Precedent corpus - 52 cases
Precedent
DPA enforcement decisions and regulator guidance that the ConsentMark grade attaches to. Every case carries its primary source, a Wayback snapshot, and the ConsentMark interpretation. Each case has a stable permalink at /precedent/<slug>.
Programmatic access
Download the corpus as JSON: /precedent/registry.v1.json. Schema version 1; cached for one hour. Use this for ingestion into ML pipelines, citation tooling, or regulator-tracking dashboards.
DPC (Ireland)
- DPC (Ireland) IN-21-9-22025-04-30
TikTok Technology Limited
TikTok transferred EEA user data to the People's Republic of China without verifying that the protections offered by Chinese law were essentially equivalent to those under EU law, breaching Article 46(1) GDPR; and failed to inform users about the transfers and the remote access by personnel in China, breaching the transparency obligation in Article 13(1)(f) GDPR.
EUR 530M
- DPC (Ireland) IN-18-10-12024-12-12
Meta Platforms Ireland Limited
After the September 2018 incident in which user access tokens granted attackers entry to circa 29 million Facebook accounts, Meta omitted required information from its breach notification (Article 33(3)), failed to document the breach adequately (Article 33(5)), and failed to ensure data protection by design and by default (Articles 25(1) and 25(2)) - the tokens granted broader access than necessary, contrary to the minimisation-by-default obligation.
EUR 251M
- DPC (Ireland) IN-18-08-32024-10-22
LinkedIn Ireland Unlimited Company
LinkedIn unlawfully processed third-party (non-member) and member personal data for behavioural analysis and targeted advertising; consent was not valid, legitimate interests did not apply, and contractual necessity was not satisfied - infringing Articles 6(1), 5(1)(a) and the transparency duties in Articles 13 and 14 GDPR.
EUR 310M
- DPC (Ireland) IN-19-4-12024-09-26
Meta Platforms Ireland Limited
Meta inadvertently stored the passwords of "hundreds of millions" of Facebook users in plaintext on internal systems, breaching Articles 5(1)(f) and 32(1) GDPR for failing to ensure appropriate security of processing; and failed to notify the personal data breach within 72 hours and to document it adequately, breaching Articles 33(1) and 33(5) GDPR.
EUR 91M
- DPC (Ireland) IN-20-37-12024-03-08
Groupon Ireland Operations Limited
Groupon demanded photographic government-issued identification to verify the identity of a complainant who had requested access and erasure, despite less intrusive alternatives being available, breaching the data-minimisation principle in Article 5(1)(c) GDPR; Groupon also continued to process the complainant's personal data after the erasure request without a valid Article 6(1) basis, breaching Article 17(1) GDPR.
No monetary penalty
- DPC (Ireland) IN-20-39-12024-03-07
Apple Distribution International Limited
Apple retained a hashed version of a complainant's email address after processing an Article 17 erasure request and did not inform the data subject of the retention, the legal basis or the recipients of the data, breaching the transparency obligations in Article 13(1)(c) and 13(1)(d) GDPR; the retention itself was lawful under Article 6(1)(f) but the non-disclosure was not.
No monetary penalty
- DPC (Ireland) IN-20-38-12024-01-31
Airbnb Ireland UC
Airbnb required a copy of a government-issued identity document both to complete account registration and to process the user's erasure request, despite the complainant having provided minimal personal data before requesting deletion; the collection breached Article 5(1)(c) GDPR (data minimisation) and lacked a valid Article 6(1) basis, in particular as a precondition to action an Article 17 request.
No monetary penalty
- DPC (Ireland) IN-21-9-12023-09-01
TikTok Technology Limited
TikTok's public-by-default account settings and the Family Pairing feature failed to provide age-appropriate protection for users aged 13-17, breaching Articles 5(1)(a), 5(1)(c), 5(1)(f), 12(1), 13(1)(e), 24(1), 25(1) and 25(2) GDPR; consent flows for child users were not presented in an objective, neutral way.
