Privacy Fines Database

Real enforcement actions from 26 jurisdictions worldwide. Understand the cost of non-compliance with GDPR, CCPA, and other privacy regulations.

€7.1B+

Total GDPR Fines

132+

Fines Tracked

26

Jurisdictions

~1M

Breach Notifications Since 2018

Sanctioned organizations by size

54%

SMEs & Startups

< €50M revenue

26%

Large Enterprises

€50M–€1B revenue

12%

Public Sector

Gov, health, education

8%

Tech Giants

> €1B revenue

Source: DLA Piper GDPR Survey 2026 (443 breach notifications/day, ~1M cumulative since 2018), CMS Enforcement Tracker (2,800+ GDPR fines, €7.1B cumulative). Most fines target small & mid-size companies.

GDPR Fine Simulator — Estimate Your Penalty Risk

Estimate the potential fine your organization could face based on regulation, violation type, company size, and aggravating factors. Based on real DPA enforcement patterns.

€20M or 4% of global annual turnover, whichever is higher, for serious violations (Art 83(5)); €10M or 2% for lesser violations (Art 83(4)).

Processing personal data without valid legal basis (GDPR Art 6). The most common and most heavily fined violation.

Longer violations attract higher penalties.

Estimated Fine Range

High Risk

€1.1M

Most likely estimate

Low: €540K · Mid: €1.1M · High: €1.8M
Violation tier: Upper tier (most severe)
Max statutory penalty: €20.0M
4% of revenue: €2.0M
Fixed maximum: €20.0M

Factors Applied

Cooperated with DPA: -10%

Disclaimer: This simulator provides rough estimates based on publicly available penalty frameworks and real DPA enforcement patterns. Actual fines depend on many factors including DPA discretion, remediation efforts, company cooperation, and precedent. This is not legal advice. See real fine examples →

Don't risk a fine — scan your website now


Europe

16 jurisdictions

Ireland (IE)

Data Protection Commission (DPC)

GDPR · Max: €20M or 4% of global annual turnover
Company · Amount · Year

TikTok

Unlawful data transfers to China

Failed to ensure adequate protection for EU user data transferred to China and lacked transparency about data processing practices.

€530M · 2025

Meta (Facebook)

Unlawful EU-US data transfers

Transferred EU user data to the US without adequate safeguards post-Schrems II ruling. Largest GDPR fine ever issued.

€1.2B · 2023

Meta (Instagram)

Children's data processing

Made children's accounts public by default and exposed phone numbers and email addresses of minors aged 13–17.

€405M · 2023

LinkedIn

Unlawful advertising data processing

Processed personal data for behavioral advertising without a valid legal basis, violating consent and legitimate interest principles.

€310M · 2024

Meta (Facebook)

Data breach — 29M accounts

A 2018 data breach exposed personal data of 29 million accounts due to insufficient technical and organizational security measures.

€251M · 2024

WhatsApp

Transparency failures

Failed to provide clear and transparent information to users about how their personal data was being shared with Meta companies.

€225M · 2021

TikTok

Children's privacy violations

Default public settings for children's accounts and enabled direct messaging to minors without adequate age verification.

€345M · 2023

France (FR)

CNIL (Commission Nationale de l'Informatique et des Libertés)

GDPR · Max: €20M or 4% of global annual turnover
Company · Amount · Year

Google LLC

Cookie consent violations

Google.fr and YouTube.com made it difficult for users to refuse cookies — "Accept All" was one click but refusing required multiple steps.

€150M · 2022

Microsoft Ireland

Advertising cookies without consent

Bing deposited advertising cookies on users' devices without prior consent and lacked a clear rejection mechanism.

€60M · 2022

Criteo

Tracking without valid consent

Ad-tech company tracked users across millions of websites without obtaining valid, prior consent as required by the ePrivacy Directive.

€40M · 2024

Amazon France

Cookie deposit without consent

Deposited advertising cookies on users' computers without prior consent or adequate information about cookie purposes.

