Home / GDPR Enforcement Tracker Report / Individuals and Private Associations

Individuals and Private Associations

GDPR Enforcement Tracker Report - Individuals and private associations

This chapter covers any fines imposed on private individuals, homeowner associations, individual entrepreneurs, private sport associations and leagues. In total, the fines implemented by the DPAs amount to EUR 857,596 (+26,845 in comparison to the ETR 2020). These fines were issued by DPAs in nine different countries.

Let's take a closer look:

  • The highest fine of EUR 525,000 was issued against the Royal Dutch Tennis Association (ETid-218) for selling contact details of 350,000 members without permission to sponsors who contacted them for direct marketing purposes via phone and email. 
  • The lowest fine of EUR 200 was issued against a German Youtuber (ETid-238) who was broadcasting compilations of his dashcam footage, revealing many cars' number plates.
  • Many cases involve video surveillance on private grounds or in traffic.
  • Most notable seems to be a case in Austria where a football coach (ETid-69) was fined EUR 11,000 for filming female players for years while they were naked in the shower cubicle.
  • The issue most frequently criticised and fined by the authorities is the processing of personal data without a sufficient legal basis for data processing.

Main takeaway

The total amount of fines for this sector remains almost identical to the ETR 2020. Most fines were imposed by the Spanish authority. Many cases involve video surveillance on private grounds or in traffic (dash cams).

In this sector, the DPAs seem to take very close account of the extent to which the violation was foreseeable by the individual and of the motives behind the processing. The number of data subjects and the violator's intention to pursue economic interests through the illegal data processing was particularly important. At the same time, the intimacy of the processed data was also of considerable significance for the fine.

As is the case for companies, individuals and private associations primarily have to ensure that they can rely on a sufficient legal basis for the processing operations and that they observe the data processing principals named in Art. 5 GDPR.