Comité Europe de Protección de Datos

National News

On this page you will find news on GDPR enforcement by the national supervisory authorities. The press releases gathered here do not constitute official EDPB communication nor an endorsement. They are published strictly for information purposes and are represented here as they appeared on the supervisory authority's website or other channels of communication. Therefore, these news items are only available in English or in the Member State's official language with a short introduction. Any questions regarding these news releases should be directed at the supervisory authority concerned. You can find all supervisory authorities here.


11 March 2020

The Swedish Data Protection Authority imposes a fine of 75 million Swedish kronor (approximately 7 million euro) on Google for failure to comply with the GDPR. Google as a search engine operator has not fulfilled its obligations in respect of the right to request delisting.

In 2017 the Swedish Data Protection Authority (DPA) finalised an audit concerning how Google handles individuals’ right to have search result listings for searches that includes their name removed from Google’s search engine in case of for example lack of accuracy, relevance or if considered superfluous. In its decision the DPA concluded that a number of search result listings should be removed and subsequently ordered Google to do so.

In 2018, due to indications that Google had not fully complied with the previously issued order, the DPA initiated a follow-up audit. This audit is now finalised and the DPA is issuing a fine against Google.

– The General Data Protection Regulation, GDPR, increases the level of responsibility for organisations that collect and process personal data, and strengthens the rights of individuals. An important part of those rights is the possibility for individuals to have their search result delisted. We have found that Google is not fully complying with its obligations in relation to this data protection right, says Lena Lindgren Schelin, Director General at the Swedish DPA.

The Swedish Data Protection Authority is critical to the fact that Google did not properly remove two of the search result listings that the DPA had ordered them to remove back in 2017. In one of the cases Google has done a too narrow interpretation of what web addresses needed to be removed from the search result listing. In the second case Google has failed to remove the search result listing without undue delay.

When Google removes a search result listing, it notifies the website to which the link is directed in a way that gives the site-owner knowledge of which webpage link was removed and who was behind the delisting request. This allows the site-owner to re-publish the webpage in question on another web address that will then be displayed in a Google search. This in practice puts the right to delisting out of effect.

– In its delisting request form Google states that the site-owner will be notified of the request in a way that might result in individuals refraining from exercising their right to request delisting, thereby undermining the effectiveness of this right, says Olle Pettersson, legal advisor at the Swedish DPA who has participated in this audit of Google.

Google does not have a legal basis for informing site-owners when search result listings are removed and furthermore gives individuals misleading information by the statement in the request form. That is why the DPA orders Google to cease and desist from this practice.

Facts about the right to have search result listings removed
In May 2014 the Court of Justice of the EU ruled that an individual may request a search engine provider such as Google to remove a search result listing that contains the name of an individual in case the listing is incorrect, irrelevant or superfluous. This right was strengthened with the GDPR entering into force 25th May 2018. The right is however not absolute, you cannot demand that all search results are to be removed. Individuals who wish to exercise their right to request delisting should contact the search engine provider directly.
What happens next?
Google may appeal the decision of the Swedish DPA within three weeks. If Google decides not to appeal, the decision will enter into force by the end of that time period. Once the decision has entered into force it will be handed over to the Legal, Financial and Administrative Services Agency (Kammarkollegiet) that handles the administration of fines under the GDPR.

Note to editors:

The personal data processing in question is part of the processing operations carried out by Google as a search engine operator. For this part of Google’s activity it is Google LLC (parent company of the Google group) established in the United States that decides the purpose and means of the processing. Since there is no main establishment within the EU for this part of Google’s operations, each Supervisory Authority in the EU is competent for investigating possible infringements of the GDPR within their territory.

To read the press release in Swedish, click here

To read the full decision in Swedish, click here

For further information, please contact the Swedish SA:  

10 March 2020

On 5 March 2020, the Icelandic SA took the decision to impose an administrative fine of ISK 1.300.000 (EUR 8.945) on the Breiðholt Upper Secondary School in a case relating to a personal data breach.

