The five highest fines in June 2024

In June, the data protection authorities in Spain and Italy were particularly active and issued large fines. The highest fine was imposed on an energy company from Italy - for unauthorized advertising calls. 
Categories:

In June, the data protection authorities in Spain and Italy were particularly active and issued large fines. The highest fine was imposed on an energy company from Italy - for unauthorized advertising calls. 

1st Eni Plenitude, Italy: 6,419,631 euros

The Italian data protection authority (Garante per la protezione dei dati personali) has imposed a fine of EUR 6,419,631 on the energy company Eni Plenitude in a decision dated 6 June 2024. The reason for this fine is extensive data protection violations in the context of telemarketing activities.

The authority received numerous complaints from affected persons who complained about unwanted and repeated advertising calls. Some of those affected even reported up to 248 calls within a few months, despite being registered in the RPO (Registro Pubblico delle Opposizioni). The RPO is a register in which people can register to prevent unwanted advertising calls.

An investigation by the data protection authority revealed that within one week alone, 657 of the 747 contracts concluded resulted from unauthorized contact requests.

When determining the fine, the data protection authority took into account the seriousness of the violations and the fact that Eni Plenitude had already been sanctioned for similar violations in the past. Although the company had taken some measures to improve its data protection practices, the investigation found that these measures were inadequate. In particular, there was a lack of adequate controls and security measures to ensure the lawfulness of data processing.

Link tip: Notice of fine Garante per la protezione dei dati personali (GPDP)

2. Avanza Bank AB, Sweden: SEK 15,000,000 (EUR 1,332,681)

The Swedish Data Protection Authority (IMY) imposed a fine of 15 million kronor (around 1,332,681 euros) on Avanza Bank AB on June 24, 2024. The reason is the use of a so-called meta pixel on the bank's website and in the app, which transmitted personal data such as securities holdings and account numbers to Meta (formerly Facebook).

Between November 15, 2019 and June 2, 2021, personal data of up to one million people was transmitted to Meta due to incorrect settings. The transmission occurred when Avanza accidentally activated new functions of the Meta pixel, which is used to optimize marketing on Facebook.

The data transferred included information on securities holdings, loan amounts, account numbers and personnel numbers. According to Catharina Fernquist, Head of Department at IMY, the bank violated the General Data Protection Regulation (GDPR) by failing to take appropriate technical and organizational measures to protect the personal data of website visitors and app users.

After Avanza was informed of the incident, the bank deactivated the pixel and confirmed that Meta had deleted the collected data. In addition, Avanza has improved its internal procedures to ensure the proper and secure processing of personal data.

Link tip: Notice of fine Integritetsskyddsmyndigheten (IMY) 

3rd company unknown, Belgium: 172,341 euros

On June 3, 2024, the Belgian data protection authority (Autorité de protection des données) imposed a fine of 172,341 euros on an unnamed company.

A private individual had repeatedly received unsolicited commercial messages, although he had previously exercised his right to erasure and objection. Despite the explicit objection to the use of the data for direct marketing purposes, the company continued to send advertising messages.

The investigation by the data protection authority found that the company had not implemented suitable technical and organizational measures to ensure and demonstrate compliance with the General Data Protection Regulation.

The authority initially imposed a fine of EUR 2,000,000, which was reduced to EUR 172,431 after taking into account the company's financial situation and size. This reduction was intended to ensure that the fine was proportionate and yet dissuasive.

Link tip: Notice of fine Autorité de protection des données

4. Allianz Compañía de Seguros y Reaseguros, S.A., Spain: 120,000 euros

An Allianz customer complained to the data protection authority that his ex-partner was in possession of documents containing confidential information about his car insurance policy and a report from the Dirección General de Tráfico (DGT). This information had been extracted from Allianz's internal systems and passed on without the client's consent.

The investigation by the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD) revealed that Allianz had not taken appropriate technical and organizational measures to ensure the confidentiality of personal data. An employee was able to access sensitive data without authorization and pass it on to the customer's ex-partner.

The lack of control over access to sensitive data was considered a serious omission. The AEPD therefore imposed a fine of 160,000 euros on Allianz, which was reduced to 120,000 euros if the fine was paid on time.

Link tip: Notice of fine Agencia Española de Protección de Datos

5th Cappello Giovanni & Figli, Italy: 120,000 euros

On June 6, 2024, the Italian data protection authority (Garante per la Protezione dei Dati Personali) issued a fine of 120,000 euros against the company Cappello Giovanni & Figli s.r.l..

A former employee had complained about the unlawful processing of his personal data by the company, a car dealer. The complaint related to two systems: the Infinity DMS software and the X-Face 380 hardware, which were used to record and monitor working hours.

An investigation by the Guardia di Finanza revealed that the systems were used in the production facilities in Modica and Ragusa to record employees' working hours and attendance. This data was also used to create pay slips.

In the opinion of the data protection authority, the use of the X-Face 380 facial recognition system to record attendance was disproportionate and not covered by legal provisions. Furthermore, the employees were not sufficiently informed about the processing of their data. The privacy policy provided was inadequate and did not contain any detailed information about the purpose and duration of data storage or the rights of the data subjects.

Link tip: Notice of fine Garante per la Protezione dei Dati Personali (GPDP)

Tags:
Share this post :
en_USEnglish