EUR 345M
- DPC (Ireland) IN-20-8-12023-05-12
Meta Platforms Ireland Limited
Meta Ireland's transfers of Facebook user personal data from the EU/EEA to the United States, made on the basis of updated Standard Contractual Clauses, did not address the risks identified by the Court of Justice in Schrems II and so breached Article 46(1) GDPR; the DPC ordered suspension of future transfers and a six-month deadline to cease unlawful processing and storage in the US.
EUR 1200M
- DPC (Ireland) IN-20-7-22023-02-27
Bank of Ireland Group plc
A series of ten personal data breaches in the Bank of Ireland 365 mobile banking application resulted in unauthorised users gaining access to other customers' accounts; Bank of Ireland failed to implement appropriate technical and organisational measures to ensure the integrity and confidentiality of personal data, breaching Article 5(1)(f) GDPR and the security-of-processing obligation in Article 32(1) GDPR.
EUR 750k
- DPC (Ireland) IN-18-5-62023-01-12
WhatsApp Ireland Limited
WhatsApp could not lawfully rely on Article 6(1)(b) GDPR (necessity for performance of a contract) as the legal basis for processing personal data for service-improvement and security purposes; the forced-acceptance presentation of the May 2018 Terms of Service did not provide a freely-given consent under Article 6(1)(a) either, breaching the lawfulness and transparency principles of Article 5 GDPR.
EUR 5.5M
- DPC (Ireland) IN-18-5-52022-12-31
Meta Platforms Ireland Limited
Meta Ireland could not rely on the contract legal basis (Article 6(1)(b) GDPR) to process Facebook users' personal data for behavioural advertising; the processing therefore lacked any valid lawful basis and breached transparency obligations under Articles 12 and 13(1)(c).
EUR 210M
- DPC (Ireland) IN-21-4-22022-11-25
Meta Platforms Ireland Limited
Facebook Search, the Messenger Contact Importer and the Instagram Contact Importer, as deployed between May 2018 and September 2019, failed to implement appropriate technical and organisational measures to ensure data protection by design and by default, breaching Articles 25(1) and 25(2) GDPR; the design enabled unauthenticated enumeration of personal data tied to phone numbers and email addresses, a "data scraping" pattern Meta had not designed-out.
EUR 265M
- DPC (Ireland) IN-20-7-42022-09-02
Meta Platforms Ireland Limited
Instagram child users (aged 13-17) who operated business accounts had their phone numbers and email addresses exposed publicly, and child personal accounts defaulted to public visibility, breaching Articles 5(1)(a), 5(1)(c), 6(1), 12(1), 24(1), 25(1), 25(2) and 35(1) GDPR; the DPC issued a reprimand and ordered remedial action alongside the fine.
EUR 405M
- DPC (Ireland) IN-19-6-12022-04-27
Twitter International Company
Twitter required photographic identification to verify the identity of a complainant requesting erasure under Article 17, despite the complainant being authenticated to the account, breaching Articles 5(1)(c) and 6(1) GDPR; Twitter also failed to process the erasure within the statutory period in Article 17(1) and did not inform the data subject of the action taken within one month as required by Article 12(3) GDPR.
No monetary penalty
ICO (United Kingdom)
- ICO (United Kingdom) reddit-2026-022026-02-23
Reddit, Inc.
Reddit did not apply any robust age-assurance mechanism on its UK service and therefore had no lawful basis under Article 6 or Article 8 UK GDPR for processing the personal data of UK children under 13; the lawfulness and fairness principle in Article 5(1)(a) was breached and Reddit had not carried out a data protection impact assessment to assess and mitigate risks to children, in breach of Article 35 UK GDPR, before January 2025.
EUR 17M
- ICO (United Kingdom) lastpass-2025-112025-11-20
LastPass UK Limited
In August 2022 an attacker compromised the corporate laptop of an EU-based LastPass employee and then a US-based employee's personal laptop used for work, capturing a master credential and accessing the LastPass backup database to take customer names, email addresses, phone numbers and stored website URLs of up to 1.6 million UK customers; LastPass had not implemented appropriate controls around BYOD device usage, breaching Article 5(1)(f) and Article 32(1) UK GDPR.
