GDPR enforcement in 2020
414 decisions · €172.0M total fines · ← 2019 · 2021 →
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2020-12-17 | University College Dublin Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Authority of Ireland | Art. 5Art. 32Art. 33 | €70,000 |
| 2020-12-17 | Miropass S.r.l. Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 9Art. 28 | €40,000 |
| 2020-12-17 | Comune di Luino Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 37 | €10,000 |
| 2020-12-17 | Doctor Insufficient technical and organisational measures to ensure information security | 🇪🇺 French Data Protection Authority (CNIL) | Art. 32Art. 33 | €6,000 |
| 2020-12-17 | Comune di Santo Stefano Belbo Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6 | €4,000 |
| 2020-12-17 | Doctor Insufficient technical and organisational measures to ensure information security | 🇪🇺 French Data Protection Authority (CNIL) | Art. 32Art. 33 | €3,000 |
| 2020-12-17 | Ordine degli Assistenti Sociali della Regione Lazio Insufficient fulfilment of data subjects rights | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 12 | €2,000 |
| 2020-12-16 | HUNGARY DPA: Insufficient legal basis for data processing Insufficient legal basis for data processing | 🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | Art. 5Art. 6Art. 9Art. 12 | €97,150 |
| 2020-12-16 | Robinson Tours Ltd. (Robinson Tours Idegenforgalmi és Szolgáltató Kft.) Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | Art. 25Art. 32Art. 34 | €55,400 |
| 2020-12-16 | HUNGARY DPA: Insufficient fulfilment of information obligations Insufficient fulfilment of information obligations | 🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | Art. 5Art. 13 | €1,940 |
| 2020-12-16 | Next Time Media Agency Ltd. (Next Time Media Ügynökség Kft.) Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | Art. 32 | €1,385 |
| 2020-12-15 | Twitter International Company Insufficient fulfilment of data breach notification obligations | 🇪🇺 Data Protection Authority of Ireland | Art. 33 | €450,000 |
| 2020-12-15 | Uppsalahem AB Insufficient legal basis for data processing | 🇪🇺 Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | Art. 5Art. 6 | €29,500 |
| 2020-12-15 | HH Invest SIA Insufficient fulfilment of information obligations | 🇪🇺 Data State Inspectorate (DSI) | Art. 13 | €15,000 |
| 2020-12-15 | Online Services Insufficient fulfilment of information obligations | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 13Art. 8Art. 6 | €10,000 |
| 2020-12-15 | LATVIA DPA: Insufficient legal basis for data processing Insufficient legal basis for data processing | 🇪🇺 Data State Inspectorate (DSI) | Art. 5Art. 6 | €6,250 |
| 2020-12-14 | Virgin Mobile Polska Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 25Art. 32 | €443,000 |
| 2020-12-11 | Banco Bilbao Vizcaya Argentaria, S.A. Insufficient fulfilment of information obligations | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 6Art. 13 | €5,000,000 |
| 2020-12-11 | Umeå University Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | Art. 5Art. 32 | €54,000 |
| 2020-12-11 | Cosmetic Medical Limited Insufficient cooperation with supervisory authority | 🇪🇺 Information Commissioner of Isle of Man | Art. 31 | €3,250 |
| 2020-12-10 | Booking.com B.V. Insufficient fulfilment of data breach notification obligations | 🇪🇺 Dutch Supervisory Authority for Data Protection (AP) | Art. 33 | €475,000 |
| 2020-12-10 | Budapesti Műszaki és Gazdaságtudományi Egyetem (Budapest University of Technology and Economics) Insufficient legal basis for data processing | 🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | Art. 5Art. 6Art. 9Art. 12 | €22,200 |
| 2020-12-10 | Borjamotor, S.A. Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 7 | €4,000 |
| 2020-12-09 | Xfera Moviles S.A. Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 6 | €40,000 |
| 2020-12-09 | TUiR Warta S.A. Insufficient fulfilment of data breach notification obligations | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 33Art. 34 | €18,850 |