Skip to content

Article 25 GDPR — enforcement

Cited in 206 decisions · €920.8M total fines · median €50,000 · top authority: 🇪🇺Italian Data Protection Authority (Garante) (69)

Date ↓ Company / party Authority Articles Fine
2021-05-04 EDP Energía, S.A.U
Insufficient fulfilment of information obligations
🇪🇺 Spanish Data Protection Authority (aepd) Art. 13Art. 25 €1,500,000
2021-04-21 ParkkiPate Oy
Insufficient fulfilment of data subjects rights
🇪🇺 Deputy Data Protection Ombudsman Art. 5Art. 12Art. 14Art. 15 €75,000
2021-04-21 Fondazione Policlinico Tor Vergata di Roma
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 13Art. 25Art. 32 €15,000
2021-04-15 Comune di Palermo
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 25Art. 32 €40,000
2021-03-25 Fastweb S.p.A.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 12 €4,500,000
2021-03-23 Irish Credit Bureau DAC
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Ireland Art. 5Art. 24Art. 25 €90,000
2021-03-11 Planet Group Spa
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 21Art. 12 €80,000
2021-02-25 Istituto Nazionale Previdenza Sociale (INPS)
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 25Art. 35 €300,000
2021-02-23 Deutsche Wohnen SE
Non-compliance with general data processing principles
🇪🇺 Data Protection Authority of Berlin Art. 5Art. 25 €0
2021-02-11 Krajowa Szkoła Sądownictwa i Prokuratury
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 25Art. 28Art. 32 €22,200
2021-01-27 Family Service / N.D.P.K. nv.
Insufficient legal basis for data processing
🇪🇺 Belgian Data Protection Authority (APD) Art. 5Art. 6Art. 7Art. 13 €50,000
2021-01-01 Company
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Niedersachsen Art. 25Art. 32
2020-12-17 ID Finance Poland Sp. z o.o.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 25Art. 32 €235,300
2020-12-16 Robinson Tours Ltd. (Robinson Tours Idegenforgalmi és Szolgáltató Kft.)
Insufficient technical and organisational measures to ensure information security
🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) Art. 25Art. 32Art. 34 €55,400
2020-12-14 Virgin Mobile Polska
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 25Art. 32 €443,000
2020-11-25 Private Individual
Insufficient legal basis for data processing
🇪🇺 Belgian Data Protection Authority (APD) Art. 6Art. 25 €1,500
2020-11-12 Vodafone Italia S.p.A.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 15 €12,251,601
2020-10-23 Deichmann Cipőkereskedelmi Korlátolt Felelősségű Társaságnak
Insufficient fulfilment of data subjects rights
🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) Art. 12Art. 15Art. 18Art. 25 €54,800
2020-09-01 Apartment building owners association
Insufficient legal basis for data processing
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 5Art. 6Art. 12Art. 13 €500
2020-07-13 Wind Tre S.p.A.
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 12Art. 24 €16,700,000
2020-07-13 Iliad Italia S.p.A.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 25 €800,000
2020-02-20 T.K. EOOD
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Commision of Bulgaria (KZLD) Art. 25Art. 32 €2,560
2020-02-20 L.E. EOOD
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Commision of Bulgaria (KZLD) Art. 25Art. 32Art. 6 €2,560
2019-12-11 Unknown Company
Non-compliance with general data processing principles
🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) Art. 5Art. 6Art. 13Art. 24 €1,430
2019-12-10 Hora Credit IFN SA
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 5Art. 25Art. 32Art. 33 €14,000