The five highest fines in July 2024

GDPR fines in the month of July.

The top 5 GDPR fines list for the month of July shows that serious violations of the GDPR are prosecuted and punished throughout Europe. This is what the well-known second-hand portal Vinted had to learn: The company has to pay around 2.4 million euros because it committed serious data protection violations in the EU. The five highest GDPR fines in July at a glance:

1. Vinted, Lithuania: 2,385,276 euros

On July 2, 2024, the Lithuanian data protection supervisory authority, the State Data Protection Inspectorate (SDPI), imposed a fine in the amount of EUR 2,385,276 against Vinted, UAB, the operator of the online trading platform for second-hand clothing "Vinted". The fine was imposed following complaints from the French and Polish supervisory authorities.

The fine was imposed because of Vinted's handling of requests for the deletion of personal data and for access to such data. The requests were rejected on the grounds that the applicants had not provided a specific reason in accordance with Article 17 of the General Data Protection Regulation.
In addition, Vinted unlawfully used "shadow blocking", in which users' data was processed without their knowledge, in violation of the principles of fairness and transparency. In addition, insufficient technical and organizational measures were taken to ensure accountability and to demonstrate that requests to exercise data subjects' rights were adequately responded to.

The breaches were of a cross-border nature and affected a large number of people over a longer period of time. The decision was therefore taken in a closed meeting with representatives of the SDPI and the company and coordinated with the data protection authorities of other EU Member States.

Source: Press release State Data Protection Inspectorate

2. AS Watson Health & Beauty Continental Europe, Netherlands: 600,000 euros

The Dutch data protection authority Autoriteit Persoonsgegevens (AP) has filed a complaint against the company behind the drugstore chain Kruidvat. A fine was imposed in the amount of 600,000 euros.

The reason for this is that the company tracked visitors to the Kruidvat.nl website using tracking cookies without their knowledge or consent. In this way, Kruidvat collected sensitive personal data of millions of website visitors without their consent.

The company also created personal profiles of visitors by collecting data such as location, pages visited, products added and purchased, and recommendations clicked on. The data collected included sensitive information such as pregnancy tests, contraceptives and medications, which allowed for a detailed and invasive profile of visitors.

In addition, the cookie banner on Kruidvat.nl contained consent boxes ticked by default, which is not permitted. Visitors to the website had to go through several steps to reject the cookies.

Source: Notice of fine Autoriteit Persoonsgegevens 

3. GSMA Limited, Spain: 600,000 euros

The Spanish data protection authority, Agencia española protección datos (AEPD), investigated, on the basis of a complaint from a private individual, the actions of GSMA Limited, the organizer of the Mobile World Congress 2022 (MWC 2022).

MWC 2022 employees had to upload their COVID-19 vaccination card or equivalent health information to an online portal to gain access to the site. The GSMA explained that the collection of health data was necessary to ensure the safety of the event and prevent the spread of COVID-19. They stated that the data would be managed by Quironprevención, a medical service provider, and would be deleted after the end of the event.

The AEPD's investigation revealed that the GSMA had not sufficiently informed the data subjects about the data processing. Furthermore, the GSMA did not have a sufficient legal basis for processing the health data.

The fine is made up as follows: 100,000 euros for the infringement of Article 14 GDPR, 300,000 euros for violation of Art. 9 para. 2 GDPR, and 200,000 euros for breach of Art. 6 para. 1 GDPR.

Source: Notice of fine Agencia española protección datos

4. Telefónica Móviles España (TME), Spain: 200,000 euros

On March 21, 2023, one person submitted a complaint to the Spanish data protection authority Agencia española protección datos (AEPD). The complainant stated that his Movistar SIM card suddenly stopped working on January 7, 2023. After visiting a Movistar store on January 9, he received a new SIM card and later discovered that six unauthorized bank transactions had been made between January 7 and 9. TME informed the complainant on January 17 that on January 7 a duplicate SIM card had been issued to a third person.

During the DPA's investigation, TME explained that the usual procedure for issuing a duplicate SIM card involves double identity verification (visually and through documents) to ensure that only authorized persons receive the card. However, TME could not provide any documents confirming the identity verification of the third person on January 7.

The AEPD found that TME violated Article 6(1) of the General Data Protection Regulation (GDPR) by issuing the SIM card to an unauthorized third party without sufficient identity verification. This is not precluded by the fact that the incident was caused by fraudulent actions by a third party. A fine of 200,000 euros will be imposed on TME.

Source: Notice of fine Agencia española protección datos

5. Vodafone España, Spain: 200,000 euros

A private individual repeatedly received unauthorized advertising calls from Vodafone numbers, although her number is listed on the Robinson list for the prevention of advertising calls.

Vodafone explained that the calls did not originate from its authorized partners and that the telephone numbers in question were operated by third parties. In addition, Vodafone informed the Spanish Data Protection Agency (AEPD) that it had stopped working with partners who had repeatedly violated data protection regulations and had taken measures to better identify the numbers.

During the investigation, however, the AEPD found that Vodafone had violated Article 58(1) of the General Data Protection Regulation (GDPR) by not providing the information required to investigate the calls. The company was fined EUR 200,000 for insufficient cooperation and failure to provide the necessary information in the context of a data protection investigation.

Source: Notice of fine Agencia española protección datos
