GDPR enforcement in 2021
531 decisions · €1.3B total fines · ← 2020 · 2022 →
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2021-12-16 | Banco Bilbao Vizcaya Argentaria S.A. Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 6 | €60,000 |
| 2021-12-16 | Motor insurance center Non-compliance with general data processing principles | 🇪🇺 Deputy Data Protection Ombudsman | Art. 5Art. 25 | €52,000 |
| 2021-12-16 | FCA Italy s.p.a. Insufficient fulfilment of data subjects rights | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 12 | €20,000 |
| 2021-12-16 | Corradi s.r.l. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 13Art. 157 | €20,000 |
| 2021-12-16 | Municipality of Frederiksberg Insufficient technical and organisational measures to ensure information security | 🇪🇺 Danish Data Protection Authority (Datatilsynet) | Art. 32 | €13,450 |
| 2021-12-16 | Centro di Medicina preventiva s.r.l. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 25Art. 32Art. 37 | €10,000 |
| 2021-12-16 | Travel agency Insufficient technical and organisational measures to ensure information security | 🇪🇺 Deputy Data Protection Ombudsman | Art. 5Art. 17Art. 25Art. 32 | €6,500 |
| 2021-12-16 | Private individual Insufficient fulfilment of information obligations | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 13 | €1,200 |
| 2021-12-16 | Università Telematica Internazionale Uninettuno Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5 | €1,000 |
| 2021-12-16 | Enel Energia S.p.A Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 12Art. 13 | €0 |
| 2021-12-14 | IZA OBRAS Y PROMOCIONES, S.A. Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5 | €50,000 |
| 2021-12-13 | Grindr LLC Insufficient legal basis for data processing | 🇪🇺 Norwegian Supervisory Authority (Datatilsynet) | Art. 6Art. 9 | €6,300,000 |
| 2021-12-13 | Elektro & Automasjon Systemer AS Insufficient legal basis for data processing | 🇪🇺 Norwegian Supervisory Authority (Datatilsynet) | Art. 6 | €20,000 |
| 2021-12-13 | SC Nobiotic Pharma SRL Insufficient cooperation with supervisory authority | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 58 | €2,000 |
| 2021-12-09 | Limerick City and County Council Insufficient fulfilment of data subjects rights | 🇪🇺 Data Protection Authority of Ireland | Art. 13Art. 12Art. 15 | €110,000 |
| 2021-12-09 | Warsaw University of Technology Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 24Art. 25Art. 32 | €10,000 |
| 2021-12-08 | One Way Private Company Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 28Art. 32Art. 11 | €30,000 |
| 2021-12-08 | BELGIUM DPA: Insufficient fulfilment of data subjects rights Insufficient fulfilment of data subjects rights | 🇪🇺 Belgian Data Protection Authority (APD) | Art. 12Art. 14Art. 15Art. 17 | €10,000 |
| 2021-12-07 | Psykoterapiakeskus Vastaamo Non-compliance with general data processing principles | 🇪🇺 Deputy Data Protection Ombudsman | Art. 5Art. 33Art. 34 | €608,000 |
| 2021-12-07 | NBQ Technology, S.A.U. Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 6 | €24,000 |
| 2021-12-06 | Telekom Romania Communications SA Non-compliance with general data processing principles | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 5Art. 17 | €6,000 |
| 2021-12-03 | Store owner Insufficient fulfilment of information obligations | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 13 | €1,000 |
| 2021-12-03 | Lawyer Insufficient legal basis for data processing | 🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | Art. 5Art. 6Art. 9 | €843 |
| 2021-12-02 | Irish Teacher Council Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Authority of Ireland | Art. 5Art. 32Art. 33 | €60,000 |
| 2021-12-02 | Casa di cura Fondazione Gaetano e Piera Borghi s.r.l. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 32 | €30,000 |