Updated on 22 Nov 2019
More than a year has passed since GDPR was implemented. What have we learned over this past year? What is happening in the privacy compliance industry?
GDPR fines list including UK, Spain, Lithuania, Poland, Denmark, Portugal, Germany.
‘2019 is the year of enforcement’: GDPR fines have begun
UK: Marriott to be fined nearly £100m over GDPR breach
“ICO imposes fine after personal data of 339 million guests was stolen by hackers” by The Guardian.
UK: ICO Announces Intention To Fine British Airways £183 Million For Infringements Of GDPR
“British Airways is “surprised and disappointed” that it could be fined £183m by the Information Commissioner’s Office (ICO) for a data breach, according to its chairman and chief executive, Alex Cruz.” by The Guardian.
Spain: La Liga, the soccer league fined €250,000
La Liga is accused of listening for piracy through its smartphone application. La Liga turned on user microphones in order to listen for sounds of the soccer game and match them to any pirated stream using geolocation. La Liga used the information to sue 600 bars for pirating soccer games.
Lithuania: MisterTango UAB fined €61,500
MisterTango accidentally exposed a website with a list of consumer payments and payment details, including personal information.
Poland: A Data Processor fined €220,000
A data processor was fined because it scraped the internet for public contacts and conducted commercial outreach to over 90,000 people, 12,000 of whom objected to the unauthorized use of their data.
Denmark: Taxa 4X35 (Taxi Company) fined 1.2M DKK
The company was found to have stored over 9M personal records that it did not need to keep.
Portugal: Hospital near Lisbon fined €400,000
Staff at the hospital used bogus accounts to access patient records.
Germany: Knuddels.de (social media and chat platform) fined €20,000
Knuddels reported a data breach, and upon investigation, the local data protection agency determined the site had been storing user passwords in plaintext without hashing.
Spain: Vueling Airline fined €30,000
The resolution highlights the lack of a cookie configuration panel or other granular management systems – browser controls are not sufficient here.
The authority issued a fine of EUR 30,000 (which is the maximum possible fine under the LSSI for violation of Art. 22.2 LSSI). This, however, was reduced to a total of EUR 18,000, as the law provides for a reduction in cases in which the fined company acknowledges its responsibility for the violation within the term provided to formulate its response (here 20%), as well as an additional reduction if the company pays the set fine before the proceedings are resolved (here 20%).