July 2021 GDPR Enforcement Recap

To help understand what would be considered an infraction or breach regarding the GDPR articles we know, we need to see the regulation enforced in the real world. In July, several infractions occurred, and DPP’s insight and recap is provided for each one in no particular order.

As a reminder, GDPR is only enforced on members of the European Union, so not every country within the continent of Europe will be under this scrutiny.

  1. Spain
  2. Fine: € 4,000 ($ 4,696)
  3. Date of Decision: July 30, 2021
  4. Article Violated: 6
  5. Summary: A gas inspector carried out butane gas checks in the private homes of the data subjects on the basis of a list containing their surnames, first names, addresses and telephone numbers. The data subject had never consented to being included in the list. The original fine of € 5,000 was reduced due to immediate payment and acknowledgement of guilt.
  1. Spain
  2. Fine: € 2,000 ($ 2,348)
  3. Date of Decision: July 30, 2021
  4. Article Violated: 6
  5. Summary: A private individual had published the data subject’s phone number alongside a picture of another person on a dating website in order to create a fake profile with the name “Katy.”
  1. Spain
  2. Fine: € 600 ($ 704)
  3. Date of Decision: July 30, 2021
  4. Article Violated: 5
  5. Summary: A private individual was fined for unauthorized video surveillance. The controller had installed a video surveillance camera which covered neighboring houses and a public street. Data minimization was violated in this instance.
  1. Romania
  2. Fine: € 200 ($ 235)
  3. Date of Decision: July 30, 2021
  4. Article Violated: 5, 6, 14
  5. Summary: A private individual unlawfully disclosed the personal data of several individuals by distributing some materials in households of the municipality and through posts on his personal Facebook account. A salary statement of a data subject was included in the disclosure, whereby the surname, first name, place of work, and salary could be seen. A file from a register of children enrolled in the kindergarten of the municipality was also included in the disclosure. No data subjects were informed of this processing or collection.
  1. Spain
  2. Fine: € 3,000 ($ 3,522)
  3. Date of Decision: July 29, 2021
  4. Article Violated: 17, 21
  5. Summary: A data subject filed a complaint that UNIVERSIDAD A DISTANCIA DE MADRID had not deleted his data when requested. The data subject received a confirmation that his data had been deleted; however, he still received advertising from the university. The fine of € 5,000 was reduced for immediate payment and acknowledgement of guilt.
  1. Spain
  2. Fine: € 4,000 ($ 4,696)
  3. Date of Decision: July 27, 2021
  4. Article Violated: 5
  5. Summary: A private individual was fined for unauthorized video surveillance. The controller had installed two cameras on a public road and another in a tree which covered parts of a private property. The controller stored the recordings for longer than necessary and violated the principle of data minimization.
  1. Spain
  2. Fine: € 3,000 ($ 3,522)
  3. Date of Decision: July 27, 2021
  4. Article Violated: 5, 6
  5. Summary: A data subject filed a complaint that INSTAPACK had been sending thousands of SMS messages to his cell phone every month, informing him of the receipt of orders and deliveries and asking him to rate the company. He sent a request for his data to be deleted to the contact address on the controller’s website, but received no reply. After the request was sent, the messages continued.
  1. Spain
  2. Fine: € 3,000 ($ 3,522)
  3. Date of Decision: July 27, 2021
  4. Article Violated: 5
  5. Summary: UST GLOBAL Espana had an employee file a complaint against it that alleged the controller sent personal information, which included names, email addresses, and ID card numbers, to a service provider for which the company was performing a project. The company sent the information of each employee to the service provider, OpenBank, via email and cc’d both employees on that email, allowing them to have unauthorized access to personal information.
  1. Spain
  2. Fine: € 1,000 ($ 1,174)
  3. Date of Decision: July 27, 2021
  4. Article Violated: 13
  5. Summary: APARTMENTOS PLAYA DE COVACHOS had installed a video surveillance system at its resort and informed about it on information posters, which, however, didn’t contain any info about the identity and contact details of the responsible person.
  1. Spain
  2. Fine: € 2,000 ($ 2,348)
  3. Date of Decision: July 27, 2021
  4. Article Violated: 6
  5. Summary: Fitness Place had a contract with a data subject that said the subject’s data could be shared with the company Vasco Andaluza de Inversiones, the owner of the gym. However, the company shared the data with Gerco Fit and Body Tonic Shop, and this was not seen in the contract. The data was processed without legal basis.
  1. Spain
  2. Fine: € 2,000 ($ 2,348)
  3. Date of Decision: July 27, 2021
  4. Article Violated: 6
