After the Irish data protection authority DPC had already issued a fine of 91 million euros against Meta, it followed suit against LinkedIn in October: The Microsoft-owned company has to pay 310 million euros for serious data protection violations. The United Kingdom's Data Protection Commissioner was particularly busy in October: its data protection authority, the ICO, made it into the top 5 GDPR fines twice.
1. LinkedIn Ireland: 310 million euros
On October 22, 2024, the Irish Data Protection Commission (DPC) issued a decision against the Microsoft-owned business network LinkedIn, imposing a fine in the amount of 310 million euros. The subject of the investigation was the processing of personal data of LinkedIn users for behavioral analysis and targeted advertising.
The DPC investigation was opened on August 20, 2018 after a complaint by the French non-profit organization La Quadrature Du Net. The complaint was first filed with the French data protection authority CNIL and then forwarded to the DPC in its role as lead supervisory authority for LinkedIn.
According to the DPC's statement, the investigation concerned "the legality, fairness and transparency of the processing of personal data of users of the LinkedIn platform for the purpose of behavioral analysis and targeted advertising". The DPC found that the personal data in question was data provided directly to LinkedIn by its members (first-party data) and data collected by LinkedIn through its third-party partners in relation to its members (third-party data).
You can read more details about the record fine in our extra article: LinkedIn fined 310 million euros
2. Police Service of Northern Ireland: GBP 750,000 (approx. 890,000 euros)
The UK's Information Commissioner's Office (ICO) has fined the Police Service of Northern Ireland (PSNI) £750,000 (equivalent to around €890,000) for a major data protection breach. On August 8, 2023, personal data of around 9,500 PSNI employees, including their job numbers, departments and locations, was inadvertently published on a public website. This publication posed a major risk to the employees concerned, particularly those in secret and security-sensitive roles.
The ICO found that the PSNI had breached several articles of the UK GDPR as the authority had not taken appropriate technical and organizational measures to ensure the security of the data. The infringement was due to deficiencies in internal administration and training in the handling of sensitive data.
Despite the measures taken by the PSNI following the incident, such as establishing a threat management process and improving internal security policies, the ICO decided that a fine was appropriate to highlight the seriousness of the breach and create a deterrent for similar organizations.
Source: Notice of fine Information Commissioner's Office (published on October 3, 2024)
3. Cosmospace: 250,000 euros and Telemaque: 150,000 euros
The French data protection authority Commission Nationale de l'Informatique et des Libertés (CNIL) imposed fines on the companies Cosmospace (250,000 euros) and Telemaque (150,000 euros) for data protection violations in connection with their fortune-telling services. Several breaches were identified during an investigation in 2021:
Cosmospace systematically recorded all conversations between customers and fortune tellers, which the CNIL found to be excessive and disproportionate. The CNIL found that such comprehensive recording was not necessary and should only be limited to certain conversations for quality control purposes.
Cosmospace and Telemaque also retained customer data for an excessive period of time. Cosmospace stored data for six years for commercial use, while Telemaque did so without restricting access to the data or filtering it accordingly.
The two companies also collected sensitive data such as health information and sexual orientation of their customers without obtaining explicit consent.
Cosmospace sent advertising messages by SMS and email to people without obtaining their unambiguous consent. The CNIL found that consent was not properly obtained via the partner company Telemaque.
The amount of the fine takes into account the severity of the violations, the large number of people affected (over 1.5 million contacts) and the financial situation of the company.
4. Ibercaja Banco, S.A: 180,000 euros
The Spanish data protection authority Agencia Española de Protección de Datos (AEPD) imposed a fine of 300,000 euros on Ibercaja Banco in a decision dated October 1, 2024. The company had unlawfully accessed the personal data of a former customer after the termination of a contractual relationship. The customer had terminated the contract in February 2022, but Ibercaja carried out a total of 47 searches of his data in a credit assessment register until January 2023. These accesses were made without a valid legal basis, as there was no contractual or legal necessity.
Ibercaja accepted the decision and used the option to voluntarily pay and acknowledge the debt, reducing the fine to 180,000 euros. The company also undertook to take measures within six months to ensure compliance with the
5. Quick Tax Claims Limited: GBP 120,000 (approx. 143,400 euros)
The British data protection authority ICO has imposed a fine of £120,000 on Quick Tax Claims Limited (QTC). The reason for this was breaches of the Privacy and Electronic Communications Regulations (PECR). QTC sent nearly 8 million unsolicited marketing SMS messages between February 12 and May 12, 2023 without valid consent from the recipients. Over 93 percent of these messages did not include an unsubscribe option, which also violates the PECR.
A total of 66,793 consumers complained about the campaign.
The ICO found that QTC was sourcing the data from third-party providers, but their consent mechanisms did not meet the legal requirements. In addition, the ICO found that QTC had not carried out sufficient due diligence checks to ensure that consent for data processing had been duly granted.
Source: Notice of fine Information Commissioner's Office dated October 15, 2024