€35M · 2020

Google LLC

Cookie deposit without consent

Placed advertising cookies on google.fr without adequate prior information or consent, violating the French Data Protection Act.

€100M · 2020

Clearview AI

Biometric data collection without basis

Scraped billions of facial images from the internet without any legal basis, creating a biometric database without individuals' knowledge or consent.

€20M · 2022

SAF Logistics (transport SME)

Employee surveillance via GPS

Small logistics company tracked delivery drivers via GPS in real-time without proper consent or data protection impact assessment.

€200K · 2023

DS Automobiles (car dealership)

Marketing emails without consent

Car dealership sent promotional emails to prospects who never consented and failed to honor unsubscribe requests within the legal deadline.

€100K · 2024

Real estate agency (unnamed)

Excessive data collection from tenants

Small agency demanded bank statements, tax returns and ID copies beyond what is legally permitted for tenant applications.

€75K · 2023

Germany (DE)

16 State DPAs + BfDI (Federal)

GDPR · Max: €20M or 4% of global annual turnover
Company · Amount · Year

Vodafone GmbH

General data processing violations

Non-compliance with general data processing principles under GDPR, including insufficient measures for lawful processing of customer data.

€45M · 2025

H&M

Employee surveillance

Systematically surveilled employees at its Nuremberg service center by recording detailed private information about health, religion, and family during return-to-work meetings.

€35.3M · 2020

Deutsche Wohnen

Excessive data retention

Real estate company stored tenant personal data indefinitely without any data retention policy, keeping old financial records, personal IDs, and employment contracts.

€14.5M · 2024

1&1 Telecom

Insufficient authentication

Customer service agents could access customer accounts using only a name and date of birth — no additional identity verification was required.

€9.55M · 2019

Delivery service (Hamburg)

Employee health data processing

Small food delivery company collected employees' health data (sick notes with diagnosis details) and stored them in an insecure shared folder.

€16K · 2024

Dental practice (Bavaria)

Patient records without encryption

Dental clinic stored unencrypted patient health records on a server accessible from the open internet, exposing sensitive medical data.

€10K · 2023

Fitness studio (Berlin)

CCTV in changing rooms

Gym installed surveillance cameras covering changing room entrances without proper signage, consent, or a legitimate purpose under GDPR.

€8.5K · 2024

Netherlands (NL)

Autoriteit Persoonsgegevens (AP)

GDPR · Max: €20M or 4% of global annual turnover
Company · Amount · Year

Uber

Improper EU-US data transfers

Transferred EU driver personal data to the US headquarters without adequate safeguards (Standard Contractual Clauses or DPF).

€290M · 2024

Clearview AI

Unlawful facial recognition database

Built a facial recognition database by scraping billions of images from the internet without consent, legal basis, or transparency.

€30.5M · 2024

Netflix

Inadequate privacy notices

Failed to adequately inform customers about what personal data was collected and how it was used between 2018 and 2020.

€4.75M · 2024

Uber

Transparency on data transfers

Insufficient transparency about third-country data transfers and data retention periods communicated to drivers.

€10M · 2025

Dentist practice (Amsterdam)

Unencrypted patient data sharing

Dental practice emailed unencrypted patient health records and X-rays to third-party labs using regular email without any security measures.

€12K · 2024

Webshop (Utrecht)

No cookie consent mechanism

Small online retailer loaded Google Analytics and Facebook Pixel tracking cookies before obtaining any user consent, with no cookie banner at all.

€7.5K · 2023

Luxembourg (LU)

CNPD (Commission Nationale pour la Protection des Données)

GDPR · Max: €20M or 4% of global annual turnover
Company · Amount · Year

Amazon Europe

Advertising targeting without consent

Amazon's behavioral advertising system processed personal data for targeted ads without obtaining valid consent from users. Legal challenge lost in 2025.