The breach occurred when a teacher at the school sent an e-mail to his students and their parents/guardians, 57 people in total. Attached to the e-mail was a document that the teacher believed to contain information on consultation appointments. However, the attachment concerned a different group of students, 18 in total, and contained data on their well-being, study performance, and social conditions. To a considerable extent, the information concerned the students' problems. In one instance, the data had to do with an intervention by child protection services. Furthermore, there were data on one student's physical illness, and on another student's mental health problem.

After carrying out an investigation of the data breach, the SA concluded that the breach was a result of a lack of implementation of appropriate data protection policies and appropriate technical and organisational measures to protect the data by the controller. The lack of appropriate measures to protect the personal data therefore constituted violations of, inter alia, Art. 5(1)f and Art. 32 of the GDPR.

When determining the fine, the SA referred to the nature of the personal information involved in the breach, which were data concerning health and other personal issues. The SA also cited the nature of the Breiðholt Upper Secondary School as a nonprofit institution.

The full decision in Icelandic is available here

For further information, please contact the Icelandic SA:

10 March 2020

The Danish Data Protection Agency has reported the municipality of Gladsaxe and the Municipality of Hørsholm to the police, as it finds that the municipalities have not met the requirements of an adequate level of security under the General Data Protection Regulation (GDPR).

For the municipalities of Gladsaxe and Hørsholm Municipality fines of DKK 100.000 and DKK 50.000 have been proposed respectively.

The Data Protection Agency became aware of the cases when both municipalities notified the agency of personal data breaches relating to the theft of computers containing personal data.

Neither computers were protected by encryption, and the loss of personal data by the municipalities therefore posed an undue risk to its citizens.

In one of the cases, the lack of security resulted in a serious personal data breach, as a computer containing personal data of 20.620 citizens, including information of a sensitive nature and personal data, was stolen from Gladsaxe City Hall.

The second security breach took place when the computer of an employee from the municipality of Hørsholm was stolen from his car. On the computer, there was information on about 1.600 employees in the municipality of Hørsholm, including information of a sensitive nature and personal data.

The specific security breaches express some of the possible consequences of the insufficient level of security which poses a high risk to all citizens of whom the municipality processes data.

Municipalities have a great deal of responsibility
“A municipality processes very large amounts of personal data concerning the municipality’s citizens, including information of a sensitive nature. As a citizen, it is not possible to opt out of the municipality’s processing of information about oneself, and the municipality therefore has a high responsibility to avoid the information being disclosed, "said Frederik Viksøe Siegumfeldt, Head of Unit of the Supervisory Unit in the Danish Data Protection Agency. He explains:

“It is simple to access the files stored on the computer when a computer’s hard drive is not encrypted, for example by moving the hard drive to another computer. Therefore, when personal data are stored locally on the computer, it is very imprudent that the municipalities' computers were not encrypted.”

Proposal of fines
The Danish Data Protection Agency has decided to report the Municipality of Gladsaxe and the Municipality of Hørsholm to the police and proposes that the two municipalities be fined DKK 100.000 and DKK 50.000 respectively.

To read the press release in Danish, click here

For further information, please contact the Danish DPA:

10 March 2020

On 5 March 2020, the Icelandic Supervisory Authority (SA) took the decision to impose an administrative fine of ISK 3.000.000 (EUR 20.643) on the National Center of Addiction Medicine in a case relating to a personal data breach.

The National Center of Addiction Medicine is an NGO that operates a detoxification clinic and four inpatient and outpatient rehabilitation centers, as well as a center for family services and a social center in Iceland. Its services are delivered by a staff of medical doctors, psychologists, registered nurses, nurse practitioners and licensed counselors.

The breach occurred when a former employee of the National Center of Addiction Medicine received boxes containing what were supposed to be personal belongings that he had left there. However, it turned out that the boxes contained patient data as well, including health records of 252 former patients and records containing the names of approximately 3.000 people who had attended rehabilitation for alcohol and substance abuse.

After carrying out an investigation of the data breach, the SA concluded that the breach was a result of a lack of implementation of appropriate data protection policies and appropriate technical and organisational measures to protect the data by the controller. The lack of appropriate measures to protect the personal data therefore constituted violations of, inter alia, Art. 5(1)f and Art. 32 of the GDPR.

When determining the fine, the SA referred to the nature of the personal data involved in the breach, which were data concerning health, and the large scope of the processing. The SA also cited the nature of the National Center of Addiction Medicine as a non-profit health care provider and the fact that the Center had made considerable efforts to improve handling of personal data, beginning before the breach came to light.

The full decision in Icelandic is available here

For further information, please contact the Icelandic SA:

05 March 2020

The President of the Personal Data Protection Office imposed a fine of PLN 20 000 in connection with the breach consisting in the processing of biometric data of children when using the school canteen.

The school processed special categories of data (biometric data) of 680 children without a legal basis, whereas in fact it could use other forms of students identification.

For that breach, an administrative fine was imposed on Primary School No. 2 in Gdansk. In addition, the President of the Personal Data Protection Office (UODO) has ordered the erasure of the personal data processed in the form of digital information on the specific fingerprints of the children and the cessation of any further collection of personal data.

Following an ex officio administrative proceedings, the President of the UODO has established that the school is using a biometric reader at the entrance to the school canteen that identifies the children in order to verify the payment of the meal fee.

The proceedings has shown that the school obtains the data and processes them on the basis of the written consent of the parents or legal guardians. The solution has been in place since 1 April 2015. In the school year 2019/2020, 680 pupils use a biometric reader and four pupils - an alternative identification system.

In this case, it is important to stress that the processing of biometric data is not essential for achieving the goal of identifying a child’s entitlement to receive lunch. The school may carry out the identification by other means that do not interfere so much in the child’s privacy. Moreover, the school makes it possible to use the services of the school canteen not only by means of fingerprints verification, but also electronic cards, or by giving the name and contract number. Thus, in the school, there are alternative forms of identification of the child’s entitlement to receive lunch.

In the fined Primary School No. 2, in accordance with the lunch rules, available on the website of the school’s canteen, students who do not have biometric identification have to wait at the end of the queue until all the students with biometric identification enter the canteen. Once all the students with biometric identification have entered the canteen, the students without biometric identification are allowed to enter, one by one. In the opinion of the President of the UODO, such rules introduce unequal treatment of students and their unjustified differentiation, as they clearly favour students with biometric identification. Moreover, in the authority’s view, the use of biometric data, considering the purpose for which they are processed, is significantly disproportionate.

The President of the UODO, in the grounds of his decision, emphasised that children require special protection of personal data. Moreover, in the present case, the processed data constitute the data of special categories. The biometric system identifies characteristics which are not subject to change, as in the case of dactyloscopic data. Due to the unique and permanent character of biometric data, which means that they cannot change over time, the biometric data should be used with due care. Biometric data are unique in the light of fundamental rights and freedoms and therefore require special protection. Their possible leakage may result in a high risk to the rights and freedoms of natural persons.

To read the press release in Polish, click here

The Polish text of the decision is available here

For further information, please contact the Polish SA:

03 March 2020

The Dutch DPA imposed a fine of EUR 525,000 on tennis association KNLTB for selling the personal data of its Members. In 2018, KNLTB unlawfully provided personal data of a few thousand of its members to two sponsors.

Boete voor tennisbond vanwege verkoop van persoonsgegevens

De Autoriteit Persoonsgegevens (AP) legt tennisbond KNLTB een boete op van 525.000 euro voor het verkopen van persoonsgegevens. De KNLTB heeft in 2018 onrechtmatig tegen betaling persoonsgegevens van een paar honderdduizend van zijn leden verstrekt aan twee sponsoren.

De Koninklijke Nederlandse Lawn Tennisbond (KNLTB) verstrekte de sponsoren persoonsgegevens zoals naam, geslacht en adres, zodat zij een selectie van KNLTB-leden konden benaderen met tennisgerelateerde en andere aanbiedingen. De ene sponsor ontving persoonsgegevens van 50.000, de andere van meer dan 300.000 leden. Die sponsors benaderden een deel van die KNLTB-leden per post of telefoon.

