1. Accessing personal data without authorization
Since the General Data Protection Regulation (GDPR) came into force, many sanctions have been applied to data handlers for failing to comply with certain provisions of the law. For the first time, an employee was sentenced to 6 months of prison for violating the GDPR. The news comes from England. According to the ICO (the UK's Information Commissioner's Office), an employee of the Dorset Department of Social Welfare was prosecuted for accessing the files of four individuals she knew, without having authorization to do so.
The employee was prosecuted, and it was found that, although she had been instructed on her data protection obligations and on how to perform her duties according to her job description, she chose to violate the regulations and obtained personal data in an abusive manner.
2. Using video devices without properly informing the data subjects
ICO has imposed a £120,000 fine on a London TV Channel for illegally filming maternity patients.
True Vision Productions (TVP) set up several cameras and microphones inside a maternity ward and used the footage to make a documentary about the premature death of children. There was an agreement between the maternity hospital and the television company for the placement of the cameras and microphones; however, following the investigation, the ICO found that the patients had not been properly notified and that no consent had been obtained from them.
3. Not providing proper training to staff handling sensitive personal data
Morele.net is the first online store launched in Poland and one of the largest in Europe. They have a fairly large database that contains personal data of customers who have used the services of the retailer.
The Polish store reported that its online database had been the victim of a cyber-attack. Following the attack, the data of approximately 2.2 million customers, such as name, e-mail address, home address and telephone number, were compromised. Subsequently, the stolen data was used by the attackers in a phishing campaign: the customers of the online store received a link that redirected them to a fake page where they were asked to pay a certain amount of money supposedly due from prior purchases at the Morele.net store.
UODO (the Polish Data Protection Authority) established that the security breach was due to a lack of technical and organizational measures adequate to the risks involved, including not appropriately training staff on the GDPR and on the proper handling of sensitive data.
The store was fined by the Polish Authority with over 2.8 million PLN, the equivalent of approximately €645,000.
4. Using the collected data for purposes other than the specified one
In Belgium, a mayor was fined for sending electoral campaign messages to two citizens. The announcement was made by the Litigation Chamber of the Belgian Data Protection Authority, which also stated that the investigation found the mayor had used the data abusively and for a purpose different from the legitimate interest originally specified. The two citizens had corresponded by e-mail with the mayor in order to carry out an urban project. Shortly before the local elections, the mayor sent them an e-mail containing an electoral message. For this, a fine of 2,000 Euros was applied. Hielke Hijmans, President of the Dispute Resolution Chamber, stated: "The use of personal data by political representatives for electoral purposes is a matter of great concern to citizens. It is important to remember that public officials must abide by the law."
5. Storing personal data in an inadequate way
Doorstep Dispensaree Ltd, a pharmaceutical supplier, was fined 320,000 Euros following an investigation by the ICO. During the investigation, approximately 500,000 documents held by Doorstep Dispensaree Ltd were discovered, including names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to a large number of people. The documents were kept in improper conditions; more precisely, they were stored in containers near the company's headquarters. Some of the documents were damaged by humidity, and all were exposed to the risk of unauthorized access and use for illegitimate purposes.
Sovy's GDPR Essentials can help you get compliant and stay compliant with our suite of online tools and services, including:
- eLearning for GDPR and Cybersecurity
- Cookie Consent Manager with data rights access requests
- Records of Data Processing
We also offer Advisory Services for additional support to address your company's needs. Find out more about how Sovy GDPR Privacy Essentials can help you, or get in touch with Sovy for more information.