MAY GDPR Fines and Settlements
Date: 05-04-2021
Name: EDP Comercializadora, S.A.U.
Sector: Transportation and Energy
Country: Spain
Type: Insufficient fulfilment of information obligations
Fine: 1,500,000 EUR
Summary:
The Spanish DPA (AEPD) has imposed a fine of EUR 1,500,000 on EDP Comercializadora, S.A.U. The decision follows, in particular, several complaints received for processing personal data without consent. As the DPA found, the controller had failed to inform data subjects in accordance with Art. 13 GDPR when collecting their data. This involved data subjects not being informed of their rights under Art. 15 GDPR - Art. 22 GDPR, and the contact details of the controller (e.g. its address) being incomplete. Besides, the company's business practice allowed it to conclude contracts with customer representatives instead of with the customers directly. In these cases, however, the data controller did not check whether there was actually an authorization to represent the data subjects. The DPA finds that the controller failed to implement a procedure to verify the authorization of the alleged representatives. The fine is composed proportionately of EUR 1,000,000 for a breach of Art. 13 GDPR and EUR 500,000 for a breach of Art. 25 GDPR.
Date: 05-04-2021
Name: EDP Energía, S.A.U
Sector: Transportation and Energy
Country: Spain
Type: Insufficient fulfilment of information obligations
Fine: 1,500,000 EUR
Summary:
The Spanish DPA (AEPD) has imposed a fine of EUR 1,500,000 on EDP Energía, S.A.U. The decision follows, in particular, several complaints received for processing personal data without consent. As the DPA found, the controller had failed to inform data subjects in accordance with Art. 13 GDPR when collecting their data. This involved data subjects not being informed of their rights under Art. 15 GDPR - Art. 22 GDPR, and the contact details of the controller (e.g. its address) being incomplete. Besides, the company's business practice allowed it to conclude contracts with customer representatives instead of with the customers directly. In these cases, however, the data controller did not check whether there was actually an authorization to represent the data subjects. The DPA finds that the controller failed to implement a procedure to verify the authorization of the alleged representatives. The fine is composed proportionately of EUR 1,000,000 for a breach of Art. 13 GDPR and EUR 500,000 for a breach of Art. 25 GDPR.
Date: 05-05-2021
Name: Disqus Inc.
Sector: Media, Telecoms and Broadcasting
Country: Norway
Type: Insufficient legal basis for data processing
Fine: Only intention to issue fine
Summary:
On May 5, 2021, the Norwegian DPA (Datatilsynet) announced that it intends to fine Disqus Inc. EUR 2,500,000 for violations of Art. 5 (1), (2) GDPR, Art. 6 GDPR, Art. 12 GDPR and Art. 13 GDPR. It is alleged that Disqus unlawfully tracked visitors of Norwegian websites which used the Disqus plugin. Their data was then passed on to third-party advertisers.
Date: 05-07-2021
Name: World Class România S.A.
Sector: Employment
Country: Romania
Type: Insufficient technical and organizational measures to ensure information security
Fine: 2,000 EUR
Summary:
The Romanian DPA (ANSPDCP) has imposed a fine of EUR 2,000 on World Class România S.A. The controller had published the termination letter of an employee in a WhatsApp group used by the controller's employees. As a result, all members of this WhatsApp group were granted unauthorized access to certain personal data of the data subject (surname, first name, address, ID number, information related to the request for termination).
Date: 05-12-2021
Name: Solram T Y R S.L.
Sector: Industry and Commerce
Country: Spain
Type: Insufficient fulfilment of data subjects rights
Fine: 3,000 EUR
Summary:
The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on Solram T Y R S.L. A data subject had filed a complaint with the AEPD against the controller due to the fact that the controller continued to send him advertisements via WhatsApp, despite the fact that he had requested the deletion of his data.
