GDPR Fines & Penalties so far

Total Fines:
∑ = 418.212.904

| ID | Fine [€] | Country | Authority | Date | Controller/Processor | Quoted Art. | Type | Summary | Infos |
|---|---|---|---|---|---|---|---|---|---|
| 1 | 204.600.000 | UNITED KINGDOM | Information Commissioner (ICO) | 08/07/2019 | British Airways | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Please note: This fine is not final but will be decided on when the company and other involved supervisory authorities of other member states have made their representations. The ICO issued a notice of its intention to fine British Airways £183.39M for GD | |
| 2 | 110.390.200 | UNITED KINGDOM | Information Commissioner (ICO) | 09/07/2019 | Marriott International, Inc | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Please note: This fine is not final but will be decided on when the company and other involved supervisory authorities of other member states have made their representations. The ICO issued a notice of its intention to fine Marriott International Inc whic | |
| 3 | 50.000.000 | FRANCE | French Data Protection Authority (CNIL) | 21/01/2019 | Google Inc. | Art. 13 GDPR, Art. 14 GDPR, Art. 6 GDPR, Art. 5 GDPR | Insufficient legal basis for data processing | The fine was imposed on the basis of complaints from the Austrian organisation "None Of Your Business" and the French NGO "La Quadrature du Net". The complaints were filed on 25th and 28th of May 2018 - immediately after the GDPR became applicable. The co | |
| 4 | 18.000.000 | AUSTRIA | Austrian Data Protection Authority (dsb) | 23/10/2019 | Austrian Post | Art. 5 (1) a) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Austrian Post had created profiles of more than three million Austrians, which included information about their home addresses, personal preferences, habits and possible party affinity - which were subsequently resold, for example to political parties | |
| 5 | 14.500.000 | GERMANY | Data Protection Authority of Berlin | 30/10/2019 | Deutsche Wohnen SE | Art. 5 GDPR, Art. 25 GDPR | Non-compliance with general data processing principles | The company used an archiving system for the storage of personal data of tenants that did not provide for the possibility of removing data that was no longer required. Personal data of tenants were stored without checking whether storage was permissible o | |
| 6 | 9.550.000 | GERMANY | The Federal Commissioner for Data Protection and Freedom of Information (BfDI) | 09/12/2019 | Telecoms provider (1&1 Telecom GmbH) | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Controller is a company offering telecommunication services. A caller could obtain extensive information on personal customer data from the company's customer service department simply by entering a customer's name and date of birth. In this authentic | |
| 7 | 2.600.000 | BULGARIA | Data Protection Commission of Bulgaria (KZLD) | 28/08/2019 | National Revenue Agency | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Leakage of personal data in a hacking attack due to inadequate technical and organisational measures to ensure the protection of information security. It was found that personal data concerning about 6 million persons was illegally accessible. | |
| 8 | 900.000 | THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 31/10/2019 | UWV (Dutch employee insurance service provider) | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | As the UWV (the Dutch employee insurance service provider - "Uitvoeringsinstituut Werknemersverzekeringen") did not use multi-factor authentication when accessing the online employer portal, security was inadequate. Employers and health and safety service | |
| 9 | 645.000 | POLAND | Polish National Personal Data Protection Office (UODO) | 10/09/2019 | Morele.net | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Polish data protection authority imposed a fine of over PLN 2.8 million (approx. €644,780) on Morele.net for insufficient organisational and technical safeguards, which led to unauthorised access to the personal data of 2.2 million people. | |
| 10 | 511.000 | BULGARIA | Data Protection Commission of Bulgaria (KZLD) | 28/08/2019 | DSK Bank | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Leakage of personal data due to inadequate technical and organisational measures to ensure the protection of information security. Third parties had access to over 23000 credit records relating to over 33000 bank customers including personal data such as | |
| 11 | 500.000 | FRANCE | French Data Protection Authority (CNIL) | 21/11/2019 | Futura Internationale | Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 21 GDPR | Insufficient fulfilment of data subjects rights | Futura Internationale was fined for cold calls after several complainants received cold calls, despite having declared directly to the caller and by post that this was not wanted. In particular, the decision pointed out that the CNIL's on-site investigati | |
| 12 | 460.000 | THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 18/06/2019 | Haga Hospital | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Haga Hospital does not have proper internal security of patient records in place. This is the conclusion of an investigation by the Dutch Data Protection Authority. This investigation followed when it appeared that dozens of hospital staff had unnec | |
| 13 | 400.000 | FRANCE | French Data Protection Authority (CNIL) | 28/05/2019 | SERGIC (Real Estate) | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The CNIL based the penalty on two grounds: lack of basic security measures and excessive data storage. As to the first, sensitive user documents uploaded by rental candidates (including ID cards, health cards, tax notices, certificates issued by the famil | |
| 14 | 400.000 | PORTUGAL | Portuguese Data Protection Authority (CNPD) | 17/07/2018 | Public Hospital | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Investigation revealed that the hospital's staff, psychologists, dietitians and other professionals had access to patient data through false profiles. The profile management system appeared deficient: the hospital had 985 registered doctor profiles while | |
| 15 | 250.000 | SPAIN | Spanish Data Protection Authority (aepd) | 11/06/2019 | Professional Football League (LaLiga) | Art. 5 (1) a) GDPR, Art. 7 (3) GDPR | Insufficient fulfilment of information obligations | The national Football League (LaLiga) was fined for offering an app which once per minute accessed the microphone of users' mobile phones in order to detect pubs screening football matches without paying a fee. In the opinion of the AEPD LaLiga did not ad | |
| 16 | 219.538 | POLAND | Polish National Personal Data Protection Office (UODO) | 26/03/2019 | Private company working with data from publicly available sources | Art. 14 GDPR | Insufficient fulfilment of information obligations | The fine concerned the proceedings related to the activity of a company which processed the data subjects' data obtained from publicly available sources, inter alia from the Central Electronic Register and Information on Economic Activity, and processed t | |
| 17 | 203.000 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 29/04/2019 | Oslo Municipal Education Department | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Fine for security vulnerabilities in a mobile messaging app developed for use in an Oslo school. The app allows parents and students to send messages to school staff. Due to insufficient technical and organizational measures to protect information securit | |
| 18 | 200.850 | DENMARK | Danish Data Protection Authority (Datatilsynet) | 03/06/2019 | IDdesign A / S | Art. 5 (1) e) GDPR, Art. 5 (2) GDPR | Non-compliance with general data processing principles | The fine was imposed as a result of an inspection carried out in autumn of 2018. IDdesign had processed personal data of approximately 385,000 customers for a longer period than necessary for the purposes for which they were processed. Additionally, the c | |
| 19 | 200.000 | GREECE | Hellenic Data Protection Authority (HDPA) | 07/10/2019 | Telecommunication Service Provider | Art. 5 (1) c) GDPR, Art. 25 GDPR | Non-compliance with general data processing principles | A large number of customers were subject to telemarketing calls, although they had declared an opt-out for this. This was ignored due to technical errors. | |
| 20 | 200.000 | GREECE | Hellenic Data Protection Authority (HDPA) | 07/10/2019 | Telecommunication Service Provider | Art. 21 (3) GDPR, Art. 25 GDPR | Non-compliance with general data processing principles | Inappropriate technical measures resulted in the data of 8,000 customers not being deleted upon request. | |