EUR 1.4M
- ICO (United Kingdom) capita-2025-102025-10-15
Capita plc and Capita Pension Services Limited
In March 2023 a ransomware actor obtained access to Capita's corporate environment via a malware-bearing download on a Capita employee laptop and exfiltrated personal data of approximately 6.6 million people, including pension members of 325 client schemes; Capita had been aware of the underlying vulnerabilities, did not treat the early indicators as a security incident, and lacked adequate technical and organisational measures, breaching Article 5(1)(f) and Article 32 UK GDPR.
EUR 16M
- ICO (United Kingdom) 23andme-2025-062025-06-05
23andMe, Inc.
Credential-stuffing attackers reused passwords from unrelated breaches to log into 23andMe accounts and, via the DNA-Relatives feature, exfiltrated the genetic and personal data of around 155,592 UK users; 23andMe had not mandated multi-factor authentication, took four days to shut compromised accounts and force resets, and notified the ICO ten days late, breaching Articles 5(1)(f), 32(1) and 33(1) UK GDPR.
EUR 2.7M
- ICO (United Kingdom) advanced-2025-032025-03-27
Advanced Computer Software Group Limited
In August 2022 ransomware actors gained access to Advanced's systems through a customer-portal account that did not require multi-factor authentication, and exfiltrated personal information including sensitive health and care data of 79,404 UK individuals, causing widespread disruption to NHS services; Advanced failed to implement appropriate technical and organisational measures to ensure security of processing under Article 32(1) UK GDPR.
EUR 3.7M
- ICO (United Kingdom) psni-2024-102024-10-04
Chief Constable of the Police Service of Northern Ireland
A spreadsheet released as part of a freedom-of-information response contained a hidden tab disclosing the surnames, initials, ranks and roles of all 9,483 PSNI officers and staff to the public internet; the controller had not implemented appropriate technical and organisational measures to identify the hidden data before release, breaching Articles 5(1)(f), 32(1) and 32(2) UK GDPR.
EUR 870k
- ICO (United Kingdom) bonne-terre-limited-2024-092024-09-02
Bonne Terre Limited (trading as Sky Betting and Gaming)
Between 10 January and 3 March 2023, Sky Betting and Gaming shared users' personal data with advertising technology companies via cookies set the moment a user reached the SkyBet website, before any option to accept or reject advertising cookies was presented - unlawful, non-transparent and unfair processing under UK GDPR.
No monetary penalty
- ICO (United Kingdom) tiktok-2023-042023-04-04
TikTok Information Technologies UK Limited and TikTok Inc.
Between May 2018 and July 2020, TikTok processed the personal data of up to 1.4 million UK children under 13 who used the platform without parental consent; failed to provide adequate information to users about how their data would be collected, used and shared; and failed to ensure the personal data of UK users was processed lawfully, fairly and in a transparent manner - breaching Articles 5(1)(a), 8 and 12 UK GDPR.
EUR 15M
- ICO (United Kingdom) easylife-2022-102022-10-04
Easylife Ltd
Easylife profiled customers based on items purchased from its non-health catalogue to make assumptions about their medical conditions and then used those profiles to market health products, processing special- category data within Article 9 UK GDPR without an Article 9(2) lawful basis; also made 1,345,732 unsolicited direct marketing calls to individuals registered with the Telephone Preference Service in breach of regulation 21 PECR.
EUR 1.5M
- ICO (United Kingdom) marriott-2020-102020-10-30
Marriott International, Inc.
An attacker placed a web shell on a Starwood guest-reservations system in or around July 2014 and maintained undetected access through Marriott's 2016 acquisition until September 2018, exfiltrating up to 339 million guest records (including 7 million UK records); Marriott failed to implement appropriate security measures to protect the personal data and to assess the Starwood IT estate adequately on acquisition, breaching Article 5(1)(f) and Article 32 GDPR.
