Skip to content

Article 25 GDPR — enforcement

Cited in 206 decisions · €920.8M total fines · median €50,000 · top authority: 🇪🇺Italian Data Protection Authority (Garante) (69)

Date ↓ Company / party Authority Articles Fine
2026-05-26 IQVIA OPERATIONS FRANCE
Non-compliance with general data processing principles
🇫🇷 French Data Protection Authority (CNIL) Art. 14Art. 25 €5,000,000
2026-05-12 Isabel SA
Insufficient fulfilment of data subjects rights
🇧🇪 Belgian Data Protection Authority (APD) Art. 5Art. 12Art. 13Art. 15 €120,000
2026-04-17 Poste Italiane S.p.a.
Non-compliance with general data processing principles
🇮🇹 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 13Art. 25 €6,624,000
2026-04-17 Postepay S.p.a.
Non-compliance with general data processing principles
🇮🇹 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 13Art. 25 €5,877,000
2026-03-12 INPS – Istituto nazionale previdenza sociale
Insufficient technical and organisational measures to ensure information security
🇮🇹 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9Art. 10 €40,000
2026-02-26 Flamel S.r.l.
Non-compliance with general data processing principles
🇮🇹 Italian Data Protection Authority (Garante) Art. 8Art. 11Art. 25Art. 39 €15,000
2026-02-19 Your Consulting SRL
Insufficient technical and organisational measures to ensure information security
🇷🇴 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 25Art. 32 €3,000
2026-02-12 Sole Trader
Insufficient legal basis for data processing
🇮🇹 Italian Data Protection Authority (Garante) Art. 5Art. 13Art. 25 €1,500
2026-01-29 Università Telematica e-Campus
Insufficient legal basis for data processing
🇮🇹 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9Art. 25 €50,000
2026-01-20 Slovenia DPA: Insufficient technical and organisational measures to ensure information security
Insufficient technical and organisational measures to ensure information security
🇸🇮 Slovenian Supervisory Authority (Informacijski pooblaščenec) Art. 25 €4,850
2025-12-22 CURENERGÍA COMERCIALIZADOR DE ÚLTIMO RECURSO S.A.U.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 25 €500,000
2025-12-22 CURENERGÍA COMERCIALIZADOR DE ÚLTIMO RECURSO S.A.U.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 25 €500,000
2025-12-18 Bank
Non-compliance with general data processing principles
🇭🇷 Croatian Data Protection Authority (azop) Art. 5Art. 6Art. 13Art. 25 €1,500,000
2025-12-12 Chief Constable of the Police Service of Scotland
Insufficient technical and organisational measures to ensure information security
🇬🇧 Information Commissioner (ICO) Art. 5Art. 25Art. 32Art. 33 €75,700
2025-11-27 Aimag S.p.A.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 13 €300,000
2025-11-27 Aimag S.p.A.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 13 €300,000
2025-11-26 Cucina di Fabio S.R.L.
Insufficient legal basis for data processing
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 6Art. 15Art. 17Art. 25 €3,000
2025-11-26 Cucina di Fabio S.R.L.
Insufficient legal basis for data processing
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 6Art. 15Art. 17Art. 25 €3,000
2025-11-21 IDCQ HOSPITALES Y SANIDAD, S.L.U.
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 6Art. 9Art. 25 €1,200,000
2025-11-15 Powiatowego Inspektora Sanitarnego w Policach
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 24Art. 25Art. 32 €4,750
2025-11-15 Powiatowego Inspektora Sanitarnego w Policach
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 24Art. 25Art. 32 €4,750
2025-10-23 Aktia Pankki Oyj
Insufficient technical and organisational measures to ensure information security
🇪🇺 Deputy Data Protection Ombudsman Art. 5Art. 25Art. 32 €865,000
2025-10-23 Aktia Pankki Oyj
Insufficient technical and organisational measures to ensure information security
🇪🇺 Deputy Data Protection Ombudsman Art. 5Art. 25Art. 32 €865,000
2025-10-09 Municipality of Moschato–Tavros
Insufficient legal basis for data processing
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 5Art. 12Art. 13Art. 25 €10,000
2025-10-09 Municipality of Moschato–Tavros
Insufficient legal basis for data processing
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 5Art. 12Art. 13Art. 25 €10,000