| 21 | 195.407 | GERMANY | Data Protection Authority of Berlin | 01/09/2019 | Delivery Hero | Art. 15 GDPR, Art. 17 GDPR, Art. 21 GDPR | Insufficient fulfilment of data subjects rights | According to the findings of the Berlin data protection officer, Delivery Hero Germany GmbH had not deleted accounts of former customers in ten cases, even though those data subjects had not been active on the company's delivery service platform for years | |
| 22 | 180.000 | FRANCE | French Data Protection Authority (CNIL) | 25/07/2019 | ACTIVE ASSURANCES (car insurer) | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | A large number of customer accounts, clients' documents (including copies of driver's licences, vehicle registration, bank statements and documents to determine whether a person had been the subject of a licence withdrawal) and data were easily accessible on | |
| 23 | 170.000 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 01/03/2019 | Bergen Municipality | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The incident relates to computer files with usernames and passwords to over 35000 user accounts in the municipality's computer system. The user accounts related to both pupils in the municipality's primary schools, and to the employees of the same schools | |
| 24 | 160.000 | DENMARK | Danish Data Protection Authority (Datatilsynet) | | Taxa 4x35 | Art. 5 (1) e) GDPR | Non-compliance with general data processing principles | The Danish DPA reported the taxi company to the police and recommended a fine (of 1.2M DKK) for non-adherence to the data-minimization principle. While the company deleted the names of its passengers from all its records after two years, the deletion did | |
| 25 | 150.000 | LATVIA | Data State Inspectorate (DSI) | 01/11/2019 | Unknown | Art. 6 GDPR | Insufficient legal basis for data processing | Unlawful data processing. No further information available yet. | |
| 26 | 150.000 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 09/10/2019 | Raiffeisen Bank SA | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Raiffeisen Bank Romania carried out scoring assessments on the basis of personal data of individuals registered on the Vreau Credit platform provided by the platform's staff via WhatsApp and then returned the result to Vreau Credit using the same means of | |
| 27 | 150.000 | GREECE | Hellenic Data Protection Authority (HDPA) | 30/07/2019 | PWC Business Solutions | Art. 5 (1) GDPR, Art. 5 (2) GDPR, Art. 6 (1) GDPR, Art. 13 (1) c) GDPR, Art. 14 (1) c) GDPR | Insufficient legal basis for data processing | The processing of employee personal data was based on consent. The HDPA found that consent as legal basis was inappropriate, as the processing of personal data was intended to carry out acts directly linked to the performance of employment contracts, comp | |
| 28 | 130.000 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 27/06/2019 | UNICREDIT BANK SA | Art. 25 (1) GDPR, Art. 5 (1) c) GDPR | Insufficient technical and organisational measures to ensure information security | The fine was issued as a result of the failure to implement appropriate technical and organisational measures (related to (1) the determination of the processing means/operations, and (2) the integration of the necessary safeguards) resulting in the online-d | |
| 29 | 105.000 | GERMANY | Data Protection Authority of Rheinland-Pfalz | 03/12/2019 | Hospital | Art. 5 GDPR | Non-compliance with general data processing principles | The fine is based on several breaches of the GDPR in connection with a patient mix-up at the admission of the patient. This resulted in incorrect invoicing and revealed structural technical and organisational deficits in the hospital's patient management. | |
| 30 | 92.146 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 23/05/2019 | Organizer of SZIGET festival and VOLT festival | Art. 6 GDPR, Art. 5 (1) b) GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The NAIH found that there were inappropriate legal bases in use and that the controller did not comply with the principle of purpose limitation. Also, information on the data processing was not fully provided to data subjects. | |
| 31 | 80.000 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 28/11/2019 | ING Bank N.V. Bucharest | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | ING Bank has not taken appropriate technical and organisational measures for an automated data processing system during the settlement process of card transactions affecting 225,525 customers, resulting in double transactions being executed between 8 and | |
| 32 | 80.000 | GERMANY | Data Protection Authority of Baden-Wuerttemberg | | Unknown | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | A company in the financial sector had improperly disposed of personal data. | |
| 33 | 80.000 | GERMANY | Data Protection Authority of Baden-Wuerttemberg | | Unknown | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | In a digital publication, health data was accidentally published due to inadequate internal control mechanisms. | |
| 34 | 75.000 | SPAIN | Spanish Data Protection Authority (aepd) | 28/11/2019 | Curenergía Comercializador de último recurso | Art. 6 GDPR | Insufficient legal basis for data processing | An individual filed a complaint against the company alleging that the company had used their personal data as a former customer, such as first and last name, VAT identification number and address, to enter into an electricity supply contract. | |
| 35 | 61.500 | LITHUANIA | Lithuanian Data Protection Authority (VDAI) | 16/05/2019 | Payment service provider UAB MisterTango | Art. 5 GDPR, Art. 32 GDPR, Art. 33 GDPR | Insufficient fulfilment of data breach notification obligations | During an inspection, the Lithuanian Data Protection Supervisory Authority found that the controller processed more data than necessary to achieve the purposes for which it was a controller. In addition, it became known that from 09 - 10 July 2018 payment | |
| 36 | 60.000 | SPAIN | Spanish Data Protection Authority (aepd) | 21/11/2019 | Viaqua Xestión Integral Augas de Galicia | Art. 6 GDPR | Insufficient legal basis for data processing | Processing (modification) of the personal data of a customer included in a contract by a third party without the consent of the customer. | |
| 37 | 60.000 | SPAIN | Spanish Data Protection Authority (aepd) | 19/11/2019 | Corporación Radiotelevisión Española | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | CORPORACIÓN RADIOTELEVISIÓN ESPAÑOLA and the trade union have reported a security breach to the AEPD after six unencrypted USB sticks containing personal data were lost. The violation affected about 11,000 people, including identification data, employment | |
| 38 | 60.000 | SPAIN | Spanish Data Protection Authority (aepd) | 19/11/2019 | Xfera Móviles S.A. | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | An individual complainant had received an SMS from Xfera Móviles which was to be addressed to a third party and which allowed him to access the account and personal data of this third party on the Xfera Móviles website via the telephone number and passwor | |
| 39 | 60.000 | SPAIN | Spanish Data Protection Authority (aepd) | 16/10/2019 | Xfera Móviles S.A. | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Xfera Móviles has used personal data without a legal basis for the conclusion of a telephone contract and has continued to process personal data even when the data subject requested that the processing be discontinued. | |
| 40 | 60.000 | SPAIN | Spanish Data Protection Authority (aepd) | 16/08/2019 | AVON COSMETICS | Art. 6 GDPR | Insufficient legal basis for data processing | A consumer claimed that AVON COSMETICS had unlawfully processed his data without adequately verifying his identity, which led to his data being erroneously entered in a register of claims, preventing him from working with his bank. As a result, a third pa | |
| 41 | 60.000 | SPAIN | Spanish Data Protection Authority (aepd) | | Debt collecting agency (GESTIÓN DE COBROS, YO COBRO SL) | Art. 5 (1) f) GDPR | Insufficient legal basis for data processing | After the claimant allegedly did not pay back a microcredit to an online credit agency, the claim was assigned to the debt collecting agency. Subsequently, the latter started sending emails not only to email addresses provided by the claimant but also to | |
| 42 | 60.000 | SPAIN | Spanish Data Protection Authority (aepd) | | ENDESA (energy supplier) | Art. 5 (1) f) GDPR | Insufficient legal basis for data processing | The complainant's bank account was charged by ENDESA, the beneficiary of which was a third party, who had been convicted under criminal law and imposed with a two-year restraining order regarding the claimant, her domicile and work. Instead of amending the c | |
| 43 | 50.000 | AUSTRIA | Austrian Data Protection Authority (dsb) | 01/08/2019 | Company in the medical sector | Art. 13 GDPR, Art. 37 GDPR | Insufficient fulfilment of information obligations | The (non-final) fine was imposed on a company in the medical sector for non-compliance with information obligations and for not appointing a data protection officer. | |
