Here, we’ll cover the latest fines due to lack of data protection.
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
2019-XX-XX
€15,150 – Unknown
Art. 33 GDPR
Insufficient fulfilment of data breach obligations – The data controller did not fulfil its data breach obligations when a flash memory with personal data was lost.
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
2019-10-09
€150,000 – Raiffeisen Bank SA
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security – Employees had unauthorized access to customer data.
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
2019-10-09
€20,000 – Vreau Credit SRL
Art. 32, Art. 33 GDPR
Insufficient technical and organisational measures to ensure information security – Employees had unauthorized access to customer data.
(Greece) Hellenic Data Protection Authority (HDPA)
2019-10-07
€200,000 – Telecommunication Service Provider
Articles 5(1)(c), 25 GDPR
Non-compliance with general data processing principles – A large number of customers were subject to telemarketing calls, although they had declared an opt-out for this. This was ignored due to technical errors.
(Greece) Hellenic Data Protection Authority (HDPA)
2019-10-07
€200,000 – Telecommunication Service Provider
Articles 21(3) and 25 GDPR
Non-compliance with general data processing principles – Inappropriate technical measures resulted in the data of 8,000 customers not being deleted upon request.
Belgian Data Protection Authority (APD)
2019-09-19
€10,000 – Merchant
Art. 5 (1) c) GDPR
Non-compliance with general data processing principles – The Belgian data protection authority has imposed a fine of 10,000 euros on a merchant who wanted to use an electronic identity card (eID) to create a customer card. The DPA’s investigation revealed that the merchant required access to personal data located on the eID, including the photo and barcode which is linked to the data subject’s identification number.
Polish National Personal Data Protection Office (UODO)
2019-09-10
€644,780 – Morele.net
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security – The Polish data protection authority imposed a fine of over PLN 2.8 million (approx. €644,780) on Morele.net for insufficient organisational and technical safeguards, which led to unauthorised access to the personal data of 2.2 million people.