GDPR enforcement in 2021
531 decisions · €1.3B total fines · ← 2020 · 2022 →
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2021-02-11 | Istituti ospedalieri bergamaschi Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 9Art. 32 | €45,000 |
| 2021-02-11 | Vamavi Phone S.L. Insufficient fulfilment of data subjects rights | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 48Art. 21Art. 23Art. 28 | €24,000 |
| 2021-02-11 | Krajowa Szkoła Sądownictwa i Prokuratury Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 25Art. 28Art. 32 | €22,200 |
| 2021-02-11 | Fondazione di religione e di culto “Casa sollievo della sofferenza” Opera di San Pio da Pietrelcina Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 9 | €5,000 |
| 2021-02-10 | ING Bank N.V. Amsterdam - Bucharest office Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 29Art. 32 | €1,000 |
| 2021-02-09 | Lursoft IT SIA Insufficient legal basis for data processing | 🇪🇺 Data State Inspectorate (DSI) | Art. 6 | €65,000 |
| 2021-02-09 | Predase Servicios Integrales S.L. Insufficient fulfilment of information obligations | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 13 | €5,000 |
| 2021-02-08 | Private Person Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5 | €5,000 |
| 2021-02-08 | Patio Ancestral S.L. Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 6 | €3,000 |
| 2021-02-04 | Orthodontic Clinic Insufficient technical and organisational measures to ensure information security | 🇪🇺 Dutch Supervisory Authority for Data Protection (AP) | Art. 32 | €12,000 |
| 2021-02-04 | Private Person Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5 | €2,000 |
| 2021-02-03 | Iberdrola Clientes Insufficient fulfilment of data subjects rights | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 17 | €100,000 |
| 2021-02-03 | Cyberbook AS Insufficient legal basis for data processing | 🇪🇺 Norwegian Supervisory Authority (Datatilsynet) | Art. 5Art. 6 | €19,300 |
| 2021-02-02 | Legal Person Insufficient fulfilment of data subjects rights | 🇪🇺 Czech Data Protection Auhtority (UOOU) | Art. 17 | €400 |
| 2021-02-01 | Xfera Moviles S.A. Insufficient cooperation with supervisory authority | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 58 | €24,000 |
| 2021-02-01 | IDFINANCE Spain, S.L. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5 | €3,000 |
| 2021-02-01 | Legal Person Insufficient fulfilment of data subjects rights | 🇪🇺 Czech Data Protection Auhtority (UOOU) | Art. 17 | €80 |
| 2021-01-27 | FRANCE DPA: Insufficient technical and organisational measures to ensure information security Insufficient technical and organisational measures to ensure information security | 🇪🇺 French Data Protection Authority (CNIL) | Art. 32 | €150,000 |
| 2021-01-27 | FRANCE DPA: Insufficient technical and organisational measures to ensure information security Insufficient technical and organisational measures to ensure information security | 🇪🇺 French Data Protection Authority (CNIL) | Art. 32 | €75,000 |
| 2021-01-27 | Azienda USL della Romagna Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 9Art. 32 | €50,000 |
| 2021-01-27 | Family Service / N.D.P.K. nv. Insufficient legal basis for data processing | 🇪🇺 Belgian Data Protection Authority (APD) | Art. 5Art. 6Art. 7Art. 13 | €50,000 |
| 2021-01-27 | Azienda Ospedaliero Universitaria Senese Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 9 | €50,000 |
| 2021-01-27 | City of Rome (Roma capitale) Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 2 | €10,000 |
| 2021-01-27 | Azienda Ospedaliero Universitaria di Parma Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 9 | €10,000 |
| 2021-01-22 | BELGIUM DPA: Insufficient technical and organisational measures to ensure information security Insufficient technical and organisational measures to ensure information security | 🇪🇺 Belgian Data Protection Authority (APD) | Art. 5Art. 24Art. 32Art. 33 | €25,000 |