GDPR fines and notices

The General Data Protection Regulation (GDPR) is a European Union regulation that specifies standards for data protection and electronic privacy in the European Economic Area, and the rights of European citizens to control the processing and distribution of personally identifiable information.

Violators of GDPR may be fined up to €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater. [1] The following is a list of fines and notices issued under the GDPR, including reasoning.

Fines and notices

| Date | Organisation | Amount | Issued by | Reason(s) |
|---|---|---|---|---|
| 2018-10 | Hospital do Barreiro | €400,000 | Portugal (CNPD) | "...based on access policies to databases, which allowed technicians and physicians to consult patients’ clinical files, without proper authorization." [2] |
| 2018-11-21 | Knuddels.de (German social network) | €20,000 | Germany (LfDI) | "...unauthorized access to and disclosure of personal data of around 330,000 users, including passwords and email addresses." [3] |
| 2019-01-21 | Google LLC | €50,000,000 | France (CNIL) | Insufficient transparency, control, and consent over the processing of personal data for the purposes of behavioural advertising. [4] [5] |
| 2019-03-07 | Unnamed bank | €1,560 | Hungary (NAIH) | Failure to erase and correct data at the request of the data subject. [6] |
| 2019-03-07 | Unnamed debt collector | €1,560 | Hungary (NAIH) | Breaching the principles of transparency and data minimisation. [7] |
| 2019-03-15 | Bisnode (business, credit and market information) | €220,000 | Poland (UODO) | Covert scraping of personal data. [8] |
| 2019-03-16 | Lower Silesian Football Association | €13,000 | Poland (UODO) | Listing personal information of 585 referees on its website. [9] |
| 2019-04-04 | Rousseau (participatory democracy platform) | €50,000 | Italy (GPDP) | Failing to protect users' personal data. [10] |
| 2019-05-08 | The Municipality of Bergen | €170,000 | Norway (Datatilsynet) | File with login credentials for 35,000 students and employees found in a public storage area. [11] |
| 2019-05-16 | MisterTango UAB (payment services) | €61,500 | Lithuania (ADA) | Processing more personal data than is necessary for effecting the payment. [12] |
| 2019-05-28 | Unnamed Belgian mayor | €2,000 | Belgium (GBA/APD) | Misuse of personal data collected for local administrative purposes for election campaign purposes. [13] |
| 2019-06 | La Liga | €250,000 | Spain (AEPD) | Poorly disclosing purpose for requesting GPS and microphone permissions within the football league's mobile app. When the app was open, it transmitted the user's location if it detected an acoustic fingerprint embedded within game telecasts. This was used to help pinpoint the locations of venues that may be screening the games from unauthorized feeds. [14] [15] |
| 2019-06-11 | IDDesign A/S (furniture) | DKK 1,500,000 | Denmark (Datatilsynet) | Failure to delete personal data from an older system: processing personal data for a longer time than necessary. [16] |
| 2019-06-18 | Unnamed police officer | €1,400 | Germany (LfDI) | Autonomously processing personal data for non-legal purposes. [17] |
| 2019-06-18 | Sergic (real estate services) | €400,000 | France (CNIL) | Failure to implement appropriate security measures; failure to define appropriate data retention periods for the personal data of unsuccessful rental candidates. [18] |
| 2019-06-18 | Uniontrad Company (translation services) | €20,000 | France (CNIL) | Excessive video surveillance of employees; single, shared password for messaging system; ignoring earlier CNIL order to change practices. [19] |
| 2019-06-24 | EE (telecoms) | £100,000 | UK (ICO) | Sending over 2.5 million direct marketing messages to its customers, without consent. [20] [21] |
| 2019-06-27 | UniCredit Bank Romania | €130,000 | Romania (ANSPDCP) | Failure to implement appropriate technical and organisational measures. [22] [23] |
| 2019-07-08 | British Airways | £183,000,000 | UK (ICO) | Use of poor security arrangements that resulted in a 2018 web skimming attack affecting 500,000 consumers. [24] [25] [26] Was later reduced to £20 million. [27] |
| 2020-10-30 | Marriott International | £18,400,000 | UK (ICO) | Failure to keep millions of customers’ personal data secure. [28] |