€746M · 2021

Amazon Europe

Data subject access rights failures

Failed to adequately respond to customer data access requests within the required timeframe under GDPR Article 15.

€2.25M · 2022

Satispay Europe

Marketing without consent

Fintech company sent promotional communications to users who had not given valid consent for direct marketing purposes.

€180K · 2024

Italy (IT)

Garante per la protezione dei dati personali

GDPR · Max: €20M or 4% of global annual turnover
Company · Amount · Year

OpenAI

AI training without legal basis

Processed personal data to train ChatGPT without a valid legal basis and failed to report a data breach within the 72-hour notification window.

€15M · 2024

Clearview AI

Biometric data processing

Operated an unlawful biometric surveillance system by scraping facial images of Italian residents without consent or legal basis.

€20M · 2022

Enel Energia

Unsolicited telemarketing

Made millions of unsolicited telemarketing calls using data obtained from unauthorized lists, contacting people on the do-not-call registry.

€26.5M · 2021

TIM (Telecom Italia)

Aggressive telemarketing

Systematic telemarketing violations including making calls without consent, ignoring opt-out requests, and mishandling personal data across call centers.

€27.8M · 2020

Bar Gioia (café)

Illegal CCTV installation

Small bar installed surveillance cameras without required information signs and filmed public sidewalk areas without any legal basis.

€600 · 2023

Macelleria La Costata (butcher)

Excessive video surveillance

Butcher shop installed cameras covering public areas and staff workstations without a data protection impact assessment or employee consent.

€1.5K · 2023

Medical practice (Rome)

Patient emails without BCC

Doctor sent a group email to 45 patients about test results using CC instead of BCC, exposing all patients' email addresses and health conditions.

€7K · 2024

Hotel (Florence)

Passport data retention

Small hotel kept photocopies of guests' passports for years instead of the mandatory 24-hour retention period, storing them in an unlocked cabinet.

€15K · 2023

Spain (ES)

AEPD (Agencia Española de Protección de Datos)

GDPR · Max: €20M or 4% of global annual turnover
Company · Amount · Year

CaixaBank

Unlawful customer data processing

Processed customer data for marketing purposes without valid consent and failed to adequately document processing activities.

€6.2M · 2021

Vodafone España

Unsolicited communications

Sent marketing communications to users who had opted out and processed personal data for telemarketing without adequate consent mechanisms.

€8.15M · 2021

La Liga (football)

Surveillance via mobile app

Used the official La Liga app to activate microphones and GPS on users' phones to detect unauthorized broadcasts of football matches.

€250K · 2021

EDP Energía

Lack of consent for processing

Processed customer personal data for marketing and profiling without obtaining proper consent, affecting a large customer base.

€1.5M · 2023

Dental clinic (Madrid)

Video surveillance in examination rooms

Small dental practice installed CCTV in the doctor's office, recording patients during examinations without consent or legitimate interest.

€1.2K · 2024

Restaurant owner (Valencia)

Unlawful CCTV recording

Restaurant installed cameras filming public streets and neighbouring properties without proper signage or a valid legal basis.

€2K · 2023

Gym (Barcelona)

Biometric access without consent

Fitness center used fingerprint scanners for member access without obtaining explicit consent for biometric data processing.

€5K · 2024

Online shop (Seville)

Missing privacy policy

Small e-commerce website collected customer data (names, addresses, payments) without any privacy policy or data processing information.

€3K · 2023

Real estate agency (Málaga)

Sharing tenant data without basis

Agency shared personal data of tenants with third-party service providers without consent or a data processing agreement.

€10K · 2024

Sweden (SE)

IMY (Integritetsskyddsmyndigheten)

GDPR · Max: €20M or 4% of global annual turnover
Company · Amount · Year

Apoteket AB (pharmacy)

Meta Pixel data leak

Transferred sensitive health-related personal data to Meta via the Meta Pixel advertising tracker installed on their e-commerce website.

