Row: Country
1: Germany
2: South Korea
3: France
4: France
5: Luxembourg
6: Spain
7: US
8: France
9: South Korea
10: South Korea
11: US
12: US
13: China
14: China
15: France
16: Germany
17: Italy
18: UK
19: US
20: France
21: Australia
22: France
23: France
24: France
25: South Korea
26: South Korea
27: Spain
28: Sweden
29: Italy
30: Ireland
31: South Korea
32: South Korea
33: Ireland
34: Spain
35: Ireland
36: Ireland
37: Ireland
38: Ireland
39: Ireland
40: Ireland
41: Ireland
42: Nigeria
43: Norway
44: South Korea
45: South Korea
46: South Korea
47: France
48: US
49: Netherlands
50: Greece
51: Italy
52: France
53: Spain
54: Spain
55: Sweden
56: US
57: US
58: US
59: US
60: Sweden
61: Norway
62: France
63: Ireland
64: Netherlands
65: Turkey
66: UK
67: Italy
68: Turkey
69: Ireland
70: US
71: US
72: Spain
73: Ireland
74: Italy
75: Turkey

Company fined: Count
1&1 Telecom: 1
AliExpress: 1
Amazon: 5
Apple: 3
AT&T: 2
China National Knowledge Infrastructure: 1
Didi: 1
Facebook: 5
Free: 1
Google: 8
Iliad: 1
Instagram: 1
Kakao: 1
Kakao Pay: 1
LinkedIn: 1
MasMovil: 1
Meta: 12
Microsoft: 2
Netflix: 1
Nova: 1
OpenAI: 1
Orage: 1
Orange: 2
Spotify: 1
Sprint: 1
T-Mobile: 3
Tele2: 1
Telenor: 1
TikTok: 5
TIM: 1
Twitch: 1
Twitter: 2
Verizon: 1
Vodafone: 1
WhatsApp: 1
Wind Tre: 1
X: 1
Company fined
Type of company
Date of fine
Fine amount In local currency
Fine amount In £
Detail
Source
Last updated
1&1 Telecom
Telecoms operator
12/9/2019
€900,000
£771,802

The Federal Data Protection Authority found that 1&1 had not taken sufficient measures to prevent unauthorised persons from obtaining customer data through its telephone customer service.


Following appeal, a court reduced the fine from €9.55m to €900,000.

https://www.bfdi.bund.de/SharedDocs/Pressemitteilungen/DE/2019/30_BfDIverh%C3%A4ngtGeldbu%C3%9Fe1u1.html
1/27/2025
AliExpress
Tech company
7/25/2024
KRW1,978,000,000
£1,112,322

The Personal Information Protection Commission (PIPC) has fined – and imposed an improvement recommendation on – AliExpress for violating personal information protection laws.


The regulator found that the 'open market' nature of the AliExpress platform meant that data of Korean consumers was being transferred overseas (to about 180,000 Chinese vendors) without their knowledge or consent.

https://www.pipc.go.kr/np/cop/bbs/selectBoardArticle.do?bbsId=BS074&mCode=C020010000&nttId=10386
1/27/2025
Amazon
Tech company
12/7/2020
€35,000,000
£31,800,000

The CNIL found that Amazon placed advertising cookies on the computers of people who used the amazon.fr website, without obtaining prior consent and without providing adequate information.

https://www.cnil.fr/en/cookies-council-state-confirms-2020-sanction-imposed-cnil-against-amazon
1/27/2025
Amazon
Tech company
12/27/2023
€32,000,000
£27,383,552

Following press articles about company practices and complaints from employees, the French Data Protection Authority (CNIL) carried out several investigations into Amazon France Logistique – the company that manages Amazon's large warehouses in France.


The CNIL discovered an excessively intrusive system for monitoring employee activity and performance, as well as the use of video surveillance without information or sufficient security.


Amazon France Logistique subsequently received a fine of €32m.

https://www.cnil.fr/en/employee-monitoring-cnil-fined-amazon-france-logistique-eu32-million
1/27/2025
Amazon
Tech company
7/16/2021
€746,000,000
£637,000,000

The Luxembourg data protection authority, the CNPD, fined Amazon €746m.


The fine reportedly relates to the company’s targeted advertising practices, which were allegedly carried out without consent.


Amazon has appealed the decision.

https://d18rn0p25nwr6d.cloudfront.net/CIK-0001018724/cbae1abf-eddb-4451-9186-6753b02cc4eb.pdf
1/27/2025
Amazon
Tech company
2/11/2022
€2,000,000
£1,711,472

The Spanish data protection authority, Agencia Española de Protección de Datos (AEPD), launched an investigation into Amazon Road Transport Spain S.L. – the Spanish logistics arm of Amazon.


The AEPD found that formally self-employed drivers were being required to submit information, including personal data on criminal convictions and offences, that was then unlawfully processed according to Article 10 of the GDPR.


Drivers also had to consent to the transfer of their data to any Amazon company outside the European Economic Area.


https://www.aepd.es/documento/ps-00267-2020.pdf
1/27/2025
Amazon
Tech company
7/19/2023
$25,000,000
£19,900,725

According to a complaint filed by the Department of Justice (DOJ) on behalf of the FTC, Amazon prevented parents from exercising their deletion rights under the Children’s Online Privacy Protection Act (COPPA) Rule, kept sensitive voice and geolocation data for years, and used it for its own purposes, while putting data at risk of harm from unnecessary access.


