April 2021 GDPR Fines and Settlements

April was a busy month for GDPR enforcement, as supervisory authorities across Europe levied many fines on organizations in a variety of sectors for noncompliance.

APRIL 2021

Date: 04-05-2021

Name: Stockhunters S.L.

Sector: Finance, Insurance and Consulting

Country: Spain

Type: Insufficient fulfilment of information obligations

Fine: 4,000 EUR

Summary:

The Spanish DPA (AEPD) has imposed a fine of EUR 4,000 on Stockhunters S.L. The controller was unable to answer the data subject's requests regarding the use of his personal data. In addition, the data protection policy on the controller's website did not comply with the provisions of Art. 13 GDPR. The data subject was therefore unsure of how his personal data was being used.



Date: 04-05-2021

Name: Electrotecnica Bastida S.L.

Sector: Industry and Commerce

Country: Spain

Type: Insufficient technical and organisational measures to ensure information security

Fine: 3,000 EUR

Summary:

The Spanish DPA (AEPD) has fined Electrotecnica Bastida S.L. EUR 3,000. Police officers had found 29 envelopes, each addressed to one of the controller's employees, on a vacant lot in the local industrial area. Two envelopes had already been opened. The envelopes contained results of medical examinations. The AEPD considered this to be a breach of the controller's duty to implement adequate technical and organizational measures to protect the processing of personal data.



Date: 04-05-2021

Name: Kukimbia S.L.

Sector: Industry and Commerce

Country: Spain

Type: Insufficient technical and organisational measures to ensure information security

Fine: 3,000 EUR

Summary:

The Spanish DPA (AEPD) has fined Kukimbia S.L. EUR 3,000. The controller is a company that stores, transports and distributes goods. Documents containing personal data about the controller's customers and suppliers were found freely accessible next to a trash can near one of the controller's warehouses. The DPA determined that the controller had violated Art. 32 GDPR.



Date: 04-06-2021

Name: Promotech Digital S.L.

Sector: Finance, Insurance and Consulting

Country: Spain

Type: Insufficient fulfilment of data subjects' rights

Fine: 2,400 EUR

Summary:

The Spanish DPA (AEPD) has fined Promotech Digital S.L. EUR 2,400 for repeatedly sending the data subject advertising SMS, even though he had never subscribed or agreed to receive SMS. Furthermore, the SMS did not offer a direct option to unsubscribe from the advertising; instead, they referred to the possibility of cancellation by email. Even after the data subject had objected to receiving further SMS, he continued to receive SMS from the controller. The original fine of EUR 3,000 was reduced by 20% to EUR 2,400 due to immediate payment and acknowledgement of guilt.



Date: 04-08-2021

Name: Kutxabank, S.A.

Sector: Finance, Insurance and Consulting

Country: Spain

Type: Insufficient fulfilment of data subjects' rights

Fine: 60,000 EUR

Summary:

The Spanish DPA (AEPD) has imposed a fine of EUR 100,000 on Kutxabank, S.A. Following a complaint from a former customer, who claimed that the bank had not complied with his request for erasure of his data, the DPA started an investigation against the controller. The data subject had been a customer of the bank in the past. At that time, he had exercised his right to erasure of his data. When he tried to open a new account with the controller, he was informed that this was not possible because his data was still blocked (due to his previous erasure request). The controller further informed the data subject that he would have to unblock the data if he wanted to open an account. For this purpose, a form was attached to the letter. The form stated that by signing it, the data subject was revoking his right to erasure and allowing his data to be used (again) by the controller. The DPA found that temporarily blocking the data does not correspond to the right to erasure. The DPA also emphasized that deleted or blocked data may not be processed again when a new contractual relationship is entered into with the controller, even if the new processing purpose is the same as the previous one. The original fine of EUR 100,000 was reduced to EUR 60,000 due to immediate payment and acknowledgement of guilt.



