June 2021 GDPR Fines and Settlements

June was a busy month for fines and settlements under the GDPR.

Date: 06-02-2021

Name: Avalos Consultores, S.L.

Sector: Finance, Insurance and Consulting

Country: Spain

Type: Insufficient legal basis for data processing

Fine: 4,000 EUR

Summary:

The Spanish DPA (AEPD) has imposed a fine of EUR 4,000 on Avalos Consultores, S.L. The data subject, who was a client of the controller, filed a complaint with the AEPD because the controller had transferred her personal data to the agency Torrent Asesores Nga, S.L. without her consent.


Date: 06-03-2021

Name: PURPLE SEA MΟΝΟΠΡΟΣΩΠΗ ΙΚΕ

Sector: Not Assigned

Country: Greece

Type: Non-compliance with general data processing principles

Fine: 15,000 EUR

Summary:

The Hellenic DPA has fined PURPLE SEA MΟΝΟΠΡΟΣΩΠΗ ΙΚΕ EUR 15,000 due to the illegal installation and operation of a video surveillance system. The controller had installed a video surveillance system in the office premises without informing the employees about it, thus violating the principles of legality, fairness, transparency, purpose limitation and accountability.


Date: 06-04-2021

Name: Creator Energy S.L.

Sector: Transportation and Energy

Country: Spain

Type: Insufficient legal basis for data processing

Fine: 6,000 EUR

Summary:

The Spanish DPA (AEPD) has imposed a fine of EUR 6,000 on Creator Energy S.L. The controller had used the personal data of the data subject without his consent to conclude contracts for gas and electricity supplies and a maintenance service.


Date: 06-07-2021

Name: Master Distancia S.A.

Sector: Public Sector and Education

Country: Spain

Type: Insufficient legal basis for data processing

Fine: 20,000 EUR

Summary:

The Spanish DPA (AEPD) has imposed a fine of EUR 25,000 on Master Distancia S.A. The controller had included personal data of the data subject in a credit report register without sufficient legal basis. The controller justified this with alleged debts the data subject had with the controller. In fact, however, the parties were still in arbitration. Accordingly, the controller had no authorization to include the data subject's data in the register. The original fine of EUR 25,000 was reduced to EUR 20,000 due to immediate payment.


Date: 06-07-2021

Name: Radiotelevisión del principado de Asturias

Sector: Employment

Country: Spain

Type: Non-compliance with general data processing principles

Fine: 19,600 EUR

Summary:

The Spanish DPA (AEPD) has imposed a fine of EUR 26,000 on Radiotelevisión del principado de Asturias. The fine consists of EUR 20,000 for a violation of Art. 5 (1) c) GDPR and EUR 6,000 for a violation of Art. 12 GDPR. The fine was based on the fact that the controller had installed a video surveillance system of 14 cameras monitoring the business premises. The controller stated that the cameras were installed to secure the premises. However, the cameras captured the employees' offices in a way that was not necessary for this purpose; for example, one camera also captured a considerable part of the employees' recreation room. The DPA considered this a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of their data by the video surveillance and thus violated its duty to inform. The fine was reduced to EUR 19,600 due to timely payment and admission of guilt.


Date: 06-07-2021

Name: Region Sörmland

Sector: Health Care

Country: Sweden

Type: Insufficient fulfilment of information obligations

Fine: 25,000 EUR

Summary:

The Swedish DPA has imposed a fine of EUR 25,000 on Region Sörmland. The fine is related to an investigation against three companies and three Swedish regions. In all 21 regions of Sweden, a telephone hotline that offers advice on various health-related topics can be reached by dialing 1177. Each region operates its own health advice service, either internally or through contracted subcontractors, but together they form a national network. In 2019, the media reported that recorded calls to the 1177 helpline were available on a web server without password protection or other security measures. All calls to the 1177 number initially went to the company Inera, which managed and developed the shared systems. Calls to the number 1177 from people living in the Stockholm, Sörmland and Värmland regions were put through by Inera to Medhelp AB, which took the calls. Medhelp had in turn contracted the Thai company Medicall Co Ltd. to take calls on weekends and at night.


Both Medhelp and Medicall had a contract with the technology company Voice Integrate Nordic AB for, among other things, call recordings. A data breach had then occurred in which recordings of calls to the number 1177 were available on the Internet on a storage server belonging to Voice Integrate. The incident resulted from the misconfiguration of a network-attached storage device that was publicly accessible over the Internet and did not use encrypted communications. A large number of calls were accessed due to the vulnerability. The DPA imposed the fine on Region Sörmland for collecting call data from data subjects without first properly informing them of its processing.


