GDPR enforcement in 2025
718 decisions · €1.2B total fines · ← 2024 · 2026 →
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2025-09-11 | Migliarino San Rossore Massaciuccoli Regional Park Authority Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 20 | €8,000 |
| 2025-09-11 | Migliarino San Rossore Massaciuccoli Regional Park Authority Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 20 | €8,000 |
| 2025-09-11 | Company Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 13 | €6,000 |
| 2025-09-11 | Company Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 13 | €6,000 |
| 2025-09-11 | Municipality of Buccino Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 9Art. 13 | €6,000 |
| 2025-09-11 | Municipality of Buccino Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 9Art. 13 | €6,000 |
| 2025-09-11 | Giada FM S.r.l. Insufficient fulfilment of data subjects rights | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 12Art. 15 | €1,000 |
| 2025-09-11 | Giada FM S.r.l. Insufficient fulfilment of data subjects rights | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 12Art. 15 | €1,000 |
| 2025-09-09 | Unita Turism Holding S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €5,000 |
| 2025-09-09 | Unita Turism Holding S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €5,000 |
| 2025-09-08 | S-Pankki Oyj Insufficient technical and organisational measures to ensure information security | 🇪🇺 Deputy Data Protection Ombudsman | Art. 5Art. 25Art. 32 | €1,800,000 |
| 2025-09-08 | S-Pankki Oyj Insufficient technical and organisational measures to ensure information security | 🇪🇺 Deputy Data Protection Ombudsman | Art. 5Art. 25Art. 32 | €1,800,000 |
| 2025-09-05 | Allium UPI Insufficient technical and organisational measures to ensure information security | 🇪🇺 Estonian Data Protection Authority (AKI) | €3,000,000 | |
| 2025-09-05 | Allium UPI Insufficient technical and organisational measures to ensure information security | 🇪🇺 Estonian Data Protection Authority (AKI) | €3,000,000 | |
| 2025-09-05 | Bakery Chain Non-compliance with general data processing principles | 🇪🇺 Austrian Data Protection Authority (dsb) | Art. 5Art. 6 | €33,500 |
| 2025-09-05 | Bakery Chain Non-compliance with general data processing principles | 🇪🇺 Austrian Data Protection Authority (dsb) | Art. 5Art. 6 | €33,500 |
| 2025-09-04 | Sociedad de Gestión de Activos Procedentes de la Reestructuración Bancaria S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 28 | €180,000 |
| 2025-09-04 | Sociedad de Gestión de Activos Procedentes de la Reestructuración Bancaria S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 28 | €180,000 |
| 2025-09-04 | Landlord Insufficient legal basis for data processing | 🇪🇺 Belgian Data Protection Authority (APD) | Art. 5Art. 6 | €9,700 |
| 2025-09-04 | Landlord Insufficient legal basis for data processing | 🇪🇺 Belgian Data Protection Authority (APD) | Art. 5Art. 6 | €9,700 |
| 2025-09-04 | Company Insufficient fulfilment of data breach notification obligations | 🇪🇺 Austrian Data Protection Authority (dsb) | Art. 33 | €870 |
| 2025-09-04 | Company Insufficient fulfilment of data breach notification obligations | 🇪🇺 Austrian Data Protection Authority (dsb) | Art. 33 | €870 |
| 2025-09-02 | ILVA A/S Non-compliance with general data processing principles | 🇪🇺 Danish Data Protection Authority (Datatilsynet) | €200,900 | |
| 2025-09-02 | ILVA A/S Non-compliance with general data processing principles | 🇪🇺 Danish Data Protection Authority (Datatilsynet) | €200,900 | |
| 2025-09-01 | GOOGLE LLC Insufficient legal basis for data processing | 🇪🇺 French Data Protection Authority (CNIL) | Art. 82 | €200,000,000 |