Article 24 GDPR — enforcement
Cited in 131 decisions · €896.5M total fines · median €25,500 · top authority: 🇪🇺Italian Data Protection Authority (Garante) (52)
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2022-01-01 | Hermes Airport Ltd. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Cypriot Data Protection Commissioner | Art. 24Art. 32 | €6,000 |
| 2022-01-01 | Cypriot Ministry of Defense Insufficient technical and organisational measures to ensure information security | 🇪🇺 Cypriot Data Protection Commissioner | Art. 24Art. 32 | €5,000 |
| 2022-01-01 | Cyprus Electricity Authority Insufficient technical and organisational measures to ensure information security | 🇪🇺 Cypriot Data Protection Commissioner | Art. 5Art. 24Art. 32 | €5,000 |
| 2022-01-01 | Universal Life Insurance Public Co Ltd. Insufficient data processing agreement | 🇪🇺 Cypriot Data Protection Commissioner | Art. 24Art. 28 | €3,500 |
| 2022-01-01 | MALTA DPA: Insufficient technical and organisational measures to ensure information security Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Commissioner of Malta | Art. 24Art. 32 | €2,500 |
| 2021-12-16 | Enel Energia S.p.A Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 12Art. 13 | €0 |
| 2021-12-09 | Warsaw University of Technology Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 24Art. 25Art. 32 | €10,000 |
| 2021-09-16 | La Prima S.r.l. Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 24Art. 25 | €5,000 |
| 2021-06-24 | Magazine publisher Insufficient legal basis for data processing | 🇪🇺 Deputy Data Protection Ombudsman | Art. 5Art. 7Art. 12Art. 21 | €8,500 |
| 2021-05-28 | BRAbank ASA Insufficient technical and organisational measures to ensure information security | 🇪🇺 Norwegian Supervisory Authority (Datatilsynet) | Art. 24Art. 32 | €39,700 |
| 2021-04-22 | Cyfrowy Polsat S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish Data Protection Authority (UODO) | Art. 24Art. 32Art. 34 | €245,000 |
| 2021-04-20 | Website operator Non-compliance with general data processing principles | 🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | Art. 5Art. 24 | €2,800 |
| 2021-03-25 | Fastweb S.p.A. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 12 | €4,500,000 |
| 2021-03-23 | Irish Credit Bureau DAC Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Authority of Ireland | Art. 5Art. 24Art. 25 | €90,000 |
| 2021-03-15 | Asker Municipality Insufficient technical and organisational measures to ensure information security | 🇪🇺 Norwegian Supervisory Authority (Datatilsynet) | Art. 5Art. 6Art. 32Art. 24 | €100,000 |
| 2021-03-15 | Ålesund Municipality Insufficient technical and organisational measures to ensure information security | 🇪🇺 Norwegian Supervisory Authority (Datatilsynet) | Art. 32Art. 24Art. 35 | €4,900 |
| 2021-03-11 | Vodafone España, S.A.U. Insufficient fulfilment of data subjects rights | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 28Art. 24Art. 44Art. 21 | €8,150,000 |
| 2021-02-26 | Nacionaliniam visuomenės sveikatos centrui (NVSC) Non-compliance with general data processing principles | 🇪🇺 Lithuanian Data Protection Authority (VDAI) | Art. 5Art. 13Art. 24Art. 32 | €12,000 |
| 2021-02-26 | IT sprendimai sėkmei Non-compliance with general data processing principles | 🇪🇺 Lithuanian Data Protection Authority (VDAI) | Art. 5Art. 13Art. 24Art. 32 | €3,000 |
| 2021-01-27 | Family Service / N.D.P.K. nv. Insufficient legal basis for data processing | 🇪🇺 Belgian Data Protection Authority (APD) | Art. 5Art. 6Art. 7Art. 13 | €50,000 |
| 2021-01-22 | BELGIUM DPA: Insufficient technical and organisational measures to ensure information security Insufficient technical and organisational measures to ensure information security | 🇪🇺 Belgian Data Protection Authority (APD) | Art. 5Art. 24Art. 32Art. 33 | €25,000 |
| 2021-01-01 | Restaurant Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Authority of Saarland | Art. 24Art. 32 | — |
| 2020-12-23 | BELGIUM DPA: Insufficient fulfilment of data subjects rights Insufficient fulfilment of data subjects rights | 🇪🇺 Belgian Data Protection Authority (APD) | Art. 14Art. 12Art. 15Art. 5 | €50,000 |
| 2020-12-23 | BELGIUM DPA: Insufficient fulfilment of data subjects rights Insufficient fulfilment of data subjects rights | 🇪🇺 Belgian Data Protection Authority (APD) | Art. 14Art. 12Art. 6Art. 5 | €15,000 |
| 2020-11-12 | Vodafone Italia S.p.A. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 15 | €12,251,601 |