Clearview AI fined 30.5 million euros

The Dutch Data Protection Authority (Dutch DPA) has imposed a significant fine of 30.5 million euros on Clearview AI, a U.S.-based company known for its controversial facial recognition services. In addition to the fine, Clearview also faces potential additional penalties of up to 5 million euros for non-compliance. This decision underscores the Dutch authority’s firm stance against privacy violations and the unauthorized use of data, particularly in the rapidly developing field of biometric technology.

856,000 euro GDPR fine

One of Finland’s largest online retailers, Verkkokauppa.com, was recently fined a not inconsiderable €856,000 by the national supervisory authority.

How it came about: a customer of the Finnish retailer complained to the authority that he was forced to create a user account in order to shop on the site.


40,000 euro fine for Emag for failure to comply with GDPR requirements

1. The National Supervisory Authority for Personal Data Processing (ANSPDCP) has received complaints from three individuals in Hungary against Dante International SA, through the cooperation mechanisms of Regulation (EU) 2016/679.

2. The ANSPDCP has been designated as the lead supervisory authority in this case, as Dante International SA has its main office in Romania.


Emag receives fine for not respecting GDPR regulation

The National Supervisory Authority for Personal Data Processing has formally completed its investigation into Dante International SA and found that the company violated several provisions of Regulation (EU) 2016/679.

Thus, Emag.ro did not comply with a data subject’s request to delete his data: the company informed him by SMS about a new offer after he had expressly requested the deletion of his account and all irrelevant data. As a result, the regulator issued a fine of €1,000 (equivalent).


Processing of personal data by a data processor

The processing of personal data by a processor must be documented, i.e. there must be a contract, in accordance with Article 28, paragraph 3 of Regulation (EU) 2016/679 of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
Date: December 20, 2022, Poland

Basic information
Date of final decision: September 7, 2022
Controller: Cultural Center of the Municipality of Sułkowice
Legal reference: Requirements relating to the processor (Article 28(1)(3)(9))
Decision: Administrative fine

Summary of the decision

Origin of the case
The Polish supervisory authority (SA) was notified about a personal data breach at the Sułkowice Cultural Center. In the course of the procedure, it was found that the controller, without a written contract, used a processor to whom it outsourced bookkeeping, record keeping and reporting (in the areas of finance, taxation and social security) or documentation storage.

Furthermore, the controller has not verified whether the processor provides sufficient guarantees for the implementation of appropriate technical and organizational measures to ensure that the processing of personal data complies with the GDPR.

Key findings
Failure to verify the processor and its safeguards for processing in compliance with data protection regulations may entail consequences for individuals whose personal data have been entrusted to the processor, such as loss of personal data. Only after examining the competence and suitability of the chosen processor may the controller proceed to conclude an appropriate contract.

In the course of the case, the supervisory authority found that the controller did not have any document confirming the verification of the conditions of cooperation with the processor. In addition, requests to the controller for information, clarifications and return or access to the processed data were unsuccessful.

Decision
The Polish Personal Data Supervisory Authority imposed an administrative fine of PLN 2 500 on the Sułkowice Cultural Center.

The reason for the decision was the use by the controller of a processor without a written contract and the failure to verify whether the processor provides sufficient guarantees to implement adequate technical measures.

source https://edpb.europa.eu/news/national-

“Effective training” – a new concept after the recent decision of the Cluj courts in the Banca Transilvania vs ANSPDCP case

Much has been said about the fine of €100,000 imposed by the National Authority for the Supervision of Personal Data (ANSPDCP) almost two years ago to sanction the dissemination of personal data belonging to a customer and employees of Banca Transilvania in the public space. It is not our intention to go back over the history of those facts, nor do we intend to analyze it, as we do not have the concrete details of the case at our disposal.
