In May 2024, another multi-million euro fine was imposed for serious data protection violations, this time against a company whose business is protecting its customers online.
1. Avast Software and Avast Limited: 13.9 million euros (Czech Republic)
The Czech data protection authority has imposed a fine of EUR 13.9 million (CZK 351 million) on Avast Software, based in Prague (Czech Republic), and Avast Limited. The final decision of the competent supervisory authority was issued on April 10, 2024 and published on May 2, 2024.
An anonymous tip-off and media reports at the end of 2019 triggered the investigation.
The Czech supervisory authority found that the company had transferred personal data of users of its antivirus software and browser extensions to its sister company without a lawful basis. The transfer concerned around 100 million users and included, in particular, pseudonymized internet browsing histories linked to a unique identifier per user. The supervisory authority also found that the controller had misinformed its users (the data subjects) about these transfers by claiming that the data was anonymized and used solely for statistical trend analysis. The lead supervisory authority (LSA) concluded that browsing histories, even incomplete ones, can constitute personal data, since at least some of the data subjects can be re-identified from them. The misconduct weighs all the more heavily because the company is one of the leading cybersecurity vendors and provides the public with tools to protect data and privacy.
Source: The President of the Office for Personal Data Protection
2. Verkkokauppa.com: 856,000 euros (Finland)
Following a complaint, the Finnish supervisory authority has investigated the activities of online retailer Verkkokauppa.com. The company required its customers to register before online purchases could be made. Purchases in the online store were not possible without creating a customer account.
The investigation revealed that customer account data was stored indefinitely and that customers were given no indication of how long the collected data would be retained.
Furthermore, requiring customers to create an account before they can buy violates data protection law: creating a customer account, and the storage of personal data that results from it, may not be made a prerequisite for concluding an individual online purchase.
In a decision dated March 6, 2024, the Finnish supervisory authority imposed a fine of EUR 856,000 on Verkkokauppa.com for failing to set a retention period for customer account data. The company was also ordered to stop requiring registration for online purchases. The decision was published on May 8, 2024.
3. Greek Ministry of the Interior: 400,000 euros (Greece)
The Greek data protection authority found in an investigation that MEP Anna-Michelle Asimakopoulou had sent political emails to Greek voters abroad without their consent. The email addresses came from a register kept by the Ministry of the Interior for the 2023 elections. There were 236 complaints that Asimakopoulou had sent unsolicited political messages, and a further 66 complaints against the Ministry of the Interior for passing on the addresses.
The supervisory authority's investigation revealed that Asimakopoulou had used a list of 25,538 email addresses, 23,392 of which matched entries in the Ministry of the Interior's register. The addresses were not properly secured and were processed without adequate safeguards.
The Greek data protection authority therefore issued a fine of 400,000 euros against the Ministry of the Interior on May 27, 2024 and recommended measures to improve data security. The supervisory authority also called on the Ministry of the Interior to ensure compliance with data protection regulations.
A fine of 40,000 euros was issued against the MEP Anna-Michelle Asimakopoulou.
Source: Notice of fine
4. 4Finance Spain Financial Services, S.A.U.: 360,000 euros (Spain)
The Spanish Data Protection Agency (AEPD) initiated sanction proceedings against 4Finance Spain Financial Services after the company reported a security breach on February 17, 2023.
The investigation revealed that attackers had used stolen credentials to access customer accounts and submit fraudulent credit applications. Access was gained through brute force attacks (many password guesses against individual accounts) and credential stuffing (replaying username/password pairs leaked elsewhere against many accounts). A total of 9,497 customers were affected, whose personal and financial data was exposed by the unauthorized access.
Furthermore, it emerged that the company had not immediately reported the data breach to the AEPD or the data subjects, although this would have been required under Articles 33 and 34 of the General Data Protection Regulation (GDPR). The company only informed the affected customers about the incident on April 11, 2023, following an order from the AEPD.
Following the incident, 4Finance Spain Financial Services introduced additional security measures, including two-factor authentication (2FA), to prevent future attacks.
The original fine of EUR 600,000 was reduced to EUR 360,000 by decision dated April 8, 2024 after the company acknowledged its responsibility. The decision was published on May 8, 2024.
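The two attack patterns named in the decision leave different footprints in an authentication log, and that difference is what a detection rule has to key on: brute force hammers one account with many passwords, while credential stuffing tries each leaked username/password pair only once or twice across many accounts, which slips under per-account lockout. The following is an added example, not code from 4Finance or from the AEPD decision. The log format, IP addresses, usernames and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (not real 4Finance traffic). One attempt per line:
#   <ISO timestamp> ip=<addr> user=<name> result=<ok|fail>
SAMPLE_LOG = """\
2023-02-17T01:00:01 ip=203.0.113.5 user=alice result=fail
2023-02-17T01:00:02 ip=203.0.113.5 user=bob result=fail
2023-02-17T01:00:03 ip=203.0.113.5 user=carol result=ok
2023-02-17T01:00:04 ip=203.0.113.5 user=dave result=fail
2023-02-17T01:00:05 ip=203.0.113.5 user=erin result=fail
2023-02-17T01:00:06 ip=203.0.113.5 user=frank result=fail
2023-02-17T01:00:07 ip=203.0.113.5 user=grace result=ok
2023-02-17T01:00:08 ip=203.0.113.5 user=heidi result=fail
2023-02-17T01:00:09 ip=203.0.113.5 user=ivan result=fail
2023-02-17T01:00:10 ip=203.0.113.5 user=judy result=fail
2023-02-17T02:00:01 ip=198.51.100.9 user=mallory result=fail
2023-02-17T02:00:02 ip=198.51.100.9 user=mallory result=fail
2023-02-17T02:00:03 ip=198.51.100.9 user=mallory result=fail
2023-02-17T02:00:04 ip=198.51.100.9 user=mallory result=fail
2023-02-17T02:00:05 ip=198.51.100.9 user=mallory result=fail
2023-02-17T02:00:06 ip=198.51.100.9 user=mallory result=fail
2023-02-17T02:00:07 ip=198.51.100.9 user=mallory result=fail
2023-02-17T02:00:08 ip=198.51.100.9 user=mallory result=ok
2023-02-17T03:00:00 ip=192.0.2.20 user=alice result=fail
2023-02-17T03:00:05 ip=192.0.2.20 user=alice result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Thresholds are assumptions picked for the constructed sample, not values
# taken from the AEPD decision; tune them against real traffic.
WINDOW_SECONDS = 600          # group each source IP's attempts into 10-minute windows
MIN_ATTEMPTS = 6              # ignore windows with fewer attempts than this
STUFFING_MIN_USERS = 5        # stuffing: many distinct accounts ...
STUFFING_MAX_PER_USER = 2     # ... each tried only once or twice (evades per-account lockout)
BRUTE_MIN_FAILS_ONE_USER = 5  # brute force: many failures against a single account


def parse_line(line):
    """Parse one log line into a dict (with an 'epoch' field), or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    ts = datetime.fromisoformat(rec["ts"]).replace(tzinfo=timezone.utc)
    rec["epoch"] = int(ts.timestamp())
    return rec


def detect(log_text):
    """Return one finding per (source IP, time window) that matches either attack pattern."""
    windows = defaultdict(list)  # (ip, window index) -> records in that window
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            windows[(rec["ip"], rec["epoch"] // WINDOW_SECONDS)].append(rec)

    findings = []
    for (ip, _), recs in sorted(windows.items()):
        if len(recs) < MIN_ATTEMPTS:
            continue  # a user mistyping a password once is not an attack
        attempts_per_user = defaultdict(int)
        fails_per_user = defaultdict(int)
        for r in recs:
            attempts_per_user[r["user"]] += 1
            if r["result"] == "fail":
                fails_per_user[r["user"]] += 1
        total_fails = sum(fails_per_user.values())

        kind = None
        if max(fails_per_user.values(), default=0) >= BRUTE_MIN_FAILS_ONE_USER:
            kind = "brute_force"
        elif (len(attempts_per_user) >= STUFFING_MIN_USERS
              and max(attempts_per_user.values()) <= STUFFING_MAX_PER_USER
              and total_fails / len(recs) >= 0.5):
            kind = "credential_stuffing"

        if kind:
            # Any success inside an attack window is a candidate account takeover
            # and is exactly the login a second factor would have blocked.
            findings.append({
                "ip": ip,
                "kind": kind,
                "attempts": len(recs),
                "distinct_users": len(attempts_per_user),
                "failures": total_fails,
                "possible_takeovers": sorted({r["user"] for r in recs if r["result"] == "ok"}),
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```

On the sample, 203.0.113.5 is flagged as credential stuffing (ten accounts, at most one try each, two successes), 198.51.100.9 as brute force (seven failures against one account, then a success), and the lone user at 192.0.2.20 who mistyped once is ignored. The point of the per-source aggregation is that a per-account lockout counter never fires on the stuffing pattern, which is why the successes in that window are the ones worth reviewing and why a second factor on login closes the gap that password-only authentication leaves open.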
Source: Notice of fine from the AEPD
5. Vodafone España: 200,000 euros (Spain)
Following a customer's complaint, the Spanish Data Protection Authority (AEPD) initiated sanction proceedings against Vodafone España, S.A.U. The customer had received a text message on January 14, 2022 announcing a change of contract holder that he had not consented to. Vodafone confirmed that the change had been made fraudulently in a store in Rubí (Barcelona).
Vodafone stated that the fraud was committed by a third party who had obtained the customer's personal data and used it to conclude several fraudulent contracts. Following an investigation, Vodafone found that the fraud was made possible by forged identity documents and insufficient identity checks in several stores in Barcelona and Valencia.
Vodafone took action to terminate the fraudulent contracts, reimbursed the customer for the costs incurred and added the customer to the internal list of fraud victims to prevent future incidents.
However, the AEPD found that Vodafone had not taken sufficient measures to prevent such fraud. Furthermore, the security measures were inadequate to properly verify the identity of customers when signing a contract.
The AEPD recommended a revision of Vodafone's security protocols and imposed a fine of EUR 200,000 for breach of Article 6(1) of the GDPR. According to the supervisory authority, Vodafone failed to ensure the lawfulness of the processing of personal data.
Source: Notice of fine from the AEPD