The five highest fines in July 2024

GDPR fines in the month of July.

The top 5 GDPR fines list for the month of July shows that serious breaches of the GDPR are being prosecuted and penalized across Europe. The well-known second-hand portal Vinted had to learn this: The company has to pay around 2.4 million euros because it committed serious data protection violations in the EU. The five highest GDPR fines in July at a glance:

1. Vinted, Lithuania: 2,385,276 euros

On July 2, 2024, the Lithuanian data protection supervisory authority, State Data Protection Inspectorate (SDPI), imposed a fine of EUR 2,385,276 on Vinted, UAB, the operator of the online trading platform for second-hand clothing "Vinted". The fine was imposed following complaints from the French and Polish supervisory authorities.

The fine was imposed because Vinted had not properly processed requests for the erasure of personal data and for access to this data. The requests were rejected on the grounds that the applicants had not provided a specific reason in accordance with Article 17 of the General Data Protection Regulation.

In addition, Vinted unlawfully used "shadow blocking", whereby users' data was processed without their knowledge, in violation of the principles of fairness and transparency. Furthermore, insufficient technical and organizational measures were taken to ensure accountability and to demonstrate that requests to exercise data subjects' rights were adequately responded to.

The breaches were of a cross-border nature and affected a large number of people over a longer period of time. The decision was therefore taken in a closed meeting with representatives of the SDPI and the company and coordinated with the data protection authorities of other EU Member States.

Source: Press release State Data Protection Inspectorate

2. AS Watson Health & Beauty Continental Europe, Netherlands: 600,000 euros

The Dutch data protection authority Autoriteit Persoonsgegevens (AP) has imposed a fine of 600,000 euros on the company behind the drugstore chain Kruidvat.

The reason for this is that the company tracked visitors to the Kruidvat.nl website using tracking cookies without their knowledge or consent. In this way, Kruidvat collected sensitive personal data from millions of website visitors without their consent.

The company also created personal profiles of visitors by collecting data such as location, pages visited, products added and purchased, and recommendations clicked on. The data collected included sensitive information such as pregnancy tests, contraceptives and medications, which allowed for a detailed and invasive profile of visitors.

In addition, the cookie banner on Kruidvat.nl contained consent boxes ticked by default, which is not permitted. Visitors to the website had to go through several steps to reject the cookies.

Source: Notice of fine Autoriteit Persoonsgegevens

3. GSMA Limited, Spain: 600,000 euros

The Spanish data protection authority Agencia Española de Protección de Datos (AEPD) investigated the actions of GSMA Limited, the organizer of the Mobile World Congress 2022 (MWC 2022), following a complaint from a private individual.

MWC 2022 employees had to upload their COVID-19 vaccination card or equivalent health information to an online portal to gain access to the site. The GSMA explained that the collection of health data was necessary to ensure the safety of the event and prevent the spread of COVID-19. They stated that the data would be managed by Quironprevención, a medical service provider, and would be deleted after the end of the event.

The AEPD's investigation revealed that the GSMA had not sufficiently informed the data subjects about the data processing. Furthermore, the GSMA did not have a sufficient legal basis for processing the health data.

The fine is made up as follows: 100,000 euros for the violation of Article 14 GDPR, 300,000 euros for the violation of Article 9(2) GDPR and 200,000 euros for the violation of Article 6(1) GDPR.

Source: Notice of fine Agencia Española de Protección de Datos

4. Telefónica Móviles España (TME), Spain: 200,000 euros

On March 21, 2023, a person submitted a complaint to the Spanish data protection authority Agencia Española de Protección de Datos (AEPD). The complainant stated that his Movistar SIM card suddenly stopped working on January 7, 2023. After visiting a Movistar store on January 9, he received a new SIM card and later discovered that six unauthorized bank transactions had been made between January 7 and 9. TME informed the complainant on January 17 that a duplicate SIM card had been issued to a third person on January 7.

During the DPA's investigation, TME explained that the usual procedure for issuing a duplicate SIM card includes double identity verification (visually and through documents) to ensure that only authorized persons receive the card. However, TME could not provide any documents confirming the identity verification of the third person on January 7.

The AEPD found that TME violated Article 6(1) of the General Data Protection Regulation (GDPR) by issuing the SIM card to an unauthorized third party without sufficient identity verification. The fact that the incident was caused by the fraudulent actions of a third party does not preclude this. A fine of 200,000 euros was imposed on TME.

Source: Notice of fine Agencia Española de Protección de Datos

5. Vodafone España, Spain: 200,000 euros

A private individual repeatedly received unauthorized advertising calls from Vodafone numbers, although her number was listed on the Robinson list for the prevention of advertising calls.

Vodafone explained that the calls did not originate from its authorized partners and that the telephone numbers in question were operated by third parties. In addition, Vodafone informed the Spanish Data Protection Agency (AEPD) that it had stopped working with partners who had repeatedly violated data protection regulations and had taken measures to better identify the numbers.

However, during the investigation, the AEPD found that Vodafone had breached Article 58(1) of the General Data Protection Regulation (GDPR) by failing to provide the information necessary to investigate the calls. The company was fined EUR 200,000 for insufficient cooperation and failure to provide the necessary information in the context of a data protection investigation.

Source: Notice of fine Agencia Española de Protección de Datos