Date: 06-07-2021

Name: Region Värmland

Sector: Health Care

Country: Sweden

Type: Insufficient fulfilment of information obligations

Fine: 25,000 EUR

Summary:

The Swedish DPA has imposed a fine of EUR 25,000 on Region Sörmland. The fine is related to an investigation against three companies and three Swedish regions. In all 21 regions of Sweden, a telephone hotline that offers advice on various health-related topics can be reached by dialing 1177. Each region operates its own health advice service, either internally or through contracted subcontractors, but together they form a national network. In 2019, the media reported that recorded calls to the 1177 helpline were available on a web server without password protection or other security measures. All calls to the 1177 number initially went to the company Inera, which managed and developed the shared systems. Calls to the number 1177 from people living in the Stockholm, Sörmland and Värmland regions were put through by Inera to Medhelp AB, which took the calls. Medhelp had in turn contracted the Thai company Medicall Co Ltd. to take calls on weekends and at night.


Both Medhelp and Medicall had a contract with the technology company Voice Integrate Nordic AB for, among other things, call recordings. A data breach had then occurred in which recordings of calls to the number 1177 were available on the Internet on a storage server belonging to Voice Integrate. The incident resulted from the misconfiguration of a network-attached storage device that was publicly accessible over the Internet and did not use encrypted communications. A large number of calls were accessed due to the vulnerability. The DPA imposed the fine on Region Sörmland for collecting call data from data subjects without first properly informing them of its processing.


Date: 06-07-2021

Name: Region Stockholm

Sector: Health Care

Country: Sweden

Type: Insufficient fulfilment of information obligations

Fine: 25,000 EUR

Summary:

The Swedish DPA has imposed a fine of EUR 25,000 on Region Sörmland. The fine is related to an investigation against three companies and three Swedish regions. In all 21 regions of Sweden, a telephone hotline that offers advice on various health-related topics can be reached by dialing 1177. Each region operates its own health advice service, either internally or through contracted subcontractors, but together they form a national network. In 2019, the media reported that recorded calls to the 1177 helpline were available on a web server without password protection or other security measures. All calls to the 1177 number initially went to the company Inera, which managed and developed the shared systems. Calls to the number 1177 from people living in the Stockholm, Sörmland and Värmland regions were put through by Inera to Medhelp AB, which took the calls. Medhelp had in turn contracted the Thai company Medicall Co Ltd. to take calls on weekends and at night.


Both Medhelp and Medicall had a contract with the technology company Voice Integrate Nordic AB for, among other things, call recordings. A data breach had then occurred in which recordings of calls to the number 1177 were available on the Internet on a storage server belonging to Voice Integrate. The incident resulted from the misconfiguration of a network-attached storage device that was publicly accessible over the Internet and did not use encrypted communications. A large number of calls were accessed due to the vulnerability. The DPA imposed the fine on Region Sörmland for collecting call data from data subjects without first properly informing them of its processing.


Date: 06-07-2021

Name: MedHelp AB

Sector: Health Care

Country: Sweden

Type: Non-compliance with general data processing principles

Fine: 1,200,000 EUR

Summary:

The Swedish DPA has imposed a fine of EUR 1,200,000 on MedHelp AB. The fine is related to an investigation against three companies and three Swedish regions. In all 21 regions of Sweden, a telephone hotline that offers advice on various health-related topics can be reached by dialing 1177. Each region operates its own health advice service, either internally or through contracted subcontractors, but together they form a national network. In 2019, the media reported that recorded calls to the 1177 helpline were available on a web server without password protection or other security measures. All calls to the 1177 number initially went to the company Inera, which managed and developed the shared systems. Calls to the number 1177 from people living in the Stockholm, Sörmland and Värmland regions were put through by Inera to Medhelp AB, which took the calls. Medhelp had in turn contracted the Thai company Medicall Co Ltd. to take calls on weekends and at night.


Both Medhelp and Medicall had a contract with the technology company Voice Integrate Nordic AB for, among other things, call recordings. A data breach had then occurred in which recordings of calls to the number 1177 were available on the Internet on a storage server belonging to Voice Integrate. The incident resulted from the misconfiguration of a network-attached storage device that was publicly accessible over the Internet and did not use encrypted communications. A large number of calls were accessed due to the vulnerability. The Swedish DPA found that MedHelp had failed to take appropriate technical and organizational measures to ensure a level of security adequate to protect personal data from access by unauthorized persons. Similarly, MedHelp had failed to properly inform callers about the processing of their personal data in accordance with Art. 13 GDPR. In addition, the DPA found the outsourcing of the processing of personal data to Medicall to be a breach of the legality principle set out in the GDPR, because Medicall is not covered by Swedish health and medical legislation and is therefore not subject to the legally regulated confidentiality obligation that applies in the Swedish healthcare sector.


