In 2018, GDPR enforcement actions began trickling out from various EU data protection agencies. We want to give people a way to know who was fined, when, and why. This list focuses on major fines, so the many small fines (in the thousands of euros) that do not make even regional news are not tracked here.
Did we miss one? Let us know at email@example.com.
Last updated: March 29, 2019
2019 GDPR Enforcement Actions
A data processor was fined because it scraped the internet for public contacts and conducted commercial outreach to over 90,000 people, 12,000 of whom objected to unauthorized use of their data.
As a result of a random audit, the company was found to be storing over 9M personal records that it did not need. The fine resulted from the failure to delete this unused contact information.
Google was fined by France’s data regulator, which cited a lack of transparency and consent in advertising personalization, including a pre-checked option to personalize ads.
2018 GDPR Enforcement Actions
Staff at the hospital used bogus accounts to access patient records.
Knuddels reported a data breach, and upon investigation, the local data protection agency determined the site had been storing user passwords in plaintext without hashing. The fine was issued over the data storage practices, not the breach itself.
A local business had a CCTV camera capturing too much public space.
Alpin helps companies discover and manage their SaaS vendors. As part of that effort, we work to track the GDPR compliance status of a large number of vendors. And we stay up-to-date on GDPR news, too.