These are the five highest GDPR fines in November 2024

In November 2024, three fines in the millions of euros were imposed on companies from Spain, Italy and Finland. In two cases, the data protection authorities criticized the fact that the principle of "privacy by design" had been implemented very inadequately in the data processing operations. And as is so often the case, the fines offer interesting insights for companies.

The Phone House Spain: 6.5 million euros (Spain)

On April 14, 2021, The Phone House Spain, S.L. (TPHS) reported a serious data breach to the Spanish data protection authority Agencia Española de Protección de Datos (AEPD). Around 13 million data records were affected. The attack was carried out using ransomware (Babuk Locker), which encrypted the sensitive personal data. The data was then published on the dark web.

The AEPD saw a violation of Art. 5 para. 1 lit. f GDPR (integrity and confidentiality) and Art. 32 GDPR (technical and organizational measures). Specifically, the AEPD accused the mobile phone company of inadequate security measures such as insufficient password rules, weak network security measures and a lack of regular checks.

The Phone House, on the other hand, saw itself as the victim of a sophisticated cyber attack. The company explained that even the most advanced security measures may not have provided complete protection. Moreover, the subsequent publication of the data on the dark web was beyond its control.

Nevertheless, the AEPD imposed a fine of 6.5 million euros. In the fine notice, it justifies this with the inadequate implementation of preventive security measures and the high number of people affected. The AEPD emphasizes the obligation of companies to proactively implement security measures appropriate to the risks. An appeal against the ruling was rejected by the AEPD.

Source: Notice of fine from the Agencia Española de Protección de Datos against The Phone House

Source: Decision of the Agencia Española de Protección de Datos rejecting The Phone House's appeal

Foodinho: 5 million euros (Italy)

The proceedings were triggered by the tragic accident of a driver who died during a delivery for the delivery service Foodinho. After his account was deactivated by an automated system on the Glovo platform, the deceased received an inappropriate message that excluded him from the platform due to alleged breaches of contract. The message not only caused a public stir, but also led to extensive data protection investigations.

The Italian data protection authority Garante per la protezione dei dati personali (GPDP) found massive deficiencies in data processing during its investigations, which affected not only this individual case, but Foodinho's entire data processing infrastructure. Particular attention was paid to automated data processing and the transparency of the terms of use. As a result, the personal data of around 35,000 registered drivers was processed unlawfully.

In particular, Foodinho used biometric authentication methods without sufficiently clarifying and documenting their legal basis. The "Excellence Score", a rating system for drivers, was also based on automated data processing that was neither sufficiently documented nor explained to users in a comprehensible manner.

The data protection authority imposed a fine of five million euros and called for further corrective measures. It emphasized the need to build data protection into processes from the outset ("privacy by design").

Source: Notice of fine by the Garante per la protezione dei dati personali against Foodinho

Posti Jakelu Oy: 2.4 million euros (Finland)

The investigation began with complaints from users that personal documents, including invoices and sensitive medical records, were being forwarded to OmaPosti's digital mailbox without their explicit consent. Some users stated that they did not actively use the service or refused digital mail communication for personal reasons. The Finnish Data Protection Authority Tietosuojavaltuutetun toimisto then launched a comprehensive review of the data processing practices of the postal platform Posti Jakelu Oy.

The Finnish Data Protection Authority found significant deficiencies in data processing that violate several provisions of the General Data Protection Regulation:

  1. Automatic activation of mailboxes: Posti Jakelu Oy set up digital mailboxes for users without obtaining their explicit consent. This was in breach of Article 6 GDPR, which requires a clear legal basis for the processing of personal data.
  2. Lack of transparency: Users were not sufficiently informed that their personal data would be automatically transferred to the digital mailbox. This violated Art. 12 to 14 GDPR, which demand transparency and clear information for data subjects.
  3. Lack of choice: Users did not have the option of refusing the service or the transmission of their data. This constitutes an infringement of the basic principles of data processing under Art. 5 GDPR.

In particular, the automatic activation of digital mailboxes without the active consent of users was classified as a serious infringement. The authority clarified that the establishment of a digital mailbox was not necessary for the provision of other services and that therefore no valid legal basis under Article 6(1) GDPR existed.

In addition to imposing a fine of 2.4 million euros, the Finnish Data Protection Authority ordered Posti Jakelu Oy to revise its data processing practices to ensure compliance with the General Data Protection Regulation. The most important requirements included:

  • Clear and transparent information for users, giving them the opportunity to accept the processing of their data or to reject it.
  • Introduction of technical and organizational measures to ensure that the data processing processes comply with the principles of "privacy by design" and "privacy by default".
  • Ensure that electronic mailboxes are only activated at the express request of users.

Source: Fine imposed by the Finnish Data Protection Authority Tietosuojavaltuutetun toimisto against Posti Jakelu Oy

Service provider from the receivables management sector: 900,000 euros (Germany)

The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) has imposed a fine of 900,000 euros on a company in the receivables management industry. The reason: the company had stored personal data without a legal basis for up to five years after the statutory deletion periods had expired.

The infringement was identified in the course of a focus audit in which the HmbBfDI examined market-leading companies in the industry for GDPR compliance. In addition to written surveys, on-site audits were also carried out. While many companies handled the sensitive debtor data professionally and made improvements to transparency and data erasure, one company exhibited significant deficiencies. A six-digit number of data records remained stored despite expired deletion deadlines, in violation of Article 5(1)(a) and Article 6(1) GDPR.

The company remedied the infringement, cooperated in the investigation and accepted the fine. This cooperation was taken into account when calculating the fine.

Thomas Fuchs, Head of the HmbBfDI, emphasized the importance of a coherent deletion concept for data-driven companies. Data should be deleted after specified deadlines at the latest in order to avoid breaches of the General Data Protection Regulation.

Source: Press release by the Hamburg Commissioner for Data Protection and Freedom of Information

Vodafone España: 200,000 euros (Spain)

The Spanish data protection authority Agencia Española de Protección de Datos (AEPD) has imposed a fine of 200,000 euros on Vodafone España for a breach of Article 6(1) GDPR. The case concerned a fraudulent application for an additional SIM card that was approved without sufficient security checks. This later led to unauthorized access to personal data.

On December 1, 2022, a third party used the private area of the affected customer's account with Lowi, a Vodafone brand, to request the delivery of an additional SIM card. A different delivery address was provided. Vodafone approved the card and delivered it without sufficiently verifying the identity of the applicant.

The AEPD's review revealed that the required security procedures were not fully implemented. For example, there was no recording of the call to verify identity and other security measures were not properly documented. The fraud allowed the perpetrator to access sensitive data and accounts of the affected customer. There had already been two failed attempts to change the affected customer's email address on November 30, 2022, which could have indicated a possible fraud attempt.

The AEPD found that Vodafone had violated Article 6(1) GDPR, since personal data was processed without a valid legal basis and without the consent of the data subject. Although Vodafone had introduced security measures, the AEPD found the measures taken to be inadequate and accused the company of a lack of due diligence. The fine of 200,000 euros was set taking into account Vodafone's repeated violations in similar cases in order to achieve a deterrent effect. The appeal was rejected by the AEPD.
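The two signals the AEPD notice highlights, failed changes to the customer's contact details shortly before the request and a delivery address that differs from the one on file, are exactly the kind of input a SIM-replacement workflow should check before approving anything automatically. The following is an added illustration, not Vodafone's or Lowi's code, of a hypothetical policy that holds such requests for out-of-band identity verification and records that the check took place; the event log, addresses and 48-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample account history, modelled on the AEPD's description:
# two failed e-mail changes on November 30, 2022, the day before the SIM request.
SAMPLE_EVENTS = [
    {"ts": "2022-11-30T10:02:00", "type": "email_change", "ok": False},
    {"ts": "2022-11-30T10:05:00", "type": "email_change", "ok": False},
    {"ts": "2022-11-15T08:00:00", "type": "login", "ok": True},
]

CONTACT_CHANGE_TYPES = {"email_change", "phone_change"}


def evaluate_sim_request(events, request_ts, delivery_addr, registered_addr,
                         window=timedelta(hours=48)):
    """Decide whether an additional-SIM request may be approved automatically.

    Returns (decision, reasons). Hypothetical policy: any failed contact-detail
    change inside the look-back window, or a delivery address that is not the
    registered one, blocks automatic approval and requires identity verification.
    """
    req = datetime.fromisoformat(request_ts)
    reasons = []
    recent_failed = [
        e for e in events
        if e["type"] in CONTACT_CHANGE_TYPES and not e["ok"]
        and req - window <= datetime.fromisoformat(e["ts"]) <= req
    ]
    if recent_failed:
        reasons.append(f"{len(recent_failed)} failed contact-detail change(s) "
                       f"within {window} before the request")
    if delivery_addr.strip().lower() != registered_addr.strip().lower():
        reasons.append("delivery address differs from registered address")
    decision = "hold_for_verification" if reasons else "approve"
    return decision, reasons


def record_verification(request_id, method, verifier, outcome):
    """Build the audit record the AEPD found missing: who verified identity,
    how, and with what result. The caller persists it; here it is returned."""
    return {
        "request_id": request_id,
        "verified_at": datetime.now().isoformat(timespec="seconds"),
        "method": method,          # e.g. "callback_to_registered_number"
        "verifier": verifier,      # agent or system identifier
        "outcome": outcome,        # "passed" or "failed"
    }
```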

Source: Notice of fine from the Agencia Española de Protección de Datos against Vodafone España

Source: Rejection notice from the Agencia Española de Protección de Datos