  5. Summary: Fitness Place had a contract with a data subject that said the subject’s data could be shared with the company Vasco Andaluza de Inversiones, the owner of the gym. However, the company shared the data with Gerco Fit and Body Tonic Shop, and this was not seen in the contract. The data was processed without legal basis.
  1. Spain
  2. Fine: € 2,000 ($ 2,348)
  3. Date of Decision: July 27, 2021
  4. Article Violated: 6
  5. Summary: Fitness Place had a contract with a data subject that said the subject’s data could be shared with the company Vasco Andaluza de Inversiones, the owner of the gym. However, the company shared the data with Gerco Fit and Body Tonic Shop, and this was not seen in the contract. The data was processed without legal basis.
  1. Spain
  2. Fine: € 60,000 ($ 70,433)
  3. Date of Decision: July 27, 2021
  4. Article Violated: 6, 15
  5. Summary: PRA Iberia had a contract with a data subject, where the data subject claimed that they had no knowledge of a claim made by the controller related to a contract. The data subject had attempted to exercise their right to information, but received no response from the controller.
  1. Spain
  2. Fine: € 2,000 ($ 2,348)
  3. Date of Decision: July 27, 2021
  4. Article Violated: 5
  5. Summary: An owners’ association had installed a camera on a data subject’s house, which recorded both the public pool area and parts of the interior of the house.
  1. Spain
  2. Fine: € 900 ($ 1,057)
  3. Date of Decision: July 27, 2021
  4. Article Violated: 5
  5. Summary: An owners’ association had installed a camera on a data subject’s house, which recorded both the public pool area and parts of the house. Voluntary payment and admission of guilt reduced the fine from € 1,500.
  1. Spain
  2. Fine: € 2,400 ($ 2,817)
  3. Date of Decision: July 27, 2021
  4. Article Violated: 5, 13
  5. Summary: The political party PODEMOS PARTIDO POLITICO installed video surveillance cameras which covered public spaces. Data minimization was violated and the controller had not properly informed the data subjects about the processing of the data. Voluntary acknowledgement and payment reduced the fine from € 4,000.
  1. Spain
  2. Fine: € 10,000 ($ 11,739)
  3. Date of Decision: July 27, 2021
  4. Article Violated: 17
  5. Summary: PERSONAL MARK sent promotional text messages to a data subject despite her having requested the deletion of her personal data from the controller’s database on several occasions.
  1. Spain
  2. Fine: € 1,000 ($ 1,174)
  3. Date of Decision: July 27, 2021
  4. Article Violated: 13
  5. Summary: NEXTSTEPAGENCY’s website lacked reliable data about the owner of the website, such as a tax number and postal address.
  1. Spain
  2. Fine: € 500 ($ 587)
  3. Date of Decision: July 27, 2021
  4. Article Violated: 13
  5. Summary: A website operator’s privacy policy did not comply with the requirements of Article 13.
  1. Spain
  2. Fine: € 2,520,000 ($ 2,994,314)
  3. Date of Decision: July 26, 2021
  4. Article Violated: 5, 6, 9, 12, 13, 25, 35
  5. Summary: Mercadona installed facial recognition systems in Mercadona stores for the purposes of tracking individuals with criminal convictions or restraining orders. The system captured every movement in the stores, including those of minors and employees. Data minimization was violated, as well as the principle of necessity and proportionality since the controller could process multiple instances of biometric data – beyond the purposes of the system. The privacy impact assessment was deficient, as it didn’t take into account the specific and unique risks to the company’s employees posed by the data processing. The company had also violated its duty to inform data subjects of the purpose of the processing.
  1. France
  2. Fine: € 400,000 ($ 475,288)
  3. Date of Decision: July 26, 2021
  4. Article Violated: 14, 28
  5. Summary: MONSANTO, in May 2019, was in possession of personal data of more than 200 political figures or members of civil society likely to influence the debate or public opinion on the renewal of the authorization of glyphosate in Europe. Seven complaints from data subjects affected by this file were submitted. The file contained information such as the organization they belonged to, position they held, their business address, business phone number, cell phone number, business email address, and Twitter account. Each individual was assigned a score of 1 through 5 to evaluate their influence, credibility, and support for Monsanto on various issues. The company didn’t inform the data subjects that their data was stored in this file, nor did the company give any contractual agreements that would regulate the relationships with subcontractors. Data subjects have the right to know of the existence of that file in order to exercise their rights under GDPR.
  1. Spain
  2. Fine: € 2,000 ($ 2,376)
  3. Date of Decision: July 26, 2021
  4. Article Violated: 13
  5. Summary: Fincas Miguel Garcia S.L. provided data to a data subject that did not comply with the request. Essential aspects were missing, and these included the purpose of the processing, the legal basis for the processing, as well as information around the legitimate interests of the controller that justify the processing, the period of the processing, and the right to withdraw consent at any time.
