In 2018, GDPR enforcement actions began trickling out from various EU data protection agencies. We want to give people a way to know who was fined, when, and why. This list focuses on major fines of at least €100,000.
Did we miss one? Let us know at firstname.lastname@example.org.
Major GDPR fine count:
- 2019: 27
- 2018: 1
- Total: 28
Major GDPR fine total in Euros (approximate due to currency conversion):
- 2019: € 428,545,407
- 2018: € 400,000
- Total: € 428,945,407
Last updated: December 17, 2019 | Read this article in French.
2019 Major GDPR Fines
Personal information was available to anyone who provided the name and date of birth of a customer. The fine would have been much higher, but the company cooperated closely with regulators to quickly address the issue.
An unnamed hospital sent invoices to the wrong patients, exposing personal information of other patients.
A 2016 data breach concerning 57 million Uber users, of which 174,000 were Dutch citizens, was not reported within 72 hours.
Call center operators entered data into a CRM system. Some of those operators were located outside the EU, so there was unlawful data storage in countries that did not provide an adequate level of protection of personal data. Some of the data related to the health status of the people contacted, as well as offensive language. Further, the data subjects were not informed of the recording of the calls, or of any other processing of their personal data.
Dutch employee insurance service provider UWV did not apply multi-factor authentication when granting access to the online employer portal, so security was deemed insufficient.
Unlawful storage of personal information in an archive system that did not have an option to delete old data. The system contained sensitive information about former and current tenants.
The Austrian Post sold detailed personal profiles of approximately 3 million Austrians to various companies and political parties.
Bank employees sent personal information, without requesting permission from the affected individuals, to Vreau Credit (which was also fined €20,000), and did not evaluate the risks of taking these actions.
Did not delete personal information, and continued telemarketing after being notified by consumers to stop.
2.2 million people’s personal information was accessed because it was poorly protected.
The company did not delete information of dormant customers, and continued sending unsolicited advertising emails.
Records of 6 million people were accessed in a security breach.
Tens of thousands of bank customer records were stolen because of poor system design and process execution.
PWC required its employees to sign a blanket consent for PWC to process their data. The regulator determined that there was an imbalance of power in the company-employee relationship, and that the consent was therefore not binding. Further, the regulator determined that the company gave the false impression that it was processing the data legally.
Exposed personal information through poor security. This was discovered by a customer, who found that personal data of other customers, including their driver’s licenses, registration cards and bank identification records, could be seen by simply changing the numbers at the end of the URL.
After acquiring its competitor Starwood, Marriott discovered Starwood’s central reservation database had been hacked. This included 5 million unencrypted passwords and 8 million credit card records. The hack was ongoing from 2014 to 2018. The breach impacted 30 million EU residents.
As a result of an attack on British Airways’ website, about 500,000 customer records were extracted by a malicious third party. The UK’s data protection agency claims BA’s website was compromised due to poor cyber security arrangements. This would represent the largest GDPR fine to date.
Revealed personal information such as the national identification number and the postal address of the payment issuers to the payment recipients. 337,042 individuals were affected between February and December 2018.
A Dutch hospital was fined over lax controls over logging and access to patient records. In one instance, 197 employees accessed one Dutch celebrity’s medical records.
The soccer league was accused of listening for piracy through its smartphone application. La Liga turned on user microphones in order to listen for sounds of the soccer game and match them to any pirated stream using geolocation. La Liga used the information to sue 600 bars for pirating soccer games.
Did not delete personal information of 385,500 dormant customers.
The real estate company’s website easily allowed access to other individuals’ information by changing the URL, making ID cards, tax notices, and other important documents available. The lack of user authentication resulted in the fine.
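The two "change the number at the end of the URL" cases above (the driver's licence and bank record exposure, and the real estate ID card and tax notice exposure) are the same flaw: a record is fetched by a sequential identifier taken from the request without checking that the caller owns it. The following is an added illustration, not code from the original post or from either fined company; the users, record ids and document contents are constructed, and the function and class names are the author's own. It shows the vulnerable lookup beside a hardened one, plus the two controls a defender usually adds on top: opaque handles in place of sequential ids, and a log of refused attempts so enumeration becomes visible.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Document:
    owner: str   # username of the customer the record belongs to
    kind: str    # e.g. "id_card", "tax_notice", "registration_card"
    body: str    # stand-in for the file contents


class NotFound(Exception):
    """Raised for both 'no such record' and 'not your record' (see below)."""


# Constructed sample data: sequential keys, the shape that invited guessing in the incidents above.
DOCS: Dict[int, Document] = {
    1001: Document("alice", "id_card", "ALICE-ID"),
    1002: Document("bob", "tax_notice", "BOB-TAX"),
    1003: Document("carol", "registration_card", "CAROL-REG"),
}


def fetch_document_vulnerable(doc_id: int, user: str) -> str:
    """The flaw: the id from the URL is looked up directly and the caller's
    identity is never compared with the record's owner."""
    doc = DOCS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc.body  # `user` is unused, so any logged-in user can walk 1001, 1002, ...


def fetch_document_hardened(doc_id: int, user: str) -> str:
    """Object-level authorization: the record must belong to the caller.
    A missing record and someone else's record produce the same error so the
    endpoint does not confirm which ids exist."""
    doc = DOCS.get(doc_id)
    if doc is None or doc.owner != user:
        raise NotFound(doc_id)
    return doc.body


def can_read(doc_id: int, user: str) -> bool:
    """True if the hardened lookup lets `user` read `doc_id`."""
    try:
        fetch_document_hardened(doc_id, user)
        return True
    except NotFound:
        return False


class DocumentStore:
    """Second layer: expose random handles instead of sequential ids, and
    record every refusal so enumeration shows up in monitoring."""

    def __init__(self, docs: Dict[int, Document]) -> None:
        self._docs = docs
        self._id_by_handle: Dict[str, int] = {}
        self._handle_by_id: Dict[int, str] = {}
        for doc_id in docs:
            handle = secrets.token_urlsafe(16)  # 128 random bits: not guessable
            self._id_by_handle[handle] = doc_id
            self._handle_by_id[doc_id] = handle
        self.denied: List[Tuple[str, str]] = []  # (user, handle) for each refusal

    def handle_for(self, doc_id: int) -> str:
        """What the application would embed in the customer's own URLs."""
        return self._handle_by_id[doc_id]

    def fetch(self, handle: str, user: str) -> str:
        doc_id = self._id_by_handle.get(handle)
        doc = self._docs.get(doc_id) if doc_id is not None else None
        if doc is None or doc.owner != user:
            self.denied.append((user, handle))  # feed this to alerting
            raise NotFound(handle)
        return doc.body


def demo() -> dict:
    """Runs the lookups on the constructed data and returns the outcomes."""
    store = DocumentStore(DOCS)
    alice_handle = store.handle_for(1001)
    try:
        store.fetch(alice_handle, "bob")  # cross-user attempt, refused and logged
    except NotFound:
        pass
    return {
        "vulnerable_leaks": fetch_document_vulnerable(1003, "bob"),  # bob reads carol's record
        "hardened_own": fetch_document_hardened(1001, "alice"),
        "hardened_cross": can_read(1003, "bob"),
        "store_own": store.fetch(alice_handle, "alice"),
        "denied_count": len(store.denied),
        "handle_is_numeric": alice_handle.isdigit(),
    }


if __name__ == "__main__":
    print(demo())
```

The ownership check is the fix the regulators' findings point at; the opaque handles and the refusal log are defence in depth. A spike in the `denied` list from one session is the signal a detection rule would key on.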
The personal data of 35,000 student accounts was stolen even after warnings were issued to the organization.
Exposed 63,000 students’ information in a mobile app that was not designed or tested to secure personal information.
This data processor was fined because it scraped the internet for public contacts, amassing data on 6 million people. It did not inform these people that their data would be processed, and the company conducted commercial outreach to over 90,000 people, 12,000 of whom objected to the unauthorized use of their data.
As a result of a random audit, this taxi operator was found to have over 9 million personal records the company had stored unnecessarily. The fine came as a result of a failure to delete this unused contact information.
Google was fined by France’s data regulator, citing a lack of transparency and consent in advertising personalization, including a pre-checked option to personalize ads.
2018 Major GDPR Fines
Staff at the hospital used bogus accounts to access patient records.
We include this small fine, since it was the first. A local business had a CCTV camera capturing too much public space.
Alpin helps companies discover and manage their SaaS vendors. As part of that effort, we work to track the GDPR compliance status of a large number of vendors, so that you can see if your vendors are compliant. And we stay up-to-date on GDPR news, too.
Stay in touch by subscribing to our weekly roundup – which includes news, useful tips about SaaS apps, and our latest blog posts.