Verkoop van persoonsgegevens

Voor elke verwerking van persoonsgegevens moet de organisatie die ze verwerkt zich kunnen beroepen op één van de zes grondslagen uit de AVG. Bijvoorbeeld dat degene om wie het gaat toestemming heeft gegeven voor die verwerking. Verkoop van persoonsgegevens zonder toestemming van de persoon achter de gegevens is doorgaans verboden. De KNLTB vond dat hij een gerechtvaardigd belang had bij verkoop van de gegevens. De AP is het daarmee niet eens en heeft geoordeeld dat KNLTB geen grondslag had om die persoonsgegevens door te geven aan de sponsoren.

Klacht KNLTB over AP
Tijdens het onderzoek naar de KNLTB diende de tennisbond een klacht in tegen de AP, die de AP gegrond verklaarde. Die klacht ging over het optreden van AP-voorzitter Aleid Wolfsen in Nieuwsuur, op 17 december 2018. Daarin gaf Wolfsen aan dat de AP ‘een sportbond’ onderzocht. De AP heeft in reactie op deze klacht erkend dat zij in die uitzending de indruk heeft gewekt dat de handelwijze van KNLTB niet correct was, terwijl het onderzoek daarnaar nog liep. De KNLTB zag in die uitlatingen de schijn van vooringenomenheid en dat betreurt de AP. Op aanbeveling van de Nationale Ombudsman laat de AP hierbij weten dat de uitlatingen van Wolfsen ten onrechte vooruitliepen op de uitkomsten van het onderzoek.

Bezwaar KNLTB
De KNLTB heeft bezwaar gemaakt tegen het boetebesluit. De AP zal dit gaan beoordelen.

To read the full decision, click here

For further information, please contact the Dutch DPA:

01 February 2020

The Italian SA (Garante per la protezione dei dati personali) fined TIM SpA EUR 27,802,496 on account of several instances of unlawful processing for marketing purposes. The infringements concerned on the whole millions of individuals.

From January 2017 to the beginning of 2019, the SA received hundreds of complaints regarding, in particular, unsolicited marketing calls that had been performed without any consent or in spite of the called parties’ inclusion in the public opt-out register; in yet other cases, the called parties had clearly denied their consent to receiving marketing calls. Allegedly unfair processing practices were also mentioned in the complaints with regard to prize competitions and the relevant forms as submitted by TIM to users.
Complex investigations were carried out also with the support provided by a specialised unit of the Italian Financial Police and brought to light a number of severe infringements of personal data protection legislation.
TIM were proven to be insufficiently familiar with fundamental features of the processing activities they performed (accountability).
In many cases out of the millions of marketing calls that had been placed in a six-month period with ‘non-customers’, the SA could establish that the call centre operators relied upon by TIM had contacted the data subjects in the absence of whatever consent. In one case, a person was contacted 155 times in one month. In about two hundred thousand cases, ‘off-list’ numbers – that is, numbers not included in TIM’s list of marketing numbers – had been called. Other types of illicit conduct were also found such as TIM’s failure to supervise the activities of some call centres or to properly manage and update their blacklists (listing individuals who do not wish to receive marketing calls), and the fact that consent to marketing activities was mandatory in order to join the ‘Tim Party’ incentive discount scheme.
Inaccurate, unclear data processing information was provided in connection with certain apps targeted to customers and the arrangements for obtaining the required consent were inadequate. In a few cases paper forms were to be filled in where a single consent statement was available in respect of different purposes including marketing.
The data breach management system proved ineffective as well and no adequate implementation and management systems were in place regarding personal data processing, which fell short of privacy by design requirements. TIM’s blacklists were found not to match those of the contractor call centres, and this also applied to the recordings of the ‘verbal orders’ - that is, the contracts stipulated on the phone. The numbers relating to other phone operators’ customers, which TIM held in their capacity as network provider, were stored for longer than permitted by the law and had been used for marketing campaigns without the customers’ consent.
As well as the fine, the Italian SA imposed 20 corrective measures on TIM including both prohibitions and injunctions. In particular, the SA banned TIM from using, for marketing purposes, the data of the users that had denied their consent to marketing calls when contacted by call centres, of the users included in the black lists, and of the ‘non-customers’ that had not given their consent.
The company is not permitted to use any longer the customer data that were collected via the ‘MyTim’, ‘TimPersonal’ and ‘TimSmartKid’ apps for purposes other than the provision of the relevant services without the users’ free, specific consent.

