
These are the five highest GDPR fines in November 2024


In November 2024, three fines of more than a million euros each were imposed on companies from Spain, Italy and Finland. In two cases, the data protection authorities criticized how inadequately the principle of "privacy by design" had been implemented in the processing operations. And as is so often the case, the fines offer interesting insights for companies.

The Phone House Spain: 6.5 million euros (Spain)

On April 14, 2021, The Phone House Spain, S.L. (TPHS) reported a serious data breach to the Spanish data protection authority Agencia Española de Protección de Datos (AEPD). Around 13 million data records were affected. The attack was carried out using ransomware (Babuk Locker), which encrypted sensitive personal data. The data was then published on the dark web.

The AEPD saw a violation of Art. 5 para. 1 lit. f GDPR (integrity and confidentiality) and Art. 32 GDPR (technical and organizational measures). Specifically, the AEPD accused the mobile phone company of inadequate security measures such as insufficient password rules, weak network security measures and a lack of regular checks.

The Phone House, on the other hand, saw itself as the victim of a sophisticated cyber attack. The company explained that even the most advanced security measures may not have provided complete protection. Moreover, the subsequent publication of the data on the dark web was beyond its control.

Nevertheless, the AEPD imposed a fine of 6.5 million euros. In the fine notice, it justified this with the inadequate implementation of preventative security measures and the high number of people affected. The AEPD emphasized the obligation of companies to proactively implement security measures appropriate to the risks. An appeal against the ruling was rejected by the AEPD.

Source: Notice of fine from the Agencia Española de Protección de Datos against The Phone House

Source: Decision of the Agencia Española de Protección de Datos rejecting The Phone House's appeal

Foodinho: 5 million euros (Italy)

The proceedings were triggered by the tragic accident of a driver who died during a delivery for the delivery service Foodinho. After his account was deactivated by an automated system on the Glovo platform, the deceased received an inappropriate message excluding him from the platform due to alleged breaches of contract. The message not only caused a public stir, but also led to extensive data protection investigations.

During its investigations, the Italian data protection authority Garante per la protezione dei dati personali (GPDP) found massive deficiencies in data processing that affected not only this individual case, but Foodinho's entire data processing infrastructure. Particular attention was paid to automated data processing and the transparency of the terms of use. The personal data of around 35,000 registered drivers was processed unlawfully. In particular, Foodinho used biometric authentication methods without sufficiently clarifying and documenting their legal basis.

The "Excellence Score", a rating system for drivers, was also based on automated data processing that was neither sufficiently documented nor explained to users in a comprehensible manner.

The data protection authority imposed a fine of five million euros and demanded further corrective measures. It emphasized the need to integrate data protection into processes from the outset ("privacy by design").

Source: Notice of fine by the Garante per la protezione dei dati personali against Foodinho

Posti Jakelu Oy: 2.4 million euros (Finland)

The investigation began with complaints from users that personal documents - including invoices and sensitive medical records - were being forwarded to OmaPosti's digital mailbox without their explicit consent. Some users stated that they did not actively use the service or had refused digital mail communication for personal reasons. The Finnish Data Protection Authority Tietosuojavaltuutetun toimisto then launched a comprehensive review of the data processing practices of the postal platform Posti Jakelu Oy.

The Finnish Data Protection Authority found significant deficiencies in data processing that violate several provisions of the General Data Protection Regulation:

  1. Automatic activation of mailboxes: Posti Jakelu Oy set up digital mailboxes for users without obtaining their explicit consent. This violated Article 6 GDPR, which requires a clear legal basis for the processing of personal data.
  2. Lack of transparency: Users were not sufficiently informed that their personal data would be automatically transferred to the digital mailbox. This was in breach of Art. 12 to 14 GDPR, which require transparency and clear information for data subjects.
  3. Lack of choice: Users had no option to refuse the service or prevent the transfer of their data. This constitutes a violation of the basic principles of data processing in accordance with Art. 5 GDPR.

In particular, the automatic activation of digital mailboxes without the active consent of users was classified as a serious infringement. The authority clarified that the creation of a digital mailbox was not absolutely necessary for the provision of other services and that there was therefore no valid legal basis in accordance with Article 6 GDPR.

In addition to imposing a fine of 2.4 million euros, the Finnish Data Protection Authority ordered Posti Jakelu Oy to revise its data processing practices to ensure compliance with the General Data Protection Regulation. The most important requirements included:

  • Clear and transparent information for users to give them the opportunity to consent to or refuse the processing of their data.
  • Introduction of technical and organizational measures to ensure that the data processing processes comply with the principles of "privacy by design" and "privacy by default".
  • Ensuring that electronic mailboxes are only activated at the express request of users.

Source: Fine imposed by the Finnish Data Protection Authority Tietosuojavaltuutetun toimisto against Posti Jakelu Oy

Service provider from the receivables management sector: 900,000 euros (Germany)

The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) has imposed a fine of 900,000 euros on a company in the receivables management sector. The reason: the company had stored personal data without a legal basis for up to five years after the statutory deletion periods had expired.

The breach was identified as part of a focus audit in which the HmbBfDI checked market-leading companies in the sector for compliance with the GDPR. In addition to written surveys, on-site inspections were also carried out. While many companies handled sensitive debtor data professionally and made improvements in terms of transparency and data deletion, one company exhibited significant shortcomings. A six-figure number of data records remained stored despite expired deletion deadlines, in violation of Article 5(1)(a) and Article 6(1) GDPR.

The company admitted the infringement, cooperated in the investigation and accepted the fine. This cooperation was taken into account when calculating the fine.

Thomas Fuchs, Head of the HmbBfDI, emphasized the importance of a coherent deletion concept for data-driven companies. Data should be deleted after specified deadlines at the latest in order to avoid breaches of the General Data Protection Regulation.

Source: Press release by the Hamburg Commissioner for Data Protection and Freedom of Information

Vodafone España: 200,000 euros (Spain)

The Spanish data protection authority Agencia Española de Protección de Datos (AEPD) has imposed a fine of 200,000 euros on Vodafone Spain for a breach of Article 6(1) GDPR. The case concerned a fraudulent application for an additional SIM card that was approved without sufficient security checks. This later led to unauthorized access to personal data.

On December 1, 2022, a third party requested the delivery of an additional SIM card from Lowi, a Vodafone brand, via the private area of the customer account in question. A different delivery address was provided. Vodafone approved the card and delivered it without sufficiently verifying the identity of the applicant.

The AEPD's review revealed that the required security procedures were not fully implemented. For example, the call meant to verify the applicant's identity had not been recorded, and other security measures were not properly documented. The fraud allowed the perpetrator to access sensitive data and accounts of the affected customer. There had already been two failed attempts to change the affected customer's email address on November 30, 2022, which could have indicated a possible fraud attempt.

The AEPD found that Vodafone had breached Article 6(1) GDPR, as the personal data was processed without a valid legal basis and without the consent of the data subject. Although Vodafone had introduced security measures, the AEPD found the measures taken to be inadequate and accused the company of a lack of due diligence. The fine of 200,000 euros was set taking into account Vodafone's repeated violations in similar cases in order to achieve a deterrent effect. The appeal was rejected by the AEPD.
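As an added illustration (not from the AEPD notice and not Vodafone's own procedure), a small check that holds a SIM-replacement request for a documented identity verification when the signals named in this case are present: failed contact-detail changes shortly before the request, a delivery address that differs from the one on file, and no recorded verification call. The account history and addresses are constructed values.

```python
from datetime import datetime, timedelta

# Hypothetical detection rule, added as an illustration; it is not Vodafone's or the
# AEPD's procedure. EVENTS is a constructed account history that mirrors the case:
# two failed e-mail changes on 30 Nov 2022, then a SIM request a day later with a
# delivery address that differs from the one on file and no verification call.
ACCOUNT_ADDRESS = "Calle Ejemplo 1, Madrid"  # constructed address on file
EVENTS = [
    {"ts": "2022-11-30T10:02:00", "type": "email_change", "result": "failed"},
    {"ts": "2022-11-30T10:05:00", "type": "email_change", "result": "failed"},
    {"ts": "2022-12-01T09:30:00", "type": "sim_request",
     "delivery_address": "Avenida Otra 99, Sevilla", "verification_call_id": None},
]

LOOKBACK = timedelta(days=7)  # assumed window for "shortly before the request"


def assess_sim_request(events, account_address, lookback=LOOKBACK):
    """Return (decision, flags) for the most recent SIM request in `events`.

    The request is approved only when no risk flag fires; otherwise it is held
    until an identity check has been carried out and recorded.
    """
    requests = [e for e in events if e["type"] == "sim_request"]
    if not requests:
        return "no_request", []
    req = max(requests, key=lambda e: e["ts"])
    req_ts = datetime.fromisoformat(req["ts"])
    flags = []
    # Signal 1: failed attempts to change contact details within the lookback window.
    failed = [e for e in events
              if e["type"] in ("email_change", "password_change")
              and e.get("result") == "failed"
              and req_ts - lookback <= datetime.fromisoformat(e["ts"]) < req_ts]
    if failed:
        flags.append(f"{len(failed)}_failed_contact_changes_within_{lookback.days}d")
    # Signal 2: delivery address differs from the address on file.
    if req.get("delivery_address") != account_address:
        flags.append("delivery_address_mismatch")
    # Signal 3: no recorded identity-verification call attached to the request.
    if not req.get("verification_call_id"):
        flags.append("no_recorded_verification_call")
    decision = "hold_for_identity_verification" if flags else "approve"
    return decision, flags


if __name__ == "__main__":
    print(assess_sim_request(EVENTS, ACCOUNT_ADDRESS))
```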

Source: Notice of fine from the Agencia Española de Protección de Datos against Vodafone España

Source: Rejection notice from the Agencia Española de Protección de Datos
