The Czech Supervisory Authority imposed a fine of 13.9 million EUR on a company for infringing Article 6 and Article 13 of the GDPR by transferring personal data of approximately 100 million users without proper legal basis and misinforming users about the data transfers, claiming they were anonymized for statistical purposes. The authority found that the internet browsing history of users, even when pseudonymized, could still constitute personal data with the potential for re-identification
The decision, issued in April 2024 after an appeal process, confirmed the liability of the controller and the imposition of the fine, emphasizing the seriousness of the violation by a cybersecurity expert offering data protection tools to the public. https://www.edpb.europa.eu/news/news/2024/czech-sa-imposed-fine-139-million-eur-infringement-art-6-and-art-13-gdpr_en