Skip to content

Article 24 GDPR — enforcement

Cited in 131 decisions · €896.5M total fines · median €25,500 · top authority: 🇪🇺Italian Data Protection Authority (Garante) (52)

Date ↓ Company / party Authority Articles Fine
2023-07-18 Company
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 24Art. 25Art. 32 €3,400
2023-05-17 Website operator
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 12Art. 13 €60,000
2023-05-16 Municipality
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 24Art. 25Art. 32 €6,700
2023-02-08 Company
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 24Art. 25Art. 32 €7,200
2023-02-06 I&S Limited Kft
Non-compliance with general data processing principles
🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) Art. 5Art. 6Art. 9Art. 13 €80,500
2023-02-03 Epic Ltd.
Insufficient legal basis for data processing
🇪🇺 Cypriot Data Protection Commissioner Art. 6Art. 24Art. 32 €3,250
2023-01-19 Szczecin-Centrum District Court
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 24Art. 25Art. 32 €6,400
2023-01-01 MALTA DPA: Insufficient fulfilment of data subjects rights
Insufficient fulfilment of data subjects rights
🇪🇺 Data Protection Commissioner of Malta Art. 5Art. 12Art. 13Art. 14 €2,500
2022-12-15 Edison Energia S.p.A.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 12 €4,900,000
2022-11-24 Areti spa
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 12Art. 15Art. 24 €1,000,000
2022-10-20 Douglas Italia S.p.a.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 12 €1,400,000
2022-09-15 Lazio Region
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9Art. 12 €100,000
2022-09-05 Meta Platforms, Inc.
Non-compliance with general data processing principles
🇪🇺 Data Protection Authority of Ireland Art. 5Art. 6Art. 12Art. 24 €405,000,000
2022-08-23 Company
Insufficient technical and organisational measures to ensure information security
🇪🇺 Belgian Data Protection Authority (APD) Art. 5Art. 24Art. 32 €2,500
2022-08-05 Colosseo S.r.l.
Insufficient fulfilment of data subjects rights
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 12Art. 15 €1,000
2022-08-05 Mister Brick S.a.s.
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 12Art. 15 €1,000
2022-08-01 Policoro municipality
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 12Art. 13Art. 24 €26,000
2022-07-13 Manx Care Ltd
Non-compliance with general data processing principles
🇪🇺 Information Commissioner of Isle of Man Art. 5Art. 24Art. 25Art. 32 €202,000
2022-06-30 Continental Automotive Romania SRL
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 24Art. 32 €2,000
2022-05-25 Roularta Media Group
Insufficient legal basis for data processing
🇪🇺 Belgian Data Protection Authority (APD) Art. 5Art. 6Art. 7Art. 12 €50,000
2022-02-08 Budapest Bank Zrt.
Insufficient legal basis for data processing
🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) Art. 5Art. 6Art. 12Art. 13 €634,000
2022-02-02 IAB Europe
Insufficient legal basis for data processing
🇪🇺 Belgian Data Protection Authority (APD) Art. 5Art. 6Art. 9Art. 12 €0
2022-01-26 Slane Credit Union Ltd.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Ireland Art. 5Art. 24Art. 28Art. 30 €5,000
2022-01-19 Fortum Marketing and Sales Polska S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 24Art. 25Art. 28 €1,000,000
2022-01-01 Bank of Cyprus Public Company Ltd.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Cypriot Data Protection Commissioner Art. 5Art. 24Art. 32 €17,000