Date: 05-12-2021
Name: A. ΕΠΙΛΟΓΗ ΙΔΙΩΤΙΚΗ ΚΕΦΑΛΑΙΟΥΧΙΚΗ ΕΤΑΙΡΕΙΑ
Sector: Not Assigned
Country: Greece
Type: Non-compliance with general data processing principles
Fine: 5,000 EUR
Summary:
The Hellenic DPA has fined A. ΕΠΙΛΟΓΗ ΙΔΙΩΤΙΚΗ ΚΕΦΑΛΑΙΟΥΧΙΚΗ ΕΤΑΙΡΕΙΑ EUR 5,000. The controller had not responded to requests for information and deletion from the data subject. During the DPA's investigation, the controller informed the DPA that it had deleted the data of the data subject. However, the data subject had not been informed of this. Furthermore, the DPA determined that the data subject's data had been collected for a purpose other than the agreed purpose. A corresponding consent of the data subject for this new processing purpose had not been obtained.
Date: 05-13-2021
Name: Telekom Romania Communications SA
Sector: Media, Telecoms and Broadcasting
Country: Romania
Type: Insufficient fulfilment of data subjects rights
Fine: 2,000 EUR
Summary:
The Romanian DPA (ANSPDCP) has imposed a fine of EUR 2,000 on Telekom Romania Communications SA. The controller had made an advertising call to the data subject although the latter had exercised his right to object to the processing of his personal data for marketing and advertising purposes by requesting the controller to delete his telephone number and email address from the Telekom database.
Date: 05-14-2021
Name: Website operator
Sector: Individuals and Private Associations
Country: Romania
Type: Non-compliance with general data processing principles
Fine: 200 EUR
Summary:
The Romanian DPA (ANSPDCP) has imposed a fine of EUR 200 on the operator of the website declaratieppr.ro. During the COVID-19 pandemic, visitors to the site were able to fill out a form that was required to leave their place of residence. Personal data such as name, address and ID number were collected for this purpose. However, the controller was unable to prove that it was processing the data lawfully. In addition, the controller had not sufficiently informed the data subjects about the processing of the data when collecting their personal data and had not implemented sufficient technical and organizational measures to ensure the security of the data processing.
Date: 05-14-2021
Name: Allianz Compañia de Seguros y Reaseguros, S.A.
Sector: Finance, Insurance and Consulting
Country: Spain
Type: Insufficient legal basis for data processing
Fine: 30,000 EUR
Summary:
The Spanish DPA (AEPD) has fined Allianz Compañia de Seguros y Reaseguros, S.A. EUR 30,000. The controller had sent an invoice to the data subject although no contractual relationship existed. The data subject had concluded a motorcycle insurance policy with the controller in 2016, but had terminated the policy in 2017.
Date: 05-17-2021
Name: Municipal Organization for Pre-School Education and Social Solidarity (DOPAKA) of the municipality of Tavros Moschato
Sector: Individuals and Private Associations
Country: Greece
Type: Insufficient legal basis for data processing
Fine: 10,000 EUR
Summary:
The Hellenic DPA has fined the Municipal Organization for Pre-School Education and Social Solidarity (DOPAKA) of the municipality of Tavros Moschato EUR 10,000. The controller had published documents containing personal data of the data subject without legal basis. The documents contained, besides his name, information about his profession, his place of work and an evaluation of his behavior. The controller also failed to respond to a subsequent deletion request from the data subject. The fine is composed proportionately of EUR 7,000 for a violation of Art. 6 (1) c) GDPR and EUR 3,000 for a violation of Art. 12 (3), (4) GDPR and Art. 17 (1) d) GDPR.
Date: 05-19-2021
Name: Owners Association of Iasi Municipality
Sector: Individuals and Private Associations
Country: Romania
Type: Insufficient cooperation with supervisory authority
Fine: 500 EUR
Summary:
The Romanian DPA (ANSPDCP) has imposed a fine of EUR 500 on Asociație de Proprietari din municipiul Iași (Owners Association of Iasi Municipality). The controller did not provide the DPA with the information it had requested.
Date: 05-19-2021
Name: Banca Comercială Română S.A.
Sector: Finance, Insurance and Consulting
Country: Romania
Type: Insufficient legal basis for data processing
Fine: 2,000 EUR
Summary:
The Romanian DPA (ANSPDCP) has fined Banca Comercială Română S.A. EUR 2,000. A data subject had initiated a complaint with the DPA because the controller had used his personal data in the context of an enforcement procedure for debts arising from a credit agreement of which he was unaware.
