
Tag Archives for "sanctions"

German Court Slashes a GDPR Privacy Fine by 90%

A German appeals court has slashed by 90% a General Data Protection Regulation fine levied by the nation’s federal privacy watchdog against 1&1 Telecom over call center data protection shortcomings.

In December 2019, Germany’s Federal Commissioner for Data Protection and Freedom of Information, or BfDI, announced a fine of 9.6 million euros ($11.3 million) – at the time, the second-largest privacy fine ever announced in Germany – against 1&1 Telecom.

Source: German Court Slashes a GDPR Privacy Fine by 90%

Ticketmaster fined £1.25m over personal data breach

Ticketmaster has been fined £1.25m for failing to keep the personal data of millions of customers secure.

The online events ticket seller failed to put “appropriate security measures in place” to prevent a cyber-attack on a chat-bot installed on its online payment page, the Information Commissioner’s Office (ICO) in the UK said.

The breach potentially affected 9.4 million customers across Europe. As a result, 60,000 payment cards belonging to Barclays Bank customers were subjected to fraud, and another 6,000 cards were replaced by Monzo bank after suspected fraud.

Source: Ticketmaster fined £1.25m over personal data breach

Data protection scofflaws failed to pay £2m or 68% of fines from UK watchdog

Scofflaws have failed to pay nearly £2m in fines handed out by the UK Information Commissioner’s Office over the past 18 months, according to new research.

Between January 2019 and August 2020, the ICO issued a total of £3.2m in monetary penalty notices but just £1.03m has been paid, according to research from SMS API biz The SMS Works.

When measured as a percentage of the fine amount, nuisance-call operators were the least likely to have paid their fines, with The SMS Works finding that just 13 per cent of penalties handed to such firms had been paid.

Source: Data protection scofflaws failed to pay £2m in fines from UK watchdog – and 68% of penalties are still outstanding • The Register

Marriott International fined £18.4m for 2014 data breach

The UK data regulator has issued Marriott International with a watered-down £18.4 million fine for a data breach that affected 339 million guest records worldwide.

The sum has been significantly reduced from the initial £99 million notice of intent to fine that the Information Commissioner’s Office (ICO) first issued the hotel chain in July 2019. The decision to issue a substantially lower fine once again raises questions as to the effectiveness of GDPR enforcement.

Source: Marriott International fined £18.4m for 2014 data breach | IT PRO

Experian faces GDPR action after ICO finds ‘widespread data protection failings’

The Information Commissioner’s Office (ICO) has ordered credit rating giant Experian to stop profiting from the secretive enriching and processing of people’s personal data or face a massive GDPR fine.

The investigation found the three firms were trading, enriching and enhancing people’s personal data without their knowledge or consent. This resulted in products which were used by third-party commercial organisations to find new customers, identify those who were most likely to be able to afford products, and build individual profiles around people.

UK watchdog gives Experian nine-month ultimatum to change ‘illegal’ business practices or face punishment.

Source: Experian faces GDPR action after ICO finds ‘widespread data protection failings’ | IT PRO

ICO fines British Airways £20m for data breach affecting more than 400,000 customers

The Information Commissioner’s Office (ICO) has fined British Airways (BA) £20m for failing to protect the personal and financial details of more than 400,000 of its customers.

An ICO investigation found the airline was processing a significant amount of personal data without adequate security measures in place. This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months.

Source: ICO fines British Airways £20m for data breach affecting more than 400,000 customers | ICO

ICO Launches Consultation on Its Draft Statutory Guidance

On October 1, 2020, the UK Information Commissioner’s Office (ICO) launched a public consultation on its draft Statutory Guidance.

The Guidance provides an overview of the ICO’s powers and how it intends to regulate and enforce data protection legislation in the UK, including its approach to calculating fines.

Source: ICO Launches Consultation on Its Draft Statutory Guidance

Fashion chain H&M fined $35m for snooping on employees

Fashion chain H&M has been fined $35 million for data protection breaches, including recording and sharing private information about hundreds of employees among managers.

Hamburg’s data protection commissioner said the company collected private information about employees at a customer service centre in Nuremberg.

After absences, such as vacations and sick leave, supervisors would conduct “welcome back talks” with members of staff. The data protection commissioner said: “After these talks, in many cases not only the employees’ concrete vacation experiences were recorded, but also symptoms of illness and diagnoses.

Source: Fashion chain H&M fined $35m for snooping on employees

Danish hotel group fined for failing to delete customers’ details

The Arp-Hansen Hotel Group in Denmark has been fined 1.1m Danish crowns (US$170,000, €148,000) and referred to the police by the country’s data protection authority (Datatilsynet) for storing information on clients longer than necessary.

In an audit visit, the DPA found there were customer profiles which should have been deleted several years earlier. The authority considers 500,000 entries ought to have been erased from the group’s systems.

Source: Danish hotel group fined for failing to delete customers’ details

CNIL Adopts Its First Sanction as Lead Supervisory Authority

French Data Protection Authority (CNIL) has levied a fine of €250,000 on French online shoe retailer, Spartoo, for various infringements of the EU General Data Protection Regulation (GDPR). This is the first penalty under the GDPR enforced by the CNIL as the lead supervisory authority (Lead SA) in cooperation with other EU supervisory authorities.

The CNIL’s investigation focused on the processing of personal data of Spartoo’s existing and prospective customers, and on the recording of telephone conversations between customers and Spartoo’s customer service. The investigation revealed several infringements of the GDPR, including (1) absence of a defined data retention period(s), (2) no regular erasure of existing and prospective customer personal data, and (3) improper acceptance of weak passwords for online customer accounts.

Source: CNIL Adopts Its First Sanction as Lead Supervisory Authority, Fining French Online Shoe Retailer
