Skip to content

Article 25 GDPR — enforcement

Cited in 206 decisions · €920.8M total fines · median €50,000 · top authority: 🇪🇺Italian Data Protection Authority (Garante) (69)

Date ↓ Company / party Authority Articles Fine
2022-05-09 Otavamedia Oy
Insufficient fulfilment of data subjects rights
🇪🇺 Deputy Data Protection Ombudsman Art. 5Art. 12Art. 15Art. 17 €85,000
2022-04-07 Azienda ospedaliera di Perugia
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 13Art. 14Art. 25 €40,000
2022-02-08 Budapest Bank Zrt.
Insufficient legal basis for data processing
🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) Art. 5Art. 6Art. 12Art. 13 €634,000
2022-01-27 Cosmote Mobile Telecommunications S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 5Art. 13Art. 14Art. 25 €6,000,000
2022-01-19 Fortum Marketing and Sales Polska S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 24Art. 25Art. 28 €1,000,000
2021-12-28 FREE MOBILE
Insufficient fulfilment of data subjects rights
🇪🇺 French Data Protection Authority (CNIL) Art. 12Art. 15Art. 21Art. 25 €300,000
2021-12-26 Medical clinic
Insufficient fulfilment of information obligations
🇪🇺 Deputy Data Protection Ombudsman Art. 5Art. 12Art. 13Art. 15 €5,000
2021-12-16 Motor insurance center
Non-compliance with general data processing principles
🇪🇺 Deputy Data Protection Ombudsman Art. 5Art. 25 €52,000
2021-12-16 Centro di Medicina preventiva s.r.l.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 25Art. 32Art. 37 €10,000
2021-12-16 Travel agency
Insufficient technical and organisational measures to ensure information security
🇪🇺 Deputy Data Protection Ombudsman Art. 5Art. 17Art. 25Art. 32 €6,500
2021-12-16 Enel Energia S.p.A
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 12Art. 13 €0
2021-12-09 Warsaw University of Technology
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 24Art. 25Art. 32 €10,000
2021-11-23 Icelandic Ministry of Industry and Innovation
Non-compliance with general data processing principles
🇪🇺 Icelandic data protection authority ('Persónuvernd') Art. 5Art. 6Art. 7Art. 13 €51,000
2021-10-04 PREMIUMMEDIA ΠΑΡΑΓΩΓΗ ΟΠΤΙΚΟ-ΑΚΟΥΣΤΙΚΩΝ ΕΡΓΩΝ ΙΔΙΩΤΙΚΗ ΚΕΦΑΛΑΙΟΥΧΙΚΗ ΕΤΑΙΡΙΑ
Insufficient fulfilment of data subjects rights
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 21Art. 25 €5,000
2021-09-16 Bocconi University
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9Art. 13 €200,000
2021-09-16 La Prima S.r.l.
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 24Art. 25 €5,000
2021-08-13 President of the Zgierz District Court
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 25Art. 32 €2,200
2021-07-26 Mercadona S.A.
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 6Art. 9Art. 12 €2,520,000
2021-07-22 Deliveroo Italy s.r.l.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 13Art. 22Art. 25 €2,500,000
2021-07-22 Roma Capitale
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 12Art. 13Art. 25 €800,000
2021-06-18 Magyar Telekom Nyrt.
Insufficient fulfilment of data subjects rights
🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) Art. 5Art. 6Art. 12Art. 17 €28,400
2021-06-10 Foodinho s.r.l.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 13Art. 22Art. 25 €2,600,000
2021-06-10 Aeroporto Guglielmo Marconi di Bologna S.p.a.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 25Art. 32 €40,000
2021-05-12 KARIERA A.E.
Insufficient fulfilment of data subjects rights
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 17Art. 21Art. 25 €5,000
2021-05-04 EDP Comercializadora, S.A.U.
Insufficient fulfilment of information obligations
🇪🇺 Spanish Data Protection Authority (aepd) Art. 13Art. 25 €1,500,000