The federal district court imposed a civil penalty and injunctive relief that requires Amazon to identify and delete inactive child profiles (profiles that have not been used for 18 months) unless a parent requests that they be retained.


Amazon was also ordered to notify parents whose children have accounts of this change to its policies, and make disclosures to consumers relating to its retention and deletion practices regarding Alexa App geolocation information and voice information.

https://www.justice.gov/opa/pr/amazon-agrees-injunctive-relief-and-25-million-civil-penalty-alleged-violations-childrens
1/27/2025
Apple
Tech company
12/29/2022
€8,000,000
£6,900,000

Following several investigations in 2021 and 2022, the CNIL fined Apple €8m for a breach of Article 82 of the French Data Protection Act.


The data protection authority found that Apple did not obtain the consent of French iPhone users (using iOS 14.6 version) before depositing and/or writing identifiers used for advertising purposes on their devices.

https://www.cnil.fr/en/advertising-id-apple-distribution-international-fined-8-million-euros
1/27/2025
Apple
Tech company
6/12/2024
KRW222,000,000
£126,401

The Korea Communications Commission (KCC) concluded its investigation into compliance with the Location Information Act, which was revised in 2022.


The KCC found that Apple had violated location information protection laws, with breaches covering inadequate disclosure of terms of use, non-compliance with consent related to collecting location information and insufficient managerial and technical protective measures.


Apple received a fine of KRW210m, plus an additional penalty of KRW12m.

https://www.kcc.go.kr/user.do?mode=view&page=A05030000&dc=K05030000&boardId=1113&cp=1&boardSeq=61792
1/27/2025
Apple
Tech company
1/23/2025
KRW2,452,200,000
£1,372,773

The Personal Information Protection Commission (PIPC) has fined Apple KRW2.45bn and imposed a penalty surcharge of KRW2.2m for the unauthorised overseas transfer of personal information.


The PIPC stated that Apple had not informed its users of the overseas transfer and processing of their data through its policies, and (unlike Google) had not disclosed AliPay as an overseas trustee for that purpose.

https://www.pipc.go.kr/np/cop/bbs/selectBoardArticle.do?bbsId=BS074&mCode=C020010000&nttId=10955
1/27/2025
AT&T
Telecoms operator
4/29/2024
$57,265,625
£45,676,036

In February 2020, the FCC issued a Notice of Apparent Liability against AT&T for apparently disclosing its customers’ location information, without their consent, to a third party who was not authorised to receive it. The regulator proposed a fine of $57,265,625 for failing to take reasonable steps to protect its customers’ location information, which it subsequently confirmed.


On 17 April 2025, a US Court of Appeals overruled this fine, citing new court precedent stating the FCC no longer had the authority to impose fines through an administrative proceeding and instead must take cases through the federal court system. The case could still be subject to further appeal.



https://www.fcc.gov/document/fcc-fines-largest-wireless-carriers-sharing-location-data
4/24/2025
AT&T
Telecoms operator
9/17/2024
$13,000,000
£9,854,468

AT&T has agreed to pay a $13m settlement to resolve an FCC Enforcement Bureau investigation into its supply chain integrity and data protection standards.


In January 2023, threat actors exfiltrated AT&T customer information from the operator's vendor’s cloud environment.


The Enforcement Bureau's investigation examined whether AT&T failed to protect customer information and engaged in unreasonable privacy, cybersecurity and vendor management practices in connection with the breach.


https://www.fcc.gov/document/fcc-settles-att-vendor-cloud-breach
1/27/2025
China National Knowledge Infrastructure
Other
9/5/2023
CNY50,000,000
£5,486,900

The CAC determined the following violations of the PIPL and Cybersecurity Law by the 14 mobile apps operated by CNKI, including the: collection of personal information without consent; excessive collection of personal information beyond the stated purpose; failure to make the privacy policy public; failure to provide an account cancellation function; and failure to delete users' personal information following the cancellation of user accounts.

https://www.cac.gov.cn/2023-09/06/c_1695654024248502.htm
1/27/2025
Didi
Tech company
7/21/2022
CNY8.026bn
£99,060,000

Following a year-long investigation, the Cyberspace Administration of China determined that Didi had breached the country's Network Security Law, Data Security Law and Personal Information Protection Law.


Didi was found to have engaged in 16 types of violation, including illegal collection of screenshot information from mobile phones and excessive collection of personal data from ride-hailing customers.


The agency imposed on Didi a fine of CNY8.026bn, as well as fines of CNY1m on the company's Chairman and CEO and on its President.

https://www.cac.gov.cn/2022-07/21/c_1660021534306352.htm
1/27/2025
Facebook
Tech company
12/31/2021
€60,000,000
£50,086,000

The CNIL found that Facebook's website offered users a button to easily accept cookies, but did not provide an equivalent option to refuse them.


On 11 July 2022, the CNIL closed the procedure against Facebook, stating that the company had complied with the injunction issued by installing a button for users to allow only essential cookies.

https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000044840532?facetteNature=D%C3%A9lib%C3%A9ration&page=1&pageSize=10&query=google&searchField=ALL&searchType=ALL&sortValue=DATE_DECISION_DESC&tab_selection=cnil&typePagination=DEFAULT
1/27/2025
Facebook
Tech company
12/1/2021
€51,000
£43,643

In March 2019, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) became aware through a complaint that Facebook Germany GmbH had not notified a data protection officer.


Given this is mandatory under Article 37 of the GDPR, the regulator imposed a fine of €51,000.


