Starwood hotels group: the intrusion ran from 2014 to 2018 and exposed about 339 million guest records, 31 million of them belonging to EEA residents. The ICO concluded that Marriott should have done more due diligence at acquisition and implemented appropriate security measures. Marriott later disclosed a second breach, in 2020, affecting about 5.2 million guests.

UK – Ticketmaster UK – £1,250,000 (about €1,373,000). The ICO found that Ticketmaster "failed to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures as required by Article 5(1)(f) and Article 32 GDPR." 9.4 million data subjects were affected.

UK – Heathrow Airport Limited – £120,000. A USB memory stick lost by a HAL employee was found by a member of the public; the ICO fined HAL for failing to ensure that personal data held on its network was properly secured.

Ireland – Twitter – €450,000 (issued as USD 500,000; the euro figure is the DPC's own estimate). A bug traced back to November 2014 exposed some users' protected tweets; it was reported to Twitter on St Stephen's Day 2018, Twitter says it grasped the severity on January 3, 2019, and it then failed to notify the DPC within the 72-hour window. The DPC's investigation began in January 2019. This was the first time a US technology firm was fined in a cross-border case under the GDPR. The fine would have been higher had the company not cooperated closely with the regulator.

Ireland – Tusla – €75,000. The child and family agency was the first organization in the State fined under the GDPR, for three cases in which information about children was wrongly disclosed to unauthorized parties. It is included despite falling under the €100,000 threshold because it was the first.

Spain – Banco Bilbao Vizcaya Argentaria – €5,000,000.

Spain – Vodafone España. The AEPD fined the operator because it could not prove it had obtained an individual's consent to process their data, nor that the individual had ordered any service.

Spain – La Liga. The league's smartphone app turned on users' microphones to listen for the sound of a match and combined it with geolocation to identify pirated streams; the information was used to sue 600 bars. Users were not adequately informed.

Netherlands – Royal Dutch Tennis Association – €525,000. The association sold members' personal data to sponsors, who then contacted some of those members. The Dutch DPA rejected the argument that it had a legitimate interest in selling the data.

Netherlands – BKR (credit registry). The BKR made data subject access unnecessarily hard: a written request with a copy of the person's passport, only once a year, answered "within 28 days", with faster responses available only through a paid subscription.

Netherlands – hospital. A Dutch hospital was fined for lax logging and access controls on patient records; in one instance 197 employees accessed one celebrity's record.

Norway – Bergen Municipality – €170,000 (NOK 1,700,000). The personal data of 35,000 student accounts was stolen after warnings to the organization had gone unheeded.

Denmark – Arp-Hansen Hotel Group A/S – €147,675 (DKK 1,100,000). The group stored the personal data of over 500,000 people whose profiles should have been deleted under the GDPR.

Denmark – IDdesign – €180,000 (DKK 1,500,000). The retailer did not delete the personal information of 385,500 dormant customers.

Sweden – Karolinska University Hospital – €396,000 (SEK 4,000,000). The hospital did not perform a risk analysis of its Take Care system before granting staff permissions to patient records, and did not limit staff access to the minimum required.

Sweden – Capio St Göran's Hospital – €346,000 (SEK 3,500,000). The same two failings across two medical records systems, plus no logs of access to patient documents.

Sweden – Västerbotten Region Health and Medical Care Board – €247,000 (SEK 2,500,000).

Greece – Aegean Marine Petroleum Network – €150,000. The Hellenic DPA found that the company did not inform data subjects that their data would be processed and stored on company servers, failed to implement technical measures to secure that processing, and failed to separate the software from the data, possibly allowing companies outside the group to reach the servers and the personal data on them.

Bulgaria – National Revenue Agency – €2,600,000 (BGN 5,100,000). Records of about 6 million people were accessed in a security breach.

Romania – Banca Transilvania SA – €100,000, imposed by the National Supervisory Authority for Personal Data Processing.

Romania – UniCredit Bank – €130,000 (RON 613,912). The bank revealed the national identification number and postal address of payers to payment recipients.

Poland – morele.net – €645,000 (PLN 2,800,000). Inadequate technical safeguards, in particular insufficient user authentication, allowed unauthorized access to customer data.

Poland – Virgin Mobile Polska – €433,000 (PLN 1,968,524). The carrier ran only infrequent and limited tests, measurements and evaluations of its security measures rather than regular, comprehensive ones, and did not test the security of data transfers between the applications used by buyers of prepaid services.

Hungary – unnamed company – HUF 100,000,000. The NAIH fined the company for failing to apply adequate security measures: databases containing personal data were reachable through the homepage and were not encrypted, and a hacker who discovered the vulnerability reported it to the controller, which did not act.

Portugal – hospital near Lisbon – €400,000. The Comissão Nacional de Protecção de Dados found three violations, including staff using bogus accounts to access patient records.

Austria – Austrian Post. The postal service sold detailed personal profiles of approximately 3 million Austrians to companies and political parties.

France – Carrefour France – €2,250,000 and Carrefour Banque – €800,000, imposed by the CNIL for violating the GDPR and Article 82 of the French Data Protection Act.

France – SPARTOO – €250,000, also imposed by the CNIL.

