Skip to content

GDPR enforcement in 2025

718 decisions · €1.2B total fines · ← 2024 · 2026 →

Date ↓ Company / party Authority Articles Fine
2025-09-11 Migliarino San Rossore Massaciuccoli Regional Park Authority
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 20 €8,000
2025-09-11 Migliarino San Rossore Massaciuccoli Regional Park Authority
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 20 €8,000
2025-09-11 Company
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 13 €6,000
2025-09-11 Company
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 13 €6,000
2025-09-11 Municipality of Buccino
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9Art. 13 €6,000
2025-09-11 Municipality of Buccino
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9Art. 13 €6,000
2025-09-11 Giada FM S.r.l.
Insufficient fulfilment of data subjects rights
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 12Art. 15 €1,000
2025-09-11 Giada FM S.r.l.
Insufficient fulfilment of data subjects rights
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 12Art. 15 €1,000
2025-09-09 Unita Turism Holding S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 32 €5,000
2025-09-09 Unita Turism Holding S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 32 €5,000
2025-09-08 S-Pankki Oyj
Insufficient technical and organisational measures to ensure information security
🇪🇺 Deputy Data Protection Ombudsman Art. 5Art. 25Art. 32 €1,800,000
2025-09-08 S-Pankki Oyj
Insufficient technical and organisational measures to ensure information security
🇪🇺 Deputy Data Protection Ombudsman Art. 5Art. 25Art. 32 €1,800,000
2025-09-05 Allium UPI
Insufficient technical and organisational measures to ensure information security
🇪🇺 Estonian Data Protection Authority (AKI) €3,000,000
2025-09-05 Allium UPI
Insufficient technical and organisational measures to ensure information security
🇪🇺 Estonian Data Protection Authority (AKI) €3,000,000
2025-09-05 Bakery Chain
Non-compliance with general data processing principles
🇪🇺 Austrian Data Protection Authority (dsb) Art. 5Art. 6 €33,500
2025-09-05 Bakery Chain
Non-compliance with general data processing principles
🇪🇺 Austrian Data Protection Authority (dsb) Art. 5Art. 6 €33,500
2025-09-04 Sociedad de Gestión de Activos Procedentes de la Reestructuración Bancaria S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 28 €180,000
2025-09-04 Sociedad de Gestión de Activos Procedentes de la Reestructuración Bancaria S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 28 €180,000
2025-09-04 Landlord
Insufficient legal basis for data processing
🇪🇺 Belgian Data Protection Authority (APD) Art. 5Art. 6 €9,700
2025-09-04 Landlord
Insufficient legal basis for data processing
🇪🇺 Belgian Data Protection Authority (APD) Art. 5Art. 6 €9,700
2025-09-04 Company
Insufficient fulfilment of data breach notification obligations
🇪🇺 Austrian Data Protection Authority (dsb) Art. 33 €870
2025-09-04 Company
Insufficient fulfilment of data breach notification obligations
🇪🇺 Austrian Data Protection Authority (dsb) Art. 33 €870
2025-09-02 ILVA A/S
Non-compliance with general data processing principles
🇪🇺 Danish Data Protection Authority (Datatilsynet) €200,900
2025-09-02 ILVA A/S
Non-compliance with general data processing principles
🇪🇺 Danish Data Protection Authority (Datatilsynet) €200,900
2025-09-01 GOOGLE LLC
Insufficient legal basis for data processing
🇪🇺 French Data Protection Authority (CNIL) Art. 82 €200,000,000