This was paid by the company and not appealed.

https://www.edpb.europa.eu/news/national-news/2019/hamburg-data-protection-commissioners-eu51000-fine-against-facebook-germany_en
1/27/2025
Facebook
Tech company
7/1/2019
€1,000,000
£857,500

The Garante found that 57 Italians had used Cambridge Analytica’s app (“Thisisyourdigitallife”).


The app had subsequently acquired data relating to an additional 214,000 Italian users who had not downloaded the app, had not been informed of the sharing of their data and had not given their consent to such sharing.

https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9121506
1/27/2025
Facebook
Tech company
10/25/2018
£500,000
£500,000

The ICO fined Facebook £500,000 as a result of the Cambridge Analytica scandal.


The fine is not higher because the conduct occurred at a time when the GDPR was not yet in force.

https://ico.org.uk/media/action-weve-taken/2260271/investigation-into-the-use-of-data-analytics-in-political-campaigns-final-20181105.pdf
1/27/2025
Facebook
Tech company
7/24/2019
$5,000,000,000
£3,691,700,000

The $5bn fine relates to the extent of the Cambridge Analytica scandal, and is motivated by Facebook’s failure to comply with a privacy settlement it reached with the FTC in 2011.

https://www.ftc.gov/news-events/news/press-releases/2019/07/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions-facebook
1/27/2025
Free
Telecoms operator
11/30/2022
€300,000
£258,000

The CNIL fined Free for failings in how it protected its customers' personal data and respected the rights of individuals.


The CNIL received several complaints concerning the difficulties encountered by Free customers regarding access and erasure of their personal data.


Checks revealed several shortcomings, in particular concerning the rights of data subjects (right of access and right to erasure), as well as data security (weak password robustness, storage and transmission in plain text of passwords, recirculation of around 4,100 badly reconditioned “Freebox” boxes).


https://www.cnil.fr/fr/securite-des-donnees-et-droits-des-personnes-sanction-de-300-000-euros-lencontre-de-la-societe-free
1/27/2025
Google
Tech company
8/12/2022
A$60,000,000
£34,900,000

The Federal Court has ordered Google to pay A$60m in penalties for making misleading representations to consumers about the collection and use of their personal location data on Android phones between January 2017 and December 2018, following court action by the ACCC.


The Court previously found that Google had breached the Australian Consumer Law by representing to some Android users that the setting titled “Location History” was the only Google account setting that affected whether Google collected, kept and used personally identifiable data about their location.


However, another Google account setting titled “Web & App Activity” also enabled Google to collect, store and use personally identifiable location data when it was turned on, and that setting was turned on by default.

https://www.accc.gov.au/media-release/google-llc-to-pay-60-million-for-misleading-representations
1/27/2025
Google
Tech company
12/7/2020
€100,000,000
£91,000,000

The CNIL found that Google placed advertising cookies on the computers of people who used the google.fr search engine, without obtaining prior consent and without providing adequate information.


The fine is split between Google LLC (€60m) and Google Ireland (€40m).

https://www.conseil-etat.fr/en/news/advertising-cookies-google-fined-100-million
1/27/2025
Google
Tech company
1/22/2019
€50,000,000
£42,900,000

The CNIL found two problems: breach of transparency obligations, by not making essential information easily accessible; and failure to provide a legal basis for personalised advertising, which was not relying on “specific” and “unambiguous consent”.


The infringement continues “to this day”, hence the high fine.

https://www.edpb.europa.eu/news/national-news/2019/cnils-restricted-committee-imposes-financial-penalty-50-million-euros_en
1/27/2025
Google
Tech company
12/31/2021
€150,000,000
£125,200,000

The CNIL found that Google's websites (google.fr and youtube.fr) offered users a button to easily accept cookies, but did not provide an equivalent option to refuse them.


As a result, the CNIL fined Google LLC €90m, and Google Ireland €60m.

https://www.cnil.fr/en/investigating-and-issuing-sanctions/sanctions-issued-cnil
1/27/2025
Google
Tech company
9/13/2022
KRW69,200,000,000
£43,100,000

The Personal Information Protection Commission (PIPC) has fined Google KRW69.2bn for violations of privacy laws in its use of personal user information.


The PIPC also fined Meta for the same reason.


The data protection authority accused the companies of “illegal collection of personal information”, stating that they did not clearly inform users and obtain prior consent when collecting and analysing behavioural information for customised advertising.


https://www.pipc.go.kr/np/cop/bbs/selectBoardArticle.do?bbsId=BS074&mCode=C020010000&nttId=8221
1/27/2025
Google
Tech company
6/12/2024
KRW3,000,000
£1,708

The Korea Communications Commission (KCC) concluded its investigation into compliance with the Location Information Act, which was revised in 2022.


The KCC found that Google had violated location information protection laws, specifically for failing to disclose its location information handling policy.


Google received a fine of KRW3m.

https://www.kcc.go.kr/user.do?mode=view&page=A05030000&dc=K05030000&boardId=1113&cp=1&boardSeq=61792
1/27/2025
Google
Tech company
5/18/2022
€10,000,000
£8,500,000

The AEPD found that Google committed two serious breaches of the GDPR, transferring data to third parties without a legal basis and hindering citizens' right to erasure (Articles 6 and 17 of the GDPR).

https://www.aepd.es/en/prensa-y-comunicacion/notas-de-prensa/the-aepd-has-imposed-sanction-on-google-llc-for-transferring-personal-data-to-third-parties
1/27/2025
Google
Tech company
3/11/2020
SEK75,000,000
£5,800,000

In March 2020, the Swedish Data Protection Authority (then known as Datainspektionen) imposed a fine of SEK75m on Google for failure to comply with the GDPR.


