GDPR enforcement in 2024
318 decisions · €148.0M total fines · ← 2023 · 2025 →
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2024-03-12 | Santander Bank Polska S.A. Insufficient fulfilment of data breach notification obligations | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 33Art. 34 | €326,000 |
| 2024-03-12 | Toyota Bank Polska S.A. Insufficient fulfilment of data breach notification obligations | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 33 | €18,000 |
| 2024-03-07 | Centro Riparazioni Piacentino S.p.A. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 13 | €20,000 |
| 2024-03-07 | Banca di Credito Cooperativo Appulo Lucana soc. cooperativa Insufficient fulfilment of data subjects rights | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 12Art. 15 | €20,000 |
| 2024-03-07 | Bar Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 13Art. 114 | €2,000 |
| 2024-03-07 | DENTAL REY-GAR, S.L. Insufficient cooperation with supervisory authority | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 58 | €1,000 |
| 2024-03-06 | Verkkokauppa.com Non-compliance with general data processing principles | 🇪🇺 Deputy Data Protection Ombudsman | Art. 5Art. 25 | €856,000 |
| 2024-03-05 | EURO MINI STORAGE ROMANIA SRL Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 24Art. 32 | €5,000 |
| 2024-03-01 | Vodafone España, S.A.U. Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 6 | €200,000 |
| 2024-02-29 | Vodafone España, S.A.U. Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 6 | €200,000 |
| 2024-02-28 | Hellenic Post (ΕΛΛΗΝΙΚΑ ΤΑΧΥΔΡΟΜΕΙΑ ΑΝΩΝΥΜΗ ΕΤΑΙΡΕΙΑ) Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 5Art. 32 | €2,995,140 |
| 2024-02-26 | Company Insufficient legal basis for data processing | 🇭🇷 Croatian Data Protection Authority (azop) | Art. 6Art. 7Art. 13 | €20,000 |
| 2024-02-26 | VESTA CEU ROMÂNIA SRL. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €3,000 |
| 2024-02-23 | TELEFÓNICA DE ESPAÑA, S.A.U. Insufficient cooperation with supervisory authority | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 58 | €90,000 |
| 2024-02-22 | Azienda Trasporto Passeggeri Emilia-Romagna S.p.A. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 12 | €50,000 |
| 2024-02-22 | Camera di Commercio Industria Artigianato e Agricoltura Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 2 | €2,000 |
| 2024-02-19 | Private individual Insufficient cooperation with supervisory authority | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 58 | €400 |
| 2024-02-19 | Private individual Insufficient cooperation with supervisory authority | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 58 | €400 |
| 2024-02-13 | VODAFONE ESPAÑA, S.A.U. Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 6 | €100,000 |
| 2024-02-13 | IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPERADORA. Insufficient fulfilment of data subjects rights | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 15 | €40,000 |
| 2024-02-13 | ASNEF-EQUIFAX, SERVICIOS DE INFORMACIÓN SOBRE SOLVENCIA Y CRÉDITO, S.L. Insufficient fulfilment of data subjects rights | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 15 | €4,000 |
| 2024-02-12 | CTC EXTERNALIZACIÓN, S.L Insufficient fulfilment of information obligations | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 13Art. 32Art. 35 | €365,000 |
| 2024-02-08 | UniCredit S.p.a. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 32 | €2,800,000 |
| 2024-02-08 | NTT Data Italia S.P.A Insufficient fulfilment of data breach notification obligations | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 28Art. 33 | €800,000 |
| 2024-02-08 | Medtronic Italia Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 9Art. 12Art. 13 | €300,000 |