| 2019-07-03 | Cathay Pacific | £500,000 | UK (ICO) | Failure to protect the security of its customers’ personal data. Between October 2014 and May 2018 Cathay Pacific’s computer systems lacked appropriate security measures, which led to customers’ personal details being exposed. [29] |
| 2019-07-16 | HagaZiekenhuis | €460,000 | The Netherlands (AP) | Insufficient security of medical records. [30] [31] |
| 2019-07-25 | Active Assurances | €180,000 | France (CNIL) | Failure to implement appropriate security measures. [32] |
| 2019-07-25 | PricewaterhouseCoopers | €150,000 | Greece (HDPA) | Unlawful processing of employee data. [33] |
| 2019-08-21 | Skellefteå High School Board | €20,000 | Sweden (SDPA) | Using facial recognition technology to monitor the attendance of students in school on an invalid legal basis; processing sensitive biometric data unlawfully and failure to do an adequate impact assessment including seeking prior consultation with the Swedish DPA. [34] |
| 2019-??-?? | Unnamed company | €3,135 | Hungary (NAIH) | Infringing a data subject's access rights. [35] |
| 2019-08-12 | Unnamed medical company | €55,000 | Austria (DSB) | Not appointing a DPO, not publishing its contact details or reporting those to the supervisory authority, obligatory consent of data subjects (Art. 7), not providing information (Art. 13, 14), no DPIA despite handling sensitive data (Art. 35). [36] |
| 2019-08-12 | Unnamed online retailer | €7,000 | Latvia (DSI) | Nonconformity with data subjects' rights to erasure and non-cooperation with the supervisory authority. [37] |
| 2019-09-19 | Unnamed retailer | €10,000 | Belgium (GBA/APD) | Demanding an electronic identity card to create a customer loyalty card. [38] |
| 2019-10-17 | Vueling Airlines | €30,000 | Spain (AEPD) | Failing to obtain valid consent to process customer cookies, as per privacy notice. [39] |
| 2019-12-09 | 1&1 Ionos | €9,550,000 | Germany (BfDI) | Insufficient protection of personal data, failing to put “sufficient technical and organizational measures” in place to protect customer data in its call centers. Violation of Article 32 of GDPR. [40] |
| 2019-12-17 | Doorstep Dispensaree | £275,000 | UK (ICO) | "Cavalier attitude to data protection", having left 500,000 patient records in an unsecured location. [41] |
| 2020-01-15 | TIM S.p.A. | €27,800,000 | Italy (GPDP) | Unlawful processing for marketing purposes. [42] |
| 2020-03-10 | Google LLC | SEK 75 M (€7 M) | Sweden (SDPA) | Right-to-be-forgotten violations. [43] |
| 2020-07-06 | BKR | €840,000 | The Netherlands (AP) | Failing to give access to personal data free of charge, failing to provide easy means of accessing the data, putting unreasonable limits on the number of requests per individual. [44] |
| 2020-07-14 | Google LLC (Google Belgium) | €600,000 | Belgium (GBA/APD) | Failure to respect a citizen's right to be forgotten. [45] |
| 2020-10-01 | H&M | €35,300,000 | Germany (HmbBfDI) | Illegal surveillance of several hundred employees. [46] |
| 2020-12-10 | Amazon Europe Core Sarl | €35,000,000 | France (CNIL) | Deposit of cookies without obtaining consent and lack of information provided to users. [47] |
| 2020-12-10 | Google LLC | €60,000,000 | France (CNIL) | Deposit of cookies without obtaining consent, lack of information provided to users and defective "opposition" mechanism. [48] |
| 2020-12-10 | Google Ireland Limited | €40,000,000 | France (CNIL) | Deposit of cookies without obtaining consent, lack of information provided to users and defective "opposition" mechanism. [48] |
| 2021-01-26 | Grindr LLC | NOK 65 M (€6.5 M) | Norway (Datatilsynet) | Sharing special category data without valid consent. [49] |
| 2021-03-10 | Filigrana Comunicación | €8,000 | Spain (AEPD) | Violation of Article 6(1)(a), 6(1)(f), 13 and 14 GDPR by collecting and re-using data from the Andalusian Education Department without a legitimate basis, and not fulfilling their information obligations. |
| 2021-03-17 | Miljø- og Kvalitetsledelse AS | €3,500 (NOK 35,000) | Norway (Datatilsynet) | Violation of Article 6(1) and Article 5(1)(a) of the GDPR by sharing a CCTV recording of a data subject vandalising a property with the data subject's employer, without a legal basis. [50] [51] |
| 2021-03-18 | Air Europa Líneas Aéreas S.A. | €600,000 | Spain (AEPD) | Infringement of Articles 32(1) and 33 GDPR, due to the lack of appropriate technical and organisational measures and of an adequate level of security and due to the delay in the notification of a personal data breach. [52] |