Date: 04-09-2021

Name: Miljø- og Kvalitetsledelse AS

Sector: Industry and Commerce

Country: Norway

Type: Insufficient legal basis for data processing

Fine: 3,400 EUR

Summary:

The Norwegian DPA (Datatilsynet) has imposed a fine of EUR 3,400 on Miljø- og Kvalitetsledelse AS. At one of the carwashes operated by the controller, incidents of vandalism had occurred at the payment terminal. The controller thereupon sent footage of the incident from a surveillance camera to the employer of the alleged vandal. The Norwegian DPA concluded that the sharing of the video footage had taken place without a legal basis and that the controller had thus violated Art. 6 (1) GDPR and Art. 5 (1) a) GDPR. Furthermore, the DPA emphasized that the disclosure of the recordings was not necessary to clarify the incident, as the recordings had already been provided to the police.



Date: 04-13-2021

Name: Vodafone España, S.A.U.

Sector: Media, Telecoms and Broadcasting

Country: Spain

Type: Insufficient legal basis for data processing

Fine: 90,000 EUR

Summary:

The Spanish DPA (AEPD) has imposed a fine of EUR 150,000 on Vodafone España S.A.U. Three data subjects had filed complaints with the AEPD against the controller. They complained about receiving unsolicited text messages from the controller informing them of new invoices, even though there was no longer a contractual relationship between them and the controller. Moreover, there were no outstanding invoices, as the amount to be paid was always zero euros. The data subjects had asked the controller several times to stop sending them text messages and to delete their data. The controller had explained that the messages had been sent due to a technical error and assured the data subjects that they would no longer receive such notifications in the future. However, the sending continued. The original fine of EUR 150,000 was reduced to EUR 90,000 due to immediate payment and admission of guilt.




Date: 04-15-2021

Name: Private Individual

Sector: Individuals and Private Associations

Country: Spain

Type: Non-compliance with general data processing principles

Fine: 3,000 EUR

Summary:

The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on a private individual. The controller resides on the 1st floor of an apartment building and owns apartments on the 2nd and 3rd floors, which he regularly rents out to tourists. The controller had installed four video cameras on the three floors and in the entrance area of the building. He justified their operation with security concerns related to the rental to tourists. The owners' association had not granted permission for the operation of the cameras. Also, the controller had not put up a sign in the building informing residents about the operation of the cameras. The DPA found this to be a violation of the principle of data minimization, as the cameras covered areas of the building used by the community, whose monitoring was not necessary for the protection of the controller's property. Furthermore, the controller violated his obligation to provide information, as he failed to inform the other residents of the building about the processing of their data.



Date: 04-15-2021

Name: S.C. Tip Top Food Industry S.R.L.

Sector: Employment

Country: Romania

Type: Insufficient legal basis for data processing

Fine: 5,000 EUR

Summary:

The Romanian DPA (ANSPDCP) has fined S.C. Tip Top Food Industry S.R.L. EUR 5,000. The controller had installed several video cameras in the food areas and changing rooms to surveil its employees. The CCTV was intended to deter theft and protect the manufactured goods. The Romanian DPA stated that the controller violated the principle of data minimization, as such extensive surveillance was not necessary. The goods produced could have been protected by methods less intrusive to the privacy of the employees.



Date: 04-19-2021

Name: Pub owner

Sector: Accommodation and Hospitality

Country: Spain

Type: Non-compliance with general data processing principles

Fine: 1,500 EUR

Summary:

The Spanish DPA (AEPD) fined the owner of a pub EUR 1,500 due to the unauthorized use of two video surveillance cameras covering parts of the public space.



Date: 04-19-2021

Name: Lugera & Makler Broker S.R.L.

Sector: Finance, Insurance and Consulting

Country: Romania

Type: Insufficient technical and organisational measures to ensure information security

Fine: 1,500 EUR

Summary:

The Romanian DPA (ANSPDCP) has imposed a fine of EUR 1,500 on Lugera & Makler Broker S.R.L. The controller had accidentally destroyed data of customers of Raiffeisen Bank S.A., for which it acted as processor. The ANSPDCP stated that the incident occurred because the controller had not taken sufficient technical and organizational measures to ensure an adequate level of protection for the data processing.