€3.5M · 2024

Spotify AB

Right of access violation

Failed to provide users with sufficiently clear information about how their personal data was processed in response to access requests.

€3.5M · 2024

Apohem AB (pharmacy)

Meta Pixel health data transfer

Pharmacy chain transferred sensitive customer health data to Meta through advertising pixel, revealing purchases of medical products.

€800K · 2024

Capio St. Görans Hospital

Unauthorized record access

Hospital staff accessed patient records without medical justification. Inadequate access controls allowed employees to view any patient data.

€30K · 2023

Greece (GR)

HDPA (Hellenic Data Protection Authority)

GDPR · Max: €20M or 4% of global annual turnover
Company · Amount · Year

Hellenic Post (ELTA)

Data breach — dark web exposure

Inadequate technical and organizational security measures led to a data breach that exposed customer personal data on the dark web.

€2.9M · 2024

Ministry of Interior + MEP

Unsolicited political communication

Personal data leaked and used for unsolicited political messages in election campaigns without citizen consent.

€440K · 2024

Ministry of Migration

AI surveillance without safeguards

Deployed AI-powered surveillance in refugee camps without proper data protection impact assessments or data retention policies.

€175K · 2024

Finland (FI)

Data Protection Ombudsman

GDPR · Max: €20M or 4% of global annual turnover
Company · Amount · Year

Posti (postal service)

Unlawful automatic mailbox creation

Automatically created electronic mailboxes for citizens without consent, processing personal data unlawfully.

€2.4M · 2024

Verkkokauppa.com

No data retention limits

Failed to define data retention periods and forced customers to create mandatory accounts for online purchases — went beyond what is necessary.

€856K · 2024

Taksi Helsinki

Excessive data collection

Collected and stored excessive personal data from taxi passengers beyond what was necessary for the service provided.

€72K · 2021

Psykoterapiakeskus Vastaamo

Massive therapy data breach

Private psychotherapy records of 33,000+ patients were stolen and leaked online due to catastrophically poor security. CEO was criminally charged.

Criminal prosecution · 2023

Private school (Helsinki)

Student data without legal basis

Private school processed detailed behavioral notes on students and shared them with external psychologists without parental consent.

€5K · 2024

Belgium (BE)

APD (Autorité de protection des données)

GDPR · Max: €20M or 4% of global annual turnover
Company · Amount · Year

Unnamed hospital

Cybersecurity failure — 300K records

Insufficient cybersecurity protections led to a cyberattack that compromised the personal data of 300,000 patients.

€200K · 2024

RTL Belgium

Non-compliant cookie banner

Cookie banner lacked a "Reject All" button and used misleading design with color contrasts steering users toward acceptance.

€40K/day · 2024

Freedelity

Consent and data minimization failures

Violated consent mechanisms, data minimization principles, and retained customer data excessively beyond the purpose of collection.

€5K/day · 2025

Construction firm (Liège)

Unauthorized employee monitoring

Small construction company installed keystroke loggers on employee computers to monitor productivity without informing workers or having a legal basis.

€3K · 2024

Poland (PL)

UODO (Urząd Ochrony Danych Osobowych)

GDPR · Max: €20M or 4% of global annual turnover
Company · Amount · Year

Santander Bank Polska

Failure to notify data breach

Lost bank documents containing personal data and failed to notify affected individuals about the data breach as required.

€335K · 2024

Polish bank (unnamed)

Failure to inform breach victims

Did not inform individuals whose data was compromised in a breach, violating the GDPR notification obligation.

€928K · 2024

Toyota Bank Polska

DPO independence issues

Data Protection Officer was not positioned to operate independently and the bank failed to adequately document its profiling activities.

€132K · 2024

Denmark (DK)

Datatilsynet

GDPR · Max: €20M or 4% of global annual turnover (court-issued)
Company · Amount · Year

Netcompany Group

Digital mail service security failures

Security vulnerabilities in a digital mail service exposed personal data of citizens, referred to police for prosecution.