| 2021-03-22 | FURNISHYOURSPACE SL | €3,000 | Spain (AEPD) | Infringing the Spanish Law regulating cookies after an investigation launched due to a complaint referred by the Berlin DPA, for offering unclear information and not giving the option of rejecting the cookies. [53] |
| 2021-03-24 | CP&A B.V. | €15,000 | The Netherlands (AP) | Violation of Article 4(15) GDPR, Article 9 GDPR and Article 32 GDPR by processing the health data of sick employees, and for failing to implement appropriate security measures regarding such processing. [54] [55] |
| 2021-04-07 | Orange Espagne, S.A.U. | €150,000 (reduced to €90,000) | Spain (AEPD) | Violation of Articles 6(1)(a) and 7 GDPR, as well as Article 21(1) LSSI, by sending bulk unsolicited commercial communications without adequately obtaining the consent of the users. [56] [57] |
| 2021-04-14 | Natural person (landlord) | €3,000 | Spain (AEPD) | Violating Articles 5(1)(c) and 13 GDPR in relation to a video surveillance system in an apartment building. [58] |
| 2021-04-15 | Vodafone Espana, S.A.U. | €150,000 (reduced to €90,000) | Spain (AEPD) | Violation of Article 6(1)(a) GDPR by processing personal data without consent or any other legal basis. When imposing the fine, the AEPD took into account: the type of data affected (basic identifiers such as names, surnames, phone number); the relation between the processing and the business activities of the respondent; the previous fines on the same grounds; and the lack of diligence regarding the erasure request. The AEPD finally fined Vodafone €150,000, which was reduced to €90,000 due to the assumption of responsibility and the early payment. [59] [60] |
| 2021-04-22 | Cyfrowy Polsat Spółka Akcyjna | €250,000 | Poland (UODO) | Violation of Articles 24(1) and 32(1) and (2) GDPR by not implementing appropriate technical and organisational measures to ensure the security of personal data when cooperating with a courier company. [61] [62] |
| 2021-05-04 | EDP Comercializadora, S.A.U. | €1,500,000 | Spain (AEPD) | Violation of Articles 6, 13, 22 and 25 GDPR by not providing sufficient information to data subjects, and for not implementing adequate measures to avoid or mitigate risks related to the data processing. [63] [64] |
| 2021-05-04 | EDP ENERGÍA, S.A.U. | €1,500,000 | Spain (AEPD) | Violation of Articles 6, 13, 22 and 25 GDPR by not providing sufficient information to data subjects, and for not implementing adequate measures to avoid or mitigate risks related to the data processing. [65] [66] |
| 2021-05-06 | Owner's association in Iasi | €500 (RON 2,463.30) | Romania (ANSPDCP) | Violation of Articles 58(1)(a), 58(1)(e), 83(5)(e) GDPR as well as of Article 8 of Government Ordinance No 2/2001, by violating the obligation to cooperate with the DPA during an investigation by failing to provide the information requested. [67] [68] |
| 2021-05-11 | PVV (Overijssel) | €7,500 | The Netherlands (AP) | Violation of Articles 4(12), 9(1) GDPR and 33(1) GDPR by unauthorised disclosure of a mailing list containing 101 email addresses, and failing to notify this breach to the DPA. The email addresses constituted special category data revealing political party opinions. [69] [70] |
| 2021-05 | Locatefamily.com | €525,000 | The Netherlands (AP) | Failure to appoint a representative pursuant to Article 27. [71] |
| 2021-06-16 | Amazon Europe Core Sarl | €746,000,000 | Luxembourg (CNPD) | The largest fine for violating GDPR at the time. Related to targeted advertising. [72] [73] |
| 2021-09-02 | WhatsApp Ireland Ltd | €225 M | Ireland | [74] |
| 2021-12-16 | Psykoterapiakeskus Vastaamo | €608,000 | Finland | Failure to protect sensitive medical data. [75] |
| 2022-12-14 | Viking Line | €230,000 | Finland | The Office of the Data Protection Ombudsman's Sanctions Board has imposed an administrative fine on Viking Line Oy Abp for data protection violations related to the processing of its employees' health data. [76] |
| 2023-05-12 | Meta Platforms | €1.2 billion | Ireland | Transferring data from the European Union to the United States without adequate privacy protections. [77] [78] |

References

  1. "L_2016119EN.01000101.xml". eur-lex.europa.eu. Archived from the original on 10 November 2017. Retrieved 28 August 2016.