| 44 | 50.000 | ITALY | Italian Data Protection Authority (Garante) | 17/04/2019 | Italian political party Movimento 5 Stelle | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | A number of websites affiliated to the Italian political party Movimento 5 Stelle are run, by means of a data processor, through the platform named Rousseau. The platform had suffered a data breach during the summer 2017 that led the Italian data protecti | |
| 45 | 50.000 | GERMANY | Data Protection Authority of Berlin | 01/03/2019 | N26 | Art. 6 GDPR | Insufficient legal basis for data processing | The fine was imposed against a bank (according to a newspaper, N26) that had processed "personal data of all former customers" without permission. The bank has acknowledged that it had retained data relating to former customers in order to maintain | Page 131 of the activity report of the Data Protection Commissioner of Berlin |
| 46 | 50.000 | SLOVAKIA | Slovak Data Protection Office | | Social Insurance Agency | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Applications for social benefits from Slovak citizens were sent by post to foreign authorities. These were lost by post, with the result that the whereabouts of these personal data could not be clarified. | |
| 47 | 48.000 | SPAIN | Spanish Data Protection Authority (aepd) | | VODAFONE ONO, S.A.U. | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Customers could access personal data of other customers in the customer area. The initial fine of EUR 60.000 was reduced to EUR 48.000. | |
| 48 | 48.000 | SPAIN | Spanish Data Protection Authority (aepd) | | TELEFONICA MOVILES ESPAÑA, S.A.U. | Art. 5 (1) a) GDPR | Non-compliance with general data processing principles | The claimant's bank account was charged by the company with two invoices for the services he had contracted, which, however, displayed personal data of another customer. The initial fine of EUR 60.000 was reduced to EUR 48.000. | |
| 49 | 47.000 | POLAND | Polish National Personal Data Protection Office (UODO) | 16/10/2019 | ClickQuickNow | Art. 5 GDPR | Non-compliance with general data processing principles | The UODO imposed a fine of EUR 47000 for obstructing the exercise of the right of withdrawal for the processing of personal data. The company has not taken appropriate technical and organisational measures that allow the simple and effective withdrawal of | |
| 50 | 40.000 | SPAIN | Spanish Data Protection Authority (aepd) | | VODAFONE ESPAÑA, S.A.U. | Art. 6 GDPR | Insufficient legal basis for data processing | The company had charged a Netflix service that had not been solicited by the claimant. The claimant could prove that the service had been used by another household which allegedly had received the claimant's bank account and phone number from Vodafone. Si | |
| 51 | 40.000 | SLOVAKIA | Slovak Data Protection Office | | Slovak Telekom | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The controller did not take adequate security measures when processing personal data, thereby breaching the obligation to protect the processed personal data. | |
| 52 | 36.000 | SPAIN | Spanish Data Protection Authority (aepd) | 25/10/2019 | VODAFONE ESPAÑA, S.A.U. | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The claimant, whose data had been provided to the company by his daughter, as authorised by him, received a call from the company offering its services, which he refused. However, Vodafone España proceeded to provide him services and seek payment fro | |
| 53 | 36.000 | SPAIN | Spanish Data Protection Authority (aepd) | | VODAFONE ONO, S.A.U. | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The company sent a marketing email to a large number of recipients (clients) without using the blind copy feature. The initial fine of EUR 60.000 was reduced to EUR 36.000. | |
| 54 | 34.375 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 01/04/2019 | Hungarian political party | Art. 33 (1) GDPR, Art. 33 (5) GDPR, Art. 34 (1) GDPR | Insufficient fulfilment of data breach notification obligations | NAIH imposed a fine of HUF 11,000,000 (EUR 34,375) on an undisclosed Hungarian political party for failing to notify the NAIH and relevant individuals about a data breach, and failing to document the breach according to GDPR Article 33.5. As mandated by l | |
| 55 | 30.000 | SPAIN | Spanish Data Protection Authority (aepd) | 14/11/2019 | Telefónica SA | Art. 5 GDPR | Non-compliance with general data processing principles | Telefónica had charged the complainant various fees in connection with the operation of a telephone line which the complainant had never owned. The reason for this was that the complainant's bank account was linked to another Telefónica customer, which le | |
| 56 | 30.000 | SPAIN | Spanish Data Protection Authority (aepd) | 01/10/2019 | Vueling Airlines | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish Data Protection Agency (AEPD) has sanctioned Vueling Airlines with 30,000 euros for not giving users the ability to refuse its cookies and forcing them to accept them if they want to browse its website. In other words, it was not possible to brow | |
| 57 | 30.000 | SPAIN | Spanish Data Protection Authority (aepd) | | VODAFONE ESPAÑA, S.A.U. | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Disclosure of customer personal data (i.a. purchase history) via an SMS to another customer. The initial fine of EUR 50.000 was reduced to EUR 30.000. | |
| 58 | 28.160 | BULGARIA | Data Protection Commission of Bulgaria (KZLD) | | Unknown | Art. 6 GDPR | Insufficient legal basis for data processing | Unknown | |
| 59 | 27.100 | BULGARIA | Bulgarian Commission for Personal Data Protection (KZLD) | 26/02/2019 | Telecommunication service provider | Art. 6 GDPR, Art. 5 (1) a) GDPR | Insufficient legal basis for data processing | Repeated registration of prepaid services without the knowledge and consent of the data subject. Employees of the telecommunications provider have used personal data and registered the complainant with the company's prepaid service. The data subject had no | |
| 60 | 27.000 | SPAIN | Spanish Data Protection Authority (aepd) | | VODAFONE ESPAÑA, S.A.U. | Art. 5 (1) d) GDPR | Insufficient fulfilment of data subjects rights | Although the complainant (a former Vodafone customer) had requested Vodafone to delete his data in 2015 and this request had been confirmed by the company, he received more than 200 SMS from the company from 2018 onwards. Following Vodafone's statement, t | |
| 61 | 21.000 | SPAIN | Spanish Data Protection Authority (aepd) | | VODAFONE ESPAÑA, S.A.U. | Art. 6 (1) GDPR | Insufficient legal basis for data processing | Vodafone had processed personal data of the claimant (bank details, name, surname and national identification number) years after the contractual relationship had ended. The fine of EUR 35.000 was reduced to EUR 21.000. | |
| 62 | 20.000 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 04/12/2019 | S CNTAR TAROM SA (Airline) | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian data protection authority imposed a sanction on an airline because it has not taken appropriate measures to ensure that any natural person acting under its supervision processes personal data in accordance with its instructions (Article 32(4) | |
| 63 | 20.000 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 09/10/2019 | Vreau Credit SRL | Art. 32 GDPR, Art. 33 GDPR | Insufficient technical and organisational measures to ensure information security | Raiffeisen Bank Romania carried out scoring assessments on the basis of personal data of individuals registered on the Vreau Credit platform provided by the platform's staff via WhatsApp and then returned the result to Vreau Credit using the same means of | |
| 64 | 20.000 | FRANCE | French Data Protection Authority (CNIL) | 13/06/2019 | Employer UNIONTRAD COMPANY | Art. 5 (1) c) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 32 GDPR | Insufficient legal basis for data processing | Between 2013 and 2017, the CNIL received complaints from several employees of the company who were filmed at their workstation. On two occasions, it alerted the company to the rules to be observed when installing cameras in the workplace, in particular, t | |
| 65 | 20.000 | PORTUGAL | Portuguese Data Protection Authority (CNPD) | 05/02/2019 | Unknown | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | Denial of the right to access recorded phone calls by the data subject. | |
| 66 | 20.000 | GERMANY | Data Protection Authority of Baden-Wuerttemberg | 21/11/2018 | Knuddels.de | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | After a hacker attack in July, personal data of approx. 330.000 users, including passwords and email addresses, had been revealed. | |
