GDPR Breach Fines for SL Group Companies

The Swedish Authority for Privacy Protection (IMY) has issued administrative fines of SEK 75,000 each to Aktiebolaget Storstockholms Lokaltrafik (SL) and Waxholms Ångfartygs AB (WÅAB). The fines were imposed for processing personal data related to employee sobriety tests in breach of the GDPR, specifically regarding excessive data storage and handling of potentially sensitive health data.

Apoteket and Apohem Fined for GDPR Violations

The Swedish Authority for Privacy Protection (IMY) has fined Apoteket AB SEK 37 million and Apohem AB SEK 8 million for GDPR violations. The companies improperly transferred sensitive personal data to Meta via the Meta Pixel tool, failing to implement adequate protective measures.

Sportadmin Fined SEK 6 Million for GDPR Data Leak

The Swedish Authority for Privacy Protection (IMY) has imposed an administrative fine of SEK 6 million on Sportadmin following a data leak that exposed personal data of over 2.1 million individuals. The authority found that Sportadmin did not maintain an appropriate level of security to protect the data, violating GDPR Article 32.

AEPD Resolves GDPR Breach: 492 Individuals' Data Published

The Spanish Data Protection Agency (AEPD) has initiated a sanctioning procedure against the Consejería de Hacienda y Administración Pública of the Junta de Extremadura for publishing the personal data (name, surname, and DNI) of 492 individuals on its website. The data was published without consent as part of a public employment selection process and has been accessible since September 2019.

Spanish DPA Resolution on Data Rights Claim

The Spanish Data Protection Agency (AEPD) has issued a resolution regarding a data rights claim (EXP202517310). The claimant exercised their right of access, and after initial non-compliance, the respondent has now demonstrated that the right was attended to and a response was provided.

Data Protection Commission 2024 Annual Report

The Data Protection Commission (DPC) has published its 2024 Annual Report, detailing €652 million in administrative fines issued, including significant penalties against Meta and LinkedIn. The report also highlights the conclusion of numerous inquiries and breach notifications.

DPC Fines CDETB €125,000 for GDPR Data Breach

The Irish Data Protection Commission (DPC) has fined the City of Dublin Education and Training Board (CDETB) €125,000 for a GDPR data breach. The inquiry found CDETB infringed multiple GDPR articles related to security measures, breach notification to the DPC, and notification to data subjects.

DPC Inquiry into TikTok Data Transfers to China

The Irish Data Protection Commission (DPC) has opened an inquiry into TikTok Technology Limited regarding the transfer of EEA users' personal data to servers in China. This follows TikTok's admission that limited data was stored in China, contrary to previous evidence provided to the DPC.

Data Protection Commission Opens Inquiry into Children's Health Ireland

The Data Protection Commission (DPC) has opened a formal inquiry into Children's Health Ireland (CHI) concerning the security of children's health records at Tallaght University Hospital. The inquiry follows protected disclosures and a breach notification, and will examine CHI's GDPR compliance regarding physical data security.

CJEU Rules Pre-Ticked Checkboxes Invalid for Cookie Consent

The European Court of Justice (CJEU) ruled that pre-ticked checkboxes are invalid for obtaining cookie consent. This decision, welcomed by data protection authorities, clarifies that active user behavior is required for valid consent regarding data processing.