Skip to content

GDPR enforcement in 2021

531 decisions · €1.3B total fines · ← 2020 · 2022 →

Date ↓ Company / party Authority Articles Fine
2021-10-27 Company
Insufficient involvement of data protection officer
🇪🇺 National Commission for Data Protection (CNPD) Art. 37Art. 38Art. 39 €18,700
2021-10-27 LUXEMBOURG DPA: Insufficient involvement of data protection officer
Insufficient involvement of data protection officer
🇪🇺 National Commission for Data Protection (CNPD) Art. 38Art. 39 €15,400
2021-10-27 Car importer
Insufficient legal basis for data processing
🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) Art. 5Art. 6Art. 12Art. 13 €13,500
2021-10-26 Vodafone España, S.A.U.
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 6 €64,000
2021-10-26 VODAFONE SERVICIOS, S.L.U.
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 6 €40,000
2021-10-26 VODAFONE SERVICIOS, S.L.U.
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 6 €40,000
2021-10-26 SERVICIOS LOGÍSTICOS MARTORELL SIGLO XXI, S.L.
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 35 €16,000
2021-10-26 Bank
Non-compliance with general data processing principles
🇪🇺 Bulgarian Commission for Personal Data Protection (KZLD) Art. 5 €380
2021-10-25 MERCEDES GERENCIA, S.L.
Insufficient cooperation with supervisory authority
🇪🇺 Spanish Data Protection Authority (aepd) Art. 58 €3,000
2021-10-21 CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U.
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 6 €3,000,000
2021-10-21 Glove Technology SRL
Insufficient legal basis for data processing
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 5Art. 6 €5,000
2021-10-19 Vodafone España, S.A.U.
Insufficient fulfilment of data subjects rights
🇪🇺 Spanish Data Protection Authority (aepd) Art. 21 €70,000
2021-10-19 Vodafone España, S.A.U.
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 6 €40,000
2021-10-19 BEEPING FULFILMENT S.L.
Insufficient fulfilment of information obligations
🇪🇺 Spanish Data Protection Authority (aepd) Art. 13 €2,000
2021-10-18 Østre Toten municipality
Insufficient technical and organisational measures to ensure information security
🇪🇺 Norwegian Supervisory Authority (Datatilsynet) Art. 5Art. 32 €412,000
2021-10-18 HIV Scotland
Insufficient technical and organisational measures to ensure information security
🇪🇺 Information Commissioner (ICO) Art. 5Art. 32 €11,800
2021-10-14 Bank Millennium S.A
Insufficient fulfilment of data breach notification obligations
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 33Art. 34 €78,000
2021-10-14 ΚΑΠΑ ΛΑΜΔΑ ΩΜΕΓΑ ΔΙΑΦΗΜΙΣΤΙΚΗ ΕΜΠΟΡΙΚΗ ΜΟΝΟΠΡΟΣΩΠΗ ΕΤΑΙΡΕΙΑ ΠΕΡΙΟΡΙΣΜΕΝΗΣ ΕΥΘΥΝΗΣ
Insufficient legal basis for data processing
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 6Art. 12Art. 21 €20,000
2021-10-14 Health Protection Agency of Sardinia (ATS)
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9 €8,000
2021-10-13 Vodafone España, S.A.U.
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 32 €40,000
2021-10-13 LUXEMBOURG DPA: Insufficient involvement of data protection officer
Insufficient involvement of data protection officer
🇪🇺 National Commission for Data Protection (CNPD) Art. 37Art. 38Art. 39 €18,000
2021-10-13 LUXEMBOURG DPA: Insufficient involvement of data protection officer
Insufficient involvement of data protection officer
🇪🇺 National Commission for Data Protection (CNPD) Art. 38Art. 39 €13,200
2021-10-11 MAF.COM ESQUI CLUB
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 7 €10,000
2021-10-08 ORANGE ESPAGNE, S.A.U.
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 6 €30,000
2021-10-06 LUXEMBOURG DPA: Non-compliance with general data processing principles
Non-compliance with general data processing principles
🇪🇺 National Commission for Data Protection (CNPD) Art. 5Art. 13 €5,300