| 67 | 20.000 | SPAIN | Spanish Data Protection Authority (aepd) | | Individual | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | Video surveillance cameras have not only been used to protect property, but have also monitored employees (violation of the principle of data minimisation). | |
| 68 | 20.000 | GERMANY | Data Protection Authority of Hamburg | | Unknown | Art. 83 (4) a) GDPR, Art. 33 (1) GDPR, Art. 34 (1) GDPR | Insufficient fulfilment of data breach notification obligations | Late notification of a data breach and failure to notify the data subjects. | Page 134 of the activity report of the Data Protection Commissioner of Hamburg |
| 69 | 18.630 | SWEDEN | Data Protection Authority of Sweden | 20/08/2019 | School in Skellefteå | Art. 5 (1) c) GDPR, Art. 9 GDPR, Art. 35 GDPR, Art. 36 GDPR | Insufficient legal basis for data processing | A school in Skellefteå made a trial to use facial recognition technology. The fine was imposed against the school which had used facial recognition technology to monitor the attendance of students. Even though, in general, data processing for the purpose | |
| 70 | 15.150 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 25/06/2019 | Unknown | Art. 33 GDPR | Insufficient fulfilment of data breach notification obligations | The data controller did not fulfil its data breach notification obligations when a flash memory with personal data was lost. | |
| 71 | 15.100 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 01/10/2019 | Town of Kerepes | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The city based its video surveillance practice on its legitimate interests (Art. 6 (1) f GDPR). However, according to Art. 6 (1) subparagraph 2 this legal basis shall not apply to processing carried out by public authorities in the performance of their t | |
| 72 | 15.000 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 02/07/2019 | WORLD TRADE CENTER BUCHAREST SA | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The breach of data security was that a printed paper list used to check breakfast customers and containing personal data of 46 clients who stayed at the hotel's WORLD TRADE CENTER BUCHAREST SA was photographed by unauthorized people outside the company, w | |
| 73 | 14.000 | CYPRUS | Cyprian Data Protection Commissioner | | Doctor | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A patient complained to the Commissioner that the request for access to her medical file was not satisfied by the hospital because the dossier could not be identified/located by the controller. After investigating the case, an administrative fine of €5,00 | |
| 74 | 12.950 | POLAND | Polish National Personal Data Protection Office (UODO) | 25/04/2019 | Sports association | Art. 6 GDPR | Insufficient legal basis for data processing | One sports association published personal data referring to judges who were granted judicial licenses online. However, not only their names were provided, but also their exact addresses and PESEL numbers. Meanwhile, there is no legal basis for such a wide | |
| 75 | 12.000 | SPAIN | Spanish Data Protection Authority (aepd) | | Madrileña Red de Gas | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The gas company did not have appropriate measures in place to verify the identity of the data subject. The person who filed the complaint alleges that the company e-mailed his information to a third party in response to a request. | |
| 76 | 11.000 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 25/11/2019 | Courier Services Company | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The fine was imposed because the controller failed to take appropriate technical and organisational measures, leading to the loss of and unauthorised access to personal data (name, bank card number, CVV code, cardholder's address, personal identification numb | |
| 77 | 11.000 | AUSTRIA | Austrian Data Protection Authority (dsb) | 01/07/2019 | Private person (soccer coach) | Art. 6 GDPR | Insufficient legal basis for data processing | The fine was imposed on a soccer coach who had secretly filmed female players while they were naked in the shower cubicle for years. | |
| 78 | 10.000 | GERMANY | The Federal Commissioner for Data Protection and Freedom of Information (BfDI) | 09/12/2019 | Rapidata GmbH | Art. 37 GDPR | Lack of appointment of data protection officer | Despite repeated requests of the BfDI the company (an internet provider) did not comply with its legal obligation under Article 37 GDPR to appoint a data protection officer. | |
| 79 | 10.000 | BELGIUM | Belgian Data Protection Authority (APD) | 17/09/2019 | Merchant | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Belgian data protection authority has imposed a fine of 10,000 euros on a merchant who wanted to use an electronic identity card (eID) to create a customer card. The DPA's investigation revealed that the merchant required access to personal data locat | |
| 80 | 10.000 | CYPRUS | Cyprian Data Protection Commissioner | | Newspaper | Art. 6 GDPR | Insufficient legal basis for data processing | The publication of the newspaper, both in hard copy and in electronic form, allegedly involved inconvenience, unnecessary and unlawful detention of a citizen, and revealed the names and pictures of the two police investigators involved, as well as the pho | |
| 81 | 10.000 | SPAIN | Spanish Data Protection Authority (aepd) | | Ikea Ibérica | Art. 6 GDPR | Insufficient legal basis for data processing | The company installed cookies on an end user's terminal device without prior consent of the data subject. | |
| 82 | 9.704 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 21/03/2019 | Unknown | Art. 5 (1) GDPR | Non-compliance with general data processing principles | Data was not only processed if adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimisation") and not only kept in a form which permits identification of data subjects for no longer than | |
| 83 | 9.600 | SPAIN | Spanish Data Protection Authority (aepd) | | Restaurant (SANTI 3000, S.L.) | Art. 5 (1) a) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A restaurant wanted to impose disciplinary sanctions on an employee using images from a mobile phone video which was recorded by another employee in the restaurant for evidence purposes. The initial fine of EUR 12.000 was reduced to EUR 9.600. | |
| 84 | 9.400 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 17/04/2019 | Unknown | Art. 5 (1) a) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A data controller used, in the view of the NAIH, a wrong legal basis for the processing of personal data (Art. 6.1.b) for the assignment of claims. | |
85 9.380 POLAND Polish National Personal Data Protection Office (UODO) 18/10/2019 Major of Aleksandrów Kujawski Art. 28 GDPR Insufficient data processing agreement No data processing agreement has been concluded with the company whose servers contained the resources of the Public Information Bulletin (BIP) of the Municipal Office in Aleksandrów Kujawski. For this reason, a fine of 40.000 PLN (9400 EUR) was imposed o link
86 9.000 ROMANIA Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) 26/09/2019 Inteligo Media SA Art. 5 (1) a) GDPR, Art. 6 (1) a) GDPR Insufficient legal basis for data processing As part of the registration process on the webseite avocatnet.ro, the operator used an unfilled checkbox, by means of which users could declare that they did not wish to receive information letters via e-mail (opt-out). Without any action, the user was au link
87 9.000 SPAIN Spanish Data Protection Authority (aepd) individual Art. 5 (1) c) GDPR Non-compliance with general data processing principles Video surveillance cameras have not only been used to protect property, but have also monitored employees (violation of principle of data minimisation). link
88 8.000 SPAIN Spanish Data Protection Authority (aepd) 16/10/2019 Iberdrola Clientes Art. 31 GDPR Lack of cooperation with the supervisory authority Iberdrola Clientes, an electricity company, had refused to make a request to a person to change its electricity supplier because it claimed that its data would be included in the solvency list. As a result, the AEPD requested that Iberdola Clientes provid link
89 7.000 LATVIA Data State Inspectorate (DSI) 26/08/2019 Online Services Art. 17 GDPR Insufficient fulfilment of data subjects rights A merchant who provides services in an online store has infringed the "right to be forgotten" pursuant to Art. 17 GDPR when he was repeatedly requested by a data subject to delete all his personal data, in particular his/her mobile phone number, which the link
90 6.000 SPAIN Spanish Data Protection Authority (aepd) 31/10/2019 Jocker Premium Invex Art. 6 GDPR Insufficient legal basis for data processing After registering for a local census, Jocker Premium Invex had sent the applicant postal advertisements and commercial offers, although data such as first name, surname and postal address were only communicated to the public administration. link
