Search Privacy Fines
Browse and filter privacy enforcement fines worldwide.
2,028 fines found
Total: $8.1B
| Date | Company | Fine | Regulation | Authority | Country | Type | Summary |
|---|---|---|---|---|---|---|---|
| 2023-06-13 | Spotify | €5.0M | GDPR | Sweden IMY | Sweden | consent | Failed to properly fulfill data access requests under right of access. Articles: Art. 15 |
| 2020-03-11 | | €5.0M | GDPR | Data Protection Authority of Sweden | Sweden | Failure to comply with data processing principles | Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 17 GDPR |
| 2020-12-11 | Banco Bilbao Vizcaya Argentaria, S.A. | €5.0M | GDPR | Spanish Data Protection Authority (AEPD) | Spain | Failure to comply with data processing principles | Articles: Art. 6 GDPR, Art. 13 GDPR |
| 2025-01-01 | Replika (Luka Inc.) | €5.0M | GDPR | Italy Garante | Italy | other | AI chatbot GDPR violations |
| 2025-03-01 | Replika (Luka Inc.) | €5.0M | GDPR | Italy Garante | Italy | consent | AI chatbot GDPR violations. Articles: Art. 5, Art. 6 |
| 2023-06-13 | Spotify | €5.0M | GDPR | Sweden IMY | Sweden | consent | Failed to properly fulfill data access requests. Articles: Art. 15 |
| -- | Edison Energia S.p.A. | €4.9M | GDPR | Italian Data Protection Authority (Garante) | Italy | Failure to comply with data processing principles | Articles: Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 12 (1), (2), (3) GDPR, Art. 21 (2) GDPR, Art. 24 (1), (2) GDPR, Art. 25 (1) GDPR |
| 2025-01-01 | ING Bank Śląski | €4.4M | GDPR | Poland UODO | Poland | other | Unlawful scanning of customer ID documents |
| 2022-11-02 | Portuguese National Statistical Institute | €4.3M | GDPR | Portuguese Data Protection Authority (CNPD) | Portugal | Failure to comply with data processing principles | Articles: Art. 5 (1) a) GDPR, Art. 9 (1) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 28 (1), (6), (7) GDPR, Art. 35 (1), (2), (3) b) GDPR, Art. 44 GDPR, Art. 46 (2) GDPR |
| 2025-01-01 | McDonald's Polska | €4.0M | GDPR | Poland UODO | Poland | other | Employee and customer data processing violations |
| 2022-02-01 | Vodafone Espana, S.A.U. | €3.9M | GDPR | Spanish Data Protection Authority (AEPD) | Spain | Non-compliance with lawful basis for data processing | Articles: Art. 5 (1) f) GDPR, Art. 5 (2) GDPR |
| 2022-04-07 | Dutch Tax and Customs Administration | €3.7M | GDPR | Dutch Supervisory Authority for Data Protection (AP) | Netherlands | Failure to comply with data processing principles | Articles: Art. 5 (1) a), b), d), e) GDPR, Art. 6 (1) GDPR, Art. 32 (1) GDPR, Art. 35 (2) GDPR |
| 2021-09-16 | Sky Italia S.r.l. | €3.3M | GDPR | Italian Data Protection Authority (Garante) | Italy | Non-compliance with lawful basis for data processing | Articles: Art. 5 (1), (2) GDPR, Art. 6 (1) GDPR, Art. 7 GDPR, Art. 12 (2) GDPR, Art. 14 GDPR, Art. 21 GDPR, Art. 28 GDPR, Art. 29 GDPR |
| 2022-01-27 | OTE Group | €3.2M | GDPR | Hellenic Data Protection Authority (HDPA) | Greece | Failure to implement sufficient measures to ensure information | Articles: Art. 32 GDPR |
| 2020-01-17 | Eni Gas e Luce | €3.0M | GDPR | Italian Data Protection Authority (Garante) | Italy | Non-compliance with lawful basis for data processing | The Italian Data Protection Authority (Garante) imposed two fines of €11,5 million total on Eni Gas and Luce because of the unlawful processing of personal data during an advertising campaign as well as for the activation of unsolicited contracts. This second fine of €3 million was issued for the opening of unsolicited contracts for the provision of electricity and gas. A large number of individuals have reported that they have only learned of the new contracts after they received a termination letter from their old provider. Some complaints even reported false data as well as forged signatures. Articles: Art. 5 GDPR, Art. 6 GDPR |
| 2019-12-11 | Eni Gas e Luce | €3.0M | GDPR | Italian Data Protection Authority (Garante) | Italy | Non-compliance with lawful basis for data processing | Articles: Art. 5 GDPR, Art. 6 GDPR |
| 2021-10-21 | Caixabank Payments & Consumer EFC, EP, S.A.U. | €3.0M | GDPR | Spanish Data Protection Authority (AEPD) | Spain | Failure to comply with data processing principles | Articles: Art. 6 (1) GDPR |
| 2020-12-03 | Capio St. Goran AB | €2.9M | GDPR | Data Protection Authority of Sweden | Sweden | Failure to implement sufficient measures to ensure information security | Articles: Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 32 (1) GDPR, Art. 32 (2) GDPR |
| 2021-05-13 | Iren Mercato S.p.A. | €2.9M | GDPR | Italian Data Protection Authority (Garante) | Italy | Non-compliance with lawful basis for data processing | Articles: Art. 5 (1), (2) GDPR, Art. 6 (1) GDPR, Art. 7 (1) GDPR |
| 2021-11-25 | Dutch Minister of Finance | €2.8M | GDPR | Dutch Supervisory Authority for Data Protection (AP) | Netherlands | Failure to comply with data processing principles | Articles: Art. 5 (1) a) GDPR, Art. 6 (1) e) GDPR, Art. 8 Wbp |
| 2019-08-28 | National Revenue Agency | €2.6M | GDPR | Data Protection Commission of Bulgaria (KZLD) | Bulgaria | Failure to implement sufficient measures to ensure information security | Articles: Art. 32 GDPR |
| 2019-08-28 | National Revenue Agency | €2.6M | GDPR | Data Protection Commission of Bulgaria (KZLD) | Bulgaria | Failure to implement sufficient measures to ensure information security | Because of the inappropriate handling of personal data, more than 6 million individuals had their data hacked. This informational leak was a direct cause of the company’s security laxity. Articles: Art. 32 GDPR |
| 2021-06-10 | Foodinho s.r.l. | €2.6M | GDPR | Italian Data Protection Authority (Garante) | Italy | Multiple types of violations | Articles: Art. 5 (1) a), c), e) GDPR, Art. 13 GDPR, Art. 22 (3) GDPR, Art. 25 GDPR, Art. 30 (1) a), b), c), f), g) GDPR, Art. 32 GDPR, Art. 35 GDPR, Art. 37 (7) GDPR |
| 2021-07-26 | Mercadona S.A. | €2.5M | GDPR | Spanish Data Protection Authority (AEPD) | Spain | Failure to comply with data processing principles | Articles: Art. 5 (1) c) GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 25 (1) GDPR, Art. 35 GDPR |
| 2021-07-22 | Deliveroo Italy s.r.l. | €2.5M | GDPR | Italian Data Protection Authority (Garante) | Italy | Failure to implement sufficient measures to ensure information security | Articles: Art. 5 (1) a), c), e) GDPR, Art. 13 GDPR, Art. 22 (3) GDPR, Art. 25 GDPR, Art. 30 (1) c), f), g) GDPR, Art. 32 GDPR, Art. 35 GDPR, Art. 37 (7) GDPR |