Skip to content

GDPR enforcement in 2020

414 decisions · €172.0M total fines · ← 2019 · 2021 →

Date ↓ Company / party Authority Articles Fine
2020-12-17 University College Dublin
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Ireland Art. 5Art. 32Art. 33 €70,000
2020-12-17 Miropass S.r.l.
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9Art. 28 €40,000
2020-12-17 Comune di Luino
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 37 €10,000
2020-12-17 Doctor
Insufficient technical and organisational measures to ensure information security
🇪🇺 French Data Protection Authority (CNIL) Art. 32Art. 33 €6,000
2020-12-17 Comune di Santo Stefano Belbo
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6 €4,000
2020-12-17 Doctor
Insufficient technical and organisational measures to ensure information security
🇪🇺 French Data Protection Authority (CNIL) Art. 32Art. 33 €3,000
2020-12-17 Ordine degli Assistenti Sociali della Regione Lazio
Insufficient fulfilment of data subjects rights
🇪🇺 Italian Data Protection Authority (Garante) Art. 12 €2,000
2020-12-16 HUNGARY DPA: Insufficient legal basis for data processing
Insufficient legal basis for data processing
🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) Art. 5Art. 6Art. 9Art. 12 €97,150
2020-12-16 Robinson Tours Ltd. (Robinson Tours Idegenforgalmi és Szolgáltató Kft.)
Insufficient technical and organisational measures to ensure information security
🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) Art. 25Art. 32Art. 34 €55,400
2020-12-16 HUNGARY DPA: Insufficient fulfilment of information obligations
Insufficient fulfilment of information obligations
🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) Art. 5Art. 13 €1,940
2020-12-16 Next Time Media Agency Ltd. (Next Time Media Ügynökség Kft.)
Insufficient technical and organisational measures to ensure information security
🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) Art. 32 €1,385
2020-12-15 Twitter International Company
Insufficient fulfilment of data breach notification obligations
🇪🇺 Data Protection Authority of Ireland Art. 33 €450,000
2020-12-15 Uppsalahem AB
Insufficient legal basis for data processing
🇪🇺 Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) Art. 5Art. 6 €29,500
2020-12-15 HH Invest SIA
Insufficient fulfilment of information obligations
🇪🇺 Data State Inspectorate (DSI) Art. 13 €15,000
2020-12-15 Online Services
Insufficient fulfilment of information obligations
🇪🇺 Spanish Data Protection Authority (aepd) Art. 13Art. 8Art. 6 €10,000
2020-12-15 LATVIA DPA: Insufficient legal basis for data processing
Insufficient legal basis for data processing
🇪🇺 Data State Inspectorate (DSI) Art. 5Art. 6 €6,250
2020-12-14 Virgin Mobile Polska
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 25Art. 32 €443,000
2020-12-11 Banco Bilbao Vizcaya Argentaria, S.A.
Insufficient fulfilment of information obligations
🇪🇺 Spanish Data Protection Authority (aepd) Art. 6Art. 13 €5,000,000
2020-12-11 Umeå University
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) Art. 5Art. 32 €54,000
2020-12-11 Cosmetic Medical Limited
Insufficient cooperation with supervisory authority
🇪🇺 Information Commissioner of Isle of Man Art. 31 €3,250
2020-12-10 Booking.com B.V.
Insufficient fulfilment of data breach notification obligations
🇪🇺 Dutch Supervisory Authority for Data Protection (AP) Art. 33 €475,000
2020-12-10 Budapesti Műszaki és Gazdaságtudományi Egyetem (Budapest University of Technology and Economics)
Insufficient legal basis for data processing
🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) Art. 5Art. 6Art. 9Art. 12 €22,200
2020-12-10 Borjamotor, S.A.
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 7 €4,000
2020-12-09 Xfera Moviles S.A.
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 6 €40,000
2020-12-09 TUiR Warta S.A.
Insufficient fulfilment of data breach notification obligations
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 33Art. 34 €18,850