€2.2M · 2024

OiSTER Telecom

Data breach — 247K customers

Data breach affected 246,748 customers' personal data. Reported to police with a recommended fine of DKK 750,000.

€100K · 2025

DSB (Danish State Railways)

Employee data processing

Unlawfully processed employee personal data and failed to maintain adequate records of processing activities.

€134K · 2022

IDdesign A/S

Data retention violations

Retained personal data of 385,000 former customers for years beyond what was necessary, with no deletion procedures in place.

€200K · 2021

Norway (NO)

Datatilsynet

GDPR (via EEA) · Max: €20M or 4% of global annual turnover
Company · Amount · Year

Telenor ASA

Organizational GDPR failures

Issues with Records of Processing Activities (RoPA) and failure to ensure Data Protection Officer (DPO) independence as required.

€380K · 2025

Grindr LLC

Sharing sensitive data without consent

Shared users' GPS location, device identifiers, and sexual orientation data with advertising partners without valid legal consent.

€6.3M · 2021

Municipality of Bergen

Student data breach

Personal data of 35,000 students and employees was exposed due to a security flaw in the school administration system.

€170K · 2020

Stortinget (Parliament)

Cyberattack security failures

The Norwegian Parliament suffered a cyberattack exploiting vulnerabilities in Microsoft Exchange, exposing email accounts of elected officials.

€68K · 2021

Austria (AT)

DSB (Datenschutzbehörde)

GDPR · Max: €20M or 4% of global annual turnover
Company · Amount · Year

Austrian Post

Failure to fulfill data subject rights

Created profiles on political preferences of Austrian citizens and sold this data to political parties without adequate consent.

€9.5M · 2021

Media company (unnamed)

Failure to cooperate with DPA

Refused to cooperate with the data protection authority during an investigation, obstructing regulatory enforcement.

€15.2K · 2024

REWE Group (supermarket)

Customer profiling without consent

Loyalty card program processed customer behavior data for profiling purposes without valid consent under GDPR.

€8M · 2023

Jö Bonus Club

Tracking purchase behavior

Loyalty program tracked detailed purchase behavior of 4 million Austrians and used it for targeted advertising without adequate consent.

€2M · 2023

Physiotherapy practice (Vienna)

Unsecured patient records

Small physiotherapy clinic stored patient treatment records on a shared computer without password protection, accessible to all staff and visitors.

€11K · 2024

Portugal (PT)

CNPD (Comissão Nacional de Proteção de Dados)

GDPR · Max: €20M or 4% of global annual turnover
Company · Amount · Year

Instituto Nacional de Estatística

Unlawful international data transfers

Census data was transferred to the US via Cloudflare without adequate safeguards and no data protection impact assessment was conducted.

€4.3M · 2022

Hospital do Barreiro

Unauthorized access to patient records

Hospital allowed non-medical staff to access patient records through falsified doctor profiles. 985 active profiles for only 296 doctors.

€400K · 2019

Câmara Municipal de Lisboa

Sharing activist data with embassies

The Lisbon city council shared personal data of protest organizers with foreign embassies, endangering activists from authoritarian countries.

€1.25M · 2022

United Kingdom

1 jurisdiction

United Kingdom (GB)

ICO (Information Commissioner's Office)

UK GDPR · Max: £17.5M or 4% of global annual turnover
Company · Amount · Year

Capita Group

Cybersecurity failure — 6.6M records

Failed to secure personal data of 6.6 million individuals including sensitive information after a cyber-attack. Originally proposed at £45M, reduced via early settlement.

£14M · 2025

British Airways

Data breach — 400K customers

Hackers skimmed payment card data from 400,000 customers through the BA website due to poor security measures.

£20M · 2020

Marriott International

Data breach — 339M records

Failure to keep personal data secure led to a breach affecting approximately 339 million guest records globally.

£18.4M · 2020

Advanced Computer Software

Ransomware attack — NHS disruption

Inadequate cybersecurity allowed a ransomware attack that compromised 79,404 individuals' data and disrupted NHS 111 healthcare services.

