In 2018, GDPR enforcement actions began trickling out from the various EU data protection authorities. We want to give people a way to know who was fined, when, and why. This list focuses on major fines; the many small fines (in the thousands of euros) that do not make even regional news are not tracked here.
Did we miss one? Let us know at firstname.lastname@example.org.
Major fine count:
- 2018: 3
- 2019: 9
- Total: 12
Major fine total in Euros (approximate due to currency conversion):
- 2018: € 424,800
- 2019: € 358,780,500
- Total: € 359,205,300
Last updated: August 5, 2019 | Read this article in French.
2019 GDPR Enforcement Actions
After acquiring its competitor Starwood, Marriott discovered that Starwood's central reservation database had been compromised. The exposed data included about 5 million unencrypted passport numbers and roughly 8 million payment card records. The attackers had access from 2014 until the intrusion was found in 2018, and the breach affected about 30 million EU residents.
A Dutch hospital was fined for insufficient logging and access controls on patient records. In one instance, 197 employees had looked at a single Dutch celebrity's medical file.
Following an attack on British Airways' website, about 500,000 customer records were extracted by a malicious third party. The UK's data protection authority, the ICO, found that the site was compromised because of poor security arrangements. The proposed penalty would be the largest GDPR fine to date.
One fine was reported by some outlets in July, but it was actually issued in June. See Sergic in France under June, 2019 below.
La Liga is accused of using its smartphone application to detect piracy. The app turned on users' microphones to listen for the sound of a match and, combined with geolocation, matched what it heard against pirated streams. La Liga used the information to sue 600 bars for showing pirated games.
The company's website let a visitor view other individuals' files simply by changing an identifier in the URL, exposing ID cards, tax notices, and other sensitive documents. The missing authentication check on those document URLs resulted in the fine.
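The failure described above is an insecure direct object reference: the server trusts the identifier in the URL and never checks who is asking. The Python below is an added example, not code from the fined company, with constructed users and documents; the vulnerable handler is shown next to a hardened one that first authenticates the caller and then authorizes against the record's owner.

```python
"""Insecure direct object reference (IDOR) on a document download URL,
shown beside the fixed handler. Added example with constructed data;
not code from the company described on this page."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Document:
    doc_id: str
    owner: str        # account that uploaded the file
    kind: str         # e.g. "id_card", "tax_notice"
    body: bytes


# Constructed sample store: sequential IDs, as on the vulnerable site.
DOCUMENTS: Dict[str, Document] = {
    "1001": Document("1001", "alice", "tax_notice", b"<alice tax notice>"),
    "1002": Document("1002", "bob", "id_card", b"<bob id card scan>"),
}


def handle_download_insecure(doc_id: str) -> Tuple[int, bytes]:
    """Vulnerable handler for GET /documents/<doc_id>.
    It looks the file up by the URL parameter alone, so any visitor who
    increments the number reads another customer's file."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return 404, b""
    return 200, doc.body


def handle_download(session_user: Optional[str], doc_id: str) -> Tuple[int, bytes]:
    """Hardened handler: require an authenticated session, then check that
    the record belongs to that user. A missing record and someone else's
    record both return 404 so the endpoint does not confirm which IDs exist."""
    if session_user is None:
        return 401, b""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != session_user:
        return 404, b""
    return 200, doc.body


def new_document_id() -> str:
    """Defence in depth: random, unguessable IDs stop casual enumeration.
    They are not a substitute for the owner check in handle_download."""
    return secrets.token_urlsafe(16)
```

Exercising both handlers shows the difference: `handle_download_insecure("1002")` hands bob's scan to anyone, while `handle_download("alice", "1002")` returns 404 and `handle_download(None, "1001")` returns 401. Unguessable IDs from `new_document_id` only raise the cost of enumeration; the per-request owner check is the actual fix.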
MisterTango accidentally exposed a web page listing consumer payments and payment details, including personal information; the page was exposed for two days. The resulting investigation found that the company collected more data than it needed and kept it for too long. The Lithuanian data protection authority also cited the company for having a single employee implement and maintain all of its IT infrastructure.
A data processor was fined for scraping the internet for publicly listed contacts and conducting commercial outreach to more than 90,000 people, 12,000 of whom objected to the unauthorized use of their data.
As a result of a random audit, the company was found to be holding more than 9 million personal records that it no longer needed. The fine was issued for failing to delete this unused contact information.
Google was fined by France's data regulator, the CNIL, which cited a lack of transparency and valid consent in advertising personalization, including a pre-checked option to personalize ads.
2018 GDPR Enforcement Actions
Staff at the hospital used bogus accounts to access patient records.
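Both the Dutch hospital fine above (197 employees viewing one celebrity's file) and this one (bogus accounts reading patient records) are the kind of misuse that routine review of the access log surfaces. The Python below is an added example, not either hospital's own tooling: it parses constructed audit-log lines in a made-up `key=value` format, flags any patient record viewed by an unusually large number of distinct accounts, and flags accesses by accounts that are not on the staff roster.

```python
"""Review of an EHR access log for two warning signs: one patient record
read by many distinct accounts, and reads by accounts not on the staff
roster. Added example with a constructed log format; not the tooling of
either hospital described on this page."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Constructed log format (an assumption for this example):
#   <ISO timestamp> user=<account> patient=<record id> action=<verb>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+patient=(?P<patient>\S+)\s+action=(?P<action>\S+)$"
)

# Constructed sample: P-778 is the widely viewed record, x_temp9 a bogus account.
SAMPLE_LOG = """\
2019-03-01T08:00:01Z user=j.smith patient=P-101 action=view
2019-03-01T08:02:11Z user=j.smith patient=P-778 action=view
2019-03-01T08:03:40Z user=m.jones patient=P-778 action=view
2019-03-01T08:04:02Z user=r.lee patient=P-778 action=view
2019-03-01T08:05:55Z user=a.khan patient=P-778 action=view
2019-03-01T08:09:12Z user=x_temp9 patient=P-778 action=view
2019-03-01T08:10:30Z user=x_temp9 patient=P-102 action=view
2019-03-01T09:00:00Z user=m.jones patient=P-101 action=update
"""

# Constructed roster of active staff accounts (would come from HR / IdM).
STAFF_ROSTER: Set[str] = {"j.smith", "m.jones", "r.lee", "a.khan"}


def parse_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse log lines into dicts; blank and malformed lines are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def crowded_records(events: List[Dict[str, str]], max_distinct_viewers: int) -> Dict[str, int]:
    """Patient records touched by more distinct accounts than the threshold.
    Returns {patient_id: number_of_distinct_accounts}."""
    viewers: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        viewers[e["patient"]].add(e["user"])
    return {p: len(u) for p, u in viewers.items() if len(u) > max_distinct_viewers}


def unknown_accounts(events: List[Dict[str, str]], roster: Set[str]) -> Dict[str, List[str]]:
    """Accounts that touched records but are not on the staff roster,
    mapped to the records they accessed (log order, de-duplicated)."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for e in events:
        if e["user"] not in roster and e["patient"] not in hits[e["user"]]:
            hits[e["user"]].append(e["patient"])
    return dict(hits)


def review(log_text: str, roster: Set[str], max_distinct_viewers: int = 3) -> Dict[str, dict]:
    """Run both checks over a log and return the findings."""
    events = parse_log(log_text.splitlines())
    return {
        "crowded_records": crowded_records(events, max_distinct_viewers),
        "unknown_accounts": unknown_accounts(events, roster),
    }
```

On the sample, `review(SAMPLE_LOG, STAFF_ROSTER)` reports P-778 as viewed by 5 distinct accounts and x_temp9 as an account outside the roster that read two records. The fixed threshold is a placeholder; in practice it should follow the size of a patient's care team or a per-record baseline, and the roster comparison is what catches accounts created outside the normal provisioning process.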
Knuddels reported a data breach, and on investigation the local data protection authority found that the site had been storing user passwords in plaintext, without hashing. The fine was issued for the storage practice, not for the breach itself.
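Storing passwords in plaintext means a single database dump exposes every user's credential. The Python below is an added example, not Knuddels' code: it shows the plaintext approach next to a salted, iterated hash using `hashlib.pbkdf2_hmac` from the standard library, with constant-time verification and a check that says when stored hashes should be upgraded to a higher cost. The record format `pbkdf2_sha256$<iterations>$<salt>$<hash>` is an assumption made for this example.

```python
"""Plaintext password storage beside a salted, iterated hash.
Added example using only the Python standard library; not Knuddels' code.
The record format 'pbkdf2_sha256$<iterations>$<salt>$<hash>' is an
assumption made for this example."""
import base64
import hashlib
import hmac
import secrets
from typing import Dict

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 cost per the OWASP Password Storage Cheat Sheet
SALT_BYTES = 16
HASH_BYTES = 32


# --- what the fined site did: the credential itself is the record ---
def store_plaintext(db: Dict[str, str], user: str, password: str) -> None:
    db[user] = password          # anyone who reads the table has every password


def check_plaintext(db: Dict[str, str], user: str, password: str) -> bool:
    return db.get(user) == password


# --- what it should have done ---
def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm, cost, per-user salt, digest."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=HASH_BYTES)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the salt and cost stored in the record and compare in
    constant time, so timing does not leak how many leading bytes matched."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM or not iterations.isdigit():
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 int(iterations), dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a record predates the current cost policy or is not in the
    expected format; rehash on the next successful login, when the
    plaintext is briefly available."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations


def store_hashed(db: Dict[str, str], user: str, password: str) -> None:
    db[user] = hash_password(password)


def check_hashed(db: Dict[str, str], user: str, password: str) -> bool:
    record = db.get(user)
    return record is not None and verify_password(password, record)
```

With the hashed store, a leaked table yields only per-user salted digests that must be brute-forced one at a time at 600,000 iterations each, and the same password hashed twice produces different records. PBKDF2 is used here only to keep the example dependency-free; for a production system prefer a memory-hard function such as argon2id or scrypt from a maintained library.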
A local business had a CCTV camera that captured too much public space.
Alpin helps companies discover and manage their SaaS vendors. As part of that effort, we work to track the GDPR compliance status of a large number of vendors. And we stay up-to-date on GDPR news, too.
Stay in touch by subscribing to our weekly roundup – which includes news, useful tips about SaaS apps, and our latest blog posts.