  1. Spain
  2. Fine: € 2,000 ($ 2,376)
  3. Date of Decision: July 26, 2021
  4. Article Violated: 13
  5. Summary: Intersumi S.C. failed to provide an adequate privacy statement on its website.
  1. Italy
  2. Fine: € 2,500,000 ($ )
  3. Date of Decision: July 22, 2021
  4. Article Violated: 5, 13, 22, 25, 30, 32, 35, 37
  5. Summary: Deliveroo Italy unlawfully processed the personal data of approximately 8,000 drivers. Violations of data protection included a lack of transparency in the algorithms used to manage drivers. The controller did not adequately inform the drivers about the functioning of the system they had installed on their smartphones, and did not ensure the accuracy of the results of the algorithmic systems used to evaluate the drivers. Deliveroo also carried out a meticulous work performance framework for its drivers using their geolocation, going far beyond what was needed to complete the order. The storage requirement of the data was not defined in a manner appropriate to the purpose.
  1. France
  2. Fine: € 1,750,000 ($ 2,079,385)
  3. Date of Decision: July 20, 2021
  4. Article Violated: 5, 13, 14
  5. Summary: Private Insurer, SGAM AG2R LA MONDIALE, kept the data of millions of individuals for an excessive period of time and did not comply with their information obligations in the context of telephone canvassing campaigns. The controller did not comply with the maximum data retention requirement of three years. The controller retained the data of 2,000 customers who had not been in contact with the controller for more than three years, and five in some cases.
  1. Luxembourg
  2. Fine: € 746,000,000 ($ 877,407,900)
  3. Date of Decision: July 16, 2021
  4. Article Violated: Unknown
  5. Summary: Amazon.com Inc. announced that it had failed to process data in compliance with the regulation (GDPR). Amazon plans to take legal action against the decision. This is a record GDPR fine. Find the report here.
  1. Denmark
  2. Fine: € 67,900 ($ 79,927)
  3. Date of Decision: July 16, 2021
  4. Article Violated: 32
  5. Summary: Region of Syddanmark failed to comply with its obligation as a data controller to implement adequate security measures. A citizen, in 2020, complained that the company lacked proper security measures around the processing of her child’s data. The region eventually reported the matter to the appropriate authority as a personal data breach when a database containing research for clinical processes was accessed inappropriately. By manipulating the URLs, a hacker could gain access to the PDFs stored in the database, which allowed individuals to access the data of other individuals.
  1. Spain
  2. Fine: € 45,000 ($ 52,971)
  3. Date of Decision: July 12, 2021
  4. Article Violated: 6
  5. Summary: Telefonica Mobiles Espana, S.A.U. was fined for a data subject’s complaint alleging that his telephone number and customer profile were used by the controller and employees to conduct tests in call centers without consent. The data subject received 247 unsolicited phone calls from the controller. The fine was reduced from € 70,000 for immediate payment and acknowledgement of responsibility.
  1. Spain
  2. Fine: € 1,500 ($ 1,766)
  3. Date of Decision: July 9, 2021
  4. Article Violated: 5, 13
  5. Summary: Aparcamiento Arcusa S.L.U. installed video surveillance cameras that covered public spaces. Data subjects were not informed of the surveillance effort, which violated the controller’s duty to inform.
  1. Denmark
  2. Fine: € 80,700 ($ 94,994)
  3. Date of Decision: July 9, 2021
  4. Article Violated: Unknown
  5. Summary: In January 2021, Medicals Nordic I/S was using WhatsApp to transmit confidential information and health data about citizens being tested in the company’s test care centers. All employees working in the test centers were invited to join the WhatsApp group and all messages transmitted by employees were viewable by the others in the group. Confidential information was shared about citizens, meaning that employees without a work-related need to process information received the information.
  1. Greece
  2. Fine: € 5,000 ($ 5,886)
  3. Date of Decision: July 8, 2021
  4. Article Violated: 12, 15
  5. Summary: A father asked the controller to view the medical records of his child’s patient file via email. The controller did not comply with this request.
  1. Spain
  2. Fine: € 4,000 ($ 4,709)
  3. Date of Decision: July 8, 2021
  4. Article Violated: 6
  5. Summary: A data subject purchased a product from Malagatrom S.L.U. via the Amazon platform, which was delivered in defective condition. The data subject left a negative review on the controller’s store page and the controller published the personal data of the person concerned on the store page of the Amazon portal. The data subject’s name, address, cell phone, and name of his wife and her phone number were all published on Amazon.
  1. Spain
  2. Fine: € 50,000 ($ 58,857)
