Skip to content

GDPR enforcement in 2021

531 decisions · €1.3B total fines · ← 2020 · 2022 →

Date ↓ Company / party Authority Articles Fine
2021-02-11 Istituti ospedalieri bergamaschi
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9Art. 32 €45,000
2021-02-11 Vamavi Phone S.L.
Insufficient fulfilment of data subjects rights
🇪🇺 Spanish Data Protection Authority (aepd) Art. 48Art. 21Art. 23Art. 28 €24,000
2021-02-11 Krajowa Szkoła Sądownictwa i Prokuratury
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 25Art. 28Art. 32 €22,200
2021-02-11 Fondazione di religione e di culto “Casa sollievo della sofferenza” Opera di San Pio da Pietrelcina
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9 €5,000
2021-02-10 ING Bank N.V. Amsterdam - Bucharest office
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 29Art. 32 €1,000
2021-02-09 Lursoft IT SIA
Insufficient legal basis for data processing
🇪🇺 Data State Inspectorate (DSI) Art. 6 €65,000
2021-02-09 Predase Servicios Integrales S.L.
Insufficient fulfilment of information obligations
🇪🇺 Spanish Data Protection Authority (aepd) Art. 13 €5,000
2021-02-08 Private Person
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5 €5,000
2021-02-08 Patio Ancestral S.L.
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 6 €3,000
2021-02-04 Orthodontic Clinic
Insufficient technical and organisational measures to ensure information security
🇪🇺 Dutch Supervisory Authority for Data Protection (AP) Art. 32 €12,000
2021-02-04 Private Person
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5 €2,000
2021-02-03 Iberdrola Clientes
Insufficient fulfilment of data subjects rights
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 17 €100,000
2021-02-03 Cyberbook AS
Insufficient legal basis for data processing
🇪🇺 Norwegian Supervisory Authority (Datatilsynet) Art. 5Art. 6 €19,300
2021-02-02 Legal Person
Insufficient fulfilment of data subjects rights
🇪🇺 Czech Data Protection Auhtority (UOOU) Art. 17 €400
2021-02-01 Xfera Moviles S.A.
Insufficient cooperation with supervisory authority
🇪🇺 Spanish Data Protection Authority (aepd) Art. 58 €24,000
2021-02-01 IDFINANCE Spain, S.L.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5 €3,000
2021-02-01 Legal Person
Insufficient fulfilment of data subjects rights
🇪🇺 Czech Data Protection Auhtority (UOOU) Art. 17 €80
2021-01-27 FRANCE DPA: Insufficient technical and organisational measures to ensure information security
Insufficient technical and organisational measures to ensure information security
🇪🇺 French Data Protection Authority (CNIL) Art. 32 €150,000
2021-01-27 FRANCE DPA: Insufficient technical and organisational measures to ensure information security
Insufficient technical and organisational measures to ensure information security
🇪🇺 French Data Protection Authority (CNIL) Art. 32 €75,000
2021-01-27 Azienda USL della Romagna
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9Art. 32 €50,000
2021-01-27 Family Service / N.D.P.K. nv.
Insufficient legal basis for data processing
🇪🇺 Belgian Data Protection Authority (APD) Art. 5Art. 6Art. 7Art. 13 €50,000
2021-01-27 Azienda Ospedaliero Universitaria Senese
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9 €50,000
2021-01-27 City of Rome (Roma capitale)
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 2 €10,000
2021-01-27 Azienda Ospedaliero Universitaria di Parma
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9 €10,000
2021-01-22 BELGIUM DPA: Insufficient technical and organisational measures to ensure information security
Insufficient technical and organisational measures to ensure information security
🇪🇺 Belgian Data Protection Authority (APD) Art. 5Art. 24Art. 32Art. 33 €25,000