Article 25 GDPR — enforcement
Cited in 206 decisions · €920.8M total fines · median €50,000 · top authority: 🇪🇺 Italian Data Protection Authority (Garante) (69)
| Date | Company / party | Violation type | Authority | Articles | Fine |
|---|---|---|---|---|---|
| 2023-03-23 | Bolzano municipality | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5, Art. 25, Art. 32, Art. 33 | €30,000 |
| 2023-03-02 | Azienda sanitaria locale di Bari | Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5, Art. 9, Art. 25 | €50,000 |
| 2023-02-23 | Ediscom S.p.a. | Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5, Art. 6, Art. 7, Art. 14 | €300,000 |
| 2023-02-08 | Company | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5, Art. 24, Art. 25, Art. 32 | €7,200 |
| 2023-02-06 | I&S Limited Kft | Non-compliance with general data processing principles | 🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | Art. 5, Art. 6, Art. 9, Art. 13 | €80,500 |
| 2023-01-19 | Szczecin-Centrum District Court | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5, Art. 24, Art. 25, Art. 32 | €6,400 |
| 2022-12-15 | Edison Energia S.p.A. | Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5, Art. 6, Art. 7, Art. 12 | €4,900,000 |
| 2022-12-09 | Viking Line Oy Abp | Non-compliance with general data processing principles | 🇪🇺 Deputy Data Protection Ombudsman | Art. 5, Art. 12, Art. 13, Art. 15 | €230,000 |
| 2022-12-09 | Casa Rusu S.R.L. | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 25, Art. 32 | €2,000 |
| 2022-11-25 | OTP LEASING ROMANIA IFN SA | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 25, Art. 32 | €3,000 |
| 2022-11-16 | Raiffeisen Bank SA | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 25, Art. 32 | €28,000 |
| 2022-11-10 | DISCORD INC. | Non-compliance with general data processing principles | 🇪🇺 French Data Protection Authority (CNIL) | Art. 5, Art. 13, Art. 25, Art. 32 | €800,000 |
| 2022-11-10 | Azienda Usl Valle d'Aosta | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5, Art. 9, Art. 25, Art. 32 | €40,000 |
| 2022-11-03 | Burwebs S.L. | Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (AEPD) | Art. 5, Art. 12, Art. 13, Art. 25 | €75,000 |
| 2022-11-02 | Mayor | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5, Art. 25, Art. 32 | €1,700 |
| 2022-10-31 | TECHPUMP SOLUTIONS S.L. | Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (AEPD) | Art. 5, Art. 6, Art. 8, Art. 12 | €525,000 |
| 2022-10-20 | Douglas Italia S.p.a. | Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5, Art. 6, Art. 7, Art. 12 | €1,400,000 |
| 2022-09-22 | Bitfactor SRL | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 25, Art. 32 | €2,000 |
| 2022-09-19 | Banca Comercială Română SA | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 25, Art. 32 | €2,000 |
| 2022-09-05 | Meta Platforms, Inc. | Non-compliance with general data processing principles | 🇪🇺 Data Protection Authority of Ireland | Art. 5, Art. 6, Art. 12, Art. 24 | €405,000,000 |
| 2022-08-08 | IDIKA SA | Non-compliance with general data processing principles | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 5, Art. 25 | €5,000 |
| 2022-07-21 | Telecommunications company | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Croatian Data Protection Authority (AZOP) | Art. 25, Art. 32 | €285,000 |
| 2022-07-13 | Manx Care Ltd | Non-compliance with general data processing principles | 🇪🇺 Information Commissioner of Isle of Man | Art. 5, Art. 24, Art. 25, Art. 32 | €202,000 |
| 2022-05-26 | Azienda sanitaria universitaria Friuli Centrale | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5, Art. 9, Art. 25, Art. 32 | €70,000 |
| 2022-05-26 | Azienda sanitaria universitaria Friuli Occidentale | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5, Art. 9, Art. 25, Art. 32 | €50,000 |