The injunctions issued by the Italian SA include the obligation for TIM to check consistency of their blacklists and to timely acquire those put together by call centres so as to update their own blacklists. TIM will have to reconsider the ‘TimParty’ scheme and enable customers to access discount schemes and prize competitions without having to consent to marketing activities. TIM will also have to check the app activation procedures; always specify, in clear and understandable language, the processing activities they perform along with the purposes and the relevant processing mechanisms; and obtain valid consent. TIM will have to implement technical and organisational measures in respect of data subject rights requests and enhance the measures to ensure quality, accuracy and timely updates of the personal data that are processed in their individual systems.
The measures and implementing arrangements imposed will have to be in place and notified to the Italian SA according to a specific timeline, whilst the fine will have to be paid within thirty days.

For further information, please contact the Italian SA:

27 January 2020

The Commissioner for Personal Data Protection (Cypriot SA) fined LGS Handling Ltd, Louis Travel Ltd and Louis Aviation Ltd (Louis Group of Companies) for a total amount of EUR 82,000.00, concerning the lack of legal basis of “Bradford Factor” tool, which was used to score sick leaves of employees.

The Commissioner launched an investigation after a complaint was lodged by the employees’ trade union.

The reasoning behind Bradford's Factor automated system for scoring employees' sick leave was that short, frequent, and unplanned absences lead to a higher disorganising of the company rather than longer absences.

The date and the frequency of a sick leave relating to an individual, insofar as his or her identity is directly or indirectly disclosed, entail the processing of "special categories of personal data", as defined under Article 9(1) of the GDPR. Providing personal data to an automated system, scoring the data using 'Bradford Factor', and profiling individuals based on the results, is considered as processing of personal data; therefore such a processing operation needs to be in line with the principles defined in the GDPR.

The controller carried out an impact assessment of the processing operation, and it was submitted to the Commissioner for consultation during the investigation. The Commissioner was of the opinion that the controller failed to demonstrate through the impact assessment that its legitimate interest prevailed over the interests, rights and freedoms of its employees and consequently the mitigation of the risks was inadequate.

In the course of the investigation, we made use of the possibility to raise legal questions to the other EEA SAs via the so called Mutual assistance procedure and received input from 25 authorities. The replies received validated the absence of legal basis of the said processing and highlighted the necessity to regulate such issues with specific rules in line with article 88 of the GDPR.

After assessing all the elements gathered for the purpose of the investigation, the Commissioner decided that such processing operation had no legal basis. Primarily, it had not been established that the legitimate interest of the controller overrides the interests, rights and freedoms of its employees, which would enable the controller to rely on article 6(1)(f) of the GDPR. Likewise, none of the provisions of Article 9(2) of the GDPR would apply in this case, enabling the controller to process health data of employees.

The controller, as the employer, was entitled to supervise the frequency of sick leaves and the validity of sick leaves certificates. However, such a perquisite should not lead to mishandling and should be applied within the limits set by the relevant legislative framework.

Having established such unlawful conduct, the Commissioner ordered the controller to interrupt the processing and delete all data collected. Moreover, a fine of €70.000 was imposed to LGS Handling Ltd, a fine of €10.000 was imposed to Louis Travel Ltd and a fine of €2.000 was imposed to Louis Aviation Ltd, in relation to the infringements of articles 6(1) and 9 of the GDPR.

When deciding on the amount of the administrative fines, due regard was given to the number of data subjects (818 employees in total), the nature and duration of the infringements and the relevant turnover of the companies.

The full decision in Greek is available here

For further information, please contact the Cypriot SA:

17 January 2020

The Italian Supervisory Authority imposed two fines on Eni Gas and Luce (Egl), totalling EUR 11,5 million, concerning respectively illicit processing of personal data in the context of promotional activities and the activation of unsolicited contracts. The fines were determined in the light of the parameters set out in the EU Regulation, including the wide range of stakeholders involved, the pervasiveness of the conduct, the duration of the infringement, and the economic conditions of Egl.

The first fine of EUR 8,5 million relates to unlawful processing in connection with telemarketing and teleselling activities as found during inspections and inquiries that were carried out by the Authority following several dozens of alerts and complaints received in the immediate aftermath of the full application of the GDPR.  
The verifications revealed a limited number of cases, which however pointed to ‘systematic’ conduct  by Egl and highlighted serious criticalities with regard to the general processing of data.

