Skip to content

GDPR enforcement in 2021

531 decisions · €1.3B total fines · ← 2020 · 2022 →

Date ↓ Company / party Authority Articles Fine
2021-04-08 LUXEMBOURG DPA: Non-compliance with general data processing principles
Non-compliance with general data processing principles
🇪🇺 National Commission for Data Protection (CNPD) Art. 5Art. 13 €2,800
2021-04-06 Promotech Digital S.L.
Insufficient fulfilment of data subjects rights
🇪🇺 Spanish Data Protection Authority (aepd) Art. 21 €2,400
2021-04-05 Stockhunters S.L.
Insufficient fulfilment of information obligations
🇪🇺 Spanish Data Protection Authority (aepd) Art. 13 €4,000
2021-04-05 Kukimbia S.L.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 32 €3,000
2021-04-05 Electrotecnica Bastida S.L.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 32 €3,000
2021-03-30 Telekom Romania Mobile Communications S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 32 €10,000
2021-03-25 Fastweb S.p.A.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 12 €4,500,000
2021-03-25 OneDirect Srl
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 6Art. 7Art. 30Art. 31 €30,000
2021-03-25 GEDI News Network Spa
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 12 €20,000
2021-03-25 TECNOMEDICAL S.r.l.
Insufficient fulfilment of data subjects rights
🇪🇺 Italian Data Protection Authority (Garante) Art. 12Art. 15 €7,000
2021-03-25 Convitto Nazionale Statale 'Giordano Bruno' di Maddaloni (boarding school)
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 2 €6,000
2021-03-25 Comune di Castellanza
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6 €4,000
2021-03-25 Operator of a care facility
Insufficient legal basis for data processing
🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) Art. 5Art. 6Art. 13 €1,425
2021-03-24 Budapest Főváros Kormányhivatala XI. kerületi Hivatalát (11th District Public Health Department of the Government Office of the Capital City Budapest)
Insufficient technical and organisational measures to ensure information security
🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) Art. 32Art. 33Art. 34 €27,700
2021-03-23 Irish Credit Bureau DAC
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Ireland Art. 5Art. 24Art. 25 €90,000
2021-03-23 S.C. Medicover S.R.L.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 32 €2,000
2021-03-23 Laboratorio Octogón, S.L.
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5 €1,000
2021-03-22 Candidate for parliamentary elections
Insufficient fulfilment of data subjects rights
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 15Art. 11 €2,000
2021-03-21 Basaren Drift AS
Insufficient legal basis for data processing
🇪🇺 Norwegian Supervisory Authority (Datatilsynet) Art. 5Art. 6Art. 13 €19,900
2021-03-19 Funeda Sp. z o.o.
Insufficient cooperation with supervisory authority
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 31Art. 58 €4,900
2021-03-18 Asesoría Alpi-Clúa S.L.
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 32 €3,000
2021-03-16 Vodafone España, S.A.U.
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 6 €60,000
2021-03-15 Air Europa Lineas Aereas, SA.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 32Art. 33 €600,000
2021-03-15 Asker Municipality
Insufficient technical and organisational measures to ensure information security
🇪🇺 Norwegian Supervisory Authority (Datatilsynet) Art. 5Art. 6Art. 32Art. 24 €100,000
2021-03-15 Certime S.A.
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5 €5,000