Non-compliance with the obligations under Regulation (EU) 2016/679 can be a costly mistake for large and small businesses alike. Article 83 of Regulation (EU) 2016/679 sets out the conditions for imposing administrative fines, which may reach up to 20 million Euro.

| Competent Authority | Fine | Basis | Date |
| --- | --- | --- | --- |
| Spanish DPA (AEPD) | Since 2018, the Spanish DPA (AEPD) had received a total of 191 complaints against Vodafone Espana, S.A.U. The data subjects complained about advertising calls and messages (e-mail and SMS) made on behalf of Vodafone Espana as part of marketing campaigns. The contact was made without the prior consent of the data subjects and continued even after they had exercised their right to object. The fine imposed totalled EUR 8,150,000. | Insufficient fulfilment of data subjects' rights | 11/03/2021 |
| Spanish DPA (AEPD) | The Spanish DPA (AEPD) fined Air Europa Lineas Aereas, SA. EUR 600,000 after a serious data breach involving unauthorized access to contact details and bank accounts was reported to the AEPD. Approximately 489,000 individuals and 1,500,000 records were affected. | Insufficient technical and organisational measures to ensure information security | 15/03/2021 |
| DPA of Baden-Württemberg (Germany) | The DPA of Baden-Württemberg imposed a fine of EUR 300,000 on the soccer club VfB Stuttgart 1893 AG for negligent breach of data protection accountability under Art. 5 (2) GDPR. | Non-compliance with general data processing principles | 10/03/2021 |
| Spanish DPA (AEPD) | The Spanish DPA (AEPD) imposed a fine of EUR 200,000 on I-DE Redes Electricas Inteligentes, S.A.U. The DPA received complaints from Waitum, S.L. and Servicios Aby 2018, S.L. because their customers had received letters from the controller. Both companies had previously transferred their customers' personal data to the controller under a network access agreement entered into with the controller. Under this agreement, the two companies acted as representatives of their respective customers, who were supplied with electricity by the controller. The DPA determined that the sending of these letters was neither related to nor necessary for the performance of the respective contract. The controller had therefore violated the principles of purpose limitation and data minimization, so that the sending of these letters constituted unlawful processing of the customers' personal data. | Non-compliance with general data processing principles | 02/03/2021 |
| Spanish DPA (AEPD) | The Spanish DPA (AEPD) imposed a fine of EUR 150,000 on Xfera Moviles S.A. The DPA had received two complaints from a data subject. The first complaint concerned the sending of advertising SMS messages that the data subject received from the controller, although he had objected to this and requested that his data be deleted. According to the data subject, he received over 60 SMS messages within 30 days. The second complaint was filed by the data subject because the controller repeatedly sent him messages containing confidential data of a third party. This concerned the login information of another customer to a company platform. | Insufficient technical and organisational measures to ensure information security | 10/03/2021 |