July 2021 GDPR Fines and Settlements
Date: 07-01-2021
Name: Unknown
Sector: Not Assigned
Country: Spain
Type: Insufficient legal basis for data processing
Fine: 1,000 EUR
Summary:
The Spanish DPA (AEPD) has imposed a fine of EUR 1,000 on a company, because the controller had used the personal data of a third party in order to obtain a microcredit. The DPA states that the controller lacked a legal basis for the processing and thus violated Art. 6.
Date: 07-01-2021
Name: Private Individual
Sector: Individuals and Private Associations
Country: Spain
Type: Insufficient legal basis for data processing
Fine: 6,000 EUR
Summary:
The Spanish DPA (AEPD) has imposed a fine of Euro 6,000 on a private individual. On July 8, 2020, the DPA became aware of the dissemination on social networks of a video showing images of aggression by a man against a woman, as well as a young male minor intervening in the scene and trying to prevent the aggression that was taking place. However, the faces of the woman and the minor had not been pixelated. The original fine of EUR 10,000 was reduced to EUR 6,000 due to timely payment and admission of guilt.
Date: 07-02-2021
Name: Private Individual
Sector: Individuals and Private Associations
Country: Spain
Type: Insufficient legal basis for data processing
Fine: 1,500 EUR
Summary:
The Spanish DPA (AEPD) has imposed a fine of EUR 1,500 on a private individual. That private individual had published personal data of the data subject on a website without her permission. The data included photos, personal notes and information about the sexual relationship between the controller and the data subject. The DPA finds that the controller processed these data without a valid legal basis and thus violated Art. 6 (1) a) GDPR.
Date: 07-05-2021
Name: IT services company
Sector: Industry and Commerce
Country: Croatia
Type: Insufficient technical and organizational measures to ensure information security
Fine: Unknown
Summary:
A Croatian IT company provides IT services to entities such as mobile operators, banks and state institutions in Croatia, as well as to companies abroad (USA, Great Britain, the Netherlands, etc.), thereby acting as a data processor in relation to personal data. The data controller, a telecommunications company using the services of the IT provider, informed the DPA as well its users of the potential breach of personal data by the IT provider. The incident consisted of a security breach which led to unauthorized access and processing of personal data by hackers and involved personal data of 28,085 respondents.
The incident occurred because the IT provider had not taken the necessary measures to achieve an adequate level of security in accordance with existing and foreseeable risks. The IT provider, as a data processor, was obliged to take appropriate technical security measures in such a way as to ensure the permanent confidentiality of the system, including regular testing, evaluation and assessment of the effectiveness of technical and organizational measures to ensure security of processing. When assessing the appropriate level of security, the IT provider should have taken particular account of the risks of unauthorized disclosure of personal data. Due to failure to take appropriate technical measures for the security of personal data processing, the DPA imposed an administrative fine on the IT provider. The amount of the fine is unknown at the moment. In its decision, the DPA took into account the nature of the IT provider’s business activity, whose role should be to support other entities through opinions and guidelines, proposing solutions for the implementation of web applications, and especially designing and implementing appropriate technical measures
Date: 07-05-2021
Name: Mermaids
Sector: Individuals and Private Associations
Country: United Kingdom
Type: Insufficient technical and organisational measures to ensure information security
Fine: 29,000 EUR
Summary:
The ICO has fined transgender charity, Mermaids, EUR 29,000 for failing to protect the personal data of its users, in breach of Art. 5 (1) f) UK GPDR and Art. 32 (1), (2) UK GDPR. The ICO conducted an investigation after it received a report of a data breach relating to an internal email group. During the investigation, the ICO found that the group was created with insufficiently secure settings, resulting in approximately 780 pages of confidential emails being viewable online for nearly three years. This resulted in personal information, such as names and email addresses, of 550 people being online.
The ICO concludes that Mermaids should have restricted access to its email group and could have considered pseudonymization or encryption to provide additional protection for the personal data. Organizations responsible for personal data must ensure that they take the appropriate technical and organizational measures to ensure the security of personal data.