  2. "Hospital Do Barreiro fined by Comissão Nacional de Protecção de Dados in 400,000 Euro for allowing improper access to clinical files". 24 June 2019. Retrieved 27 June 2019.
  3. "Data Protection Authority of Baden-Württemberg Issues First German Fine Under the GDPR". 23 November 2018. Retrieved 27 June 2019.
  4. Fox, Chris (21 January 2019). "Google hit with £44m GDPR fine". BBC News. Retrieved 14 June 2019.
  5. Porter, Jon (21 January 2019). "Google fined €50 million for GDPR violation in France". The Verge. Retrieved 14 June 2019.
  6. "Hungary fines two companies for GDPR infringement". CMS. 19 March 2019. Retrieved 10 September 2019.
  7. "Hungary fines two companies for GDPR infringement". CMS. 19 March 2019. Retrieved 10 September 2019.
  8. Lomas, Natasha (30 March 2019). "Covert data-scraping on watch as EU DPA lays down 'radical' GDPR red-line". TechCrunch. Retrieved 24 June 2019.
  9. Clark, Sam (17 May 2019). "Polish watchdog issues second GDPR fine". Global Data Review. Retrieved 24 June 2019.
  10. "5Stars defend their digital democracy in face of privacy sanction". Politico. 19 April 2019. Retrieved 27 June 2019.
  11. "Administrative fine of 170.000 € imposed on Bergen Municipality". Datatilsynet. 12 April 2019. Retrieved 24 June 2019.
  12. "First Significant Fine Was Imposed for the Breaches of the General Data Protection Regulation in Lithuania". 21 May 2019. Retrieved 24 June 2019.
  13. Fiten, Bernd (3 June 2019). "First GDPR fine in Belgium: € 2000 imposed on a mayor". Retrieved 24 June 2019.
  14. "LaLiga facing €250k fine for GDPR violations in app used to spy on users". TechRepublic. 12 June 2019. Retrieved 14 June 2019.
  15. Geigner, Timothy (14 June 2019). "La Liga Fined 250K Euros For Using Mobile App To Try To Catch 3rd Party Pirates". Techdirt. Retrieved 14 June 2019.
  16. "Danish DPA set to fine furniture company". 11 June 2019. Retrieved 24 June 2019.
  17. "German Data Protection Authority of Baden-Württemberg fines an employee of a public body". 24 June 2019. Retrieved 26 June 2019.
  18. Lanois, Paul (21 June 2019). "Videosurveillance: CNIL issues fine of 20,000 euros against a small company in France". Fieldfisher. Retrieved 24 June 2019.
  19. Lanois, Paul (21 June 2019). "Videosurveillance: CNIL issues fine of 20,000 euros against a small company in France". Fieldfisher. Retrieved 24 June 2019.
  20. "EE fined £100,000 for unlawful texts". BBC News. 24 June 2019. Retrieved 24 June 2019.
  21. "ICO fines telecoms company EE Limited for sending unlawful text messages". ICO. 24 June 2019. Retrieved 24 June 2019.
  22. "First Fine For The Application Of Gdpr". 4 July 2019. Retrieved 9 July 2019.
  23. "First fine by the Romanian Supervisory Authority". 5 July 2019. Retrieved 9 July 2019.
  24. "British Airways faces record £183m fine for data breach". 8 July 2019. Retrieved 8 July 2019.