The violations brought to light include advertising calls made without the consent of the contacted person or despite that person’s refusal to receive promotional calls, or without triggering the specific procedures for verifying the public opt-out register; the absence of technical and organisational measures to take account of the indications provided by users; longer than permitted data retention periods; and the acquisition of the data on prospective customers from entities (list providers) that had not obtained any consent for the disclosure of such data.

Having declared the conduct detected as unlawful, the Italian SA ordered Egl to put in place procedures and systems in order to verify, also by examining a large sample of customers, the consent of the persons included in the contact lists prior to the start of promotional campaigns. Egl will also have to ensure full automation of data flows from its database to the company’s own black list, i.e., the list of those who do not wish to receive advertising.  

The Italian SA further prohibited the company from using the data made available by the list providers  if the latter had not obtained specific consent for the communication of such data to Egl.

The second fine of EUR 3 million concerns breaches due to the conclusion of unsolicited contracts for the supply of electricity and gas under ‘free market’ conditions. Many individuals complained to the Authority that they learned about the conclusion of a new contract only on receiving the letter of termination of the contract with the previous supplier or else the first Egl bills. In some cases, the complaints reported incorrect  data in the contracts and forged signatures.

About 7200 consumers were affected by the above serious irregularities. The Authority’s findings showed that the conduct of Egl in acquiring new customers through certain external agencies operating on its behalf led, in organisational and managerial terms, to processing activities in breach of the EU Regulation  as they violated the principles of data fairness, accuracy and up-to-dateness.

Having established such unlawful conduct, the Italian SA ordered Egl to take several corrective measures and to introduce specific alerts in order to detect various procedural anomalies.  

Implementation of the above measures will have to take place and be communicated to the Authority within a set timeframe, while the fines will have to be paid within 30 days.

To read the press release in Italian, click here

For further information, please contact the Italian SA:

14 January 2020

The Ηellenic DPA in response to a complaint conducted an investigation regarding the lawfulness of personal data processing on a server of ‘ALLSEAS MARINE S.A.’, as well as the lawfulness of access to and inspection of deleted emails of a senior manager for whom there was suspicion that he had committed unlawful acts against the company’s interests.

The Authority found that the company as a controller had complied with the requirements of the GDPR and that its internal policies and regulations provided for a ban on the use of the company’s electronic communications and networks for private purposes, and for the possibility of carrying out internal inspections. The company therefore had a legal right under Articles 5(1) and 6(1)(f) of the GDPR to carry out an internal investigation searching and retreating employee’s emails.

The DPA, on the other hand, found that the closed-circuit video-surveillance system had been installed and operated illegally and, in addition, the recorded material submitted to the Authority was considered to be illegal.

Finally, the Authority found that the company did not satisfy the employee’s right of access to his personal data contained in his corporate PC.

Following the finding that the GDPR had been infringed, the Authority decided in this particular case to exercise its corrective powers under Article 58(2) of the GDPR by means of corrective measures, and decided to:

i) order the company to comply immediately with the complainant’s request to exercise his right to access and information concerning his personal data stored in the company’s computer that the complainant used, and inform the Authority thereof;
ii) ensure within one (1) month of receipt of the decision that the processing operations which take place by means of its video surveillance system comply with the provisions of the GDPR, and inform the Authority thereof, and, in particular:

(a) restore the application of the provisions of Article 5(1)(a) and (2) of the GDPR in accordance with the grounds of the judgement;
(b) also restore the application of the other provisions of subparagraphs (b) to (f) of Article 5(1) of the GDPR in so far as the infringement found affects the internal organisation and compliance with the provisions of the GDPR by taking all necessary measures under the principle of accountability;
iii) impose on the company an effective, proportionate and dissuasive administrative fine, as appropriate in the case of illegal installation and operation of a closed-circuit video-surveillance system, in accordance with the specific circumstances of this case, amounting to fifteen thousand euros (EUR 15,000.00).

Decision 43/2019 is available in Greek on  “Decisions”

For further information, please contact the Hellenic DPA: