May GDPR Fines and Settlements

May was a busy month for GDPR enforcement, with supervisory authorities levying many fines on organizations across a variety of sectors for noncompliance.

Date: 05-04-2021

Name: EDP Comercializadora, S.A.U.

Sector: Transportation and Energy

Country: Spain

Type: Insufficient fulfilment of information obligations

Fine: 1,500,000 EUR

Summary:

The Spanish DPA (AEPD) has imposed a fine of EUR 1,500,000 on EDP Comercializadora, S.A.U. The decision follows, in particular, several complaints received about the processing of personal data without consent. As the DPA found, the controller had failed to inform data subjects in accordance with Art. 13 GDPR when collecting their data. This involved data subjects not being informed of their rights under Art. 15 to Art. 22 GDPR, and the contact details of the controller (e.g. its address) being incomplete. In addition, the company's business practice allowed it to conclude contracts with customer representatives instead of with the customers directly. In these cases, however, the data controller did not check whether there was actually an authorization to represent the data subjects. The DPA found that the controller had failed to implement a procedure to verify the authorization of the alleged representatives. The fine is composed proportionately of EUR 1,000,000 for a breach of Art. 13 GDPR and EUR 500,000 for a breach of Art. 25 GDPR.



Date: 05-04-2021

Name: EDP Energía, S.A.U

Sector: Transportation and Energy

Country: Spain

Type: Insufficient fulfilment of information obligations

Fine: 1,500,000 EUR

Summary:

The Spanish DPA (AEPD) has imposed a fine of EUR 1,500,000 on EDP Energía, S.A.U. The decision follows, in particular, several complaints received about the processing of personal data without consent. As the DPA found, the controller had failed to inform data subjects in accordance with Art. 13 GDPR when collecting their data. This involved data subjects not being informed of their rights under Art. 15 to Art. 22 GDPR, and the contact details of the controller (e.g. its address) being incomplete. In addition, the company's business practice allowed it to conclude contracts with customer representatives instead of with the customers directly. In these cases, however, the data controller did not check whether there was actually an authorization to represent the data subjects. The DPA found that the controller had failed to implement a procedure to verify the authorization of the alleged representatives. The fine is composed proportionately of EUR 1,000,000 for a breach of Art. 13 GDPR and EUR 500,000 for a breach of Art. 25 GDPR.



Date: 05-05-2021

Name: Disqus Inc.

Sector: Media, Telecoms and Broadcasting

Country: Norway

Type: Insufficient legal basis for data processing

Fine: Only intention to issue fine

Summary:

On May 5, 2021, the Norwegian DPA (Datatilsynet) announced that it intends to fine Disqus Inc. EUR 2,500,000 for violations of Art. 5 (1), (2) GDPR, Art. 6 GDPR, Art. 12 GDPR and Art. 13 GDPR. It is alleged that Disqus unlawfully tracked visitors to Norwegian websites that used the Disqus plugin. Their data was then passed on to third-party advertisers.



Date: 05-07-2021

Name: World Class România S.A.

Sector: Employment

Country: Romania

Type: Insufficient technical and organizational measures to ensure information security

Fine: 2,000 EUR

Summary:

The Romanian DPA (ANSPDCP) has imposed a fine of EUR 2,000 on World Class România S.A. The controller had published the termination letter of an employee in a WhatsApp group used by the controller's employees. As a result, all members of this WhatsApp group were granted unauthorized access to certain personal data of the data subject (surname, first name, address, ID number, and information related to the request for termination).



Date: 05-12-2021

Name: Solram T Y R S.L.

Sector: Industry and Commerce

Country: Spain

Type: Insufficient fulfilment of data subjects rights

Fine: 3,000 EUR

Summary:

The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on Solram T Y R S.L. A data subject had filed a complaint with the AEPD against the controller because the controller continued to send him advertisements via WhatsApp even though he had requested the deletion of his data.



Date: 05-12-2021

Name: A. ΕΠΙΛΟΓΗ ΙΔΙΩΤΙΚΗ ΚΕΦΑΛΑΙΟΥΧΙΚΗ ΕΤΑΙΡΕΙΑ

Sector: Not Assigned

Country: Greece

Type: Non-compliance with general data processing principles

Fine: 5,000 EUR

Summary:

The Hellenic DPA has fined A. ΕΠΙΛΟΓΗ ΙΔΙΩΤΙΚΗ ΚΕΦΑΛΑΙΟΥΧΙΚΗ ΕΤΑΙΡΕΙΑ EUR 5,000. The controller had not responded to the data subject's requests for information and deletion. During the DPA's investigation, the controller informed the DPA that it had deleted the data subject's data. However, the data subject had not been informed of this. Furthermore, the DPA determined that the data subject's data had been collected for a purpose other than the agreed purpose, and no corresponding consent of the data subject for this new processing purpose had been obtained.



Date: 05-13-2021

Name: Telekom Romania Communications SA

Sector: Media, Telecoms and Broadcasting

Country: Romania

Type: Insufficient fulfilment of data subjects rights

Fine: 2,000 EUR

Summary:

The Romanian DPA (ANSPDCP) has imposed a fine of EUR 2,000 on Telekom Romania Communications SA. The controller had made an advertising call to the data subject although the latter had exercised his right to object to the processing of his personal data for marketing and advertising purposes by requesting the controller to delete his telephone number and email address from the Telekom database.



Date: 05-14-2021

Name: Website operator

Sector: Individuals and Private Associations

Country: Romania

Type: Non-compliance with general data processing principles

Fine: 200 EUR

Summary:

The Romanian DPA (ANSPDCP) has imposed a fine of EUR 200 on the operator of the website declaratieppr.ro. During the COVID-19 pandemic, visitors to the site were able to fill out a form that was required in order to leave their place of residence. Personal data such as name, address and ID number were collected for this purpose. However, the controller was unable to prove that it was processing the data lawfully. In addition, the controller had not sufficiently informed the data subjects about the processing when collecting their personal data and had not implemented sufficient technical and organizational measures to ensure the security of the data processing.



Date: 05-14-2021

Name: Allianz Compañia de Seguros y Reaseguros, S.A.

Sector: Finance, Insurance and Consulting

Country: Spain

Type: Insufficient legal basis for data processing

Fine: 30,000 EUR

Summary:

The Spanish DPA (AEPD) has fined Allianz Compañia de Seguros y Reaseguros, S.A. EUR 30,000. The controller had sent an invoice to the data subject although no contractual relationship existed. The data subject had concluded a motorcycle insurance policy with the controller in 2016, but had terminated the policy in 2017.



Date: 05-17-2021

Name: Municipal Organization for Pre-School Education and Social Solidarity (DOPAKA) of the municipality of Tavros Moschato

Sector: Individuals and Private Associations

Country: Greece

Type: Insufficient legal basis for data processing

Fine: 10,000 EUR

Summary:

The Hellenic DPA has fined the Municipal Organization for Pre-School Education and Social Solidarity (DOPAKA) of the municipality of Tavros Moschato EUR 10,000. The controller had published documents containing personal data of the data subject without a legal basis. The documents contained, besides his name, information about his profession, his place of work and an evaluation of his behavior. The controller also failed to respond to a subsequent deletion request from the data subject. The fine is composed proportionately of EUR 7,000 for a violation of Art. 6 (1) c) GDPR and EUR 3,000 for a violation of Art. 12 (3), (4) GDPR and Art. 17 (1) d) GDPR.



Date: 05-19-2021

Name: Owners Association of Iasi Municipality

Sector: Individuals and Private Associations

Country: Romania

Type: Insufficient cooperation with supervisory authority

Fine: 500 EUR

Summary:

The Romanian DPA (ANSPDCP) has imposed a fine of EUR 500 on Asociație de Proprietari din municipiul Iași (Owners Association of Iasi Municipality). The controller did not provide the DPA with the information it had requested.



Date: 05-19-2021

Name: Banca Comercială Română S.A.

Sector: Finance, Insurance and Consulting

Country: Romania

Type: Insufficient legal basis for data processing

Fine: 2,000 EUR

Summary:

The Romanian DPA (ANSPDCP) has fined Banca Comercială Română S.A. EUR 2,000. A data subject had initiated a complaint with the DPA because the controller had used his personal data in the context of an enforcement procedure for debts arising from a credit agreement of which he was unaware.



