• Hope & May

Recent EU GDPR Fines

ICO Fines Decision Technologies £90,000 for direct marketing violation

The Information Commissioner's Office ('ICO') announced, on 2 July 2020, that it had imposed a fine of £90,000 on Decision Technologies Limited for a violation of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003, namely the transmission of unsolicited communications by means of electronic mail. In particular, the ICO found that between 12 July 2017 and 23 May 2018 subscribers received 14,986,423 direct marketing emails, with a further 1,136,647 emails estimated, for which there were doubts as to whether the consent obtained was freely given, specific and informed. In addition, the ICO considered that the violations identified were negligent and that Decision Technologies had failed to take reasonable steps to prevent them.


Fined €288,000

Under Article 5(1)(b) and (e) and Article 32(1) and (2) of the GDPR

Insufficient Technical and Organisational Measures to ensure Information Security

The company had infringed the principles of purpose limitation and storage limitation because its database contained a large amount of customer data that was no longer relevant to the original purpose of collection and for which no retention period had been set. Furthermore, the NAIH pointed out that the company had not taken measures proportionate to the risk in the areas of data management and data security, noting, inter alia, that it had not used encryption mechanisms.


Fined €7,500

Under Article 5 & Article 6 of the GDPR

Insufficient Legal Basis for Data Processing

The recording of prank telephone calls via an app constitutes processing of personal data under the applicable data protection law, since a person's voice may constitute personal data when it is associated with other information, such as the telephone number. Asking the users for consent only at the end of the conversation was not sufficient in this case.


Fined €6,700

Under Articles 5, 6, 33 & 34 of the GDPR

Non-compliance with General Data Processing Principles

The data protection authority found that the Lejre Municipal Child and Youth Centre had regularly uploaded minutes of meetings containing sensitive and particularly sensitive personal data, including data on citizens under 18 years of age, to the Lejre Municipality personnel portal, which was accessible to all employees of the Lejre Municipality regardless of whether they were working on the cases in question. In addition, the authority identified a failure to comply with the obligation to inform the persons concerned of the data breach.


Fined €1,240,000

Under Articles 5, 6 & 32 of the GDPR

Insufficient Technical and Organisational Measures to ensure Information Security

From 2015 to 2019, AOK Baden-Württemberg (a statutory health insurer) organised competitions on various occasions and collected personal data from the participants, including their contact details and health insurance affiliation. The AOK also wanted to use this data for advertising purposes, provided the participants had given their consent. Through technical and organisational measures, including internal guidelines and data protection training, the AOK intended to ensure that only the data of those competition participants who had previously given effective consent would be used for advertising. However, the measures the AOK defined did not meet the legal requirements. As a result, the personal data of more than 500 competition participants were used for advertising purposes without their consent. Immediately after this became known, AOK Baden-Württemberg stopped all marketing activities in order to review all of its processes thoroughly.