Date: 05-20-2021
Name: Municipality of Oslo
Sector: Public Sector and Education
Country: Norway
Type: Insufficient legal basis for data processing
Fine: 39,000 EUR
Summary:
The Norwegian DPA (Datatilsynet) has imposed a fine of EUR 39,000 on the Municipality of Oslo. On a website of the controller a subpoena from the public prosecutor's office concerning the data subject had been published. The subpoena contained, among other things, personal information such as health data. The incident occurred because the subpoena was not originally classified as confidential and accordingly was not exempted from public disclosure. The document was publicly available for five hours before it was removed.
Date: 05-21-2021
Name: Physician
Sector: Health Care
Country: Spain
Type: Insufficient legal basis for data processing
Fine: 3,000 EUR
Summary:
The Spanish DPA (AEPD) has fined a physician EUR 3,000. The controller had left his/her former clinic and started working in a new clinic. The complainant had taken over the controller's former clinic. The purchase agreement explicitly stated that the selling party (the controller) was not allowed to make a copy of the patient's files under any circumstances. Nevertheless, the controller had informed his/her former patients that his/her services could be obtained at his/her new clinic in the future. The AEPD found that the controller had acted not only in breach of contract but also in breach of data protection legislation by contacting the former patients.
Date: 05-25-2021
Name: Managing Director of a company
Sector: Industry and Commerce
Country: Spain
Type: Insufficient fulfilment of information obligations
Fine: 900 EUR
Summary:
The Spanish DPA (AEPD) has imposed a fine of EUR 1,500 on the managing director of a company. A data subject filed a complaint with the AEPD against the controller with whom he had entered into a contract. The fine is based on the fact that the controller had not properly informed the data subject about the processing of his data when collecting it. The AEPD considers this to be a violation of Art. 13 GDPR. The original fine of EUR 1,500 was reduced to EUR 900 due to immediate payment and admission of guilt.
Date: 05-25-2021
Name: Vodafone España, SAU
Sector: Media, Telecoms and Broadcasting
Country: Spain
Type: Insufficient technical and organisational measures to ensure information security
Fine: 100,000 EUR
Summary:
The Spanish DPA (AEPD) has imposed a fine of EUR 100,000 on Vodafone España, S.A.U. A data subject had filed a complaint with the Spanish DPA against the telecommunications company. According to the complaint, the data subject had received an advertising call from a company, which was made on behalf of Vodafone España, S.A.U., although the data subject was registered in the Robinson advertising exclusion list. According to Vodafone's commissioned processor, the advertising call to the data subject had occurred due to an error in the call number filtering system. In the course of its investigation, the DPA found that Vodafone had not established any measures to avoid advertising calls to numbers on the Robinson list. In the present case, Vodafone had not even been aware that the number of the data subject was on the Robinson list, which meant that it was not blocked for the commissioned company.
Date: 05-25-2021
Name: Alava Norte, S.L.
Sector: Industry and Commerce
Country: Spain
Type: Non-compliance with general data processing principles
Fine: 4,000 EUR
Summary:
The Spanish DPA (AEPD) has fined Alava Norte, S.L. EUR 4,000. The controller had installed three 360° video surveillance cameras on the facade of one of its buildings to secure the facility. These also captured parts of the public space. The AEPD considered this to be a violation of the principle of data minimization, as such extensive video surveillance was not necessary to fulfill the purpose of the processing (security of the facility).
Date: 05-25-2021
Name: Desolasol Restauración, S.L.
Sector: Accommodation and Hospitality
Country: Spain
Type: Non-compliance with general data processing principles
Fine: 6,000 EUR
Summary:
The Spanish DPA (AEPD) has fined Desolasol Restauración S.L. EUR 6,000. The data subject had submitted a consumer complaint form to the restaurant because he was unable to converse at the table due to the volume of the music. A copy of the form remained with the controller. Due to an error by a restaurant employee, the copies of the form were given to other guests of the restaurant who were present during the incident.