Article 25 GDPR — enforcement
Cited in 206 decisions · €920.8M total fines · median €50,000 · top authority: 🇪🇺Italian Data Protection Authority (Garante) (69)
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2023-10-20 | BANCO BILBAO VIZCAYA ARGENTARIA, S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 25Art. 32 | €800,000 |
| 2023-10-12 | Scionti Selezioni Superiori S.r.l. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 12 | €70,000 |
| 2023-09-28 | Asl Napoli 3 Sud Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 25Art. 32 | €30,000 |
| 2023-09-25 | Athens Urban Transport Organization Non-compliance with general data processing principles | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 5Art. 25Art. 35 | €50,000 |
| 2023-09-13 | Zagreb Holding d.o.o. Insufficient fulfilment of information obligations | 🇪🇺 Croatian Data Protection Authority (azop) | Art. 13Art. 25 | €25,000 |
| 2023-09-01 | TikTok Limited Non-compliance with general data processing principles | 🇪🇺 Data Protection Authority of Ireland | Art. 5Art. 12Art. 13Art. 24 | €345,000,000 |
| 2023-08-21 | Uipath SRL Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 25Art. 32 | €70,000 |
| 2023-07-28 | Open Bank, S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 25Art. 32 | €2,500,000 |
| 2023-07-18 | Municipality of Modica Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 12Art. 13Art. 25 | €45,000 |
| 2023-07-18 | Compara Facile S.r.l. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 12 | €40,000 |
| 2023-07-18 | Company Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 24Art. 25Art. 32 | €3,400 |
| 2023-07-03 | Heilsuveru Insufficient technical and organisational measures to ensure information security | 🇪🇺 Icelandic data protection authority ('Persónuvernd') | Art. 5Art. 25Art. 32 | €81,000 |
| 2023-06-28 | Sjúkratyringur Íslands Insufficient technical and organisational measures to ensure information security | 🇪🇺 Icelandic data protection authority ('Persónuvernd') | Art. 5Art. 25Art. 32 | €13,400 |
| 2023-06-12 | Piraeus Bank Non-compliance with general data processing principles | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 5Art. 6Art. 15Art. 25 | €210,000 |
| 2023-06-01 | Azienda Usl Toscana Sud Est. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 9Art. 25Art. 2 | €20,000 |
| 2023-05-31 | Company Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 25Art. 32Art. 33 | €10,600 |
| 2023-05-29 | NOVA TELECOMMUNICATIONS & MEDIA ΜΟΝΟΠΡΟΣΩΠΗ
Α.Ε., Insufficient fulfilment of data subjects rights | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 12Art. 15Art. 21Art. 25 | €150,000 |
| 2023-05-18 | Sports betting operator Insufficient legal basis for data processing | 🇪🇺 Croatian Data Protection Authority (azop) | Art. 6Art. 13Art. 25Art. 32 | €380,000 |
| 2023-05-18 | AUTOMOBILE BAVARIA SRL Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32Art. 25 | €18,000 |
| 2023-05-17 | Website operator Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 12Art. 13 | €60,000 |
| 2023-05-16 | Municipality Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 24Art. 25Art. 32 | €6,700 |
| 2023-05-05 | Municipality Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 25Art. 32 | €2,200 |
| 2023-04-20 | Disciplinary officer Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 25Art. 32 | €5,400 |
| 2023-04-14 | Sorgenia S.p.a. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 12Art. 25 | €676,956 |
| 2023-04-14 | Green Network S.p.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 25 | €237,800 |