91 5.100 BULGARIA Data Protection Commision of Bulgaria (KZLD) 26/03/2019 A.P. EOOD Art. 5 (1) a) GDPR, Art. 6 GDPR Insufficient legal basis for data processing The sanction was imposed on personal data administrator A.P. EOOD for unlawful processing of personal data. The personal data of data subject D.D. was used by A.P. EOOD for preparing an Employment Contract, while he was in prison. link
92 5.000 BELGIUM Belgian Data Protection Authority (APD) 28/11/2019 Mayor Art. 6 GDPR Insufficient legal basis for data processing Fine for sending election mailings without a sufficient legal basis. The e-mail addresses used have not been collected for this purpose. link
93 5.000 BELGIUM Belgian Data Protection Authority (APD) 28/11/2019 Municipal alderman Art. 6 GDPR Insufficient legal basis for data processing Fine for sending election mailings without a sufficient legal basis. The e-mail addresses used have not been collected for this purpose. link
94 5.000 MALTA Data Protection Commissioner of Malta 18/02/2019 Lands Authority Art. 5 GDPR, Art. 32 GDPR Insufficient technical and organisational measures to ensure information security As a result of the lack of appropriate security measures on the Lands Authority website, over 10 gigabytes of personal data became easily accessible to the public via a simple google search. The majority of the leaked data contained highly-sensitive infor link
95 5.000 GERMANY Data Protection Authority of Hamburg 17/12/2018 Kolibri Image Regina und Dirk Maass GbR Art. 28 (3) GDPR Insufficient data processing agreement Please note: According to our information this fine has been withdrawn in the meantime. Kolibri Image had send a request to the Data Protection Authority of Hessen asking how to deal with a service provider who does not want to sign a processing agreement link link
96 5.000 CYPRUS Cyprian Data Protection Commissioner State Hospital Art. 15 GDPR Insufficient fulfilment of data subjects rights A patient complained to the Commissioner that the request for access to her medical file was not satisfied by the hospital because the dossier could not be identified/located by the controller. After investigating the case, an administrative fine of €5,00 link
97 5.000 SPAIN Spanish Data Protection Authority (aepd) VODAFONE ESPANA, S.A.U. Art. 5 (1) d) GDPR Non-compliance with general data processing principles The spanish telecommunications and informations agancy (SETSI) decided Vodafone had to reimburse a customer for costs he was wrongfully charged for. Nevertheless, Vodafone reported personal data of this respective customer to a solvency registry (BADEXCUG link
98 4.800 AUSTRIA Austrian Data Protection Authority (dsb) 09/12/2018 Betting place Art. 13 GDPR Insufficient fulfilment of information obligations Video surveillance was not sufficiently marked and a large part of the sidewalk of the facility was recorded. Surveillance of the public space in this way, i.e. on a large scale by private individuals, is not permitted. link
99 3.600 SPAIN Spanish Data Protection Authority (aepd) AMADOR RECREATIVOS, S.L Art. 5 (1) c) GDPR Non-compliance with general data processing principles Surveillance of the public space by video surveillance cameras against violation of the principles of data minimisation. link
100 3.200 HUNGARY Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) 04/03/2019 Unnamed financial institution Art. 5 (1) b) GDPR, Art. 5 (1) c) GDPR, Art. 13 (3) GDPR, Art. 17 (1) GDPR, Art. 6 (4) GDRP Insufficient fulfilment of data subjects rights The fine was imposed in relation to a data subject's request for data correction and erasure. NAIH levied a fine against an unnamed financial institution for unlawfully rejecting a customer’s request to have his phone number erased after arguing that it w link link
101 3.200 HUNGARY Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) 28/02/2019 Mayor's Office of the city of Kecdkemét Art. 5 (1) a) GDPR, Art. 6 GDPR Insufficient legal basis for data processing The fine was imposed on the Mayor’s Office of the city of Kecskemét for unlawful disclosure of the personal information of a whistleblower.NAIH imposed the fine after an employee of an organisation that it supervised reported a public interest complaint d link link
102 3.200 HUNGARY Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) 18/12/2018 Unknown Art. 12 (4) GDPR, Art. 15 GDPR, Art. 18 (1) c) GDPR, Art. 13 GDPR Insufficient fulfilment of data subjects rights The fine was imposed for (i) not providing a data subject with CCTV recordings, (ii) not retaining recordings for further use by the data subject, and (iii) not informing the data subject about his right to lodge a complaint to the supervisory authority. link
103 3.140 CZECH REPUBLIC Czech Data Protection Auhtority (UOOU) UniCredit Bank Czech Republic and Slovakia, a.s. Art. 6 GDPR Insufficient legal basis for data processing The bank established a personal bank account for a data subject without his consent or knowledge. The bank supposedly had his personal data available because the subject had disposed of his employer’s company account. The bank was not able to provide The link
104 3.000 SPAIN Spanish Data Protection Authority (aepd) 13/11/2019 General Confederation of Labour ('CGT') Art. 6 GDPR Insufficient legal basis for data processing The CGT, with the aim of convening a meeting, e-mailed personal data of the complainant, including her home address, family relationship, pregnancy status and the date of an ongoing verbal abuse and harassment case, to 400 union members without her consen link
105 3.000 ROMANIA Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) 05/07/2019 LEGAL COMPANY & TAX HUB SRL Art. 32 GDPR Insufficient technical and organisational measures to ensure information security The fine was imposed because adequate technical and organizational measures to ensure a level of security appropriate to the risk of processing were not implemented. This has led to unauthorized disclosure and unauthorized access to the personal data of p link
106 2.500 ROMANIA Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) 29/11/2019 Royal President S.R.L. Art. 15 GDPR, Art. 6 GDPR, Art. 32 GDPR Insufficient fulfilment of data subjects rights Royal President refused a request for access to personal data pursuant to Article 15 of the GDPR and disclosed personal data without the consent of the data subjects. In addition, Royal President has not taken appropriate technical or organisational measu link
107 2.500 ROMANIA Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) 17/10/2019 UTTIS INDUSTRIES SRL Art. 12 GDPR, Art. 13 GDPR, Art. 5 (1) c) GDPR, Art. 6 GDPR Insufficient fulfilment of information obligations The sanctions were applied to the controller because he could not prove that the data subjects were informed about the processing of personal data / images through the video surveillance system, which they have been operating since 2016. And because he ma link
108 2.500 GERMANY Data Protection Authority of Sachsen-Anhalt 05/02/2019 Private person Art. 6 GDPR, Art. 5 GDPR Insufficient legal basis for data processing The fine was impossed against a private person who sent several e-mails between July and September 2018, in which he used personal e-mail addresses visible to all recipients, from which each recipient could read countless other recipients. The man was acc link
109 2.200 AUSTRIA Austrian Data Protection Authority (dsb) 20/12/2018 Private person Art. 5 (1) a) GDPR, Art. 5 (1) c) GDPR, Art. 6 (1) GDPR, Art. 13 GDPR Insufficient legal basis for data processing The fine was imposed against a private person who was using CCTV at his home. The video surveillance covered areas which are intended for the general use of the residents of the multi-party residential complex, namely: parking lots, sidewalks, courtyard, link
110 2.000 ROMANIA Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) 22/11/2019 BNP Paribas Personal Finance S.A. Art. 12 GDPR, Art. 17 GDPR Insufficient fulfilment of data subjects rights BNP Paribas Personal Finance did not react to a request for erasure within the period set by the GDPR. link
111 2.000 BELGIUM Belgian Data Protection Authority (APD) 28/05/2019 Mayor Art. 5 (1) b) GDPR, Art. 6 GDPR Insufficient legal basis for data processing The administrative fine was imposed for the misuse of personal data by a mayor for campaign purposes. link
112 2.000 PORTUGAL Portuguese Data Protection Authority (CNPD) 25/03/2019 Unknown Art. 13 GDPR Insufficient fulfilment of information obligations Inexistence of signalization regarding the use of CCTV systems link
113 2.000 PORTUGAL Portuguese Data Protection Authority (CNPD) 19/03/2019 Unknown Art. 13 GDPR Insufficient fulfilment of information obligations Inexistence of signalization regarding the use of CCTV systems link
114 1.900 HUNGARY Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) 05/04/2019 Unknown Art. 15 GDPR Insufficient fulfilment of data subjects rights The data controller did not fulfil the data subject's access request. link