Date: 05-20-2021

Name: Municipality of Oslo

Sector: Public Sector and Education

Country: Norway

Type: Insufficient legal basis for data processing

Fine: 39,000 EUR

Summary:

The Norwegian DPA (Datatilsynet) has imposed a fine of EUR 39,000 on the Municipality of Oslo. On a website of the controller a subpoena from the public prosecutor's office concerning the data subject had been published. The subpoena contained, among other things, personal information such as health data. The incident occurred because the subpoena was not originally classified as confidential and accordingly was not exempted from public disclosure. The document was publicly available for five hours before it was removed.



Date: 05-21-2021

Name: Physician

Sector: Health Care

Country: Spain

Type: Insufficient legal basis for data processing

Fine: 3,000 EUR

Summary:

The Spanish DPA (AEPD) has fined a physician EUR 3,000. The controller had left his/her former clinic and started working in a new clinic. The complainant had taken over the controller's former clinic. The purchase agreement explicitly stated that the selling party (the controller) was not allowed to make a copy of the patients' files under any circumstances. Nevertheless, the controller had informed his/her former patients that his/her services could be obtained at his/her new clinic in the future. The AEPD found that, by contacting the former patients, the controller had acted not only in breach of contract but also in breach of data protection legislation.



Date: 05-25-2021

Name: Managing Director of a company

Sector: Industry and Commerce

Country: Spain

Type: Insufficient fulfilment of information obligations

Fine: 900 EUR

Summary:

The Spanish DPA (AEPD) has imposed a fine of EUR 1,500 on the managing director of a company. A data subject filed a complaint with the AEPD against the controller with whom he had entered into a contract. The fine is based on the fact that the controller had not properly informed the data subject about the processing of his data when collecting it. The AEPD considers this to be a violation of Art. 13 GDPR. The original fine of EUR 1,500 was reduced to EUR 900 due to immediate payment and admission of guilt.



Date: 05-25-2021

Name: Vodafone España, SAU

Sector: Media, Telecoms and Broadcasting

Country: Spain

Type: Insufficient technical and organisational measures to ensure information security

Fine: 100,000 EUR

Summary:

The Spanish DPA (AEPD) has imposed a fine of EUR 100,000 on Vodafone España, S.A.U. A data subject had filed a complaint with the Spanish DPA against the telecommunications company. According to the complaint, the data subject had received an advertising call from a company acting on behalf of Vodafone España, S.A.U., although the data subject was registered in the Robinson advertising exclusion list. According to Vodafone's commissioned processor, the advertising call to the data subject had occurred due to an error in the call number filtering system. In the course of its investigation, the DPA found that Vodafone had not established any measures to avoid advertising calls to numbers on the Robinson list. In the present case, Vodafone had not even been aware that the data subject's number was on the Robinson list, which meant that it was not blocked for the commissioned company.



Date: 05-25-2021

Name: Alava Norte, S.L.

Sector: Industry and Commerce

Country: Spain

Type: Non-compliance with general data processing principles

Fine: 4,000 EUR

Summary:

The Spanish DPA (AEPD) has fined Alava Norte, S.L. EUR 4,000. The controller had installed three 360° video surveillance cameras on the facade of one of its buildings to secure the facility. These also captured parts of the public space. The AEPD considered this to be a violation of the principle of data minimization, as such extensive video surveillance was not necessary to fulfill the purpose of the processing (security of the facility).



Date: 05-25-2021

Name: Desolasol Restauración, S.L.

Sector: Accommodation and Hospitality

Country: Spain

Type: Non-compliance with general data processing principles

Fine: 6,000 EUR

Summary:

The Spanish DPA (AEPD) has fined Desolasol Restauración, S.L. EUR 6,000. The data subject had submitted a consumer complaint form to the restaurant because he was unable to converse at the table due to the volume of the music. A copy of the form remained with the controller. Due to an error by a restaurant employee, copies of the form were given to other guests of the restaurant who were present during the incident.
