In the individuals and private associations sector, DPAs from 17 different countries have so far imposed 360 fines (+52 compared to the 2024 ETR) on private individuals, individual entrepreneurs, private sport associations and leagues in the total amount of EUR 2,544,656 (+EUR 693,990 compared to the 2024 ETR).
Let's take a closer look
- The highest fine of EUR 600,000 was issued against the GSM Association by the Spanish DPA (AEPD) for not carrying out a data protection impact assessment regarding its use of an identification system for physical attendees that granted access based on facial recognition and biometric tokens (ETid-2545).
- Fines against private individuals were generally much lower, most often below EUR 2,000.
- The lowest fine of EUR 48 was issued against an Estonian police officer (ETid-384) who accessed personal data in a police database for private research.
- Many cases against individuals and private associations involve video surveillance on private grounds or in traffic. DPAs imposed fines for such violations regularly even on private individuals.
Main takeaways
The number of fines and total amount for this sector has grown modestly since the 2024 ETR. Many small fines were imposed against individuals. More than 60% of all fines in this sector were imposed by the Spanish DPA (i.e. 219 of 360 cases).
DPAs have tended to treat bigger non-profits (esp. sports associations) just like similarly sized businesses. They imposed fines for various offences ranging from lack of technical and organisational measures to insufficient information provided to data subjects.
For individual entrepreneurs and private individuals, the DPAs seem to pay very close attention to the extent to which the violation was foreseeable by the individual and to the motives behind the processing. The number of data subjects and the violator's intention to pursue economic interests through the illegal data processing was particularly important.
Nearly half of all fines in this sector were based on illegal video surveillance. This underscores the general focus of DPAs on video surveillance. They consider video surveillance to be such a risky form of processing that strict requirements must be met even by private individuals.