115 1.800 AUSTRIA Austrian Data Protection Authority (dsb) Kebab restaurant Unknown Insufficient legal basis for data processing CCTV was unlawfully used. No further information available. link
116 1.560 HUNGARY Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) 20/02/2019 Debt collector Art. 5 (1) a) GDPR, Art. 5 (1) c) GDPR Non-compliance with general data processing principles A data subject requested information about and erasure of the data processed, which the debt collector refused stating that it could not identify the subject. For identification purposes he requested place of birth, mother’s maiden name and further detail link link
117 1.560 HUNGARY Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) 08/02/2019 Bank Art. 5 (1) d) GDPR Non-compliance with general data processing principles A bank mistakenly sent SMS messages about a subject's credit card debt to the telephone number of another person. After receiving an incorrect telephone number from the client at the time of contracting, the bank did not comply with the data subject's req link link
118 1.500 SPAIN Spanish Data Protection Authority (aepd) 06/11/2019 Cerrajero Online Art. 13 GDPR Insufficient fulfilment of information obligations The company had collected personal data without providing accurate information about data collection in its data protection declaration pursuant to Article 13 of the GDPR. link
119 1.400 GERMANY Data Protection Authority of Baden-Wuerttemberg 09/05/2019 Police Officer Art. 6 GDPR Insufficient legal basis for data processing The police officer, using his official user ID but without reference to official duties, queried the owner data concerning the license plate of a person who he did not know well via the Central Traffic Information System (ZEVIS) of the Federal Motor Trans link
120 1.165 CZECH REPUBLIC Czech Data Protection Auhtority (UOOU) 04/02/2019 Car renting company Art. 5 (1) a) GDPR Insufficient fulfilment of information obligations A person who rented a car found out that the car was tracked via GPS by the renting company even though there was no information provided on the fact that the car is being tracked. The Czech Data Protection Authority found that there was no information pr link
121 1.165 CZECH REPUBLIC Czech Data Protection Auhtority (UOOU) 04/02/2019 Credit brokerage Art. 32 GDPR Insufficient technical and organisational measures to ensure information security Data was not processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational m link
122 980 CZECH REPUBLIC Czech Data Protection Auhtority (UOOU) Individual entrepreneur - no further details published Art. 32 GDPR Insufficient technical and organisational measures to ensure information security The operator of an online game was exposed to several DDoS attacks which caused the malfunctioning of the servers. The attacker blackmailed the operator stating that the attacks will not stop unless he pays money. As part of the blackmail, the attacker of link
123 900 SPAIN Spanish Data Protection Authority (aepd) 07/11/2019 TODOTECNICOS24H S.L. Art. 13 GDPR Insufficient fulfilment of information obligations TODOTECNICOS24H had collected personal data without providing accurate information about data collection in its data protection declaration pursuant to Article 13 of the GDPR. link
124 776 CZECH REPUBLIC Czech Data Protection Auhtority (UOOU) 26/02/2019 Unknown Art. 15 GDPR Insufficient fulfilment of data subjects rights Information was not provided. link
125 588 CZECH REPUBLIC Czech Data Protection Auhtority (UOOU) Alza.cz a.s. Art. 6 GDPR, Art. 7 GDPR Insufficient legal basis for data processing The company obtained a copy of photographic ID of the personal data subject with his consent, however did not react to his consent withdrawal and continued in processing of his personal data. link
126 582 CZECH REPUBLIC Czech Data Protection Auhtority (UOOU) 28/02/2019 Unknown Art. 32 GDPR Insufficient technical and organisational measures to ensure information security Data was not processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational m link
127 510 BULGARIA Data Protection Commision of Bulgaria (KZLD) 08/04/2019 Medical centers Art. 5 (1) a) GDPR, Art. 9 (1) GDPR, Art. 9 (2) GDPR, Art. 6 (1) GDPR Insufficient legal basis for data processing The sanction of 510 EUR was imposed on each medical center for unlawful processing of the personal data of data subject G.B. by a medical centre for the purpose of changing his GP. The medical centre used a software to generate a registration form for cha link
128 500 BULGARIA Bulgarian Commission for Personal Data Protection (KZLD) 22/02/2019 Employer Art. 15 GDPR Insufficient fulfilment of data subjects rights An employee sent a request to his employer for access to personal data concerning him. The request was not answered in time and not in a complete way. link
129 500 BULGARIA Bulgarian Commission for Personal Data Protection (KZLD) 17/01/2019 Bank Art. 6 GDPR, Art. 5 (1) a) GDPR Insufficient legal basis for data processing A bank gained personal data concernign a student wihtout a legal basis. link
130 500 BULGARIA Bulgarian Commission for Personal Data Protection (KZLD) 12/04/2018 Bank Art. 5 (1) b) GDPR, Art. 6 GDPR Insufficient legal basis for data processing A fine of 1000 BGN (or roughly 500 EUR) was imposed on a bank for calling a client for the unresolved bills of his neighbor. This provoked the client to evoke his right to be forgotten. After not receiving any answer from the bank he filed another motion, link link
131 500 GERMANY Data Protection Authority of Hamburg Unknown Unknown Unknown Unknown link
132 388 CZECH REPUBLIC Czech Data Protection Auhtority (UOOU) 10/01/2019 Employer Art. 6 GDPR Insufficient legal basis for data processing A former employee of a company requested the deletion of information relating to him/her which was published on the Facebook website of the employer and which was still available long after the termination of the employment relationship. The fine was impo link
133 388 CZECH REPUBLIC Czech Data Protection Auhtority (UOOU) 25/10/2018 Unknown Art. 15 GDPR Insufficient fulfilment of data subjects rights Information was not provided. link
134 300 AUSTRIA Austrian Data Protection Authority (dsb) 27/09/2018 Private car owner Art. 5 (1) a) GDPR, Art. 6 GDPR Insufficient legal basis for data processing A Dashcam was unlawfully used. link
135 194 CZECH REPUBLIC Czech Data Protection Auhtority (UOOU) 06/05/2019 Unknown Art. 15 GDPR Insufficient fulfilment of data subjects rights Information was not provided. link
136 118 GERMANY Data Protection Authority of Saarland Unknown Art. 6 GDPR Insufficient legal basis for data processing Illegal disclosure of personal data relating to a third party. link
137 0 GERMANY Data Protection Authority of Berlin 30/10/2019 Deutsche Wohnen SE Art. 5 GDPR Non-compliance with general data processing principles In addition to sanctioning violations of privacy by design principles (Art. 5 GDPR, Art. 25 GDPR - see separate entry), the Berlin data protection commissioner imposed further fines of between 6,000 and 17,000 euros on the company for the inadmissible sto link
138 0 AUSTRIA Austrian Data Protection Authority (dsb) Restaurant Unknown Insufficient legal basis for data processing CCTV was unlawfully used. No further information available. link
139 0 SLOVAKIA Slovak Data Protection Office Unknown Art. 15 GDPR Insufficient fulfilment of data subjects rights A Data Controller failed to comply with data subject´s request to access his/her personal data processed by audio recordings. link
140 0 SLOVAKIA Slovak Data Protection Office Unknown Art. 5 (1) f) GDPR, Art. 32 GDPR Insufficient technical and organisational measures to ensure information security Documents containing personal data were disposed of in the area of the municipal garbage dump. link
141 0 SLOVAKIA Slovak Data Protection Office Unknown Art. 5 (1) f) GDPR, Art. 32 GDPR Insufficient technical and organisational measures to ensure information security Violation of information security measures (no further information available at the moment) link
142 0 SLOVAKIA Slovak Data Protection Office Unknown Art. 5 (1) a) GDPR, Art. 6 (1) a) GDPR Insufficient legal basis for data processing Personal data have been unlawfully published on the website of a city within the framework of fulfilling its disclosure obligation under the Freedom of Information Act. However, the Data Protection Authority stated that the City had published the personal link

Nine months after the entry into application of the GDPR, the members of the EDPB are of the opinion that the GDPR cooperation and consistency mechanisms work quite well in practice. The national supervisory authorities make daily efforts to facilitate this cooperation, which involves numerous exchanges (written and oral) between them.
