Company – Fine (Germany, 2020)

Fine
Bundesbeauftragter für den Datenschutz1 January 2020Germany
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A company running an online marketplace for worn underwear was found to have failed in protecting users' privacy. They didn't remove location data from photos uploaded by users, which could reveal where the photos were taken. This highlights the need for businesses to ensure they protect user data, especially when promising anonymity.

What happened

The company failed to remove location metadata from user-uploaded photos, risking exposure of users' locations.

Who was affected

Approximately 760 women aged 18 to 50 who uploaded photos to the online marketplace.

What the authority found

The privacy authority found the company lacked proper security measures and unlawfully processed data by not cleaning location metadata, violating GDPR.

Why this matters

This case emphasizes the importance of technical measures to protect user privacy, especially for platforms promising anonymity. Businesses should ensure they strip metadata from user content to avoid privacy breaches.

GDPR Articles Cited

Art. 6 GDPR
Art. 32 GDPR
Germany enforcementBundesbeauftragter für den Datenschutz actionsAll Company actions
Full Legal Summary
Detailed

The DPA from Hamburg has issued a fine against a company that operates an online marketplace, especially for worn underwear. The company advertises that it guarantees one hundred percent anonymity. On the platform, users can upload photos of underwear. In most cases, smartphones or other mobile devices were used to take the photos. The camera apps of the smartphones or GPS modules of the cameras often store additional information in the image file alongside the actual image as a standard setting. Based on this data, a fairly precise localization is possible. A review by the DPA revealed that the company had not cleaned up the residual information or metadata in the uploaded photos. Consequently, the data could be entered into any map service and the exact location where the photo was taken could be determined. The number of data subjects involved was approximately around 760 women between the ages of 18 and 50. For this reason, the DPA found that the company had failed to take appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed to the data subjects. In addition, the DPA concluded that the company had unlawfully processed the associated data by uploading the photos without cleaning them.

Related Enforcement Actions (20)

Other enforcement actions involving Company in DE

Fine
Jan 2020· Bundesbeauftragter für den Datenschutz

The DPA from Hamburg as imposed a fine of EUR 13,000 on a company. An individual had booked and attended a course with a company, but had not paid the...

€13K
Fine
Jan 2020· Bundesbeauftragter für den Datenschutz

The DPA of Lower Saxony has imposed a fine of EUR 65,000 on a company. The reason for the proceedings was a report by the company to the authority reg...

€65K
Current
Jan 2020

Fine

Fine
Jan 2021· Bundesbeauftragter für den Datenschutz

The DPA of Hamburg has imposed a fine in the six-digit range on a Hamburg-based company operating in the healthcare sector. The company had failed to ...

€500K
Fine
Jan 2021· Bundesbeauftragter für den Datenschutz

The DPA of Brandenburg has imposed a fine on a company. An individual had filed a complaint with the DPA based on the fact that the company produced a...

€5K
Fine
Jan 2022· Bundesbeauftragter für den Datenschutz

The DPA of Bremen has imposed a five-digit fine on a company. The company had sent an unredacted social plan to all affected employees in the context ...

€50K
Fine
Jan 2022· Bundesbeauftragter für den Datenschutz

The DPA of Niedersachsen imposed a fine of EUR 8,900 on a company. The company had a customer database on the Internet with thousands of entries. Duri...

€9K
Fine
Jan 2022· Bundesbeauftragter für den Datenschutz

The DPA from Baden-Württemberg has imposed a fine of EUR 20,000 on a company. The company had developed a new office plan that took into account the v...

€20K
Fine
Sept 2022· Bundesbeauftragter für den Datenschutz

The DPA of Berlin has imposed a fine of EUR 525,000 on the subsidiary of a Berlin-based e-commerce group. The company had appointed a data protection ...

€525K
Fine
Jan 2023· Bundesbeauftragter für den Datenschutz

The DPA of Niedersachsen has imposed a fine of EUR 16,600 on a company in the real estate industry for failing to conclude a joint controllership agre...

€17K
Fine
Jan 2023· Bundesbeauftragter für den Datenschutz

The DPA of Hamburg imposed a fine of EUR 75,000 on a company. An employee had lodged a complaint with the DPA due to the fact that they had to report ...

€75K
Fine
Jan 2023· Bundesbeauftragter für den Datenschutz

The DPA of Hessen has fined a company EUR 25,000. A person had filed a complaint for receiving advertising messages, although they had objected to rec...

€25K
Fine
Jan 2024· Bundesbeauftragter für den Datenschutz

The DPA of Hamburg imposed a fine of EUR 11,500 on a company operating in the advertising industry for failing to comply with its deletion obligations...

€12K
Fine
Jan 2024· Bundesbeauftragter für den Datenschutz

The DPA of Berlin imposed a fine of EUR 60,000 on a healthcare company. The company offers practice management software that includes a patient commun...

€60K
Fine
Jan 2024· Bundesbeauftragter für den Datenschutz

The DPA of Hamburg has imposed a fine of EUR 32,000 on a logistics company for incorrectly disposing of delivery lists.

€32K
Fine
Jan 2024· Bundesbeauftragter für den Datenschutz

The DPA of Hessen has imposed a fine of EUR 10,000 on a company. The controller used data for marketing purposes without a legal basis. The company ob...

€10K
Fine
Jan 2024· Bundesbeauftragter für den Datenschutz

The DPA from Saxony has fined a company EUR 22,080 for failing to sufficiently cooperate with the DPA during an investigation.

€22K
Fine
Jan 2024· Bundesbeauftragter für den Datenschutz

The DPA of Hessen has imposed a fine of EUR 496,000 on a company. The DPA identified several GDPR violations, including transmitting customer data to ...

€496K
Fine
Jan 2024· Bundesbeauftragter für den Datenschutz

The DPA from Saxony has fined a company EUR 120,000 for failing to provide information requested by the DPA during an investigation.

€120K
Fine
Sept 2025· Bundesbeauftragter für den Datenschutz

The DPA of Hamburg has imposed a fine of EUR 195,000 on a company. The controller was active in direct marketing via post and failed to adequately res...

€195K
Fine
Sept 2025· Bundesbeauftragter für den Datenschutz

The DPA of Hamburg has imposed a fine of EUR 492,000 on a company in the finance sector. The controller used automated systems to decide whether to ap...

€492K

Details

Fine Date

1 January 2020

Authority

Bundesbeauftragter für den Datenschutz

Enforcement Tracker ID

ETid-1045

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Company - Germany (2020). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: