GDPR enforcement in 2025
718 decisions · €1.2B total fines · ← 2024 · 2026 →
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2025-12-15 | Arnhem and Nijmegen University of Applied Sciences Insufficient technical and organisational measures to ensure information security | 🇪🇺 Dutch Supervisory Authority for Data Protection (AP) | Art. 32 | €175,000 |
| 2025-12-12 | Chief Constable of the Police Service of Scotland Insufficient technical and organisational measures to ensure information security | 🇬🇧 Information Commissioner (ICO) | Art. 5Art. 25Art. 32Art. 33 | €75,700 |
| 2025-12-11 | MOBIUS SOLUTIONS LTD Non-compliance with general data processing principles | 🇪🇺 French Data Protection Authority (CNIL) | Art. 28Art. 29Art. 30 | €1,000,000 |
| 2025-12-11 | MOBIUS SOLUTIONS LTD Non-compliance with general data processing principles | 🇪🇺 French Data Protection Authority (CNIL) | Art. 28Art. 29Art. 30 | €1,000,000 |
| 2025-12-11 | Legal Entity Insufficient legal basis for data processing | 🇪🇺 Slovenian Supervisory Authority (Informacijski pooblaščenec) | Art. 5Art. 6 | €75,474 |
| 2025-12-10 | University of Limerick Insufficient technical and organisational measures to ensure information security | 🇮🇪 Data Protection Authority of Ireland | Art. 5Art. 30Art. 32Art. 33 | €98,000 |
| 2025-12-10 | Crowd Entertainment Limited Insufficient fulfilment of data subjects rights | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 12Art. 15 | €15,000 |
| 2025-12-10 | Crowd Entertainment Limited Insufficient fulfilment of data subjects rights | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 12Art. 15 | €15,000 |
| 2025-12-08 | Legal Entity Insufficient fulfilment of data subjects rights | 🇪🇺 Slovenian Supervisory Authority (Informacijski pooblaščenec) | Art. 12Art. 13 | €5,100 |
| 2025-12-08 | Compania de Apa Oltenia S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 29Art. 32 | €1,000 |
| 2025-12-08 | Compania de Apa Oltenia S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 29Art. 32 | €1,000 |
| 2025-12-04 | Comune di Tuscania Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 12Art. 13 | €12,000 |
| 2025-12-04 | Istituto Comprensivo Centro di Casalecchio di Reno Insufficient fulfilment of data subjects rights | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6 | €2,000 |
| 2025-12-04 | Istituto Comprensivo Centro di Casalecchio di Reno Insufficient fulfilment of data subjects rights | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6 | €2,000 |
| 2025-12-04 | Legal Entity Insufficient technical and organisational measures to ensure information security | 🇪🇺 Slovenian Supervisory Authority (Informacijski pooblaščenec) | Art. 32 | €1,300 |
| 2025-12-04 | Roverbella Comprehensive School Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 9 | €1,000 |
| 2025-12-04 | 'Principe Umberto di Savoia' State Scientific and Linguistic High School Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 9Art. 13 | €1,000 |
| 2025-12-03 | TIGER MEDIA INC. Insufficient legal basis for data processing | 🇪🇸 Spanish Data Protection Authority (aepd) | Art. 6Art. 27 | €72,000 |
| 2025-12-01 | RISING SUN CAR RENTAL S..L. Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 13 | €3,600 |
| 2025-12-01 | RISING SUN CAR RENTAL S..L. Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 13 | €3,600 |
| 2025-12-01 | DELAFRUIT, S.L. Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5 | €3,600 |
| 2025-12-01 | DELAFRUIT, S.L. Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5 | €3,600 |
| 2025-11-28 | SPRINTER MEGACENTROS DEL DEPORTE, S.L. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 34 | €1,560,000 |
| 2025-11-28 | SPRINTER MEGACENTROS DEL DEPORTE, S.L. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 34 | €1,560,000 |
| 2025-11-27 | AMERICAN EXPRESS CARTE FRANCE Insufficient legal basis for data processing | 🇪🇺 French Data Protection Authority (CNIL) | Art. 82 | €1,500,000 |