Skip to content

GDPR enforcement in 2021

531 decisions · €1.3B total fines · ← 2020 · 2022 →

Date ↓ Company / party Authority Articles Fine
2021-12-16 Banco Bilbao Vizcaya Argentaria S.A.
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 6 €60,000
2021-12-16 Motor insurance center
Non-compliance with general data processing principles
🇪🇺 Deputy Data Protection Ombudsman Art. 5Art. 25 €52,000
2021-12-16 FCA Italy s.p.a.
Insufficient fulfilment of data subjects rights
🇪🇺 Italian Data Protection Authority (Garante) Art. 12 €20,000
2021-12-16 Corradi s.r.l.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 13Art. 157 €20,000
2021-12-16 Municipality of Frederiksberg
Insufficient technical and organisational measures to ensure information security
🇪🇺 Danish Data Protection Authority (Datatilsynet) Art. 32 €13,450
2021-12-16 Centro di Medicina preventiva s.r.l.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 25Art. 32Art. 37 €10,000
2021-12-16 Travel agency
Insufficient technical and organisational measures to ensure information security
🇪🇺 Deputy Data Protection Ombudsman Art. 5Art. 17Art. 25Art. 32 €6,500
2021-12-16 Private individual
Insufficient fulfilment of information obligations
🇪🇺 Spanish Data Protection Authority (aepd) Art. 13 €1,200
2021-12-16 Università Telematica Internazionale Uninettuno
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5 €1,000
2021-12-16 Enel Energia S.p.A
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 12Art. 13 €0
2021-12-14 IZA OBRAS Y PROMOCIONES, S.A.
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5 €50,000
2021-12-13 Grindr LLC
Insufficient legal basis for data processing
🇪🇺 Norwegian Supervisory Authority (Datatilsynet) Art. 6Art. 9 €6,300,000
2021-12-13 Elektro & Automasjon Systemer AS
Insufficient legal basis for data processing
🇪🇺 Norwegian Supervisory Authority (Datatilsynet) Art. 6 €20,000
2021-12-13 SC Nobiotic Pharma SRL
Insufficient cooperation with supervisory authority
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 58 €2,000
2021-12-09 Limerick City and County Council
Insufficient fulfilment of data subjects rights
🇪🇺 Data Protection Authority of Ireland Art. 13Art. 12Art. 15 €110,000
2021-12-09 Warsaw University of Technology
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 24Art. 25Art. 32 €10,000
2021-12-08 One Way Private Company
Insufficient technical and organisational measures to ensure information security
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 28Art. 32Art. 11 €30,000
2021-12-08 BELGIUM DPA: Insufficient fulfilment of data subjects rights
Insufficient fulfilment of data subjects rights
🇪🇺 Belgian Data Protection Authority (APD) Art. 12Art. 14Art. 15Art. 17 €10,000
2021-12-07 Psykoterapiakeskus Vastaamo
Non-compliance with general data processing principles
🇪🇺 Deputy Data Protection Ombudsman Art. 5Art. 33Art. 34 €608,000
2021-12-07 NBQ Technology, S.A.U.
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 6 €24,000
2021-12-06 Telekom Romania Communications SA
Non-compliance with general data processing principles
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 5Art. 17 €6,000
2021-12-03 Store owner
Insufficient fulfilment of information obligations
🇪🇺 Spanish Data Protection Authority (aepd) Art. 13 €1,000
2021-12-03 Lawyer
Insufficient legal basis for data processing
🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) Art. 5Art. 6Art. 9 €843
2021-12-02 Irish Teacher Council
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Ireland Art. 5Art. 32Art. 33 €60,000
2021-12-02 Casa di cura Fondazione Gaetano e Piera Borghi s.r.l.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 32 €30,000