Article 25 GDPR — enforcement
Cited in 206 decisions · €920.8M total fines · median €50,000 · top authority: 🇪🇺 Italian Data Protection Authority (Garante) (69)
| Date | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2026-05-26 | IQVIA OPERATIONS FRANCE: Non-compliance with general data processing principles | 🇫🇷 French Data Protection Authority (CNIL) | Art. 14, Art. 25 | €5,000,000 |
| 2026-05-12 | Isabel SA: Insufficient fulfilment of data subjects' rights | 🇧🇪 Belgian Data Protection Authority (APD) | Art. 5, Art. 12, Art. 13, Art. 15 | €120,000 |
| 2026-04-17 | Poste Italiane S.p.a.: Non-compliance with general data processing principles | 🇮🇹 Italian Data Protection Authority (Garante) | Art. 5, Art. 6, Art. 13, Art. 25 | €6,624,000 |
| 2026-04-17 | Postepay S.p.a.: Non-compliance with general data processing principles | 🇮🇹 Italian Data Protection Authority (Garante) | Art. 5, Art. 6, Art. 13, Art. 25 | €5,877,000 |
| 2026-03-12 | INPS – Istituto nazionale previdenza sociale: Insufficient technical and organisational measures to ensure information security | 🇮🇹 Italian Data Protection Authority (Garante) | Art. 5, Art. 6, Art. 9, Art. 10 | €40,000 |
| 2026-02-26 | Flamel S.r.l.: Non-compliance with general data processing principles | 🇮🇹 Italian Data Protection Authority (Garante) | Art. 8, Art. 11, Art. 25, Art. 39 | €15,000 |
| 2026-02-19 | Your Consulting SRL: Insufficient technical and organisational measures to ensure information security | 🇷🇴 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 25, Art. 32 | €3,000 |
| 2026-02-12 | Sole Trader: Insufficient legal basis for data processing | 🇮🇹 Italian Data Protection Authority (Garante) | Art. 5, Art. 13, Art. 25 | €1,500 |
| 2026-01-29 | Università Telematica e-Campus: Insufficient legal basis for data processing | 🇮🇹 Italian Data Protection Authority (Garante) | Art. 5, Art. 6, Art. 9, Art. 25 | €50,000 |
| 2026-01-20 | Slovenia DPA: Insufficient technical and organisational measures to ensure information security | 🇸🇮 Slovenian Supervisory Authority (Informacijski pooblaščenec) | Art. 25 | €4,850 |
| 2025-12-22 | CURENERGÍA COMERCIALIZADOR DE ÚLTIMO RECURSO S.A.U.: Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (AEPD) | Art. 25 | €500,000 |
| 2025-12-18 | Bank: Non-compliance with general data processing principles | 🇭🇷 Croatian Data Protection Authority (AZOP) | Art. 5, Art. 6, Art. 13, Art. 25 | €1,500,000 |
| 2025-12-12 | Chief Constable of the Police Service of Scotland: Insufficient technical and organisational measures to ensure information security | 🇬🇧 Information Commissioner (ICO) | Art. 5, Art. 25, Art. 32, Art. 33 | €75,700 |
| 2025-11-27 | Aimag S.p.A.: Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5, Art. 6, Art. 7, Art. 13 | €300,000 |
| 2025-11-26 | Cucina di Fabio S.R.L.: Insufficient legal basis for data processing | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 6, Art. 15, Art. 17, Art. 25 | €3,000 |
| 2025-11-21 | IDCQ HOSPITALES Y SANIDAD, S.L.U.: Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (AEPD) | Art. 6, Art. 9, Art. 25 | €1,200,000 |
| 2025-11-15 | Powiatowego Inspektora Sanitarnego w Policach: Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5, Art. 24, Art. 25, Art. 32 | €4,750 |
| 2025-10-23 | Aktia Pankki Oyj: Insufficient technical and organisational measures to ensure information security | 🇪🇺 Deputy Data Protection Ombudsman | Art. 5, Art. 25, Art. 32 | €865,000 |
| 2025-10-09 | Municipality of Moschato–Tavros: Insufficient legal basis for data processing | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 5, Art. 12, Art. 13, Art. 25 | €10,000 |