Skip to content

Article 25 GDPR — enforcement

Cited in 206 decisions · €920.8M total fines · median €50,000 · top authority: 🇪🇺Italian Data Protection Authority (Garante) (69)

Date ↓ Company / party Authority Articles Fine
2023-03-23 Bolzano municipality
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 25Art. 32Art. 33 €30,000
2023-03-02 Azienda sanitaria locale di Bari
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9Art. 25 €50,000
2023-02-23 Ediscom S.p.a.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 14 €300,000
2023-02-08 Company
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 24Art. 25Art. 32 €7,200
2023-02-06 I&S Limited Kft
Non-compliance with general data processing principles
🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) Art. 5Art. 6Art. 9Art. 13 €80,500
2023-01-19 Szczecin-Centrum District Court
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 24Art. 25Art. 32 €6,400
2022-12-15 Edison Energia S.p.A.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 12 €4,900,000
2022-12-09 Viking Line Oy Abp
Non-compliance with general data processing principles
🇪🇺 Deputy Data Protection Ombudsman Art. 5Art. 12Art. 13Art. 15 €230,000
2022-12-09 Casa Rusu S.R.L.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 25Art. 32 €2,000
2022-11-25 OTP LEASING ROMANIA IFN SA
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 25Art. 32 €3,000
2022-11-16 Raiffeisen Bank SA
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 25Art. 32 €28,000
2022-11-10 DISCORD INC.
Non-compliance with general data processing principles
🇪🇺 French Data Protection Authority (CNIL) Art. 5Art. 13Art. 25Art. 32 €800,000
2022-11-10 Azienda Usl Valle d'Aosta
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9Art. 25Art. 32 €40,000
2022-11-03 Burwebs S.L.
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 12Art. 13Art. 25 €75,000
2022-11-02 Mayor
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 25Art. 32 €1,700
2022-10-31 TECHPUMP SOLUTIONS S.L.
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 6Art. 8Art. 12 €525,000
2022-10-20 Douglas Italia S.p.a.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 12 €1,400,000
2022-09-22 Bitfactor SRL
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 25Art. 32 €2,000
2022-09-19 Banca Comercială Română SA
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 25Art. 32 €2,000
2022-09-05 Meta Platforms, Inc.
Non-compliance with general data processing principles
🇪🇺 Data Protection Authority of Ireland Art. 5Art. 6Art. 12Art. 24 €405,000,000
2022-08-08 IDIKA SA
Non-compliance with general data processing principles
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 5Art. 25 €5,000
2022-07-21 Telecommunications company
Insufficient technical and organisational measures to ensure information security
🇪🇺 Croatian Data Protection Authority (azop) Art. 25Art. 32 €285,000
2022-07-13 Manx Care Ltd
Non-compliance with general data processing principles
🇪🇺 Information Commissioner of Isle of Man Art. 5Art. 24Art. 25Art. 32 €202,000
2022-05-26 Azienda sanitaria universitaria Friuli Centrale
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9Art. 25Art. 32 €70,000
2022-05-26 Azienda sanitaria universitaria Friuli Occidentale
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9Art. 25Art. 32 €50,000