Article 25 GDPR — enforcement
Cited in 206 decisions · €920.8M total fines · median €50,000 · top authority: 🇪🇺Italian Data Protection Authority (Garante) (69)
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2025-10-09 | FT Solutions S.r.l. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 12 | €5,000 |
| 2025-10-09 | FT Solutions S.r.l. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 12 | €5,000 |
| 2025-09-11 | Casa di Cura Città di Roma Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 9Art. 25Art. 32 | €12,000 |
| 2025-09-11 | Casa di Cura Città di Roma Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 9Art. 25Art. 32 | €12,000 |
| 2025-09-08 | S-Pankki Oyj Insufficient technical and organisational measures to ensure information security | 🇪🇺 Deputy Data Protection Ombudsman | Art. 5Art. 25Art. 32 | €1,800,000 |
| 2025-09-08 | S-Pankki Oyj Insufficient technical and organisational measures to ensure information security | 🇪🇺 Deputy Data Protection Ombudsman | Art. 5Art. 25Art. 32 | €1,800,000 |
| 2025-08-04 | Ospedaliero-Universitaria Careggi Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 9Art. 25Art. 32 | €80,000 |
| 2025-08-04 | Ospedaliero-Universitaria Careggi Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 9Art. 25Art. 32 | €80,000 |
| 2025-08-04 | Comune di Venezia Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 25Art. 32 | €10,000 |
| 2025-08-04 | Comune di Venezia Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 25Art. 32 | €10,000 |
| 2025-08-04 | Non-Public Health Care Institution Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 25Art. 32 | €7,700 |
| 2025-08-04 | Non-Public Health Care Institution Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 25Art. 32 | €7,700 |
| 2025-07-21 | McDonald’s Polska Sp. z o.o. Non-compliance with general data processing principles | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 25Art. 28Art. 38 | €3,955,000 |
| 2025-07-21 | McDonald’s Polska Sp. z o.o. Non-compliance with general data processing principles | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 25Art. 28Art. 38 | €3,955,000 |
| 2025-07-21 | 24/7 Communication Sp. z o.o. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 25Art. 38 | €43,000 |
| 2025-07-21 | 24/7 Communication Sp. z o.o. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 25Art. 38 | €43,000 |
| 2025-07-21 | Hestia Publishers & Booksellers I. D. Kollaros & Co. S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 5Art. 25Art. 32Art. 33 | €9,000 |
| 2025-07-21 | Hestia Publishers & Booksellers I. D. Kollaros & Co. S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 5Art. 25Art. 32Art. 33 | €9,000 |
| 2025-06-26 | Alliance for the Union of Romanians Party Non-compliance with general data processing principles | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 5Art. 6Art. 25Art. 32 | €25,000 |
| 2025-06-26 | Alliance for the Union of Romanians Party Non-compliance with general data processing principles | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 5Art. 6Art. 25Art. 32 | €25,000 |
| 2025-06-23 | Vodafone Romania S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 25 | €4,000 |
| 2025-06-23 | Vodafone Romania S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 25 | €4,000 |
| 2025-04-29 | Regione Lombardia Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 25Art. 28 | €50,000 |
| 2025-04-29 | Regione Lombardia Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 25Art. 28 | €50,000 |
| 2025-04-29 | MA Immobiliare S.r.l.s. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 12 | €40,000 |