Article 25 GDPR — enforcement
Cited in 206 decisions · €920.8M total fines · median €50,000 · top authority: 🇪🇺Italian Data Protection Authority (Garante) (69)
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2021-05-04 | EDP Energía, S.A.U Insufficient fulfilment of information obligations | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 13Art. 25 | €1,500,000 |
| 2021-04-21 | ParkkiPate Oy Insufficient fulfilment of data subjects rights | 🇪🇺 Deputy Data Protection Ombudsman | Art. 5Art. 12Art. 14Art. 15 | €75,000 |
| 2021-04-21 | Fondazione Policlinico Tor Vergata di Roma Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 13Art. 25Art. 32 | €15,000 |
| 2021-04-15 | Comune di Palermo Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 25Art. 32 | €40,000 |
| 2021-03-25 | Fastweb S.p.A. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 12 | €4,500,000 |
| 2021-03-23 | Irish Credit Bureau DAC Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Authority of Ireland | Art. 5Art. 24Art. 25 | €90,000 |
| 2021-03-11 | Planet Group Spa Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 21Art. 12 | €80,000 |
| 2021-02-25 | Istituto Nazionale Previdenza Sociale (INPS) Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 25Art. 35 | €300,000 |
| 2021-02-23 | Deutsche Wohnen SE Non-compliance with general data processing principles | 🇪🇺 Data Protection Authority of Berlin | Art. 5Art. 25 | €0 |
| 2021-02-11 | Krajowa Szkoła Sądownictwa i Prokuratury Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 25Art. 28Art. 32 | €22,200 |
| 2021-01-27 | Family Service / N.D.P.K. nv. Insufficient legal basis for data processing | 🇪🇺 Belgian Data Protection Authority (APD) | Art. 5Art. 6Art. 7Art. 13 | €50,000 |
| 2021-01-01 | Company Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Authority of Niedersachsen | Art. 25Art. 32 | — |
| 2020-12-17 | ID Finance Poland Sp. z o.o. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 25Art. 32 | €235,300 |
| 2020-12-16 | Robinson Tours Ltd. (Robinson Tours Idegenforgalmi és Szolgáltató Kft.) Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | Art. 25Art. 32Art. 34 | €55,400 |
| 2020-12-14 | Virgin Mobile Polska Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 25Art. 32 | €443,000 |
| 2020-11-25 | Private Individual Insufficient legal basis for data processing | 🇪🇺 Belgian Data Protection Authority (APD) | Art. 6Art. 25 | €1,500 |
| 2020-11-12 | Vodafone Italia S.p.A. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 15 | €12,251,601 |
| 2020-10-23 | Deichmann Cipőkereskedelmi Korlátolt Felelősségű Társaságnak Insufficient fulfilment of data subjects rights | 🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | Art. 12Art. 15Art. 18Art. 25 | €54,800 |
| 2020-09-01 | Apartment building owners association Insufficient legal basis for data processing | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 5Art. 6Art. 12Art. 13 | €500 |
| 2020-07-13 | Wind Tre S.p.A. Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 12Art. 24 | €16,700,000 |
| 2020-07-13 | Iliad Italia S.p.A. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 25 | €800,000 |
| 2020-02-20 | T.K. EOOD Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Commision of Bulgaria (KZLD) | Art. 25Art. 32 | €2,560 |
| 2020-02-20 | L.E. EOOD Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Commision of Bulgaria (KZLD) | Art. 25Art. 32Art. 6 | €2,560 |
| 2019-12-11 | Unknown Company Non-compliance with general data processing principles | 🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | Art. 5Art. 6Art. 13Art. 24 | €1,430 |
| 2019-12-10 | Hora Credit IFN SA Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 5Art. 25Art. 32Art. 33 | €14,000 |