These cooperation duties lead to extra workloads and additional time spent dealing with cases, and have an impact on the budgets of the regulators. The handling of cross-border cases takes time, owing to the cooperation, to the need to carry out thorough investigations and to compliance with national procedural rules. The national SAs have to tackle these challenges regarding the harmonised protection and enforcement of the GDPR.
Until now, there are 6 final One-Stop-Shop cases.
The experience of the EDPB regarding consistency is – up to now – limited, as no dispute resolution through this new EU body was necessary during the reported period.
I. Cooperation mechanism among SAs and the consistency mechanism of the EDPB
Cooperation mechanism
The GDPR requires close cooperation between the SAs of the EEA (EU-28 + Iceland, Norway and Liechtenstein) in cases with a cross-border component and supports this with the following tools:
- mutual assistance,
- joint operations,
- the One-Stop-Shop cooperation mechanism, which introduces the obligatory intervention of a Lead Supervisory Authority for cross-border cases.
The cooperation on cross-border cases (i.e. on the basis of complaints from individuals) is conducted by the national supervisory authorities. The EDPB does not deal with those cases unless a dispute arises between the authorities or in the case of urgency.
Consistency mechanism
One of the main tasks of the EDPB is to ensure the consistent application of the GDPR.
One way to ensure consistency is to provide general guidance on the interpretation of the GDPR, which contributes to a common understanding and application of the provisions by the stakeholders, the supervisory authorities and the public in general. Since 25 May 2018, the EDPB has endorsed 16 guidelines prepared by the Article 29 Working Party (predecessor of the EDPB) and has adopted 5 additional guidelines.
Another way is to adopt consistency opinions and decisions. These decisions mainly address the national supervisory authorities and ensure a consistent application and enforcement of the GDPR.
Standardised communication:
To support the cooperation and consistency mechanisms among the EDPB members, DG GROW of the EU Commission, together with the EDPB Secretariat and the EDPB members, has customised an already existing IT system – the Internal Market Information system (IMI). This system was operational on the first day of the entry into application of the GDPR. It provides a structured and confidential way to share information among the SAs.
The feedback of the national regulators on this system is very positive. A dedicated expert subgroup has been created to ensure the continuous enhancement of the system on the basis of the feedback collected via a dedicated IT Helpdesk support provided to the EDPB members by the EDPB Secretariat.
Before a case is created in the case register of the system, the competent authorities have to be identified. This register is the central database from which different procedures can be started, such as mutual assistance, joint operations and the One-Stop-Shop mechanism.
The scheme in the appendix provides an overview of the functioning of the system.

1. Cooperation Mechanism
a. Preliminary procedure to identify the lead and concerned supervisory authorities
Before starting a One-Stop-Shop procedure for cross-border cases, it is necessary to identify the authority that will lead the cooperation (Lead SA) and the other concerned supervisory authorities (Concerned SAs). The Lead SA will have to lead the cooperation procedure and draft the decision, and the Concerned SAs will have the opportunity to raise objections.
The Lead SA is the authority within the EEA where the organisation subject to the investigation has its main establishment. The main establishment is identified as the central administration of the investigated company/organisation in the EU.
The EDPB created workflows in the IMI system to enable the SAs to identify their respective roles. The main purpose of this procedure is to define the roles at an early stage and to avoid objections on the question of competence at a later stage of the procedure.
In case of conflicting views regarding which authority should act as Lead SA, the EDPB has the role of a dispute resolution body and issues a binding decision.
Since 25 May 2018, 642 procedures have been initiated to identify the Lead SA and the Concerned SAs in cross-border cases. Out of the 642 procedures, 306 are closed and the Lead SA identified.
Up to now, no dispute has arisen on the selection of the Lead SA.
24 EEA countries have already initiated procedures and 26 SAs were proposed to act as Lead SA.
b. Database regarding cases with a cross-border component
These cases are registered in a central database from which different procedures can be initiated, such as mutual assistance, joint operations and the One-Stop-Shop mechanism.
Since 25 May 2018, 30 different EEA SAs have registered a total of 281 cases with a cross-border component in the IMI system.
The larger part of the opened cases derived from complaints by individuals (194 cases). The rest of the cases (87) have other origins.
The three main topics of the cases relate to the exercise of data subjects' rights, to consumer rights and to data breaches.
c. One-Stop-Shop Mechanism
The GDPR provides a specific cooperation procedure (One-Stop-Shop) for cross-border cases. A cross-border case arises where the controller or the processor has an establishment in more than one Member State, or where the data processing activity substantially affects individuals in more than one Member State.
The One-Stop-Shop mechanism implies cooperation between the Lead SA and the Concerned SAs. The Lead SA leads the cooperation procedure and plays a key role in the process of reaching consensus between the Concerned SAs and a coordinated decision with regard to a data controller or processor.
The Lead SA first has to investigate the case while observing its national procedural rules (e.g. providing the right to be heard to the affected persons). During this investigation phase, it can gather information from another supervisory authority via mutual assistance or conduct a joint investigation, where foreseen in the respective national law.
The IMI system also offers the Lead SA the opportunity to launch – if necessary – an informal communication with all the Concerned SAs to collect information to prepare its draft decision.
Once the Lead SA has completed the investigation, it prepares a draft decision and communicates it to the Concerned SAs. These can object to the draft decision, which either leads to a revised draft decision or triggers the dispute resolution mechanism of the Board.
If a dispute arises on the draft decision and no consensus is found, the consistency mechanism is triggered and the case is referred to the EDPB. The EDPB then acts as a dispute resolution body and issues a binding decision on the case. The Lead SA will have to adopt its final decision on the basis of the decision of the EDPB.
If the Concerned SAs do not object to the initial draft decision or the revised one, they are deemed to be in agreement with the draft decision, and the Lead SA can adopt its final decision.
The IMI system offers different procedures to handle the One-Stop-Shop cases:
- informal consultation procedures,
- draft decisions or revised decisions submitted by the Lead SA to the Concerned SAs,
- final One-Stop-Shop decisions submitted to the Concerned SAs and to the EDPB.
Since 25 May 2018, 45 One-Stop-Shop procedures have been initiated by SAs from 14 different EEA countries. The 45 procedures are at different stages: 23 are at the informal consultation level, 16 are at the draft decision level and 6 are final decisions.
These first final One-Stop-Shop decisions relate to the exercise of the rights of individuals (such as the right to erasure), the appropriate legal basis for data processing and data breach notifications.
