Skip to content

GDPR enforcement in 2024

318 decisions · €148.0M total fines · ← 2023 · 2025 →

Date ↓ Company / party Authority Articles Fine
2024-03-12 Santander Bank Polska S.A.
Insufficient fulfilment of data breach notification obligations
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 33Art. 34 €326,000
2024-03-12 Toyota Bank Polska S.A.
Insufficient fulfilment of data breach notification obligations
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 33 €18,000
2024-03-07 Centro Riparazioni Piacentino S.p.A.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 13 €20,000
2024-03-07 Banca di Credito Cooperativo Appulo Lucana soc. cooperativa
Insufficient fulfilment of data subjects rights
🇪🇺 Italian Data Protection Authority (Garante) Art. 12Art. 15 €20,000
2024-03-07 Bar
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 13Art. 114 €2,000
2024-03-07 DENTAL REY-GAR, S.L.
Insufficient cooperation with supervisory authority
🇪🇺 Spanish Data Protection Authority (aepd) Art. 58 €1,000
2024-03-06 Verkkokauppa.com
Non-compliance with general data processing principles
🇪🇺 Deputy Data Protection Ombudsman Art. 5Art. 25 €856,000
2024-03-05 EURO MINI STORAGE ROMANIA SRL
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 24Art. 32 €5,000
2024-03-01 Vodafone España, S.A.U.
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 6 €200,000
2024-02-29 Vodafone España, S.A.U.
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 6 €200,000
2024-02-28 Hellenic Post (ΕΛΛΗΝΙΚΑ ΤΑΧΥΔΡΟΜΕΙΑ ΑΝΩΝΥΜΗ ΕΤΑΙΡΕΙΑ)
Insufficient technical and organisational measures to ensure information security
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 5Art. 32 €2,995,140
2024-02-26 Company
Insufficient legal basis for data processing
🇭🇷 Croatian Data Protection Authority (azop) Art. 6Art. 7Art. 13 €20,000
2024-02-26 VESTA CEU ROMÂNIA SRL.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 32 €3,000
2024-02-23 TELEFÓNICA DE ESPAÑA, S.A.U.
Insufficient cooperation with supervisory authority
🇪🇺 Spanish Data Protection Authority (aepd) Art. 58 €90,000
2024-02-22 Azienda Trasporto Passeggeri Emilia-Romagna S.p.A.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 12 €50,000
2024-02-22 Camera di Commercio Industria Artigianato e Agricoltura
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 2 €2,000
2024-02-19 Private individual
Insufficient cooperation with supervisory authority
🇪🇺 Spanish Data Protection Authority (aepd) Art. 58 €400
2024-02-19 Private individual
Insufficient cooperation with supervisory authority
🇪🇺 Spanish Data Protection Authority (aepd) Art. 58 €400
2024-02-13 VODAFONE ESPAÑA, S.A.U.
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 6 €100,000
2024-02-13 IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPERADORA.
Insufficient fulfilment of data subjects rights
🇪🇺 Spanish Data Protection Authority (aepd) Art. 15 €40,000
2024-02-13 ASNEF-EQUIFAX, SERVICIOS DE INFORMACIÓN SOBRE SOLVENCIA Y CRÉDITO, S.L.
Insufficient fulfilment of data subjects rights
🇪🇺 Spanish Data Protection Authority (aepd) Art. 15 €4,000
2024-02-12 CTC EXTERNALIZACIÓN, S.L
Insufficient fulfilment of information obligations
🇪🇺 Spanish Data Protection Authority (aepd) Art. 13Art. 32Art. 35 €365,000
2024-02-08 UniCredit S.p.a.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 32 €2,800,000
2024-02-08 NTT Data Italia S.P.A
Insufficient fulfilment of data breach notification obligations
🇪🇺 Italian Data Protection Authority (Garante) Art. 28Art. 33 €800,000
2024-02-08 Medtronic Italia
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9Art. 12Art. 13 €300,000