Skip to content

Article 25 GDPR — enforcement

Cited in 206 decisions · €920.8M total fines · median €50,000 · top authority: 🇪🇺Italian Data Protection Authority (Garante) (69)

Date ↓ Company / party Authority Articles Fine
2023-10-20 BANCO BILBAO VIZCAYA ARGENTARIA, S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 25Art. 32 €800,000
2023-10-12 Scionti Selezioni Superiori S.r.l.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 12 €70,000
2023-09-28 Asl Napoli 3 Sud
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 25Art. 32 €30,000
2023-09-25 Athens Urban Transport Organization
Non-compliance with general data processing principles
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 5Art. 25Art. 35 €50,000
2023-09-13 Zagreb Holding d.o.o.
Insufficient fulfilment of information obligations
🇪🇺 Croatian Data Protection Authority (azop) Art. 13Art. 25 €25,000
2023-09-01 TikTok Limited
Non-compliance with general data processing principles
🇪🇺 Data Protection Authority of Ireland Art. 5Art. 12Art. 13Art. 24 €345,000,000
2023-08-21 Uipath SRL
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 25Art. 32 €70,000
2023-07-28 Open Bank, S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 25Art. 32 €2,500,000
2023-07-18 Municipality of Modica
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 12Art. 13Art. 25 €45,000
2023-07-18 Compara Facile S.r.l.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 12 €40,000
2023-07-18 Company
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 24Art. 25Art. 32 €3,400
2023-07-03 Heilsuveru
Insufficient technical and organisational measures to ensure information security
🇪🇺 Icelandic data protection authority ('Persónuvernd') Art. 5Art. 25Art. 32 €81,000
2023-06-28 Sjúkratyringur Íslands
Insufficient technical and organisational measures to ensure information security
🇪🇺 Icelandic data protection authority ('Persónuvernd') Art. 5Art. 25Art. 32 €13,400
2023-06-12 Piraeus Bank
Non-compliance with general data processing principles
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 5Art. 6Art. 15Art. 25 €210,000
2023-06-01 Azienda Usl Toscana Sud Est.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9Art. 25Art. 2 €20,000
2023-05-31 Company
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 25Art. 32Art. 33 €10,600
2023-05-29 NOVA TELECOMMUNICATIONS & MEDIA ΜΟΝΟΠΡΟΣΩΠΗ Α.Ε.,
Insufficient fulfilment of data subjects rights
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 12Art. 15Art. 21Art. 25 €150,000
2023-05-18 Sports betting operator
Insufficient legal basis for data processing
🇪🇺 Croatian Data Protection Authority (azop) Art. 6Art. 13Art. 25Art. 32 €380,000
2023-05-18 AUTOMOBILE BAVARIA SRL
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 32Art. 25 €18,000
2023-05-17 Website operator
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 12Art. 13 €60,000
2023-05-16 Municipality
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 24Art. 25Art. 32 €6,700
2023-05-05 Municipality
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 25Art. 32 €2,200
2023-04-20 Disciplinary officer
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 25Art. 32 €5,400
2023-04-14 Sorgenia S.p.a.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 12Art. 25 €676,956
2023-04-14 Green Network S.p.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 25 €237,800