Article 25 GDPR — enforcement
Cited in 206 decisions · €920.8M total fines · median €50,000 · top authority: 🇪🇺Italian Data Protection Authority (Garante) (69)
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2022-05-09 | Otavamedia Oy Insufficient fulfilment of data subjects rights | 🇪🇺 Deputy Data Protection Ombudsman | Art. 5Art. 12Art. 15Art. 17 | €85,000 |
| 2022-04-07 | Azienda ospedaliera di Perugia Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 13Art. 14Art. 25 | €40,000 |
| 2022-02-08 | Budapest Bank Zrt. Insufficient legal basis for data processing | 🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | Art. 5Art. 6Art. 12Art. 13 | €634,000 |
| 2022-01-27 | Cosmote Mobile Telecommunications S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 5Art. 13Art. 14Art. 25 | €6,000,000 |
| 2022-01-19 | Fortum Marketing and Sales Polska S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 24Art. 25Art. 28 | €1,000,000 |
| 2021-12-28 | FREE MOBILE Insufficient fulfilment of data subjects rights | 🇪🇺 French Data Protection Authority (CNIL) | Art. 12Art. 15Art. 21Art. 25 | €300,000 |
| 2021-12-26 | Medical clinic Insufficient fulfilment of information obligations | 🇪🇺 Deputy Data Protection Ombudsman | Art. 5Art. 12Art. 13Art. 15 | €5,000 |
| 2021-12-16 | Motor insurance center Non-compliance with general data processing principles | 🇪🇺 Deputy Data Protection Ombudsman | Art. 5Art. 25 | €52,000 |
| 2021-12-16 | Centro di Medicina preventiva s.r.l. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 25Art. 32Art. 37 | €10,000 |
| 2021-12-16 | Travel agency Insufficient technical and organisational measures to ensure information security | 🇪🇺 Deputy Data Protection Ombudsman | Art. 5Art. 17Art. 25Art. 32 | €6,500 |
| 2021-12-16 | Enel Energia S.p.A Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 12Art. 13 | €0 |
| 2021-12-09 | Warsaw University of Technology Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 24Art. 25Art. 32 | €10,000 |
| 2021-11-23 | Icelandic Ministry of Industry and Innovation Non-compliance with general data processing principles | 🇪🇺 Icelandic data protection authority ('Persónuvernd') | Art. 5Art. 6Art. 7Art. 13 | €51,000 |
| 2021-10-04 | PREMIUMMEDIA ΠΑΡΑΓΩΓΗ ΟΠΤΙΚΟ-ΑΚΟΥΣΤΙΚΩΝ ΕΡΓΩΝ ΙΔΙΩΤΙΚΗ ΚΕΦΑΛΑΙΟΥΧΙΚΗ ΕΤΑΙΡΙΑ Insufficient fulfilment of data subjects rights | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 21Art. 25 | €5,000 |
| 2021-09-16 | Bocconi University Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 9Art. 13 | €200,000 |
| 2021-09-16 | La Prima S.r.l. Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 24Art. 25 | €5,000 |
| 2021-08-13 | President of the Zgierz District Court Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 25Art. 32 | €2,200 |
| 2021-07-26 | Mercadona S.A. Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 6Art. 9Art. 12 | €2,520,000 |
| 2021-07-22 | Deliveroo Italy s.r.l. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 13Art. 22Art. 25 | €2,500,000 |
| 2021-07-22 | Roma Capitale Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 12Art. 13Art. 25 | €800,000 |
| 2021-06-18 | Magyar Telekom Nyrt. Insufficient fulfilment of data subjects rights | 🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | Art. 5Art. 6Art. 12Art. 17 | €28,400 |
| 2021-06-10 | Foodinho s.r.l. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 13Art. 22Art. 25 | €2,600,000 |
| 2021-06-10 | Aeroporto Guglielmo Marconi di Bologna S.p.a. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 25Art. 32 | €40,000 |
| 2021-05-12 | KARIERA A.E. Insufficient fulfilment of data subjects rights | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 17Art. 21Art. 25 | €5,000 |
| 2021-05-04 | EDP Comercializadora, S.A.U. Insufficient fulfilment of information obligations | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 13Art. 25 | €1,500,000 |