Google as a search engine operator was found to have not fulfilled its obligations in respect of the right to request delisting – i.e. the right to be forgotten (Article 17 GDPR).


On 20 December 2022, Sweden's Supreme Administrative Court decided not to grant Google leave to appeal the decision against it.

https://www.edpb.europa.eu/news/national-news/2020/swedish-data-protection-authority-imposes-administrative-fine-google_en
1/27/2025
Iliad
Telecoms operator
7/13/2020
€800,000
£700,000

The Garante found that Iliad employees had easy access to the company’s data about traffic.

https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9435901
1/27/2025
Instagram
Tech company
9/2/2022
€405,000,000
£351,700,000

Following a two-year investigation, Ireland's Data Protection Commission (DPC) fined social media platform Instagram €405m for violations of the GDPR.


The fine relates to Instagram's violation of children's privacy, including its publication of email addresses and phone numbers.

https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-announces-decision-instagram-inquiry
1/27/2025
Kakao
Tech company
5/23/2024
KRW15,100,000,000
£8,693,417

The Personal Information Protection Commission (PIPC) has fined Kakao, South Korea's largest mobile messaging app, KRW15.1bn for violating its security obligations under the Personal Information Protection Act.


The PIPC launched an investigation in March 2023 after media reports stated the personal information of users was being illegally traded.


The investigation found that personal information was being disclosed due to negligence by Kakao in the design and implementation of its open chat service, and that the company had employed insufficient countermeasures against malicious activities and failed to report the data leak or notify users.

https://www.pipc.go.kr/np/cop/bbs/selectBoardArticle.do?bbsId=BS074&mCode=C020010000&nttId=10180
1/27/2025
Kakao Pay
Tech company
1/23/2025
KRW5,968,000,000
£3,340,964

The Personal Information Protection Commission (PIPC) has fined Kakao Pay KRW5.968bn for the unauthorised overseas transfer of personal information.


The PIPC launched an investigation following media reports that Kakao Pay had transferred personal information to Alipay without customer consent, something which the regulator confirmed and therefore determined violated the overseas transfer regulations of the Personal Information Protection Act.

https://www.pipc.go.kr/np/cop/bbs/selectBoardArticle.do?bbsId=BS074&mCode=C020010000&nttId=10955
1/27/2025
LinkedIn
Tech company
10/22/2024
€310,000,000
£258,454,440

The Irish Data Protection Commission (DPC) concluded its inquiry into LinkedIn, following a complaint initially made to the French Data Protection Authority.


The DPC's inquiry examined LinkedIn’s processing of personal data for the purposes of behavioural analysis and targeted advertising of users, with its decision focused on the lawfulness, fairness and transparency of this processing.


The DPC concluded that LinkedIn breached the GDPR in respect of the processing of personal data, imposing an administrative fine of €310m.

https://www.dataprotection.ie/en/news-media/press-releases/irish-data-protection-commission-fines-linkedin-ireland-eu310-million
1/27/2025
MasMovil
Telecoms operator
12/20/2019
€60,000
£51,400

The AEPD found that MasMovil violated article 6.1.a) of the GDPR, related to lawful processing of personal data under the user’s consent.

https://www.aepd.es/documento/ps-00237-2019.pdf
1/27/2025
Meta
Tech company
3/15/2022
€17,000,000
£14,277,000

The Data Protection Commission (DPC) sanctioned Meta for failing to demonstrate the security measures implemented in practice to protect EU users’ data.


The decision was adopted in the context of 12 data breaches that took place between June and December 2018.

https://dataprotection.ie/en/news-media/press-releases/data-protection-commission-announces-decision-meta-facebook-inquiry
1/27/2025
Meta
Tech company
11/25/2022
€265,000,000
£228,000,000

Ireland's Data Protection Commission (DPC) fined Meta €265m and imposed a range of corrective measures.


The DPC commenced its inquiry on 14 April 2021 after media reports into the discovery of a collated dataset of Facebook personal data that had been made available on the internet.


The DPC investigated data processing by Meta using Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools between 25 May 2018 and September 2019.


https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-announces-decision-in-facebook-data-scraping-inquiry
1/27/2025
Meta
Tech company
12/31/2022
€390,000,000
£335,000,000

Ireland's Data Protection Commission (DPC) concluded two inquiries into Meta, fining the firm €210m (for breaches of the GDPR relating to its Facebook service) and €180m (for breaches in relation to its Instagram service).


Having consulted with the European Data Protection Board (EDPB), the DPC’s decisions include findings that Meta is not entitled to rely on the “contract” legal basis in connection with the delivery of behavioural advertising as part of its Facebook and Instagram services, and that its processing of users’ data to date, in purported reliance on the “contract” legal basis, amounts to a contravention of Article 6 of the GDPR.


Meta has also been directed to bring its data processing operations into compliance with the GDPR within a period of three months.

https://dataprotection.ie/en/news-media/data-protection-commission-announces-conclusion-two-inquiries-meta-ireland
1/27/2025
Meta
Tech company
1/19/2023
€5,500,000
£4,820,000

Concluding an inquiry into WhatsApp, the Data Protection Commission (DPC) of Ireland has imposed an administrative fine of €5.5m on the firm for breaches of the GDPR.