Date: 07-05-2021
Name: Insurance company
Sector: Finance, Insurance and Consulting
Country: Croatia
Type: Insufficient fulfilment of information obligations
Fine: Unknown
Summary:
The DPA has ex officio, without prior notice, conducted a direct supervision over an insurance company based in Zagreb. Upon inspection of its business facility for carrying out technical inspections and vehicle registration and contracting insurance services, the DPA established that both the business facility and its external surface are under video surveillance. However, the DPA established that the insurance company has failed to provide notice of such surveillance, which is contrary to Art 27 (1) of the Law on the Implementation of GDPR. Namely, data controllers and processors are obliged to indicate that the object and its outer surface are under video surveillance, and such notice must be visible at the latest when entering the perimeter of the recording and must contain all the prescribed information. Due to the breach, the DPA imposed an administrative fine on the insurance company.
Date: 07-06-2021
Name: Marbella Resorts S.L.
Sector: Accommodation and Hospitality
Country: Spain
Type: Insufficient data processing agreement
Fine: 4,200 EUR
Summary:
The Spanish DPA (AEPD) has imposed a fine of EUR 7,000 on Marbella Resorts S.L.. In the case at hand, the data subject had booked a room in the hotel complex of the controller. On the day of the data subject's arrival, a concierge made copies of the data subject's data. However, the concierge was not authorized to do so. He was solely authorized to verify the reservation and then to give the guests the keys to their room.
After providing the controller with his personal data, the data subject discovered that his personal data had been published on a page with online content for adults. In this regard, the DPA found a lack of diligence on the part of the controller in managing the personal data of its customers and thus a violation of Article 28 (3) GDPR. The fine is composed proportionally of EUR 2,000 for a breach of Art. 22(2) LSSI and 5,000 EIR for a breach of Art. 28(3) GDPR. However, the original fine of EUR 7,000 was reduced to EUR 4,200 due to the immediate payment and admission of guilt.
Date: 07-07-2021
Name: Nordbornholms Byggeforretning Aps
Sector: Employment
Country: Denmark
Type: Insufficient legal basis for data processing
Fine: 53,800 EUR
Summary:
The Danish DPA (Datatilsynet) has imposed a fine of EUR 53,800 on Nordbornholms Byggeforretning Aps. In 2018, the DPA was contacted by a data subject who complained that his former employer Nordbornholms Byggeforretning ApS, had disclosed information about him to the company's customers. The controller had emailed two of the company's customers informing them that the former employee had committed crimes in the course of employment and had admitted to committing them, as well as describing in detail the alleged course of events.
According to the DPA, the controller in such a case had a legitimate interest in disclosing information about the former employee's dismissal to its customers and in informing the customers that, as a result, the employee could not enter into any contracts on behalf of the company. However, such a detailed description of the allegations was not necessary and thus unlawful.
Date: 07-07-2021
Name: Homeowners Association
Sector: Real Estate
Country: Spain
Type: Non-compliance with general data processing principles
Fine: 2,000 EUR
Summary:
Usage of CCTV cameras which also captured the public space in violation of the principle of data minimisation.
Date: 07-08-2021
Name: Caixabank S.A
Sector: Finance, Insurance and Consulting
Country: Spain
Type: Insufficient legal basis for data processing
Fine: 50,000 EUR
Summary:
The Spanish DPA (AEPD) has imposed a fine of EUR 50,000 on Caixabank S.A.. A data subject had filed a complaint with the DPA because he had received commercial advertising from the controller, although he had objected to the processing of his data for advertising purposes and the controller had replied that it would comply with this request.
Date: 07-08-2021
Name: Malagatrom S.L.U.
Sector: Industry and Commerce
Country: Spain
Type: Insufficient legal basis for data processing
Fine: 4,000 EUR
Summary:
The Spanish DPA (AEPD) has imposed a fine of EUR 4,000 on Malagatrom S.L.U.. The data subject had purchased a product from the controller via the platform 'Amazon', which was delivered defectively. The data subject then decided to leave a negative review on the controller's store page due to the defective delivery. Thereupon, the controller published personal data of the person concerned, such as his first and last name, address, cell phone number as well as the name of his wife and her cell phone number on the store page of the defendant in the Amazon portal.