The limited number of One-Stop-Shop procedures can be explained by the fact that the circulation of the draft decision is the result of investigations conducted by the Lead SA in accordance with national administrative procedural laws. The number of One-Stop-Shop procedures is increasing steadily.
    d. Mutual assistance
    The mutual assistance procedure allows each SA to request information from other SAs and
    also to request any other measures needed for effective cooperation (such as prior
    authorisations, investigations, etc.).
    Mutual assistance can be used in cross-border cases subject to the One-Stop-Shop
    procedure (as part of the preliminary phase, to gather the elements necessary before drafting a
    decision), and also in national cases with a cross-border component.
    The IMI system enables the use of informal mutual assistance, without any legal deadline, or
    of formal mutual assistance, where the requested SA has a legal deadline of one month
    to reply to the request.
    Since 25 May 2018, 444 mutual assistance requests (formal and informal) have been
    triggered by SAs from 18 different EEA countries.
    In 353 of the 444 mutual assistance requests, the answers were sent within 23
    days. The remaining 91 requests are ongoing and have not yet been answered by the requested SA.
    e. Joint operations
    The GDPR allows the SAs of different Member States to carry out joint investigations and joint
    enforcement measures. Joint operations can be used in cross-border cases subject to the
    One-Stop-Shop procedure (as part of the preliminary phase, to gather the elements necessary
    before drafting a decision), and also in national cases with a cross-border component.
    From 25 May 2018 to 31 January 2019, no joint operations were initiated.
    f. Assessment of the cooperation mechanism and suggestions for improvement by the
    SAs
    In comparison with Directive 95/46/EC, under which SAs worked separately even on
    cross-border cases, the GDPR imposes a duty on the SAs to cooperate in order to ensure a
    consistent application of the GDPR.
    The national regulators have adapted to this new situation. One of the advantages of the GDPR is
    that it leaves the SAs some margin of manoeuvre to address these challenges.
    However, the GDPR has been in application for only 9 months and there is still work to be
    done at EDPB level to further streamline the procedure and make the system even more
    efficient. The resources allocated to the authorities (including the possibility of
    recruiting staff who also speak English) affect the overall efficiency of the system.
  5. Consistency Mechanism
    a. Consistency opinion
    For some types of decisions, a national SA has to obtain an opinion of the EDPB before
    it is entitled to adopt its decision. This applies for instance to the approval of cross-border
    codes of conduct, the adoption of standard contractual clauses, or the adoption of
    national lists describing the types of processing that must be subject to a Data Protection
    Impact Assessment.
    The purpose of the consistency opinion issued by the EDPB is to guarantee the consistent
    application of the GDPR in cases where a competent SA wants to adopt such specific
    measures.
    Each national SA, the Chair of the EDPB or the Commission can ask the EDPB to issue a
    consistency opinion on any matter of general application or producing effects in more than
    one Member State.
    Since 25 May 2018, 28 opinions on the national lists of processing subject to a Data Protection
    Impact Assessment and 1 opinion on a draft administrative arrangement for the transfer of
    personal data between financial supervisory authorities (in the EEA and outside the EEA)
    have been adopted by the EDPB. Currently there are 3 ongoing procedures, which relate
    to binding corporate rules, to a draft standard contract between controllers and processors,
    and to the interplay between the GDPR and the ePrivacy Directive, in particular as regards the
    competence of the national data protection supervisory authorities.
    b. Dispute resolution
    The EDPB intervenes as dispute resolution body and adopts binding decisions, in order to
    ensure the consistent application of the GDPR, in the following cases:
    - a dispute takes place within the One-Stop-Shop mechanism (a Concerned SA raises a
    relevant and reasoned objection which is not followed by the Lead SA);
    - a disagreement takes place on the determination of the Lead SA;
    - an SA does not request, or does not follow, a consistency opinion of the EDPB.
    From 25 May 2018 to 18 February 2019, no dispute resolution procedures were initiated. This means
    that up to now the SAs have been able to reach consensus in all current cases, which is a good sign
    in terms of cooperation.
    c. Assessment of the consistency mechanism and suggestion for improvement by the
    SAs
    The following analysis reflects the views and impressions of the authorities in the context of
    this report.
    Up to now, the EDPB did not have to act as a dispute resolution body, also due to the fact that
    the number of decisions resulting from the One-Stop-Shop cases is still relatively small.
    Since the EDPB has so far focused mainly on the preparation of consistency opinions on
    national DPIA lists (the national lists of processing subject to a Data Protection Impact
    Assessment), most authorities emphasised that the experience of the EDPB with the
    consistency mechanism in other areas is still limited. However, it is planned that in the coming
    months other types of national measures, such as BCRs, codes of conduct, standard contracts
    and issues related to certification, will be submitted to the EDPB and thus trigger the
    consistency mechanism in other fields.
    It was indicated that, already on the basis of the first experiences, the consistency mechanism
    was found to require many resources, to be time-consuming and to require the authorities to
    act swiftly within the given timeframe. In this context, a possible need to extend the deadlines
    was raised.
    II. Means and powers of the national supervisory authorities
  6. Budget and human resources
    Under the new legal framework, SAs wear two hats. They not only exercise their enhanced
    enforcement powers but are also required to become more engaged in cooperation, which implies the
    need for more budget and staff.
    a. Budget
    Based on information provided by SAs from 26 EEA countries and the EDPS, an increase in the
    budget for 2018 and 2019 was observed in most cases, while a decrease was observed in two cases
    and no change in three cases. According to information provided by the respective SAs, the
    latter can be explained by budget plans covering this two-year period.
    Although the majority of the 17 replying SAs stated that they would need a budget increase of
    30-50%, almost none of them received the requested amount. In some extreme cases the stated
    need is close to, or even, 100%.
    b. Human resources
    Based on information provided by SAs from 26 EEA countries and the EDPS, the majority of
    SAs have experienced an increase in the number of staff, while for 8 SAs the human resources
    did not change. For one SA there was even a decrease in personnel.
    Given the different scope of competences of the SAs (GDPR, ePrivacy, freedom of
    information), the requirements for additional personnel also vary.
  7. Implementation and enforcement of the GDPR at national level
    The total number of cases reported by SAs from 31 EEA countries is 206.326. Three different
    types of cases can be distinguished, namely cases based on complaints, cases based on
    data breach notifications and other types of cases. The majority of the cases relate to
    complaints, namely 94.622, while 64.684 were initiated on the basis of a data breach
    notification by the controller.
    52 % of these cases have already been closed and 1 % of these cases have been challenged before
    a national court.
    Corrective powers:
    Regarding corrective powers, the SAs have different measures at their disposal:
    - to issue warnings to a controller or processor that intended processing operations are
    likely to infringe the GDPR,
    - to issue reprimands to a controller or processor where processing operations have
    infringed the GDPR,
    - to order the controller or processor to comply with the data subject's requests or
    to bring processing operations into compliance with the GDPR,
    - to impose administrative limitations, bans and fines.
    SAs from 11 EEA countries have already imposed administrative fines under Article 58(2)(i)
    GDPR. The total amount of the fines imposed is 55.955.871 EUR.
    III. Conclusion
    Nine months after the entry into application of the GDPR, the members of the EDPB are of
    the opinion that the GDPR works quite well in practice, making use of the new cooperation
    procedures, including numerous daily exchanges. The One-Stop-Shop cases that have already
    led to an outcome tested some of the core principles of the GDPR and were resolved
    smoothly. So far, not a single cross-border case has been escalated to the EDPB level.
    Despite the increase in the number of cases in recent months, the SAs reported that the
    workload is manageable for the moment, in large part thanks to the thorough preparation
    during the past two years by the SAs, the Article 29 Working Party and the Board.