  3. Date of Decision: July 8, 2021
  4. Article Violated: 6
  5. Summary: A data subject filed a complaint against Caixabank S.A. because he had received commercial advertising from the controller, although he had objected to the processing of his data for advertising purposes. The controller had originally replied that they would comply with the data subject’s request.
  1. Spain
  2. Fine: € 2,000 ($ 2,354)
  3. Date of Decision: July 7, 2021
  4. Article Violated: 5
  5. Summary: Usage of a CCTV camera captured the public space in violation of the principle of data minimization.
  1. Denmark
  2. Fine: € 53,800 ($ 63,330)
  3. Date of Decision: July 7, 2021
  4. Article Violated: 5, 6
  5. Summary: Nordbornholms Byggeforretning ApS, in 2018, had disclosed information about a former employee to the company’s customers. The company had emailed two customers, informing them that the former employee had committed crimes in the course of employment. The controller had legitimate interest in disclosing this information about the employee’s dismissal and therefore, the former employee could not engage in any contracts on the company’s behalf. However, such a detailed description of the allegations was not necessary and thus unlawful by the company.
  1. Spain
  2. Fine: € 4,200 ($ 4,944)
  3. Date of Decision: July 6, 2021
  4. Article Violated: 28
  5. Summary: Marbella Resorts S.L. was at fault for a lack of due diligence regarding the management of customer data. On the day of the data subject’s arrival, a concierge made copies of the data subject’s data. The concierge was not authorized to do so and could only authorize the reservation and provide keys to the guest. After providing their personal data, the data subject discovered that their data was published on a page with online content for adults. This constituted a lack of data management by the controller.
  1. Finland
  2. Fine: € 25,000 ($ 29,347)
  3. Date of Decision: July 5, 2021
  4. Article Violated: 5, 6
  5. Summary: A higher education institution introduced a mobile application that allowed teleworkers to clock in and clock out. The use of this application also required the user’s location data and was required in order to successfully clock in and out of the app. The fact that an individual can only clock in or out if their location data is processed, which violated data minimization standards, caused the DPA to conclude this was a violation.
  1. Croatia
  2. Fine: Unknown
  3. Date of Decision: July 5, 2021
  4. Article Violated: 13, 14, 27
  5. Summary: An insurance company based in Zagreb failed to provide notice that its external surface and business facility are under video surveillance. Data controllers and processors are obliged to provide notice of video surveillance activities and must be visible when entering the perimeter of the recording.
  1. United Kingdom
  2. Fine: € 29,000 ($ 34,137)
  3. Date of Decision: July 5, 2021
  4. Article Violated: 5, 32
  5. Summary: The transgender charity, Mermaids EUR, was fined for failing to protect the personal data of its users. Approximately 780 pages of confidential email were publicly viewable online for three years. Names and email addresses of 550 data subjects were viewable online. The organization did not adequately secure its systems or data to protect the personal data from disclosure.
  1. Croatia
  2. Fine: Unknown
  3. Date of Decision: July 5, 2021
  4. Article Violated: 32
  5. Summary: A Croatian IT company provides IT services to mobile operators, banks, and state institutions in Croatia and other countries. This company, therefore, acted as the data processor in relation to personal data. The controller, a telecommunications company, informed the DPA and data subjects of a breach of personal data leading to unauthorized access and processing of personal data by hackers. 28,085 respondents had their personal data compromised in this hack. The IT provider had not taken appropriate protective measures to achieve an adequate level of security. This failure led to the breach and fine, which remains private information.
  1. Spain
  2. Fine: € 1,500 ($ 1,766)
  3. Date of Decision: July 2, 2021
  4. Article Violated: 6
  5. Summary: An individual published personal data of a woman on a website without her permission. This included photos, personal notes, and information about the sexual relationship between the controller and the data subject.
  1. Spain
  2. Fine: € 6,000 ($ 7,063)
  3. Date of Decision: July 1, 2021
  4. Article Violated: 6
  5. Summary: On July 8, 2020, an individual disseminated a video on social media showing images of aggression by a man against a woman, as well as a young male minor intervening. The faces of the woman and the minor had not been anonymized/pixelated. Timely payment and admission of guilt reduced the fine by 40%.
  1. Spain
  2. Fine: € 1,000 ($ 1,177)
  3. Date of Decision: July 1, 2021
  4. Article Violated: 6
  5. Summary: The controller used the personal data of a third party to obtain a microcredit. The controller lacked a legal basis for obtaining this data.