£3.07M · 2025

23andMe

Security failure — 155K UK users

Failed to implement appropriate security measures, leading to a credential-stuffing attack that exposed genetic data of 155,592 UK users.

£2.31M · 2025

Police Service of NI

Accidental data leak — 9,483 officers

Accidentally published a spreadsheet containing the personal details of all 9,483 serving officers and staff.

£750K · 2024

Law firm (London)

Client data sent to wrong recipient

Small solicitors firm accidentally emailed sensitive case files including medical and financial records to the wrong person due to autocomplete error.

£10K · 2024

Recruitment agency (Manchester)

CV database without security

Staffing agency stored CVs containing personal data of 5,000+ candidates in an unencrypted, publicly accessible cloud folder.

£7.5K · 2023

Americas

3 jurisdictions

USA, California (US)

CPPA + California Attorney General

CCPA / CPRA · Max: $2,663/violation (general) · $7,988/violation (intentional or children)
Company · Amount · Year

Zoom

Privacy and security failures

Misleading security claims, sharing data with Facebook, and security vulnerabilities that enabled "Zoombombing" incidents.

$85M · 2021

Disney

Opt-out non-compliance

Failed to honor consumer opt-out requests for data sharing on its streaming platform. Part of a broader 2024 enforcement sweep on streaming services.

$2.75M · 2025

Healthline Media

Sensitive health data leakage

Allowed third-party trackers to collect sensitive user health data without consent and failed to provide a functional opt-out mechanism.

$1.55M · 2025

Tractor Supply Co.

HR data privacy violations

First CCPA fine targeting HR data. Failed to provide privacy rights information to job applicants and had a broken opt-out mechanism.

$1.35M · 2025

American Honda

Excessive verification for rights requests

Required excessive personal information for consumer verification and shared data with ad tech companies without appropriate contractual safeguards.

$632K · 2025

DoorDash

Customer data sharing without notice

Shared customer personal data with third-party marketing companies without informing consumers or providing an opt-out option.

$375K · 2023

Todd Snyder Inc.

Misconfigured privacy portal

Privacy portal was misconfigured, delaying opt-out requests. Additionally demanded excessive personal information from consumers making privacy requests.

$345K · 2025

Brazil (BR)

ANPD (Autoridade Nacional de Proteção de Dados)

LGPD (Lei Geral de Proteção de Dados) · Max: 2% of revenue in Brazil, capped at R$50M per violation
Company · Amount · Year

Telecom operator (unnamed)

Customer data processing without basis

Processed customer personal data for commercial purposes without a valid legal basis, affecting millions of subscribers.

R$6.6M · 2024

Telekall Infoservice

First-ever LGPD fine

Microenterprise processed personal data for WhatsApp marketing campaigns without a valid legal basis — the very first LGPD enforcement action.

R$14.4K · 2023

Instituto Nacional do Seguro Social (INSS)

Social security data breach

Personal data of social security beneficiaries was accessed by unauthorized third parties and used for predatory loan marketing.

R$3.3M · 2024

Bytedance (TikTok Brazil)

Children's data processing

Collected and processed personal data of children under 13 without parental consent and inadequate age verification mechanisms.

R$1.7M · 2024

Canada (CA)

OPC (Office of the Privacy Commissioner)

PIPEDA · Max: C$100K per violation (PIPEDA) · C$25M or 5% revenue (proposed CPPA)
Company · Amount · Year

Clearview AI

Unlawful facial recognition

Scraped images of Canadians from the internet for facial recognition without consent. Ordered to cease operations and delete all Canadian data.

Order to delete data · 2021

Equifax

Data breach — 19K Canadians

The 2017 data breach exposed personal data of 19,000 Canadians. Investigation found inadequate security safeguards and poor data governance.

