Article 25 GDPR — enforcement

Cited in 206 decisions · €920.8M total fines · median €50,000 · top authority: 🇪🇺 Italian Data Protection Authority (Garante) (69)

| Date | Company / party | Violation | Authority | Articles | Fine |
|---|---|---|---|---|---|
| 2024-11-20 | POLAND DPA: Insufficient technical and organisational measures to ensure information security | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5, Art. 25, Art. 28, Art. 32 | €358,000 |
| 2024-11-20 | Company | Non-compliance with general data processing principles | 🇪🇺 National Commission for Data Protection (CNPD) | Art. 5, Art. 6, Art. 13, Art. 25 | €2,300 |
| 2024-11-13 | Foodinho Srl | Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5, Art. 6, Art. 9, Art. 12 | €5,000,000 |
| 2024-11-13 | Illumia Spa | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5, Art. 6, Art. 7, Art. 24 | €678,897 |
| 2024-11-13 | Sligo County Council | Non-compliance with general data processing principles | 🇪🇺 Data Protection Authority of Ireland | Art. 5, Art. 13, Art. 24, Art. 25 | €29,500 |
| 2024-11-02 | OpenAI OpCo LLC | Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5, Art. 6, Art. 12, Art. 13 | €15,000,000 |
| 2024-10-16 | Your Consulting SRL | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 25, Art. 32 | €3,000 |
| 2024-07-04 | Postel S.p.A | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5, Art. 25, Art. 32, Art. 33 | €900,000 |
| 2024-06-20 | Fastweb S.p.A. | Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5, Art. 6, Art. 7, Art. 12 | €1,000,000 |
| 2024-06-13 | Healthcare facility | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 24, Art. 25, Art. 32, Art. 34 | €9,200 |
| 2024-06-06 | Eni Plenitude S.p.A. | Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5, Art. 6, Art. 24, Art. 25 | €6,419,631 |
| 2024-05-09 | Azienda ospedale università di Padova | Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5, Art. 9, Art. 25, Art. 32 | €75,000 |
| 2024-04-29 | Res-Gastro M. Gaweł Sp. k. | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 24, Art. 25, Art. 32 | €56,000 |
| 2024-04-24 | Committee | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5, Art. 25, Art. 32 | €2,500 |
| 2024-04-11 | Olimpia S.r.l. | Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5, Art. 6, Art. 24, Art. 25 | €100,000 |
| 2024-04-11 | Facile.Energy S.r.l. | Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5, Art. 6, Art. 24, Art. 25 | €100,000 |
| 2024-04-02 | Greek Ministry of Immigration and Asylum | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 25, Art. 31, Art. 35 | €175,000 |
| 2024-03-06 | Verkkokauppa.com | Non-compliance with general data processing principles | 🇪🇺 Deputy Data Protection Ombudsman | Art. 5, Art. 25 | €856,000 |
| 2024-01-17 | Centrum Medyczne Ujastek Sp. z o.o. | Non-compliance with general data processing principles | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5, Art. 6, Art. 9, Art. 13 | €273,000 |
| 2024-01-16 | Black Tiger Belgium | Insufficient fulfilment of information obligations | 🇪🇺 Belgian Data Protection Authority (APD) | Art. 5, Art. 6, Art. 12, Art. 14 | €174,640 |
| 2024-01-04 | Website operator | Insufficient fulfilment of data subjects rights | 🇪🇺 Austrian Data Protection Authority (dsb) | Art. 17, Art. 25, Art. 58 | €10,000 |
| 2023-12-20 | Polish Minister of Health | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 25, Art. 32, Art. 34 | €23,000 |
| 2023-12-07 | Azienda socio sanitaria territoriale nord Milano, C.F. | Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5, Art. 9, Art. 25, Art. 32 | €40,000 |
| 2023-11-27 | Norwegian Labor and Welfare Administration | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Norwegian Supervisory Authority (Datatilsynet) | Art. 5, Art. 24, Art. 25, Art. 32 | €1,700,000 |
| 2023-10-26 | CAIXABANK, S.A. | Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5, Art. 25, Art. 32 | €5,000,000 |