Skip to content

GDPR enforcement in 2025

718 decisions · €1.2B total fines · ← 2024 · 2026 →

Date ↓ Company / party Authority Articles Fine
2025-12-15 Arnhem and Nijmegen University of Applied Sciences
Insufficient technical and organisational measures to ensure information security
🇪🇺 Dutch Supervisory Authority for Data Protection (AP) Art. 32 €175,000
2025-12-12 Chief Constable of the Police Service of Scotland
Insufficient technical and organisational measures to ensure information security
🇬🇧 Information Commissioner (ICO) Art. 5Art. 25Art. 32Art. 33 €75,700
2025-12-11 MOBIUS SOLUTIONS LTD
Non-compliance with general data processing principles
🇪🇺 French Data Protection Authority (CNIL) Art. 28Art. 29Art. 30 €1,000,000
2025-12-11 MOBIUS SOLUTIONS LTD
Non-compliance with general data processing principles
🇪🇺 French Data Protection Authority (CNIL) Art. 28Art. 29Art. 30 €1,000,000
2025-12-11 Legal Entity
Insufficient legal basis for data processing
🇪🇺 Slovenian Supervisory Authority (Informacijski pooblaščenec) Art. 5Art. 6 €75,474
2025-12-10 University of Limerick
Insufficient technical and organisational measures to ensure information security
🇮🇪 Data Protection Authority of Ireland Art. 5Art. 30Art. 32Art. 33 €98,000
2025-12-10 Crowd Entertainment Limited
Insufficient fulfilment of data subjects rights
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 12Art. 15 €15,000
2025-12-10 Crowd Entertainment Limited
Insufficient fulfilment of data subjects rights
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 12Art. 15 €15,000
2025-12-08 Legal Entity
Insufficient fulfilment of data subjects rights
🇪🇺 Slovenian Supervisory Authority (Informacijski pooblaščenec) Art. 12Art. 13 €5,100
2025-12-08 Compania de Apa Oltenia S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 29Art. 32 €1,000
2025-12-08 Compania de Apa Oltenia S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 29Art. 32 €1,000
2025-12-04 Comune di Tuscania
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 12Art. 13 €12,000
2025-12-04 Istituto Comprensivo Centro di Casalecchio di Reno
Insufficient fulfilment of data subjects rights
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6 €2,000
2025-12-04 Istituto Comprensivo Centro di Casalecchio di Reno
Insufficient fulfilment of data subjects rights
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6 €2,000
2025-12-04 Legal Entity
Insufficient technical and organisational measures to ensure information security
🇪🇺 Slovenian Supervisory Authority (Informacijski pooblaščenec) Art. 32 €1,300
2025-12-04 Roverbella Comprehensive School
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9 €1,000
2025-12-04 'Principe Umberto di Savoia' State Scientific and Linguistic High School
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9Art. 13 €1,000
2025-12-03 TIGER MEDIA INC.
Insufficient legal basis for data processing
🇪🇸 Spanish Data Protection Authority (aepd) Art. 6Art. 27 €72,000
2025-12-01 RISING SUN CAR RENTAL S..L.
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 13 €3,600
2025-12-01 RISING SUN CAR RENTAL S..L.
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 13 €3,600
2025-12-01 DELAFRUIT, S.L.
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5 €3,600
2025-12-01 DELAFRUIT, S.L.
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5 €3,600
2025-11-28 SPRINTER MEGACENTROS DEL DEPORTE, S.L.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 34 €1,560,000
2025-11-28 SPRINTER MEGACENTROS DEL DEPORTE, S.L.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 34 €1,560,000
2025-11-27 AMERICAN EXPRESS CARTE FRANCE
Insufficient legal basis for data processing
🇪🇺 French Data Protection Authority (CNIL) Art. 82 €1,500,000