GDPR enforcement in 2025
718 decisions · €1.2B total fines · ← 2024 · 2026 →
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2025-08-04 | Comune di Venezia Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 25Art. 32 | €10,000 |
| 2025-08-04 | Comune di Venezia Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 25Art. 32 | €10,000 |
| 2025-08-04 | Non-Public Health Care Institution Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 25Art. 32 | €7,700 |
| 2025-08-04 | Non-Public Health Care Institution Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 25Art. 32 | €7,700 |
| 2025-08-04 | Linea Stampalibera Società Cooperativa r.I. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5 | €2,000 |
| 2025-08-04 | Linea Stampalibera Società Cooperativa r.I. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5 | €2,000 |
| 2025-08-04 | Police Officer Insufficient legal basis for data processing | 🇪🇺 Information Commissioner (ICO) | €230 | |
| 2025-08-04 | Police Officer Insufficient legal basis for data processing | 🇪🇺 Information Commissioner (ICO) | €230 | |
| 2025-07-29 | Legal Entity Insufficient legal basis for data processing | 🇪🇺 Slovenian Supervisory Authority (Informacijski pooblaščenec) | Art. 5Art. 6 | €11,614 |
| 2025-07-28 | Entrepreneur Insufficient cooperation with supervisory authority | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 58 | €4,400 |
| 2025-07-28 | Entrepreneur Insufficient cooperation with supervisory authority | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 58 | €4,400 |
| 2025-07-25 | Legal Entity Insufficient data processing agreement | 🇪🇺 Slovenian Supervisory Authority (Informacijski pooblaščenec) | Art. 28 | €5,810 |
| 2025-07-25 | Legal Entity Insufficient technical and organisational measures to ensure information security | 🇪🇺 Slovenian Supervisory Authority (Informacijski pooblaščenec) | Art. 32 | €5,020 |
| 2025-07-24 | Debt Collector Insufficient fulfilment of data subjects rights | 🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | Art. 6Art. 17 | €26,400 |
| 2025-07-23 | SATI S.p.A. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 9 | €10,000 |
| 2025-07-23 | Order of Nursing Professions of Viterbo Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 32 | €10,000 |
| 2025-07-23 | SATI S.p.A. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 9 | €10,000 |
| 2025-07-23 | Order of Nursing Professions of Viterbo Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 32 | €10,000 |
| 2025-07-23 | Agricola International SA Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €5,000 |
| 2025-07-23 | Agricola International SA Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €5,000 |
| 2025-07-22 | HEP-Toplinarstvo Insufficient technical and organisational measures to ensure information security | 🇭🇷 Croatian Data Protection Authority (azop) | Art. 31Art. 32 | €320,000 |
| 2025-07-22 | Information and Communication Company Insufficient technical and organisational measures to ensure information security | 🇭🇷 Croatian Data Protection Authority (azop) | Art. 32 | €50,000 |
| 2025-07-22 | Legal Entity Insufficient legal basis for data processing | 🇪🇺 Slovenian Supervisory Authority (Informacijski pooblaščenec) | Art. 6Art. 9 | €2,200 |
| 2025-07-21 | McDonald’s Polska Sp. z o.o. Non-compliance with general data processing principles | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 25Art. 28Art. 38 | €3,955,000 |
| 2025-07-21 | McDonald’s Polska Sp. z o.o. Non-compliance with general data processing principles | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 25Art. 28Art. 38 | €3,955,000 |