Date: 04-20-2021

Name: Highcliffe Estates Marbella S.L.

Sector: Real Estate

Country: Spain

Type: Insufficient legal basis for data processing

Fine: 8,000 EUR

Summary:

The Spanish DPA (AEPD) has imposed a fine of EUR 8,000 on Highcliffe Estates Marbella S.L. The controller had published a photo of the data subject on its website without his consent.



Date: 04-22-2021

Name: Private Individual

Sector: Individuals and Private Associations

Country: Spain

Type: Non-compliance with general data processing principles

Fine: 1,500 EUR

Summary:

The Spanish DPA (AEPD) has imposed a fine of EUR 1,500 on a private individual. The controller had installed a surveillance camera on his property, which recorded, among other things, the public space and neighboring properties. According to the controller, he had installed the camera for security purposes regarding his property. The AEPD considered this to be a violation of the principle of data minimization, as such extensive monitoring was not necessary to protect the controller's property.



Date: 04-23-2021

Name: Equifax Iberica S.L.

Sector: Finance, Insurance and Consulting

Country: Spain

Type: Insufficient legal basis for data processing

Fine: 1,000,000 EUR

Summary:

The Spanish DPA (AEPD) has imposed a fine of EUR 1,000,000 on Equifax Ibérica, SL. A total of 96 complaints were filed with the DPA against the controller because it had included personal data of individuals associated with alleged debts in the Judicial Claims and Public Entities File ('FIJ') without their consent. In some cases, these data were not even correct. According to the DPA, the processing of the data subjects' personal data involving the FIJ file had been unlawful and violated several principles of data processing (lawfulness and transparency, purpose limitation, data minimization, and accuracy). In addition, the controller had not properly informed the data subjects about the processing of their data, thus violating its duty to inform them.



Date: 04-26-2021

Name: Financial company

Sector: Finance, Insurance and Consulting

Country: Belgium

Type: Insufficient technical and organisational measures to ensure information security

Fine: 100,000 EUR

Summary:

The Belgian DPA (APD) has imposed a fine of EUR 100,000 on a financial company. A data subject had filed two complaints with the APD against the company. They were based on 20 queries of her personal data in the credit register of the National Bank of Belgium. The controller employs the data subject's ex-husband, who allegedly used his role to unlawfully gain access to the register in order to obtain financial information about the data subject and thus gain an advantage in their divorce proceedings. As the DPA noted, the data protection violations occurred because the controller had not taken adequate organizational measures to protect personal data from unauthorized processing.



Date: 04-27-2021

Name: Anytime Fitness Iberia S.L.

Sector: Industry and Commerce

Country: Spain

Type: Insufficient fulfilment of data subjects' rights

Fine: 15,000 EUR

Summary:

The Spanish DPA (AEPD) has imposed a fine of EUR 15,000 on Anytime Fitness Iberia S.L. A data subject had filed a complaint with the AEPD against the controller because the controller continued to send him SMS advertisements, despite the fact that he had requested the deletion of his data and the controller had confirmed the deletion. The fine is composed proportionally of EUR 10,000 for a breach of Art. 17 GDPR and EUR 5,000 for a breach of Art. 21 LSSI.



Date: 04-27-2021

Name: Pagamastarde S.L.

Sector: Finance, Insurance and Consulting

Country: Spain

Type: Insufficient fulfilment of data subjects' rights

Fine: 3,000 EUR

Summary:

The Spanish DPA (AEPD) has imposed a fine of EUR 5,000 on Pagamastarde S.L. A data subject had filed a complaint with the AEPD against the controller because the controller continued to send him SMS advertisements, despite the fact that he had requested the deletion of his data and the controller had confirmed the deletion. The controller stated that the data subject's request had not been fulfilled due to a human error. The fine is composed proportionately of EUR 3,000 for a violation of Art. 17 (1) GDPR and EUR 2,000 for a violation of Art. 21 LSSI. The original fine of EUR 5,000 was reduced to EUR 3,000 due to immediate payment and admission of guilt.