The sanction follows a similar order relating to other major Meta platforms, Facebook and Instagram.


WhatsApp must also bring its processing operations into compliance with the GDPR within a period of six months.

https://www.dataprotection.ie/en/news-media/data-protection-commission-announces-conclusion-inquiry-whatsapp
1/27/2025
Meta
Tech company
5/22/2023
€1,200,000,000
£1,042,000,000

Ireland’s Data Protection Commission (DPC) imposed a record fine for privacy violations, stating that Facebook's EU-US data flows had relied on standard contractual clauses (SCCs) that "did not address the risks to the fundamental rights and freedoms" of users.


Meta also has five months to suspend any future transfer of personal data from Facebook to the US and six months to cease the processing – including storage – of any European citizens’ personal information in the US that was previously transferred in violation of GDPR.

https://www.dataprotection.ie/en/news-media/press-releases/Data-Protection-Commission-announces-conclusion-of-inquiry-into-Meta-Ireland
1/27/2025
Meta
Tech company
9/26/2024
€91,000,000
£75,856,144

Ireland’s Data Protection Commission (DPC) has fined Meta €91m following an inquiry into the platform's inadvertent storing of social media users' passwords in 'plaintext' on its internal systems (i.e. without cryptographic protection or encryption).


The inquiry, which commenced in April 2019, assessed Meta's compliance with the GDPR, finding several breaches, including the firm's failure to notify the DPC of a personal data breach concerning storage of user passwords in plaintext and its lack of documentation regarding those breaches.

https://www.dataprotection.ie/en/news-media/press-releases/DPC-announces-91-million-fine-of-Meta
1/27/2025
Meta
Tech company
12/17/2024
€251,000,000
£208,362,379

Ireland’s Data Protection Commission (DPC) has fined Meta €251m following completion of two own-volition inquiries following a personal data breach, which was reported by Meta in September 2018.


The breach impacted around 29m Facebook accounts globally, of which 3m were based in the EU/EEA, with the categories of personal data affected including: user’s full name; email address; phone number; location; place of work; date of birth; religion; gender; posts; groups; and children’s personal data.


According to the DPC, the breach arose from the exploitation by unauthorised third parties of user tokens on the Facebook platform, and was remedied by Meta shortly after discovery.


https://www.dataprotection.ie/en/news-media/press-releases/irish-data-protection-commission-fines-meta-eu251-million
1/27/2025
Meta
Tech company
7/19/2024
$220,000,000
£170,218,840

In May 2021, Nigeria's Federal Competition and Consumer Protection Commission began an inquiry into WhatsApp’s new privacy policy.


The Commission found that Meta shared WhatsApp user data with its Facebook subsidiary and third parties without asking for permission from users, violating the country's data protection laws.


Meta has been required to immediately reinstate the rights of Nigerian users to self-determine and control the use, processing, sharing or transfer of their data, and revert to the data sharing practices adopted in 2016, with a new opt-in screen.


https://fccpc.gov.ng/immpw/
1/27/2025
Meta
Tech company
8/4/2023
NOK1,000,000
£76,600

On 17 July 2023, the Norwegian Data Protection Authority (Datatilsynet) imposed a ban on Meta carrying out behavioural advertising based on the surveillance and profiling of users in Norway.


The ban was applied from 4 August and will last for three months, or until Meta can show that it complies with the law.


Should Meta not comply with the decision, the regulator will impose a fine of up to NOK1m per day.


https://www.datatilsynet.no/en/news/aktuelle-nyheter-2023/temporary-ban-of-behavioural-advertising-on-facebook-and-instagram/
1/27/2025
Meta
Tech company
9/13/2022
KRW30,800,000,000
£19,200,000

The Personal Information Protection Commission (PIPC) has fined Meta KRW30.8bn for violations of privacy laws in its use of personal user information.


The PIPC also fined Google for the same reason.


The data protection authority accused the companies of “illegal collection of personal information”, stating that they did not clearly inform users and obtain prior consent when collecting and analysing behavioural information for customised advertising.


https://www.pipc.go.kr/np/cop/bbs/selectBoardArticle.do?bbsId=BS074&mCode=C020010000&nttId=8221
1/27/2025
Meta
Tech company
11/5/2024
KRW21,623,200,000
£12,000,573

The Personal Information Protection Commission (PIPC) has fined Meta for violating the Personal Information Protection Act for collecting and utilising sensitive information, such as religious and political views and same-sex marital status, of around 980,000 domestic users without consent.


The PIPC also stated that Meta failed to remove the unused account recovery page from deleted or blocked websites, enabling hackers to access the data of at least 10 South Korean users.

https://www.pipc.go.kr/np/cop/bbs/selectBoardArticle.do?bbsId=BS074&mCode=C020010000&nttId=10726
1/27/2025
Meta
Tech company
11/25/2020
KRW6,700,000,000
£4,538,379

The Personal Information Protection Commission (PIPC) fined Meta (then Facebook) KRW6.7bn for sharing user data with third parties without consent. The regulator found that Meta had shared the data of approximately 3.3m Korean users with around 10,000 third-party apps without first securing those users' consent.


The investigation found that Meta had shared the data over the course of six years (from 2012 to 2016) and that data included sensitive personal information including education and family status.


On 13 March 2025, the Supreme Court of the Republic of Korea upheld the fine against an appeal filed by Meta in 2021.


https://www.pipc.go.kr/np/cop/bbs/selectBoardArticle.do?bbsId=BS074&mCode=C020010000&nttId=6954#LINK
3/17/2025
Microsoft
Tech company
12/12/2022
€60,000,000
£51,500,000

Following a complaint about the conditions for depositing cookies on "bing.com", the CNIL carried out several investigations on the website in September 2020 and May 2021.