Date: 06-07-2021

Name: Voice Integrate Nordic AB

Sector: Health Care

Country: Sweden

Type: Insufficient technical and organisational measures to ensure information security

Fine: 64,500 EUR

Summary:

The Swedish DPA has imposed a fine of EUR 64,500 on Voice Integrate Nordic AB. The fine is related to an investigation against three companies and three Swedish regions. In all 21 regions of Sweden, a telephone hotline that offers advice on various health-related topics can be reached by dialing 1177. Each region operates its own health advice service, either internally or through contracted subcontractors, but together they form a national network. In 2019, the media reported that recorded calls to the 1177 helpline were available on a web server without password protection or other security measures. All calls to the 1177 number initially went to the company Inera, which managed and developed the shared systems. Calls to the number 1177 from people living in the Stockholm, Sörmland and Värmland regions were put through by Inera to Medhelp AB, which took the calls. Medhelp had in turn contracted the Thai company Medicall Co Ltd. to take calls on weekends and at night.


Both Medhelp and Medicall had a contract with the technology company Voice Integrate Nordic AB for, among other things, call recordings. A data breach had then occurred in which recordings of calls to the number 1177 were available on the Internet on a storage server belonging to Voice Integrate. The incident resulted from the misconfiguration of a network-attached storage device that was publicly accessible over the Internet and did not use encrypted communications. A large number of calls were accessed due to the vulnerability. The Swedish DPA found that Voice Integrate had failed to take appropriate technical and organizational measures to ensure a level of security adequate to protect personal data from access by unauthorized persons.


Date: 06-09-2021

Name: S.C. Dreamtime Call S.R.L.

Sector: Not Assigned

Country: Romania

Type: Insufficient cooperation with supervisory authority

Fine: 2,000 EUR

Summary:

The Romanian DPA (ANSPDCP) has fined S.C. Dreamtime Call S.R.L. EUR 2,000 for failing to provide information requested by the DPA during an investigation.


Date: 06-09-2021

Name: Directorate of the Östra Skaraborg Rescue Service

Sector: Employment

Country: Sweden

Type: Non-compliance with general data processing principles

Fine: 34,800 EUR

Summary:

The Swedish DPA has imposed a fine of EUR 34,800 on the Directorate of the Östra Skaraborg Rescue Service. The DPA had received information that several fire stations in Östra Skaraborg operated surveillance cameras that filmed areas where firefighters were changing during an emergency, whereupon it initiated a review of the camera surveillance. The video surveillance was taking place around the clock, although the controller itself stated that video surveillance was only required in case of emergency alarms. The DPA concluded that the 24/7 monitoring was too far-reaching, but noted that the controller had weighty reasons for the camera surveillance; however, it should be limited to emergency cases. The fine is composed proportionally of EUR 29,800 for a violation of Art. 5 (1) a), c) GDPR and EUR 5,000 for a violation of Art. 32 (1), (4) GDPR.


Date: 06-09-2021

Name: La Santrade S.R.L.

Sector: Not Assigned

Country: Romania

Type: Insufficient cooperation with supervisory authority

Fine: 2,000 EUR

Summary:

The Romanian DPA (ANSPDCP) has fined La Santrade S.R.L. EUR 2,000 for failing to provide information requested by the DPA during an investigation.



Date: 06-14-2021

Name: Inmopiso Zaragoza S.L.

Sector: Real Estate

Country: Spain

Type: Insufficient fulfilment of information obligations

Fine: 1,200 EUR

Summary:

The Spanish DPA (AEPD) fined the controller because it failed to provide accurate information about the data collection in accordance with Art. 13 GDPR. The original fine of EUR 2,000 was reduced to EUR 1,200 due to immediate payment and admission of guilt.


Date: 06-14-2021

Name: BRICO PRIVÉ

Sector: Industry and Commerce

Country: France

Type: Non-compliance with general data processing principles

Fine: 500,000 EUR

Summary:

The French DPA (CNIL) has imposed a fine of EUR 500,000 on BRICO PRIVÉ. CNIL conducted three inspections at BRICO PRIVÉ between 2018 and 2021 and identified several deficiencies in the processing of personal data of prospects and customers. The controller, for example, had not complied with the data retention periods it had itself established: the data of more than 16,000 customers who had not placed an order in the last five years had been retained, as had the data of more than 130,000 people who had not logged into their customer accounts for five years. In addition, the controller violated its information obligations under Art. 13 GDPR and failed to fully comply with the deletion requests it received. The CNIL also found that the controller did not implement sufficient technical and organizational measures to ensure information security; for example, it did not require a secure password when an account was opened on the company's website or when employees accessed the customer relationship management software. The fine is composed proportionately of EUR 300,000 for violations of Art. 5(1) e) GDPR, Art. 13 GDPR, Art. 17 GDPR and Art. 32 GDPR and EUR 200,000 for violations of Art. 82 Loi informatique et libertés and Art. L. 34-5 CPCE.


