GDPR enforcement in 2025
718 decisions · €1.2B total fines · ← 2024 · 2026 →
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2025-06-26 | Alliance for the Union of Romanians Party Non-compliance with general data processing principles | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 5Art. 6Art. 25Art. 32 | €25,000 |
| 2025-06-26 | SC Tremend Software Consulting SRL Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €3,000 |
| 2025-06-26 | Selgros Cash & Carry SRL Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €3,000 |
| 2025-06-26 | Selgros Cash & Carry SRL Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €3,000 |
| 2025-06-26 | SC Tremend Software Consulting SRL Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €3,000 |
| 2025-06-26 | SC Piramida Trade Invest SRL Non-compliance with general data processing principles | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 5Art. 6Art. 12Art. 15 | €3,000 |
| 2025-06-26 | SC Piramida Trade Invest SRL Non-compliance with general data processing principles | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 5Art. 6Art. 12Art. 15 | €3,000 |
| 2025-06-25 | Vodafone – PANAFON A.E.E.T. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 5Art. 28 | €550,000 |
| 2025-06-25 | Vodafone – PANAFON A.E.E.T. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 5Art. 28 | €550,000 |
| 2025-06-25 | KARAMBELAS KONSTANTINOS & CO. E.E. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 29Art. 32 | €40,000 |
| 2025-06-25 | KARAMBELAS KONSTANTINOS & CO. E.E. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 29Art. 32 | €40,000 |
| 2025-06-24 | Birthlink Insufficient technical and organisational measures to ensure information security | 🇪🇺 Information Commissioner (ICO) | Art. 5Art. 32Art. 33 | €20,725 |
| 2025-06-24 | Birthlink Insufficient technical and organisational measures to ensure information security | 🇪🇺 Information Commissioner (ICO) | Art. 5Art. 32Art. 33 | €20,725 |
| 2025-06-24 | Shield of David - K.I.D.A.F. Non-compliance with general data processing principles | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 5Art. 12Art. 13Art. 15 | €10,000 |
| 2025-06-24 | Shield of David - K.I.D.A.F. Non-compliance with general data processing principles | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 5Art. 12Art. 13Art. 15 | €10,000 |
| 2025-06-24 | General Hospital of the University of Larissa Insufficient fulfilment of data subjects rights | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 5Art. 14Art. 15 | €7,000 |
| 2025-06-24 | General Hospital of the University of Larissa Insufficient fulfilment of data subjects rights | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 5Art. 14Art. 15 | €7,000 |
| 2025-06-23 | City of Dublin Education and Training Board Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Authority of Ireland | Art. 5Art. 32Art. 33Art. 34 | €125,000 |
| 2025-06-23 | City of Dublin Education and Training Board Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Authority of Ireland | Art. 5Art. 32Art. 33Art. 34 | €125,000 |
| 2025-06-23 | Piraeus Bank S.A. Insufficient legal basis for data processing | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 5Art. 6 | €50,000 |
| 2025-06-23 | Piraeus Bank S.A. Insufficient legal basis for data processing | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 5Art. 6 | €50,000 |
| 2025-06-23 | Vodafone Romania S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 25 | €4,000 |
| 2025-06-23 | Vodafone Romania S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 25 | €4,000 |
| 2025-06-23 | Municipal Social Welfare Center Aleksandrów Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 32 | €3,500 |
| 2025-06-23 | Municipal Social Welfare Center Aleksandrów Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 32 | €3,500 |