EUR 21M
- ICO (United Kingdom) ba-2020-102020-10-16
British Airways plc
Between 22 June and 5 September 2018 a Magecart-style skimming attacker injected code into the BA website and mobile app payment pages and exfiltrated names, addresses, payment-card data and BA log- in credentials of approximately 429,612 customers and staff; British Airways failed to implement appropriate technical and organisational measures to secure the processing, breaching Article 5(1)(f) and Article 32 GDPR.
EUR 23M
CNIL (France)
- CNIL (France) SAN-2025-0112025-11-27
AMERICAN EXPRESS CARTE FRANCE
American Express recorded the content of customer-service calls without demonstrating necessity for the processing, breaching the data-minimisation principle in Article 5(1)(c) GDPR; and the cookie-consent-withdrawal mechanism on its website did not effectively stop the reading of previously-set cookies, breaching the consent-withdrawal limb of Article 82 of the French Data Protection Act.
EUR 1.5M
- CNIL (France) SAN-2025-0102025-11-20
LES PUBLICATIONS CONDE NAST
Trackers were deposited on users' terminals before any consent action, in breach of Article 82 of the French Data Protection Act; the information presented in the banner did not describe the purposes of the trackers accurately; and trackers continued to be read after users had refused or withdrawn consent. The asymmetry between the ease of acceptance and the difficulty of refusal also undermined the freely-given character of any consent obtained.
EUR 750k
- CNIL (France) SAN-2025-0042025-09-01
GOOGLE LLC and GOOGLE IRELAND LIMITED
During Google-account creation, advertising cookies were deposited on users' terminals without freely-given consent because the implications of the proposed "cookie wall" were not explained sufficiently for an informed choice; and inserting advertisements between messages in the Gmail inbox amounts to electronic prospecting under Article L. 34-5 CPCE, requiring prior consent that Google did not obtain.
EUR 325M
- CNIL (France) SAN-2025-0052025-09-01
INFINITE STYLES SERVICES CO. LIMITED
Advertising and measurement cookies were deposited on users' terminals as soon as they arrived on shein.com, before any consent action was taken; this breached the prior-consent requirement of Article 82 of the French Data Protection Act (the national transposition of Article 5(3) ePrivacy), as the user had no opportunity to express or refuse consent before the read/write operation.
EUR 150M
- CNIL (France) SAN-2025-0012025-05-15
SOLOCAL MARKETING SERVICES
Solocal Marketing Services carried out electronic prospecting campaigns directed at several million recipients without a freely- given, specific, informed and unambiguous consent for those communications, breaching Article L. 34-5 CPCE and Articles 6(1)(a) and 7 GDPR; the company also transferred the contacts to commercial partners without a documented legal basis for the onward processing.
EUR 900k
- CNIL (France) SAN-2024-0192024-11-14
ORANGE SA
Orange displayed commercial advertisements between users' email messages in its webmail interface, a form of electronic prospecting requiring prior consent under Article L. 34-5 CPCE that Orange did not obtain; and continued to read information stored on users' terminals through cookies after the user had withdrawn consent, in breach of Article 82 of the French Data Protection Act.
EUR 50M
- CNIL (France) SAN-2024-0022024-01-31
DE PARTICULIER A PARTICULIER (PAP)
PAP retained user account data and inactive-user data beyond the period necessary for the purposes for which they were processed, breaching Article 5(1)(e) GDPR; failed to provide complete information to data subjects in breach of Article 13; did not frame its relationship with a processor with the contractual safeguards required by Article 28; and stored credentials without an appropriately strong hashing function and in plain text in some logs, breaching Article 32.
EUR 100k
- CNIL (France) SAN-2023-0242023-12-29
YAHOO EMEA LIMITED
Around twenty advertising cookies were deposited on the user's terminal on yahoo.com despite no expressed consent, and Yahoo! Mail users who withdrew consent were told they would lose access to the service - both breaches of Article 82 of the French Data Protection Act.