Date: 06-16-2021

Name: Vejle Municipality

Sector: Public Sector and Education

Country: Denmark

Type: Insufficient technical and organisational measures to ensure information security

Fine: 27,000 EUR

Summary:

The Danish DPA (Datatilsynet) has imposed a fine of EUR 27,000 on Vejle Municipality. The Danish DPA had started investigations against the municipality after it had reported a data breach pursuant to Art. 33 GDPR. As part of the treatment of children, the municipal dental care service had sent automated welcome letters to both parents, and each letter contained the contact details of both parents. The municipality had not checked whether it was permitted to pass this information on to the other parent. In several cases, parents thus received the address of the other parent, regardless of whether that parent had name and address protection. The DPA considered this a failure of the municipality to take technical and organizational measures to ensure adequate data protection.


Date: 06-21-2021

Name: UAB VS FITNESS

Sector: Industry and Commerce

Country: Lithuania

Type: Non-compliance with general data processing principles

Fine: 20,000 EUR

Summary:

The Lithuanian DPA (VDAI) has imposed a fine of EUR 20,000 on UAB VS FITNESS. After receiving a notification from an individual stating that scanning a fingerprint was necessary to use the services of a sports club owned by the controller, the DPA started an investigation against the controller. The DPA's review found that the consent given by customers to have their fingerprint patterns processed was not voluntary as there were no other identification measures. In addition, the DPA found that the controller also unlawfully processed employees' fingerprints. The controller also failed to set out for what purpose and on what legal basis it processed the employees' biometric data. It also did not conduct a data protection impact assessment and did not demonstrate the necessity and proportionality of the processing of the employees' fingerprints. Furthermore, the DPA finds that the controller did not comply with its information obligations pursuant to Art. 13 GDPR.


Date: 06-21-2021

Name: Storstockholms Lokaltrafik

Sector: Transportation and Energy

Country: Sweden

Type: Insufficient legal basis for data processing

Fine: 1,600,000 EUR

Summary:

The Swedish DPA has fined Storstockholms Lokaltrafik (Stockholm Local Transport Company) EUR 1,600,000. The controller had equipped ticket inspectors with body-worn cameras, which were designed to prevent threatening situations, document incidents, and ensure that the right person was fined for traveling on Stockholm's public transportation without a valid ticket. Ticket inspectors were required to keep the camera on for their entire shift and were therefore able to film all passengers who passed the inspector. Since several hundred thousand people use public transportation in Stockholm every day, a large number of people were thus at risk of being monitored by video and audio recordings. The DPA believes that body-worn camera technology could be used to prevent and document threatening situations, but that the pre-recording time should be reduced to a maximum of 15 seconds, as a longer pre-recording time is not necessary to achieve the above-mentioned purposes.


Furthermore, the DPA found that audio recordings did not contribute to the identification of persons without a valid ticket. The DPA therefore considered the audio recordings to be a violation of the principles of legality and transparency as well as data minimization. The DPA also criticized the controller for not providing sufficient information about the camera surveillance, including the fact that not only images but also sounds were recorded.


Date: 06-22-2021

Name: Unknown

Sector: Employment

Country: Norway

Type: Insufficient legal basis for data processing

Fine: 24,800 EUR

Summary:

The Norwegian DPA (Datatilsynet) has imposed a fine of EUR 14,800 on a company. The background to the case is a complaint by a former employee who learned that the company's managing director logged into the complainant's email inbox on a daily basis for a period of six weeks after the former employee's employment was terminated. In total, the managing director had access to the account for a period of five months. The process had been justified by business requirements (e.g., processing customer inquiries). However, the DPA found that the controller lacked a legal basis for such access to the data subject's e-mail account. In addition, the DPA concluded that the controller had breached its information obligations under Art. 13 GDPR, its obligation to delete the contents of the data subject's e-mail account under Art. 17 GDPR and its obligation to consider the complainant's objection under Art. 21 GDPR.


Date: 06-22-2021

Name: TNT EXPRESS WORLDWIDE SPAIN, S.L.

Sector: Industry and Commerce

Country: Spain

Type: Non-compliance with general data processing principles

Fine: 10,000 EUR

Summary:

The Spanish DPA (AEPD) has imposed a fine of EUR 10,000 on TNT EXPRESS WORLDWIDE SPAIN, S.L. The data subject had placed a private order with the controller and had entered the address of his workplace as the delivery address. The parcel was correctly delivered, but the invoice was issued to the company where the data subject was employed rather than to the data subject. Both the invoice and the delivery note contained various personal data of the data subject, which were thus disclosed to his employer.

