On 18 September 2025, the French Data Protection Authority (CNIL) issued Deliberation SAN-2025-008, imposing a €100,000 fine on Samaritaine SAS for clandestinely installing surveillance cameras in employee areas. In August 2023, in response to a rise in stockroom thefts, the company installed five hidden cameras disguised as smoke detectors. The devices also recorded audio. Within […]
fine
You Have Been Called Out: The ICO’s Warning Against Unlawful Marketing
Recently, the UK’s Information Commissioner’s Office (ICO) has imposed significant fines totaling in £550,000 against two companies relying on unlawful automated marketing calls, or “robo calls” (read here). Green Spark Energy Ltd was fined £250,000 for making 9.5 million unsolicited automated calls, while Home Improvement Marketing Ltd faced a £300,000 penalty for making 2.4 million […]
Cookies are not always sweet in France
In the last three years, very high fines have been issued by the French data protection authority (Commission Nationale de l’Informatique et des Libertés or CNIL) to big companies for non-compliance in the area of cookies and tracking devices. Some examples are: the 35 million euros sanction imposed by the CNIL against Amazon in 2020 […]
GDPR and Biometric Data: The Lessons from Atlético Osasuna’s Fine
Spanish football club Atlético Osasuna introduced a facial recognition system for stadium access, sparking a GDPR complaint. The case highlights the challenges of biometric data processing, questioning its legality under the GDPR. The issue goes beyond simple convenience, raising concerns about proportionality, necessity, and fundamental privacy rights. Similar concerns arise when businesses upgrade traditional CCTV […]
LinkedIn hit with Fine of 310 Million Euros
LinkedIn Ireland has been fined 310 million euros by the Irish Data Protection Commission (DPC) for breaching several key provisions of the GDPR. The DPC issued this fine following a two-year investigation, which began in 2021. In particular, the investigation focused on LinkedIn’s processing of personal data for the purposes of behavioural analytics and targeted […]
GDPR Breach due to Health Data Leak results in 80,000 euro fine for Private Clinic
A private clinic specializing in assisted reproductive technology (ART), experienced a significant data breach due to a cyberattack. The breach compromised the personal data of approximately 400 individuals, including patients and employees. The affected data included identity, contact information, financial details, and sensitive health and genetic information. Even though the breach was detected on 21 […]
WhatsApp switches its legal basis to „Legitimate Interest“ due to severe sanctions
It is by far not the first time that Meta and its platforms had to face scrutiny in terms of their privacy policy. This time around, the Irish Data Protection Commission (DPC) sanctioned WhatsApp with a fine of 5.5 million Euros due to the lack of a legitimate legal basis for processing personal data in […]
Insurance company receives significant fine from Swedish SA
Another significant fine for the lack of adequate security measures on personal data was recently issued by a European Supervisory Authority (SA) to a controller responsible for private customers´ data. In the present case, the Swedish Supervisory Authority (IMY) imposed a fine of SEK 35 million (approx. EUR 2.9 million) to the insurance company Trygg-Hansa, […]
Clearview AI fined again, this time in France
The French Data Protection Authority, Commission Nationale de L’Informatique et des Libertés (CNIL), has issued a fine of €20 million against Clearview AI (hereafter Clearview), a company that now claims to have more than 30 billion images used for facial recognition. Clearview collects photos from all sorts of directly accessible websites, social media platforms and […]
Over €500.000 fine for a German e-Commerce company having appointed a DPO with a conflict of interest
The fine has been issued by the Berlin Supervisory Authority (Berliner Beauftragte für Datenschutz und Informationsfreiheit – BlnBDI) on the 20th of September to an e-Commerce company following to the identification of a conflict of interest among the roles of the appointed Data Protection Officer (DPO), as mentioned in the authority’s press release. The DPO […]
Amazon Road Transport Spain Fined 2 Million EUR by Spanish Regulator for Requesting Certificates of Good Conduct from Drivers
The Spanish data protection supervisory authority, Agencia Española de Protección de Datos (AEPD), has issued a fined of 2 million EUR against Amazon Road Transport Spain, S. L., a logistics company that manages deliveries for US-based online-merchant Amazon (see here). Backgound, or: How to Become a Delivery Driver Amazon Road Transport works with formally self-employed […]
Italian Data Protection Authority Fines Bologna Airport in Connection with Whistleblowing Application
In an injunction of July 10, 2021, published the following month, the Italian data protection authority (Garante per la protezione dei dati personali) has fined the Airport of Bologna € 40,000 for not having implemented adequate technical and organizational measures for a whistleblowing application. Further, the authority held that for that application, a data protection […]
Common trend in the health-industry?
Fine of 440.000 EUR imposed by Autoriteitspersoonsgegevens on Dutch Hospital. Back in the lovely Spring of 2019, the Autoriteitspersoongegevens (‘AP’) started investigations against the Onze Lieve Vrouwen Gasthuis (‘OLVG’). The OLVG is an educational hospital that has two locations in Amsterdam and holds more than 550.000 patients on an annual basis. After the AP got […]
Hellenic DPA Fines PWC for Unlawful Processing of Employee Data
The Hellenic Data Protection Authority has fined PriceWaterhouseCoopers Business Solutions SA 150,000.00 € for unlawful processing of employee data, after the Authority had conducted an ex officio investigation in response to a complaint. The Authority also ordered a series of corrective measures and gave PWC three months’ time for their implementation. Reportedly, the company had […]