It found that when users visited this site, cookies were deposited on their terminal without their consent, while these cookies were used, among others, for advertising purposes.


The CNIL also observed that there was no button allowing users to refuse the deposit of cookies as easily as accepting it.


https://www.cnil.fr/en/cookies-microsoft-ireland-operations-limited-fined-60-million-euros
1/27/2025
Microsoft
Tech company
6/12/2023
$20,000,000
£15,920,580

The Department of Justice (DOJ) and the FTC alleged that Microsoft knew that certain users of its Xbox Live service were children but nonetheless continued to collect personal information, such as telephone numbers, before notifying parents of its information collection practices and before obtaining parental consent.


In addition, the authorities alleged that while Microsoft provided some notice to parents, that notice was incomplete and failed to comply with the Children’s Online Privacy Protection Act (COPPA) Rule.


A court imposed on Microsoft a civil penalty, as well as injunctive relief to improve communication with parents and monitor the firm's compliance with privacy rules.

https://www.justice.gov/opa/pr/microsoft-agrees-pay-20-million-civil-penalty-alleged-violations-children-s-privacy-laws
1/27/2025
Netflix
Tech company
12/18/2024
€4,750,000
£3,927,433

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) has fined Netflix €4.75m for failing to provide customers with sufficient information about what the company does with their personal data between 2018 and 2020.


The AP also found that some of the information that was provided by Netflix was unclear.

https://autoriteitpersoonsgegevens.nl/en/current/netflix-fined-for-not-properly-informing-customers
1/27/2025
Nova
Telecoms operator
5/29/2023
€150,000
£130,000

The Hellenic Data Protection Authority examined complaints from a subscriber of WIND, now Nova, in which they complained of repeated receipt of marketing emails despite their opposition and repeated protests, as well as non-compliance with requests to exercise the right of access.


The authority's investigation substantiated the complaints, after which it imposed three separate fines on Nova that totalled €150,000.

https://www.dpa.gr/el/enimerwtiko/prakseisArxis/entoli-symmorfosis-kai-epiboli-prostimoy-se-tilepikoinoniako-paroho-gia
1/27/2025
OpenAI
Tech company
11/2/2024
€15,000,000
£12,584,070

Following an investigation that began in March 2023, the Garante determined that OpenAI failed to notify it of a data breach and processed users’ personal data to train ChatGPT without first identifying an appropriate legal basis.


OpenAI also violated the principle of transparency outlined in the GDPR and failed to provide mechanisms for age verification, which could lead to the risk of exposing children under 13 to inappropriate AI-generated responses.


The Garante imposed a fine of €15m on OpenAI (which was calculated taking into account the company’s cooperative attitude) and required it to launch a six-month campaign in local media and on the internet to raise awareness about how it collects personal data.

https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/10085432
1/27/2025
Orange
Telecoms operator
11/14/2024
€50,000,000
£41,391,500

The CNIL fined Orange €50m for displaying advertisements between the genuine emails of users of its email service without their consent. It considered that the display of such advertisements required the consent of Orange messaging service users.


The CNIL's investigations also identified violations of the French Data Protection Act, revealing that when users of the orange.fr website withdrew their consent to the storage and reading of cookies on their devices, previously stored cookies continued to be read.


In addition to the fine, Orange received an order to stop reading cookies after the withdrawal of consent by the person concerned, within three months, with a fine of €100,000 for each day overdue.

https://www.cnil.fr/en/advertisements-inserted-among-emails-orange-fined-eu50-million
1/27/2025
Orange
Telecoms operator
11/11/2021
€700,000
£600,000

The AEPD fined Orange for failing to implement appropriate security measures to ensure the integrity and confidentiality of personal data.


It found that Orange issued SIMs to criminals following applications, which enabled them to carry out fraudulent banking activities that genuine Orange customers had not authorised.

https://www.edpb.europa.eu/news/national-news/2022/spanish-sa-imposes-fine-orange-espana-virtual-loss-confidentiality-related_en
1/27/2025
Orange
Telecoms operator
12/9/2022
€70,000
£60,000

Following a complaint to the AEPD and a subsequent investigation, the regulator fined Orange for entering into a contract with an individual without their consent and knowledge.


The AEPD found that these activities were carried out by a third party fraudulently and that the complainant's personal data was included in common credit information systems as a result of the non-payment of these fraudulently contracted services.


It determined a lack of due diligence on the part of Orange.

https://www.aepd.es/documento/ps-00102-2022.pdf
1/27/2025
Spotify
Tech company
6/12/2023
SEK58,000,000
£4,289,297

Following complaints, Integritetsskyddsmyndigheten (IMY) audited how Spotify handles customers' right to access their personal data.


IMY determined that Spotify releases the personal data the company processes when individuals request it, but that it does not explain clearly enough how this data is used.


IMY imposed a fine of SEK58m, citing in particular a violation of Article 15 of the GDPR, as well as measures Spotify was already taking to address the deficiencies identified.

https://www.imy.se/en/news/administrative-fee-against-spotify/
1/27/2025
Sprint
Telecoms operator
4/29/2024
$12,240,000
£9,762,832

In February 2020, the FCC issued a Notice of Apparent Liability against Sprint for apparently disclosing its customers’ location information, without their consent, to a third party who was not authorised to receive it.