  25. Sweney, Mark (8 July 2019). "BA faces £183m fine over passenger data breach". The Guardian. ISSN 0261-3077. Retrieved 8 July 2019.
  26. "UK's ICO fines British Airways a record £183M over GDPR breach that leaked data from 500,000 users". TechCrunch. 8 July 2019. Retrieved 8 July 2019.
  27. "British Airways fined £20m over data breach". BBC News. 16 October 2020. Retrieved 11 July 2022.
  28. "ICO fines Marriott International Inc £18.4million for failing to keep customers' personal data secure". 30 October 2020. Retrieved 25 May 2021.
  29. "International airline fined £500,000 for failing to secure its customers' personal data". 4 March 2020. Retrieved 21 May 2021.
  30. "Haga beboet voor onvoldoende interne beveiliging patiëntendossiers". 16 July 2019. Retrieved 17 July 2019.
  31. "Hague Hospital Fined €460,000 For Not Protecting Patient's Privacy". 16 July 2019. Retrieved 17 July 2019.
  32. Lanois, Paul (25 July 2019). "CNIL issues fine of €280.000 for failure to implement "basic security measures"". Fieldfisher. Retrieved 29 July 2019.
  33. "Exercise of the Hellenic DPA's corrective powers pursuant to the GDPR for selection and application of inappropriate legal basis and violation of the principle of accountability by a company". HDPA. 30 July 2019. Retrieved 5 August 2019.
  34. "Facial recognition in school renders Sweden's first GDPR fine". EDPB. 22 August 2019. Retrieved 3 September 2019.
  35. "First GDPR fine in Hungary for breaching data subject's rights". Lexology. 15 February 2019. Retrieved 10 September 2019.
  36. "Austrian DPA fines controller in the medical sector". EDPB. 12 August 2019. Retrieved 11 September 2019.
  37. "Data State Inspectorate of Latvia imposes a financial penalty of 7000 euros against online retailer". EDPB. 3 September 2019. Retrieved 11 September 2019.
  38. "The Belgian data protection authority imposes a fine of € 10,000". 19 September 2019. Retrieved 2 October 2019.
  39. "The Spanish Data Protection Authority fined the company Vueling for the cookie policy used on its website with 30,000 euros". 17 October 2019. Retrieved 6 November 2019.
  40. "DSGVO-Verstoß: 1&1 muss knapp 10 Millionen Euro Strafe zahlen". 9 December 2019. Retrieved 22 November 2024.
  41. "Pharmacy incurs first ever UK data protection fine worth £275k". Pharmaceutical Journal. 20 December 2019. Retrieved 24 February 2020.
  42. Doslakoska, Wiktoria (11 February 2020). "MARKETING: THE ITALIAN SA FINES TIM EUR 27.8 MILLION". European Data Protection Board. Retrieved 29 March 2021.
  43. Hanselaer, Sarah (11 March 2020). "The Swedish Data Protection Authority imposes administrative fine on Google". European Data Protection Board. Retrieved 29 March 2021.
  44. "National Credit Register (BKR) fined for personal data access charges". Retrieved 14 August 2020.
  45. "Google's failure to respect the "right to be forgotten" results in €600,000 fine". 14 July 2020. Retrieved 10 January 2021.
  46. "H&M fined for breaking GDPR over employee surveillance". BBC News. 5 October 2020. Retrieved 29 March 2021.
  47. "Cookies: financial penalty of 35 million euros imposed on the company AMAZON EUROPE CORE | CNIL". www.cnil.fr. Retrieved 29 March 2021.
  48. "Cookies: financial penalties of 60 million euros against the company GOOGLE LLC and of 40 million euros against the company GOOGLE IRELAND LIMITED | CNIL". www.cnil.fr. Retrieved 29 March 2021.
  49. "Norwegian DPA imposes fine against Grindr LLC". edpb.europa.eu. 21 December 2021. Retrieved 10 January 2022.
  50. "Miljø- og Kvalitetsledelse AS fined". Datatilsynet. Retrieved 27 May 2021.
  51. "Datatilsynet (Norway) - DT-20/01777 - GDPRhub". gdprhub.eu. Retrieved 27 May 2021.