EUR 10M
- CNIL (France) SAN-2023-0092023-06-15
CRITEO SA
Criteo processed user navigation data for behavioural-advertising retargeting without verifying that the consent collected by its partner publishers met the freely-given, specific, informed and unambiguous standard, breaching Article 6(1)(a) and 7 GDPR; provided insufficient information to data subjects under Articles 12 and 13; and failed to give effect to access and erasure requests under Articles 15 and 17 across the data-broker network.
EUR 40M
- CNIL (France) SAN-2022-0272022-12-29
TIKTOK TECHNOLOGY LIMITED and TIKTOK INFORMATION TECHNOLOGIES UK LIMITED
On tiktok.com, users could accept cookies in a single click but had to navigate multiple steps to refuse them, breaching the symmetry-of- refusal limb of Article 82 of the French Data Protection Act; the information provided about the purposes of the cookies was also incomplete, undermining the informed-consent limb of the same article.
EUR 5.0M
- CNIL (France) SAN-2022-0232022-12-19
MICROSOFT IRELAND OPERATIONS LIMITED
Advertising cookies were deposited on users' terminals when they arrived on bing.com without their prior consent, and the consent interface did not offer a "refuse" mechanism with the same simplicity as the "accept" mechanism, breaching the freely-given and equivalent- refusal limbs of Article 82 of the French Data Protection Act.
EUR 60M
- CNIL (France) SAN-2021-0242021-12-31
FACEBOOK IRELAND LIMITED
Facebook deposited cookies on the terminals of users visiting facebook.com without their prior consent and offered no equivalent "refuse" option alongside the "accept" option at the first interaction; users had to click through to a secondary panel to refuse, breaching the freely-given and equivalent-refusal limbs of Article 82 of the French Data Protection Act.
EUR 60M
- CNIL (France) SAN-2021-0232021-12-31
GOOGLE LLC and GOOGLE IRELAND LIMITED
Cookies were deposited on the terminals of users visiting google.fr without their prior consent, and the consent interface did not offer an equivalent refusal control alongside the acceptance control at the first interaction; users had to navigate to a secondary panel to refuse, breaching the freely-given and equivalent-refusal limbs of Article 82 of the French Data Protection Act.
EUR 150M
- CNIL (France) SAN-2020-0132020-12-07
AMAZON EUROPE CORE
When a user visited amazon.fr - including by following an advertisement link from a third-party site - a substantial number of advertising cookies were deposited on the terminal without any action on the user's part, and before any information was provided; the banner shown did not describe the purposes of those cookies or how to refuse them, in breach of Article 82 of the French Data Protection Act.
EUR 35M
- CNIL (France) SAN-2020-0122020-12-07
GOOGLE LLC and GOOGLE IRELAND LIMITED
Advertising cookies were automatically deposited on the user's terminal on google.fr without prior consent, and the information notice did not explain the purposes of all cookies or the means available to refuse them - a breach of Article 82 of the French Data Protection Act (the French transposition of Article 5(3) ePrivacy).
EUR 100M
- CNIL (France) DELIB-2020-0922020-09-17
Commission Nationale de l'Informatique et des Libertés
The controller must offer users the option to accept and to refuse read/write operations on their terminal with the same degree of simplicity (Article 2.4, "Modalités du refus"); withdrawing consent must be as easy as giving it, and the means of withdrawal must be signposted before consent is collected (Article 3, "Retrait et gestion du consentement").
No monetary penalty
EDPB (European Data Protection Board)
- EDPB (European Data Protection Board) GL-01-20252025-01-16
European Data Protection Board
Pseudonymised data which could be attributed to an individual by the use of additional information remains information relating to an identifiable natural person and is therefore personal data within the meaning of Article 4(1) GDPR. Pseudonymisation can support Article 5, Article 25 and Article 32 compliance but does not, by itself, take the data outside the GDPR's material scope.
