GDPR enforcement in 2021
531 decisions · €1.3B total fines · ← 2020 · 2022 →
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2021-10-27 | Company Insufficient involvement of data protection officer | 🇪🇺 National Commission for Data Protection (CNPD) | Art. 37Art. 38Art. 39 | €18,700 |
| 2021-10-27 | LUXEMBOURG DPA: Insufficient involvement of data protection officer Insufficient involvement of data protection officer | 🇪🇺 National Commission for Data Protection (CNPD) | Art. 38Art. 39 | €15,400 |
| 2021-10-27 | Car importer Insufficient legal basis for data processing | 🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | Art. 5Art. 6Art. 12Art. 13 | €13,500 |
| 2021-10-26 | Vodafone España, S.A.U. Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 6 | €64,000 |
| 2021-10-26 | VODAFONE SERVICIOS, S.L.U. Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 6 | €40,000 |
| 2021-10-26 | VODAFONE SERVICIOS, S.L.U. Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 6 | €40,000 |
| 2021-10-26 | SERVICIOS LOGÍSTICOS MARTORELL SIGLO XXI, S.L. Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 35 | €16,000 |
| 2021-10-26 | Bank Non-compliance with general data processing principles | 🇪🇺 Bulgarian Commission for Personal Data Protection (KZLD) | Art. 5 | €380 |
| 2021-10-25 | MERCEDES GERENCIA, S.L. Insufficient cooperation with supervisory authority | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 58 | €3,000 |
| 2021-10-21 | CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U. Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 6 | €3,000,000 |
| 2021-10-21 | Glove Technology SRL Insufficient legal basis for data processing | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 5Art. 6 | €5,000 |
| 2021-10-19 | Vodafone España, S.A.U. Insufficient fulfilment of data subjects rights | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 21 | €70,000 |
| 2021-10-19 | Vodafone España, S.A.U. Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 6 | €40,000 |
| 2021-10-19 | BEEPING FULFILMENT S.L. Insufficient fulfilment of information obligations | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 13 | €2,000 |
| 2021-10-18 | Østre Toten municipality Insufficient technical and organisational measures to ensure information security | 🇪🇺 Norwegian Supervisory Authority (Datatilsynet) | Art. 5Art. 32 | €412,000 |
| 2021-10-18 | HIV Scotland Insufficient technical and organisational measures to ensure information security | 🇪🇺 Information Commissioner (ICO) | Art. 5Art. 32 | €11,800 |
| 2021-10-14 | Bank Millennium S.A Insufficient fulfilment of data breach notification obligations | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 33Art. 34 | €78,000 |
| 2021-10-14 | ΚΑΠΑ ΛΑΜΔΑ ΩΜΕΓΑ ΔΙΑΦΗΜΙΣΤΙΚΗ ΕΜΠΟΡΙΚΗ ΜΟΝΟΠΡΟΣΩΠΗ ΕΤΑΙΡΕΙΑ ΠΕΡΙΟΡΙΣΜΕΝΗΣ ΕΥΘΥΝΗΣ Insufficient legal basis for data processing | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 6Art. 12Art. 21 | €20,000 |
| 2021-10-14 | Health Protection Agency of Sardinia (ATS) Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 9 | €8,000 |
| 2021-10-13 | Vodafone España, S.A.U. Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 32 | €40,000 |
| 2021-10-13 | LUXEMBOURG DPA: Insufficient involvement of data protection officer Insufficient involvement of data protection officer | 🇪🇺 National Commission for Data Protection (CNPD) | Art. 37Art. 38Art. 39 | €18,000 |
| 2021-10-13 | LUXEMBOURG DPA: Insufficient involvement of data protection officer Insufficient involvement of data protection officer | 🇪🇺 National Commission for Data Protection (CNPD) | Art. 38Art. 39 | €13,200 |
| 2021-10-11 | MAF.COM ESQUI CLUB Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 7 | €10,000 |
| 2021-10-08 | ORANGE ESPAGNE, S.A.U. Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 6 | €30,000 |
| 2021-10-06 | LUXEMBOURG DPA: Non-compliance with general data processing principles Non-compliance with general data processing principles | 🇪🇺 National Commission for Data Protection (CNPD) | Art. 5Art. 13 | €5,300 |