Compliance agreement · 2019

Tim Hortons

Excessive location tracking

The Tim Hortons app tracked users' location data every few minutes even when the app was closed, far exceeding what was necessary.

Compliance agreement · 2022

Home Depot

Sharing data without consent

Shared customer email addresses with Meta for targeted advertising when customers provided receipts, without obtaining meaningful consent.

Compliance agreement · 2023

Aylo (Pornhub/MindGeek)

Non-consensual content

Investigation into inadequate verification systems that failed to prevent non-consensual intimate images from being uploaded and distributed.

Under investigation · 2024

Asia-Pacific

5 jurisdictions

Australia (AU)

OAIC (Office of the Australian Information Commissioner)

Privacy Act 1988 · Max: A$50M, 3x benefit, or 30% of adjusted turnover
Company · Amount · Year

Clearview AI

Facial recognition without consent

Scraped Australian residents' facial images from social media without knowledge or consent to build a biometric surveillance database.

Cease operations order · 2021

Australian Information Commissioner v HealthEngine

Misleading health data practices

Shared patient personal information with insurance brokers, lawyers, and advertisers without proper consent or disclosure.

A$1.38M · 2023

Medibank

Massive data breach — 9.7M records

A 2022 ransomware attack exposed highly sensitive health data of 9.7 million current and former customers due to inadequate cybersecurity.

Ongoing litigation · 2023

Optus (SingTel)

Data breach — 10M customers

A cyberattack exposed personal data of 10 million customers including passport and driver's license numbers due to an exposed API endpoint.

A$12M settlement · 2023

Latitude Financial

Data breach — 14M records

Hackers stole 14 million customer records including driver's license numbers, passport numbers, and financial data from systems dating back to 2005.

Under investigation · 2023

Singapore (SG)

PDPC (Personal Data Protection Commission)

PDPA (Personal Data Protection Act) · Max: S$1M or 10% of annual turnover in Singapore
Company · Amount · Year

SingHealth

Data breach — 1.5M patients

Singapore's worst data breach. Hackers accessed personal data of 1.5 million patients including PM Lee Hsien Loong's prescription data.

S$250K · 2019

IHiS (IT vendor)

Inadequate cybersecurity for SingHealth

As the IT service provider for SingHealth, failed to implement adequate security measures and delayed response to the cyber-attack.

S$750K · 2019

Consumers Association of Singapore

Security arrangement failures

Failed to implement reasonable security arrangements and adequate policies to protect personal data under its care.

S$20K · 2024

South Korea (KR)

PIPC (Personal Information Protection Commission)

PIPA (Personal Information Protection Act) · Max: 3% of total sales (increasing to 10% for severe violations)
Company · Amount · Year

Meta (Facebook Korea)

Sharing sensitive data without consent

Collected and shared sensitive information about 980,000 Korean users (political views, sexual orientation, religion) with advertisers without consent.

₩6.5B (~€4.5M) · 2022

Google Korea

Location data consent violations

Collected location data from Android users without proper consent and made it difficult for users to opt out of location tracking.

₩69.2B (~€48M) · 2022

Business On Communication

SQL injection data breach

Data breach resulting from SQL injection attacks due to insufficient security safeguards. Failed to send timely breach notifications.

₩139.7M (~€95K) · 2025

Japan (JP)

PPC (Personal Information Protection Commission)

APPI (Act on Protection of Personal Information) · Max: Administrative guidance; criminal penalties up to ¥100M for corporates. Fines system under review for 2027.
Company · Amount · Year

LINE Corporation

Cross-border data handling failures

Allowed subsidiary in China to access Japanese user data including messages and payment info without proper user notification.

Administrative guidance · 2021

NTT Docomo / dpoint

Inadequate third-party data controls

Failed to maintain adequate oversight of third-party contractors who had access to customer personal information.

Administrative guidance · 2023

Toyota Motor Corporation

Cloud misconfiguration data exposure

Location and vehicle ID data of 2.15 million customers was publicly accessible for over a decade due to a cloud environment misconfiguration.

