Skip to content

GDPR enforcement in 2025

718 decisions · €1.2B total fines · ← 2024 · 2026 →

Date ↓ Company / party Authority Articles Fine
2025-06-26 Alliance for the Union of Romanians Party
Non-compliance with general data processing principles
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 5Art. 6Art. 25Art. 32 €25,000
2025-06-26 SC Tremend Software Consulting SRL
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 32 €3,000
2025-06-26 Selgros Cash & Carry SRL
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 32 €3,000
2025-06-26 Selgros Cash & Carry SRL
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 32 €3,000
2025-06-26 SC Tremend Software Consulting SRL
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 32 €3,000
2025-06-26 SC Piramida Trade Invest SRL
Non-compliance with general data processing principles
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 5Art. 6Art. 12Art. 15 €3,000
2025-06-26 SC Piramida Trade Invest SRL
Non-compliance with general data processing principles
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 5Art. 6Art. 12Art. 15 €3,000
2025-06-25 Vodafone – PANAFON A.E.E.T.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 5Art. 28 €550,000
2025-06-25 Vodafone – PANAFON A.E.E.T.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 5Art. 28 €550,000
2025-06-25 KARAMBELAS KONSTANTINOS & CO. E.E.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 29Art. 32 €40,000
2025-06-25 KARAMBELAS KONSTANTINOS & CO. E.E.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 29Art. 32 €40,000
2025-06-24 Birthlink
Insufficient technical and organisational measures to ensure information security
🇪🇺 Information Commissioner (ICO) Art. 5Art. 32Art. 33 €20,725
2025-06-24 Birthlink
Insufficient technical and organisational measures to ensure information security
🇪🇺 Information Commissioner (ICO) Art. 5Art. 32Art. 33 €20,725
2025-06-24 Shield of David - K.I.D.A.F.
Non-compliance with general data processing principles
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 5Art. 12Art. 13Art. 15 €10,000
2025-06-24 Shield of David - K.I.D.A.F.
Non-compliance with general data processing principles
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 5Art. 12Art. 13Art. 15 €10,000
2025-06-24 General Hospital of the University of Larissa
Insufficient fulfilment of data subjects rights
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 5Art. 14Art. 15 €7,000
2025-06-24 General Hospital of the University of Larissa
Insufficient fulfilment of data subjects rights
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 5Art. 14Art. 15 €7,000
2025-06-23 City of Dublin Education and Training Board
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Ireland Art. 5Art. 32Art. 33Art. 34 €125,000
2025-06-23 City of Dublin Education and Training Board
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Ireland Art. 5Art. 32Art. 33Art. 34 €125,000
2025-06-23 Piraeus Bank S.A.
Insufficient legal basis for data processing
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 5Art. 6 €50,000
2025-06-23 Piraeus Bank S.A.
Insufficient legal basis for data processing
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 5Art. 6 €50,000
2025-06-23 Vodafone Romania S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 25 €4,000
2025-06-23 Vodafone Romania S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 25 €4,000
2025-06-23 Municipal Social Welfare Center Aleksandrów
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 32 €3,500
2025-06-23 Municipal Social Welfare Center Aleksandrów
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 32 €3,500