The regulator proposed a fine of $12,240,000 for failing to take reasonable steps to protect its customers’ location information, which it subsequently confirmed.

https://www.fcc.gov/document/fcc-fines-largest-wireless-carriers-sharing-location-data
1/27/2025
T-Mobile
Telecoms operator
4/29/2024
$80,080,000
£63,873,169

In February 2020, the FCC issued a Notice of Apparent Liability against T-Mobile for apparently disclosing its customers’ location information, without their consent, to a third party who was not authorised to receive it.



The regulator proposed a fine of $91,630,000 for failing to take reasonable steps to protect its customers’ location information.


Having taken into account additional factual evidence provided by T-Mobile, the FCC reduced the proposed penalty by $11,550,000.

https://www.fcc.gov/document/fcc-fines-largest-wireless-carriers-sharing-location-data
1/27/2025
T-Mobile
Telecoms operator
8/14/2024
$60,000,000
£46,699,500

Following an initial Notice of Penalty issued in 2023, in August 2024, the Committee on Foreign Investment in the United States (CFIUS) imposed a $60m penalty on T-Mobile.


T-Mobile entered into a National Security Agreement (NSA) with CFIUS in 2018 in connection with its merger with Sprint and the foreign ownership of the resulting entity; however, CFIUS determined that between August 2020 and June 2021, T-Mobile failed to take appropriate measures to prevent unauthorised access to certain sensitive data and failed to report some incidents of unauthorised access promptly to CFIUS, delaying the Committee’s efforts to investigate and mitigate any potential harm.


CFIUS concluded that these violations breached the NSA and resulted in harm to the national security equities of the US.

https://home.treasury.gov/policy-issues/international/the-committee-on-foreign-investment-in-the-united-states-cfius/cfius-enforcement
1/27/2025
T-Mobile
Telecoms operator
9/30/2024
$15,750,000
£11,861,861

In September 2024, the FCC announced that it had reached a data protection and cybersecurity settlement with T-Mobile over data breaches that impacted millions of consumers in the US.


As part of the settlement, T-Mobile will pay a $15.75m civil penalty to the US Treasury.


T-Mobile has also agreed to forward-looking and enforceable commitments to address security flaws, prioritise cybersecurity issues at the board level and adopt robust modern architectures, such as zero-trust and phishing-resistant multi-factor authentication.


https://www.fcc.gov/document/t-mobile-required-change-business-practices-after-data-breaches-0
1/27/2025
Tele2
Telecoms operator
6/30/2023
SEK12,000,000
£883,000

The Swedish Authority for Privacy Protection (IMY) has audited how four companies use Google Analytics for web statistics, which involves transferring personal data to the US.


The authority concluded that the technical security measures that the firms have taken are not sufficient to ensure a level of protection that essentially corresponds to that guaranteed within the EU/EEA.


IMY fined Tele2 SEK12m, even though the operator had recently stopped using the product on its own initiative.

https://www.imy.se/en/news/four-companies-must-stop-using-google-analytics/
1/27/2025
Telenor
Telecoms operator
3/14/2025
NOK4,000,000
£293,963

The Norwegian Data Protection Authority, Datatilsynet, has fined Telenor NOK4m for failing to implement appropriate structures and guidelines around the role of Data Protection Officer (DPO). The regulator has instructed the operator to reassess whether it is required to have a DPO and, if so, to set up the appropriate reporting structures and record-keeping procedures related to the role.

https://www.datatilsynet.no/en/news/aktuelle-nyheter-2025/sanctions-imposed-on-telenor-asa-for-lack-in-the-organisation-of-the-data-protection-officer-and-lack-of-internal-control/
3/25/2025
TikTok
Tech company
12/29/2022
€5,000,000
£4,292,000

The CNIL fined TikTok €5m for failures to comply with obligations set out in Article 82 of the French Data Protection Act.


During its investigations, the CNIL found that while TikTok offered a button to accept cookies, users could not refuse them as easily (several clicks were required).


In addition, users were not informed in a sufficiently precise manner of the purposes of the cookies, either on the first-level information banner or in the context of the choice interface accessible after clicking on a link in the banner.

https://www.cnil.fr/en/investigating-and-issuing-sanctions/sanctions-issued-cnil
1/27/2025
TikTok
Tech company
9/15/2023
€345,000,000
£296,300,000

Ireland's Data Protection Commission (DPC) has concluded an own-volition inquiry into TikTok's compliance with the GDPR.


The regulator identified a number of concerns, including that the platform failed to provide sufficient transparency information to younger users and implemented 'dark patterns' by nudging users towards more privacy-intrusive options in the registration process.


The DPC has issued a reprimand, an order for TikTok to bring its data processing into compliance within three months and an administrative fine of €345m.

https://www.dataprotection.ie/en/news-media/press-releases/DPC-announces-345-million-euro-fine-of-TikTok
1/27/2025
TikTok
Tech company
7/22/2021
€750,000
£641,802

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) imposed a fine of €750,000 on TikTok for violating the privacy of young children.


The information provided by TikTok to Dutch users when installing and using the app was in English and therefore not readily understandable.


By not offering their privacy statement in Dutch, TikTok failed to provide an adequate explanation of how the app collects, processes and uses personal data.


https://www.autoriteitpersoonsgegevens.nl/actueel/boete-tiktok-vanwege-schenden-privacy-kinderen
1/27/2025
TikTok
Tech company
3/1/2023
TRY1,750,000
£76,200

The KVKK has fined TikTok TRY1.75m for not taking all necessary measures to ensure the appropriate level of security to prevent unlawful processing of personal data.


