Skip to content

Article 25 GDPR — enforcement

Cited in 206 decisions · €920.8M total fines · median €50,000 · top authority: 🇪🇺Italian Data Protection Authority (Garante) (69)

Date ↓ Company / party Authority Articles Fine
2025-10-09 FT Solutions S.r.l.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 12 €5,000
2025-10-09 FT Solutions S.r.l.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 12 €5,000
2025-09-11 Casa di Cura Città di Roma
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9Art. 25Art. 32 €12,000
2025-09-11 Casa di Cura Città di Roma
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9Art. 25Art. 32 €12,000
2025-09-08 S-Pankki Oyj
Insufficient technical and organisational measures to ensure information security
🇪🇺 Deputy Data Protection Ombudsman Art. 5Art. 25Art. 32 €1,800,000
2025-09-08 S-Pankki Oyj
Insufficient technical and organisational measures to ensure information security
🇪🇺 Deputy Data Protection Ombudsman Art. 5Art. 25Art. 32 €1,800,000
2025-08-04 Ospedaliero-Universitaria Careggi
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9Art. 25Art. 32 €80,000
2025-08-04 Ospedaliero-Universitaria Careggi
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9Art. 25Art. 32 €80,000
2025-08-04 Comune di Venezia
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 25Art. 32 €10,000
2025-08-04 Comune di Venezia
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 25Art. 32 €10,000
2025-08-04 Non-Public Health Care Institution
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 25Art. 32 €7,700
2025-08-04 Non-Public Health Care Institution
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 25Art. 32 €7,700
2025-07-21 McDonald’s Polska Sp. z o.o.
Non-compliance with general data processing principles
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 25Art. 28Art. 38 €3,955,000
2025-07-21 McDonald’s Polska Sp. z o.o.
Non-compliance with general data processing principles
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 25Art. 28Art. 38 €3,955,000
2025-07-21 24/7 Communication Sp. z o.o.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 25Art. 38 €43,000
2025-07-21 24/7 Communication Sp. z o.o.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 25Art. 38 €43,000
2025-07-21 Hestia Publishers & Booksellers I. D. Kollaros & Co. S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 5Art. 25Art. 32Art. 33 €9,000
2025-07-21 Hestia Publishers & Booksellers I. D. Kollaros & Co. S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 5Art. 25Art. 32Art. 33 €9,000
2025-06-26 Alliance for the Union of Romanians Party
Non-compliance with general data processing principles
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 5Art. 6Art. 25Art. 32 €25,000
2025-06-26 Alliance for the Union of Romanians Party
Non-compliance with general data processing principles
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 5Art. 6Art. 25Art. 32 €25,000
2025-06-23 Vodafone Romania S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 25 €4,000
2025-06-23 Vodafone Romania S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 25 €4,000
2025-04-29 Regione Lombardia
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 25Art. 28 €50,000
2025-04-29 Regione Lombardia
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 25Art. 28 €50,000
2025-04-29 MA Immobiliare S.r.l.s.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 12 €40,000