GDPR enforcement in 2025
718 decisions · €1.2B total fines · ← 2024 · 2026 →
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2025-12-31 | ONE WAY PRIVATE COMPANY Non-compliance with general data processing principles | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 5Art. 6Art. 7Art. 29 | €80,000 |
| 2025-12-31 | Thessaloniki–Thessaly Gas Supply Company S.A. Insufficient data processing agreement | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 28Art. 32 | €10,000 |
| 2025-12-31 | SIGMA & KAPPA IMPORTING SOCIÉTÉ ANONYME Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 32 | €10,000 |
| 2025-12-31 | I Mathisi Insufficient fulfilment of data subjects rights | 🇬🇷 Hellenic Data Protection Authority (HDPA) | Art. 12Art. 15Art. 31 | €6,000 |
| 2025-12-31 | REVMA PLUS Retail S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 32 | €5,000 |
| 2025-12-30 | Company Non-compliance with general data processing principles | 🇪🇺 French Data Protection Authority (CNIL) | Art. 6Art. 13Art. 32Art. 35 | €3,500,000 |
| 2025-12-30 | ENDESA (energy supplyer) Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5 | €60,000 |
| 2025-12-30 | ENDESA (energy supplyer) Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5 | €60,000 |
| 2025-12-30 | Debt collecting agancy (GESTIÓN DE COBROS, YO COBRO SL) Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5 | €60,000 |
| 2025-12-30 | Debt collecting agancy (GESTIÓN DE COBROS, YO COBRO SL) Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5 | €60,000 |
| 2025-12-30 | Social Insurance Agency Insufficient technical and organisational measures to ensure information security | 🇪🇺 Slovak Data Protection Office | Art. 32 | €50,000 |
| 2025-12-30 | Social Insurance Agency Insufficient technical and organisational measures to ensure information security | 🇪🇺 Slovak Data Protection Office | Art. 32 | €50,000 |
| 2025-12-30 | Slovak Telekom Insufficient technical and organisational measures to ensure information security | 🇪🇺 Slovak Data Protection Office | Art. 32 | €40,000 |
| 2025-12-30 | Slovak Telekom Insufficient technical and organisational measures to ensure information security | 🇪🇺 Slovak Data Protection Office | Art. 32 | €40,000 |
| 2025-12-30 | Vodafone España, S.A.U. Insufficient fulfilment of data subjects rights | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5 | €27,000 |
| 2025-12-30 | Vodafone España, S.A.U. Insufficient fulfilment of data subjects rights | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5 | €27,000 |
| 2025-12-30 | Telecommunications company Insufficient legal basis for data processing | 🇪🇺 Croatian Data Protection Authority (azop) | Art. 6Art. 5 | €20,000 |
| 2025-12-30 | Telecommunications company Insufficient legal basis for data processing | 🇪🇺 Croatian Data Protection Authority (azop) | Art. 6Art. 5 | €20,000 |
| 2025-12-30 | Madrileña Red de Gas Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 32 | €12,000 |
| 2025-12-30 | Madrileña Red de Gas Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 32 | €12,000 |
| 2025-12-30 | Roumasport S.R.L Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €10,000 |
| 2025-12-30 | Ikea Ibérica Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 6 | €10,000 |
| 2025-12-30 | Ikea Ibérica Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 6 | €10,000 |
| 2025-12-30 | Roumasport S.R.L Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €10,000 |
| 2025-12-30 | Restaurant (SANTI 3000, S.L.) Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 6 | €9,600 |
1–25 of 718 next →