Article 25 GDPR — enforcement
Cited in 206 decisions · €920.8M total fines · median €50,000 · top authority: 🇪🇺Italian Data Protection Authority (Garante) (69)
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2024-11-20 | POLAND DPA: Insufficient technical and organisational measures to ensure information security Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 25Art. 28Art. 32 | €358,000 |
| 2024-11-20 | Company Non-compliance with general data processing principles | 🇪🇺 National Commission for Data Protection (CNPD) | Art. 5Art. 6Art. 13Art. 25 | €2,300 |
| 2024-11-13 | Foodinho Srl Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 9Art. 12 | €5,000,000 |
| 2024-11-13 | Illumia Spa Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 24 | €678,897 |
| 2024-11-13 | Sligo County Council Non-compliance with general data processing principles | 🇪🇺 Data Protection Authority of Ireland | Art. 5Art. 13Art. 24Art. 25 | €29,500 |
| 2024-11-02 | OpenAI OpCo LLC Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 12Art. 13 | €15,000,000 |
| 2024-10-16 | Your Consulting SRL Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 25Art. 32 | €3,000 |
| 2024-07-04 | Postel S.p.A Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 25Art. 32Art. 33 | €900,000 |
| 2024-06-20 | Fastweb S.p.A. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 12 | €1,000,000 |
| 2024-06-13 | Healthcare facility Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 24Art. 25Art. 32Art. 34 | €9,200 |
| 2024-06-06 | Eni Plenitude S.p.A. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 24Art. 25 | €6,419,631 |
| 2024-05-09 | Azienda ospedale università di Padova Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 9Art. 25Art. 32 | €75,000 |
| 2024-04-29 | Res-Gastro M. Gaweł Sp. k. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 24Art. 25Art. 32 | €56,000 |
| 2024-04-24 | Committee Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 25Art. 32 | €2,500 |
| 2024-04-11 | Olimpia S.r.l. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 24Art. 25 | €100,000 |
| 2024-04-11 | Facile.Energy S.r.l. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 24Art. 25 | €100,000 |
| 2024-04-02 | Greek Ministry of Immigration and Asylum Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 25Art. 31Art. 35 | €175,000 |
| 2024-03-06 | Verkkokauppa.com Non-compliance with general data processing principles | 🇪🇺 Deputy Data Protection Ombudsman | Art. 5Art. 25 | €856,000 |
| 2024-01-17 | Centrum Medyczne Ujastek Sp. z o.o. Non-compliance with general data processing principles | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 6Art. 9Art. 13 | €273,000 |
| 2024-01-16 | Black Tiger Belgium Insufficient fulfilment of information obligations | 🇪🇺 Belgian Data Protection Authority (APD) | Art. 5Art. 6Art. 12Art. 14 | €174,640 |
| 2024-01-04 | Website operator Insufficient fulfilment of data subjects rights | 🇪🇺 Austrian Data Protection Authority (dsb) | Art. 17Art. 25Art. 58 | €10,000 |
| 2023-12-20 | Polish Minister of Health Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 25Art. 32Art. 34 | €23,000 |
| 2023-12-07 | Azienda socio sanitaria territoriale nord Milano, C.F. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 9Art. 25Art. 32 | €40,000 |
| 2023-11-27 | Norwegian Labor and Welfare Administration Insufficient technical and organisational measures to ensure information security | 🇪🇺 Norwegian Supervisory Authority (Datatilsynet) | Art. 5Art. 24Art. 25Art. 32 | €1,700,000 |
| 2023-10-26 | CAIXABANK, S.A. Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 25Art. 32 | €5,000,000 |