Date: 07-08-2021
Name: Pediatrician
Sector: Health Care
Country: Greece
Type: Insufficient fulfilment of data subjects rights
Fine: 5,000 EUR
Summary:
The Hellenic DPA has fined a pediatrician EUR 5,000. A father had asked the controller to view the medical records contained in his child's patient file via email. However, the controller did not comply with this request.
Date: 07-09-2021
Name: Medicals Nordic I/S
Sector: Health Care
Country: Denmark
Type: Non-compliance with general data processing principles
Fine: 80,700 EUR
Summary:
The Danish DPA (Datatilsynet) has fined Medicals Nordic I/S EUR 80,700. In January 2021, the DPA became aware that Medicals Nordic was using WhatsApp to transmit confidential information and health data about citizens being tested in the company's test centres. All employees working in a test centre were invited to a WhatsApp group associated with the test centre.
The members of these WhatsApp groups received all the messages transmitted by other employees in the groups. The employees shared confidential information about citizens to the company's central administration through those WhatsApp groups. This meant that employees who did not have a work-related need to process information - which other employees had to transmit to the central administration - nevertheless received the information, which included, inter alia, personal identity numbers and health data of citizens.
Date: 07-09-2021
Name: Aparcamiento Arcusa S.L.U.
Sector: Industry and Commerce
Country: Spain
Type: Non-compliance with general data processing principles
Fine: 1,500 EUR
Summary:
The Spanish DPA (AEPD) has imposed a fine of EUR 1,500 on Aparcamiento Arcusa S.L.U. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. The fine is made up of EUR 1,000 for a violation of Art. 5 (1) c) GDPR and EUR 500 for a violation of Art. 13 GDPR.
Date: 07-12-2021
Name: Telefónica Móviles España, S.A.U.
Sector: Media, Telecoms and Broadcasting
Country: Spain
Type: Insufficient legal basis for data processing
Fine: 45,000 EUR
Summary:
The Spanish DPA (AEPD) has fined Telefónica Mobiles España, S.A.U. EUR 45,000. A data subject filed a complaint against the controller with the DPA. His complaint was based on the fact that his telephone number and customer profile were used by controller employees to conduct tests in call centers and branches without his consent. As a result, the data subject received 247 unsolicited calls from the controller. The original fine of EUR 75,000 was reduced to EUR 45,000 due to immediate payment and acknowledgement of responsibility.
Date: 07-16-2021
Name: Region of Syddanmark
Sector: Health Care
Country: Denmark
Type: Insufficient technical and organisational measures to ensure information security
Fine: 67,900 EUR
Summary:
The Danish DPA (Datatilsynet) has fined the Region of Syddanmark EUR 67,900 for failing to comply with its obligation as a data controller to implement adequate security measures. The matter came to the attention of the DPA when a citizen complained to the authority in 2020 about the lack of security in the processing of personal data of the citizen's child by the region, and shortly thereafter the region reported the matter to the authority as a personal data breach. The Region of Syddanmark had maintained a database for research and clinical purposes for a period of more than 1.5 years, whereby the database was not adequately secured against unauthorized access. By manipulating URLs, it was possible to gain access to PDF documents stored in the database. This allowed citizens who were registered in the database - and who also had a login to the database - to access the personal data of people registered in the database. The database contained questionnaires with health information on more than 30,000 children receiving psychiatric care.
Date: 07-20-2021
Name: SGAM AG2R LA MONDIALE
Sector: Finance, Insurance and Consulting
Country: France
Type: Non-compliance with general data processing principles
Fine: 1,750,000 EUR
Summary:
The French DPA (CNIL) has fined private insurer SGAM AG2R LA MONDIALE EUR 1,750,000. The CNIL had carried out an inspection at the AG2R LA MONDIALE group in 2019. On this occasion, the CNIL found that the controller kept the data of millions of individuals for an excessive period of time and did not comply with their information obligations in the context of telephone canvassing campaigns.
With regard to the data of prospects, the controller did not comply with the maximum retention period of three years defined in the reference framework and in the Group's processing register. As a result, the controller retained the data of nearly 2,000 customers who had not been in contact with the controller for more than three years, and in some cases five years. In relation to customer data, the controller did not comply with the maximum statutory retention periods stipulated in the Insurance Code and the Commercial Code. In this case, the controller retained the data of more than 2 million customers, some of which were sensitive (health) or specific (banking data), beyond the legally permitted retention periods after the end of the contract.