No monetary penalty
- EDPB (European Data Protection Board) OP-08-20242024-04-17
European Data Protection Board
"In most cases, it will not be possible for large online platforms to comply with the requirements for valid consent if they confront users only with a binary choice between consenting to processing of personal data for behavioural advertising purposes and paying a fee." Large online platforms should give significant consideration to an additional free alternative without behavioural advertising.
No monetary penalty
- EDPB (European Data Protection Board) BD-02-20232023-08-02
TikTok Technology Limited
Two TikTok pop-up notifications shown to users aged 13-17 failed to present privacy options in an objective, neutral way and so breached the fairness principle in Article 5(1)(a) GDPR; the EDPB directed the Irish DPC to include findings on these dark-pattern design practices in its final decision.
No monetary penalty
- EDPB (European Data Protection Board) GL-09-20222023-03-28
European Data Protection Board
Under Article 33(1) GDPR the controller must notify the supervisory authority "without undue delay and, where feasible, not later than 72 hours after having become aware of it". A controller is "considered to have become aware" once it has a "reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised", not at the moment of the underlying compromise.
No monetary penalty
- EDPB (European Data Protection Board) GL-03-20222023-02-14
European Data Protection Board
Interface design choices that "influence users in a way that infringes on the fairness, transparency or data-protection-by-design principles of the GDPR" constitute deceptive design patterns; the Guidelines identify six categories - overloading, skipping, stirring, obstructing, fickle, and left in the dark - and state that these patterns, where they steer users towards a specific decision contrary to their data protection interests, breach Articles 5(1)(a), 12, 13, 24 and 25 GDPR.
No monetary penalty
- EDPB (European Data Protection Board) GL-07-20202021-07-07
European Data Protection Board
The notions of controller and processor are functional - they aim to allocate responsibilities according to the actual roles of the parties. A controller is the body which "determines the purposes and means" of the processing; a processor processes "on behalf of the controller". Where an entity defines what data is collected, for what purpose, with whom it is shared and for how long, it acts as a controller regardless of its self-description.
No monetary penalty
- EDPB (European Data Protection Board) GL-05-20202020-05-04
European Data Protection Board
Valid consent requires "a clear affirmative action" by which the data subject signifies agreement; "the use of pre-ticked opt-in boxes is invalid under the GDPR" and "silence or inactivity on the part of the data subject, as well as merely proceeding with a service" cannot be regarded as an active indication of choice (paragraphs 75 and 79).
No monetary penalty
AEPD (Spain)
- AEPD (Spain) PS-00002-20232023-10-25
ENDESA ENERGIA, S.A.
Endesa failed to implement appropriate security measures to protect customer data, allowing access credentials to its commercial platform to be offered for sale on third-party advertising channels and exposing the personal data of up to 4.8 million electricity and 1.2 million gas customers; the AEPD found composite breaches of Articles 5(1)(f), 32, 33, 34 and 44 GDPR (security, breach notification, notification to data subjects and international transfers).
EUR 6.1M
- AEPD (Spain) PS-00037-20222022-07-18
OPEN BANK, S.A.
openbank.es presented an initial cookie banner with an "Accept" button but no equivalent option to reject non-strictly-necessary cookies at the same interaction level, requiring users to navigate to a "Cookie settings" panel to refuse - the asymmetric design fell short of the unambiguous and freely-given consent standard required by Article 22.2 LSSI in line with Article 4(11) and 7 GDPR.
EUR 30k
- AEPD (Spain) PS-00477-20212022-03-09
VODAFONE ESPAÑA, S.A.U.
vodafone.es deposited cookies on user terminals before any consent action and provided information about cookies through a banner that did not enable users to refuse them with the same ease as accepting - infringing Article 22.2 of Law 34/2002 (LSSI), the Spanish national transposition of Article 5(3) of the ePrivacy Directive.
EUR 70k