The KVKK also instructed TikTok to translate its Terms of Service into Turkish and to update its privacy and cookies policy texts in line with the country's regulations.

https://www.kvkk.gov.tr/Icerik/7538/2023-134
1/27/2025
TikTok
Tech company
4/4/2023
£12,700,000
£12,700,000

The Information Commissioner’s Office (ICO) has issued a £12.7m fine to TikTok for a number of breaches of data protection law, including failing to use children’s personal data lawfully.


The ICO estimates that TikTok allowed up to 1.4m UK children under 13 to use its platform in 2020 despite its own rules not allowing them to create an account without parental consent.


TikTok “did not do enough” to check who was using its platform or to take sufficient action to remove the underage children who were.

https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2023/04/ico-fines-tiktok-127-million-for-misusing-children-s-data/
1/27/2025
TIM
Telecoms operator
6/9/2023
€7,600,000
£6,515,110

TIM had not complied with the GDPR, which clearly establishes the obligation of the data controller to demonstrate the consent of the data subject.


In this context, the Garante outlined that with regard to several marketing messages/calls from TIM, the company did not have any valid documentation demonstrating the consent of the recipients of TIM's commercial communications.


With regard to the data breach experienced by TIM, the company had not acted on the breach in good time, failing to detect and address the incident for a long time.


https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9895080
1/27/2025
Twitch
Tech company
11/18/2024
TRY2,000,000
£45,789

The KVKK has fined Amazon's Twitch service TRY2m following a data breach that affected over 35,000 individuals in Turkey.


The KVKK found that Twitch had failed to take adequate security measures (including risk and threat assessments) ahead of the breach and only did so after the event, and that it had failed to report the breach upon discovery.

https://kvkk.gov.tr/Icerik/5406/Kurul-Karar-Ozetleri
1/27/2025
Twitter
Tech company
12/15/2020
€450,000
£410,000

The Data Protection Commission (DPC) sanctioned Twitter for failure to notify a data breach and to adequately document it.


The decision was the first one to go through the dispute resolution process set out in Article 65 of the GDPR, which allows a DPA of another country to raise objections to a decision of the lead DPA.

https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-announces-decision-twitter-inquiry
1/27/2025
Twitter
Tech company
5/27/2022
$150,000,000
£119,100,000

The Federal Trade Commission (FTC) has charged Twitter with deceptively using account security data, in this case phone numbers and email addresses, to sell targeted advertising.


Twitter’s deception violates a 2011 FTC order that explicitly prohibited the company from misrepresenting its privacy and security practices.


The FTC and the US Department of Justice (DOJ) have ordered Twitter to pay a $150m penalty and to cease profiting from deceptively collected data.

https://www.ftc.gov/news-events/news/press-releases/2022/05/ftc-charges-twitter-deceptively-using-account-security-data-sell-targeted-ads
1/27/2025
Verizon
Telecoms operator
4/29/2024
$46,901,250
£37,409,234

In February 2020, the FCC issued a Notice of Apparent Liability against Verizon for apparently disclosing its customers’ location information, without their consent, to a third party who was not authorised to receive it.


The regulator proposed a fine of $48,318,750 for failing to take reasonable steps to protect its customers’ location information.


Having taken into account additional factual evidence provided by Verizon, the FCC reduced the proposed penalty by $1,417,500.

https://www.fcc.gov/document/fcc-fines-largest-wireless-carriers-sharing-location-data
1/27/2025
Vodafone
Telecoms operator
11/5/2021
€3,940,000
£3,281,000

The AEPD found that Vodafone did not implement appropriate security measures to prevent fraudulent replication of SIM cards.


Following complaints lodged by some Vodafone customers, the AEPD found that fraudsters obtained replicas of the complainants' SIM cards because Vodafone had not properly checked the identity of those who requested them.


Vodafone also failed to prevent the circumvention of its security measures against identity theft.

https://www.edpb.europa.eu/news/national-news/2022/spanish-sa-imposes-fine-vodafone-espana-loss-confidentiality-related-mobile_en
1/27/2025
WhatsApp
Tech company
9/2/2021
€225,000,000
£213,500,000

The Data Protection Commission (DPC) fined WhatsApp for a breach of transparency obligations under the GDPR.


The fine is significantly higher than the DPC’s initial proposal, following the intervention of the European Data Protection Board (EDPB).


WhatsApp appealed the decision; the appeal was dismissed by the EU's General Court in December 2022.

https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-announces-decision-whatsapp-inquiry
1/27/2025
Wind Tre
Telecoms operator
7/13/2020
€16,700,000
£14,600,000

The Garante found Wind Tre in breach of the GDPR in several respects, mainly related to promotional activities.

https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9435901
1/27/2025
X
Tech company
11/14/2024
TRY1,470,000
£33,089

The KVKK has fined X TRY1.47m for not processing personal data lawfully and for not taking the necessary technical and administrative measures to ensure an appropriate level of security.


It launched an ex officio investigation following an announcement on X's website that email addresses or phone numbers obtained from users for security and safety purposes were mistakenly used for advertising purposes.


The KVKK determined that this breached principles of Turkey's data protection law, such as acting in good faith and limitation of purpose.

https://kvkk.gov.tr/Icerik/5406/Kurul-Karar-Ozetleri
1/27/2025
75 records
