2 large fines in the GDPR world

The month of May brought along 2 large fines for GDPR infringements. 

CNIL, the French Data Protection Authority, issued a subsequent 5.2 million EUR fine for CLEARVIEW AI, a company which collects photos from a wide range of websites and then sells access to its database of images. The company was first fined with 20 million EUR in 2022, in addition to the French DPA ordering the company not to collect and process data on individuals located in France without any legal basis, and to delete the data of these individuals, after responding to requests for access it received. The company had 2 months to comply to the request, subject to a penalty of 100.000 EUR per day of delay, as part of its decision from October 2022 by which Clearview AI was initially fined.

The second large fine issued in May comes from the Croatian Personal Data Protection Agency, with a 2.3 million EUR fine issued to the Debt Collection Agency. The fine was imposed due to the controller’s failure to inform its data subjects, in an accurate manner about the processing of their personal data through a privacy policy and for failing to apply technical and organizational protection measures while processing personal data. Aditionally, The Debt Agency did not conclude a contract on the processing of personal data with the data processor for the service of monitoring simple consumer bankruptcy.  Following these issues, a security breach had occured, with more than 132,652 data subjects being affected.