Administrative guidance · 2023

NTT Communications

Unauthorized access — 17K records

Data breach affected 17,000 corporate customer records after attackers gained unauthorized access to internal systems through compromised VPN credentials.

Administrative guidance · 2024

India (IN)

Data Protection Board of India (DPBI)

DPDP Act 2023 · Max: ₹250 Crore (~€28M) per violation
Company · Amount · Year

(Enforcement starting 2027)

New regulatory framework

DPDP Rules notified Nov 2025. Penalties range from ₹50 Crore to ₹250 Crore per violation. Full compliance deadline: May 2027.

Framework active · 2025

BigBasket (Tata Digital)

Data breach — 20M users

Personal data of 20 million users including emails, phone numbers, and hashed passwords was found on sale on the dark web.

IT Act action · 2021

Air India

Data breach — 4.5M passengers

Flight booking data of 4.5 million passengers leaked including passport details, credit card info, and ticket information.

IT Act action · 2021

Domino's India

Data breach — 180M orders

Personal data from 180 million pizza orders leaked online including names, phone numbers, addresses, and email IDs.

IT Act action · 2021

Middle East

1 jurisdiction

Turkey (TR)

KVKK Board

KVKK (Kişisel Verilerin Korunması Kanunu) · Max: ₺1.9M per violation (updated annually)
Company · Amount · Year

WhatsApp

Privacy policy update violations

Forced users to accept new privacy policy sharing data with Meta companies. Found to violate transparency and informed consent requirements.

₺1.95M · 2021

Meta (Facebook)

Data breach notification failure

Failed to notify Turkish authorities about a data breach in a timely manner and inadequate security measures to prevent unauthorized access.

₺1.65M · 2020

Google LLC

Cookie policy violations

Failed to obtain valid consent for cookies and did not provide adequate information about data processing purposes on Google services used in Turkey.

₺1.96M · 2023

Yemeksepeti (Delivery Hero)

Data breach — 21.5M users

Online food delivery platform suffered a massive data breach exposing personal data of 21.5 million users including addresses and phone numbers.

₺1.9M · 2021

TikTok

Children's data processing

Insufficient age verification and parental consent mechanisms for Turkish users under 13, violating KVKK requirements for sensitive data.

₺1.75M · 2022

Most Common Violation Types

Insufficient Legal Basis

34%

Processing personal data without valid consent or legitimate interest

Typical range: €50K – €1.2B

Unlawful Data Transfers

20%

Transferring personal data to third countries without adequate safeguards

Typical range: €100K – €1.2B

Insufficient Security

18%

Inadequate technical and organizational measures leading to data breaches

Typical range: €10K – £14M

Data Subject Rights

15%

Failure to fulfill access, deletion, or portability requests

Typical range: €5K – €20M

Cookie Consent Violations

8%

Loading trackers before consent or lacking "reject all" options

Typical range: €10K – €150M

Transparency Failures

5%

Insufficient privacy notices or unclear data processing information

Typical range: €5K – €225M

Regulation Overview

Regulation | Scope | Max Penalty
GDPR | 27 EU member states + EEA | €20M or 4% of global turnover
UK GDPR | United Kingdom | £17.5M or 4% of global turnover
CCPA / CPRA | California, USA | $7,988 per intentional violation
LGPD | Brazil | 2% of revenue, capped at R$50M
PIPEDA | Canada | C$100K per violation (CPPA: C$25M proposed)
PDPA | Singapore | S$1M or 10% of local turnover
PIPA | South Korea | 3–10% of total sales
APPI | Japan | ¥100M (admin fines under review)
Privacy Act | Australia | A$50M, 3x benefit, or 30% of turnover
DPDP | India | ₹250 Crore (~€28M)
KVKK | Turkey | ₺1.9M per violation

Don't become the next headline

Scan your website for privacy issues, security vulnerabilities, and compliance gaps — all in under 60 seconds.