Summary of July 2021

Spain clearly took first when it comes to total violations for the month with 30. This doesn’t incriminate the country, but rather helps us understand that Spain, compared to the others, doesn’t have as many companies complying with GDPR regulations.

The largest fine was brought against Luxembourg, and specifically against Amazon for their violation of several GDPR articles. This was included in Amazon’s quarterly report where it stated that it was accused of inappropriately processing and collecting data of customers. Several articles were violated and it’s currently being battled out in court, as Amazon files countersuits.

By far, Article 6 was the most violated article during July. This article details the lawfulness of processing and includes several provisions for when the processing of personal data is and is not permitted. Article 6 was violated 20 times in July. The next two were articles 5 (16 violations) and 13 (11 violations).

| Country | Total Violations | Total Fine (€) | Largest Fine (€) | Most Affected Article |
|---|---|---|---|---|
| Spain | 30 | 2,742,600 | 2,520,000 | 6 |
| France | 2 | 2,150,000 | 1,750,000 | 14 |
| Croatia | 2 | Unknown | Unknown | Tie (13, 14, 27, 32) |
| United Kingdom | 1 | 29,000 | 29,000 | Tie (5, 32) |
| Denmark | 3 | 202,400 | 80,700 | Tie (5, 6, 32) |
| Greece | 1 | 5,000 | 5,000 | Tie (12, 15) |
| Luxembourg | 1 | 746,000,000 | 746,000,000 | N/A – Noncompliance with Regulation |
| Italy | 1 | 2,500,000 | 2,500,000 | 5, 13, 22, 25, 30, 32, 35, 37 |
| Finland | 1 | 25,000 | 25,000 | 5, 6 |
| Romania | 1 | 200 | 200 | 5, 6, 14 |

Obviously, the country itself isn’t at fault, but it’s fun to compare them and see which ones contain companies that don’t emphasize privacy regulation as heavily as others who aren’t on the list.

These are my thoughts and should not be taken as professional advice simply because you are not paying me for my opinion.

Once you understand how valuable your information is, then you can begin taking steps to keep it private.