  52. "AEPD - PS/00179/2020 - GDPRhub". gdprhub.eu. Retrieved 27 May 2021.
  53. "AEPD - PS/00126/2020 - GDPRhub". gdprhub.eu. Retrieved 27 May 2021.
  54. "AP sanctions CP&A B.V." (PDF). autoriteitpersoonsgegevens.nl. Retrieved 27 May 2021.
  55. "AP (The Netherlands) - CP&A". gdprhub.eu. Retrieved 27 May 2021.
  56. "AEPD - PS/00089/2021 - GDPRhub". gdprhub.eu. Retrieved 27 May 2021.
  57. "RESOLUCIÓN R/00251/2021 DE TERMINACIÓN DEL PROCEDIMIENTO POR PAGO VOLUNTARIO - ORANGE ESPAGNE, S.A.U. (Spanish)" (PDF). aepd.es. Retrieved 27 May 2021.
  58. "AEPD - PS/00151/2020 - GDPRhub". gdprhub.eu. Retrieved 27 May 2021.
  59. "AEPD - PS/00085/2021 - GDPRhub". gdprhub.eu. Retrieved 27 May 2021.
  60. "RESOLUCIÓN R/00248/2021 DE TERMINACIÓN DEL PROCEDIMIENTO POR PAGO VOLUNTARIO - VODAFONE ESPAÑA, S.A.U. (Spanish)" (PDF). aepd.es. Retrieved 27 May 2021.
  61. "Decyzje Prezesa UODO - UODO". www.uodo.gov.pl (in Polish). Retrieved 27 May 2021.
  62. "UODO (Poland) - DKN.5130.3114.2020 - GDPRhub". gdprhub.eu. Retrieved 27 May 2021.
  63. "AEPD (Spain) - PS/00037/2020 - GDPRhub". gdprhub.eu. Retrieved 27 May 2021.
  64. "RESOLUCIÓN DE PROCEDIMIENTO SANCIONADOR - EDP COMERCIALIZADORA, S.A.U. (Spanish)" (PDF). aepd.es. Retrieved 27 May 2021.
  65. "AEPD (Spain) - PS/00236/2020 - GDPRhub". gdprhub.eu. Retrieved 27 May 2021.
  66. "RESOLUCIÓN DE PROCEDIMIENTO SANCIONADOR - EDP ENERGÍA, S.A.U. (Spanish)" (PDF). aepd.es. Retrieved 27 May 2021.
  67. "ANSPDCP (Romania) - Fine against a Property Owners Association - GDPRhub". gdprhub.eu. Retrieved 27 May 2021.
  68. "Comunicat_Presa_19_/_05_/_2021_1". www.dataprotection.ro. Retrieved 27 May 2021.
  69. "AP (The Netherlands) - PVV Overijssel - GDPRhub". gdprhub.eu. Retrieved 27 May 2021.
  70. "AP sanctions PVV Overijssel (Dutch)" (PDF). autoriteitpersoonsgegevens.nl. Retrieved 27 May 2021.
  71. "Dutch DPA imposes fine of €525,000 on Locatefamily.com for failing to appoint Article 27 EU representative". SME Comply. 13 May 2021. Retrieved 8 February 2023.
  72. "Amazon hit with record EU data privacy fine". Reuters. 30 July 2021. Retrieved 9 August 2021.
  73. "EU hits Amazon with record-breaking $887M GDPR fine over data misuse". TechCrunch. 30 July 2021. Retrieved 9 August 2021.
  74. "Data Protection Commission announces decision in WhatsApp inquiry". dataprotection.ie. 2 September 2021. Retrieved 10 January 2022.
  75. "Psykoterapiakeskus Vastaamolle seuraamusmaksu tietosuojarikkomuksesta". Tietosuojavaltuutetun toimisto. 16 December 2021. Retrieved 16 December 2021.
  76. "Administrative fine on Viking Line for unlawful processing of employees' health data". Tietosuojavaltuutetun toimisto.
  77. Milmo, Dan; O'Carroll, Lisa (22 May 2023). "Facebook owner Meta fined €1.2bn for mishandling user information". TheGuardian.com.
  78. "Data Protection Commission announces conclusion of inquiry into Meta Ireland". Data Protection Commission. 22 May 2023.