GDPR enforcement in 2025
718 decisions · €1.2B total fines · ← 2024 · 2026 →
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2025-09-25 | Comune di Isola del Gran Sasso Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 10Art. 12 | €3,000 |
| 2025-09-25 | Green.mec. s.r.l. Insufficient fulfilment of data subjects rights | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 13Art. 15 | €1,000 |
| 2025-09-25 | Green.mec. s.r.l. Insufficient fulfilment of data subjects rights | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 13Art. 15 | €1,000 |
| 2025-09-25 | SERVACE S.L. Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 6 | €840 |
| 2025-09-25 | SERVACE S.L. Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 6 | €840 |
| 2025-09-23 | Property manager Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 32 | €600 |
| 2025-09-23 | Property manager Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 32 | €600 |
| 2025-09-22 | DHL PARCEL IBERIA, S.L. Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 32 | €3,000 |
| 2025-09-22 | DHL PARCEL IBERIA, S.L. Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 32 | €3,000 |
| 2025-09-18 | SAMARITAINE SAS Non-compliance with general data processing principles | 🇪🇺 French Data Protection Authority (CNIL) | Art. 5Art. 33Art. 38 | €100,000 |
| 2025-09-18 | SAMARITAINE SAS Non-compliance with general data processing principles | 🇪🇺 French Data Protection Authority (CNIL) | Art. 5Art. 33Art. 38 | €100,000 |
| 2025-09-18 | Dr. Max SRL Insufficient fulfilment of data subjects rights | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 12Art. 17 | €1,000 |
| 2025-09-18 | Dr. Max SRL Insufficient fulfilment of data subjects rights | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 12Art. 17 | €1,000 |
| 2025-09-17 | SERVICIOS FINANCIEROS CARREFOUR, E.F.C. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5 | €1,500,000 |
| 2025-09-17 | SERVICIOS FINANCIEROS CARREFOUR, E.F.C. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5 | €1,500,000 |
| 2025-09-17 | DIGI SPAIN TELECOM, S.L.U. Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 6 | €150,000 |
| 2025-09-17 | DIGI SPAIN TELECOM, S.L.U. Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 6 | €150,000 |
| 2025-09-12 | POLAND DPA: Lack of appointment of data protection officer Lack of appointment of data protection officer | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 38 | €2,670 |
| 2025-09-12 | POLEN, Autoriteit voor gegevensbescherming: Gebrek aan benoeming van een functionaris voor gegevensbescherming. Lack of appointment of data protection officer | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 38 | €2,670 |
| 2025-09-11 | Comune di Nichelino Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 12Art. 16 | €18,000 |
| 2025-09-11 | Comune di Nichelino Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 12Art. 16 | €18,000 |
| 2025-09-11 | Ministry of the Interior - Department of Firefighters, Public Rescue, and Civil Defense - Provincial Command of Florence Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 9 | €12,000 |
| 2025-09-11 | Casa di Cura Città di Roma Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 9Art. 25Art. 32 | €12,000 |
| 2025-09-11 | Casa di Cura Città di Roma Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 9Art. 25Art. 32 | €12,000 |
| 2025-09-11 | Ministry of the Interior - Department of Firefighters, Public Rescue, and Civil Defense - Provincial Command of Florence Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 9 | €12,000 |