Date: 07-26-2021
Name: Intersumi S.C.
Sector: Industry and Commerce
Country: Spain
Type: Insufficient fulfilment of information obligations
Fine: 2,000 EUR
Summary:
The Spanish DPA (AEPD) has imposed a fine of EUR 2,000 on Intersumi S.C.. The controller failed to provide an adequate privacy statement on its website.
Date: 07-26-2021
Name: Fincas Miguel García S.L.
Sector: Industry and Commerce
Country: Spain
Type: Insufficient fulfilment of information obligations
Fine: 2,000 EUR
Summary:
The Spanish DPA (AEPD) has fined Fincas Miguel García S.L. in the amount of EUR 2,000. A data subject had filed a complaint against the controller, alleging a breach of Art. 13 GDPR. The DPA found that the information provided to the data subject by the controller did not comply with the provisions of Art. 13 GDPR, as essential aspects were missing, such as information on the purposes of the processing for which the personal data collected are intended and its legal basis, as well as information on the legitimate interests of the controller that justify the processing, the period for which the personal data will be stored and the right to withdraw consent at any time.
Date: 07-26-2021
Name: Monsanto Company
Sector: Industry and Commerce
Country: France
Type: Insufficient fulfilment of information obligations
Fine: 400,000 EUR
Summary:
The French DPA (CNIL) has fined MONSANTO EUR 400,000. In May 2019, several media revealed that MONSANTO was in possession of a file containing the personal data of more than 200 political figures or members of civil society (e.g. journalists, environmental activists, scientists or farmers) likely to influence the debate or public opinion on the renewal of the authorization of glyphosate in Europe. At the same time, the CNIL received seven complaints from data subjects affected by this file. For each of these individuals, the file contained information such as the organization they belonged to, the position they held, their business address, their business phone number, their cell phone number, their business email address, and in some cases their Twitter account.
In addition, CNIL noted that each person was assigned a score from 1 to 5 to evaluate their influence, credibility, and support for Monsanto on various issues. The DPA believes that the company violated the provisions of the GDPR by not informing the data subjects that their data was stored in this file. In addition, the CNIL complained that the company had not given the contractual guarantees that should normally regulate the relationship with a subcontractor. The creation of contact files by stakeholders for lobbying purposes is not illegal in itself. However, CNIL stressed that data subjects nevertheless have the right to be informed of the existence of the file in order to exercise additional rights, in particular the right to object. In addition, the CNIL found that the data collection was carried out by a provider contracted by Monsanto and that Monsanto violated Article 28 of the General Data Protection Regulation by not including in its contracts with the data processor the provisions foreseen in the GDPR, in particular regarding data security.
Date: 07-26-2021
Name: Mercadona S.A.
Sector: Industry and Commerce
Country: Spain
Type: Insufficient legal basis for data processing
Fine: 2,520,000 EUR
Summary:
The Spanish DPA (AEPD) has fined Mercadona S.A. EUR 2,520,000. The controller had installed facial recognition systems in Mercadona stores for the purpose of tracking individuals with criminal convictions or restraining orders. The system captured everyone who entered the stores, including minors and MERCADONA employees. During its investigation, the DPA found numerous privacy violations. For instance, the system violated the principle of data minimization, the principle of necessity and proportionality since the controller could process multiple biometric data - beyond the purpose of the system. In addition, the DPA concluded that Mercadona's privacy impact assessment was deficient as it did not take into account the specific and unique risks to Mercadona's employees posed by data processing through facial recognition systems.
Furthermore, MERCADONA had violated its duty to inform accordingly by not properly providing data subjects with information about the processing of their personal data. The original fine of EUR 3,150,000 consisted of EUR 500,000 due to a violation of Art. 5(1)(c), EUR 2,000,000 due to a violation of Art. 6 and Art. 9 of the GDPR, EUR 100,000 due to a violation of Art. 12 and Art. 13 of the GDPR, EUR 500,000 due to a violation of Art. 25(1) of the GDPR, and EUR 50,000 due to a violation of Art. 35 of the GDPR. The original fine was reduced to EUR 2,250,000 due to voluntary payment.