Leading up to the fourth anniversary of the European Union’s General Data Protection Regulation (GDPR), there have been a handful of noteworthy enforcement actions announced against companies for violations of the stringent privacy legislation.
Clearview AI has been fined twice this year—20 million euros (then-U.S. $22 million) in Italy in February and more than 7.5 million pounds (U.S. $9.4 million) in the United Kingdom earlier this week—while Big Tech firms Meta (Facebook) and Google have received fines of €17 million (then-U.S. $18.6 million) from the Irish Data Protection Commission and €10 million (then-U.S. $10.6 million) from Spain’s AEPD, respectively.
Below is a roundup of other notable cases recently announced.
In April, France’s data protection authority, the CNIL, fined Dedalus Biology €1.5 million (then-U.S. $1.62 million) after the personal and medical details of nearly 500,000 people were leaked and posted on a website, including whether they had HIV, cancer or a genetic disease, or were undergoing drug treatment.
The regulator found the company lacked basic information technology (IT) security controls: patient data was stored unencrypted, user accounts were shared among employees, and the public area of the server could be reached without authentication.
Klarna was fined 7.5 million Swedish krona (then-U.S. $799,000) in March over shortcomings in the way it processed people’s data. The payments firm was also singled out for failing to be forthcoming with the Swedish Data Protection Authority (DPA) during its investigation.
Klarna “continuously” changed the information it shared with the DPA about how the company handled personal data and provided “misleading” details about who received personal data when data was shared with Swedish and foreign credit information companies, according to the regulator. The company also failed to provide an adequate reason for the legal basis of the processing.
Further, Klarna did not provide information regarding which countries outside the European Union/European Economic Area personal data was transferred to or how individuals could obtain information on the safeguards that applied to the transfer to third countries, the regulator found. The company allegedly offered incomplete information about data subjects’ rights, including the right to delete data, the right to data portability, and the right to object to how one’s personal data is processed.
Klarna is appealing the fine.
In January, Poland imposed its largest GDPR fine to date, approximately €1.08 million (then-U.S. $1.2 million), on a marketing firm for failing to take basic security measures on its servers to protect customer details.
The Polish DPA found Fortum Marketing and Sales Polska violated the GDPR when it created a duplicate customer database, which was further duplicated by unauthorized persons.
In its decision notice, the regulator said the company failed to check whether standard security measures had been followed during the IT work and left it to the contractor (who was also fined €55,000, or then-U.S. $62,500) to implement appropriate security measures, even though, as the data controller, Fortum remained responsible for protecting the data under the GDPR.
In February, telecommunications giant Vodafone was once again fined by the AEPD over accountability and security failings relating to the fraudulent replication of SIM cards. The €3.94 million (then-U.S. $4.45 million) penalty is the second largest fine the Spanish regulator has issued against the company, following an €8.15 million (then-U.S. $9.72 million) sanction imposed against it in March 2021.
So far, Vodafone has been fined around 65 times under the GDPR, including nearly 60 times in Spain, according to the GDPR Enforcement Tracker.