Skip to content

Article 24 GDPR — enforcement

Cited in 131 decisions · €896.5M total fines · median €25,500 · top authority: 🇪🇺Italian Data Protection Authority (Garante) (52)

Date ↓ Company / party Authority Articles Fine
2022-01-01 Hermes Airport Ltd.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Cypriot Data Protection Commissioner Art. 24Art. 32 €6,000
2022-01-01 Cypriot Ministry of Defense
Insufficient technical and organisational measures to ensure information security
🇪🇺 Cypriot Data Protection Commissioner Art. 24Art. 32 €5,000
2022-01-01 Cyprus Electricity Authority
Insufficient technical and organisational measures to ensure information security
🇪🇺 Cypriot Data Protection Commissioner Art. 5Art. 24Art. 32 €5,000
2022-01-01 Universal Life Insurance Public Co Ltd.
Insufficient data processing agreement
🇪🇺 Cypriot Data Protection Commissioner Art. 24Art. 28 €3,500
2022-01-01 MALTA DPA: Insufficient technical and organisational measures to ensure information security
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Commissioner of Malta Art. 24Art. 32 €2,500
2021-12-16 Enel Energia S.p.A
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 12Art. 13 €0
2021-12-09 Warsaw University of Technology
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 24Art. 25Art. 32 €10,000
2021-09-16 La Prima S.r.l.
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 24Art. 25 €5,000
2021-06-24 Magazine publisher
Insufficient legal basis for data processing
🇪🇺 Deputy Data Protection Ombudsman Art. 5Art. 7Art. 12Art. 21 €8,500
2021-05-28 BRAbank ASA
Insufficient technical and organisational measures to ensure information security
🇪🇺 Norwegian Supervisory Authority (Datatilsynet) Art. 24Art. 32 €39,700
2021-04-22 Cyfrowy Polsat S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish Data Protection Authority (UODO) Art. 24Art. 32Art. 34 €245,000
2021-04-20 Website operator
Non-compliance with general data processing principles
🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) Art. 5Art. 24 €2,800
2021-03-25 Fastweb S.p.A.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 12 €4,500,000
2021-03-23 Irish Credit Bureau DAC
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Ireland Art. 5Art. 24Art. 25 €90,000
2021-03-15 Asker Municipality
Insufficient technical and organisational measures to ensure information security
🇪🇺 Norwegian Supervisory Authority (Datatilsynet) Art. 5Art. 6Art. 32Art. 24 €100,000
2021-03-15 Ålesund Municipality
Insufficient technical and organisational measures to ensure information security
🇪🇺 Norwegian Supervisory Authority (Datatilsynet) Art. 32Art. 24Art. 35 €4,900
2021-03-11 Vodafone España, S.A.U.
Insufficient fulfilment of data subjects rights
🇪🇺 Spanish Data Protection Authority (aepd) Art. 28Art. 24Art. 44Art. 21 €8,150,000
2021-02-26 Nacionaliniam visuomenės sveikatos centrui (NVSC)
Non-compliance with general data processing principles
🇪🇺 Lithuanian Data Protection Authority (VDAI) Art. 5Art. 13Art. 24Art. 32 €12,000
2021-02-26 IT sprendimai sėkmei
Non-compliance with general data processing principles
🇪🇺 Lithuanian Data Protection Authority (VDAI) Art. 5Art. 13Art. 24Art. 32 €3,000
2021-01-27 Family Service / N.D.P.K. nv.
Insufficient legal basis for data processing
🇪🇺 Belgian Data Protection Authority (APD) Art. 5Art. 6Art. 7Art. 13 €50,000
2021-01-22 BELGIUM DPA: Insufficient technical and organisational measures to ensure information security
Insufficient technical and organisational measures to ensure information security
🇪🇺 Belgian Data Protection Authority (APD) Art. 5Art. 24Art. 32Art. 33 €25,000
2021-01-01 Restaurant
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Saarland Art. 24Art. 32
2020-12-23 BELGIUM DPA: Insufficient fulfilment of data subjects rights
Insufficient fulfilment of data subjects rights
🇪🇺 Belgian Data Protection Authority (APD) Art. 14Art. 12Art. 15Art. 5 €50,000
2020-12-23 BELGIUM DPA: Insufficient fulfilment of data subjects rights
Insufficient fulfilment of data subjects rights
🇪🇺 Belgian Data Protection Authority (APD) Art. 14Art. 12Art. 6Art. 5 €15,000
2020-11-12 Vodafone Italia S.p.A.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 15 €12,251,601