Article 28 GDPR — enforcement
Cited in 145 decisions · €100.1M total fines · median €50,500 · top authority: 🇪🇺Italian Data Protection Authority (Garante) (50)
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2026-05-12 | Société Wallonne des Eaux Insufficient legal basis for data processing | 🇧🇪 Belgian Data Protection Authority (APD) | Art. 5Art. 12Art. 13Art. 28 | €86,000 |
| 2026-04-17 | Poste Italiane S.p.a. Non-compliance with general data processing principles | 🇮🇹 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 13Art. 25 | €6,624,000 |
| 2026-04-17 | Postepay S.p.a. Non-compliance with general data processing principles | 🇮🇹 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 13Art. 25 | €5,877,000 |
| 2026-03-25 | RENAULT COMMERCIAL ROUMANIE S.R.L. Insufficient technical and organisational measures to ensure information security | 🇷🇴 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 28Art. 32 | €125,000 |
| 2026-03-12 | Enel Energia S.p.A. Insufficient legal basis for data processing | 🇮🇹 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 24 | €563,052 |
| 2026-02-26 | S.M. Trattamento Acqua di XX Insufficient legal basis for data processing | 🇮🇹 Italian Data Protection Authority (Garante) | Art. 4Art. 5Art. 6Art. 7 | €30,000 |
| 2026-02-26 | Ministero delle Imprese e del Made in Italy Insufficient data processing agreement | 🇮🇹 Italian Data Protection Authority (Garante) | Art. 28 | €15,000 |
| 2026-02-26 | Ministero dell’Economia e delle Finanze Insufficient legal basis for data processing | 🇮🇹 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 28 | €12,000 |
| 2026-02-12 | Depurazione Acqua S.r.l. Insufficient legal basis for data processing | 🇮🇹 Italian Data Protection Authority (Garante) | Art. 4Art. 5Art. 6Art. 7 | €15,000 |
| 2026-02-12 | Comune di Velletri Non-compliance with general data processing principles | 🇮🇹 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 12Art. 13 | €2,000 |
| 2026-01-13 | PREMIER RESTAURANTS ROMANIA SRL Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 28Art. 32 | €8,000 |
| 2026-01-13 | PREMIER RESTAURANTS ROMANIA SRL Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 28Art. 32 | €8,000 |
| 2025-12-31 | Thessaloniki–Thessaly Gas Supply Company S.A. Insufficient data processing agreement | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 28Art. 32 | €10,000 |
| 2025-12-18 | Pioneer Hi-Bred Italia Sementi s.r.l. Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 28 | €120,000 |
| 2025-12-11 | MOBIUS SOLUTIONS LTD Non-compliance with general data processing principles | 🇪🇺 French Data Protection Authority (CNIL) | Art. 28Art. 29Art. 30 | €1,000,000 |
| 2025-12-11 | MOBIUS SOLUTIONS LTD Non-compliance with general data processing principles | 🇪🇺 French Data Protection Authority (CNIL) | Art. 28Art. 29Art. 30 | €1,000,000 |
| 2025-12-04 | Comune di Tuscania Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 12Art. 13 | €12,000 |
| 2025-11-24 | Telecommunications operator (operator of electronic communications networks and services) Non-compliance with general data processing principles | 🇪🇺 Croatian Data Protection Authority (azop) | Art. 5Art. 6Art. 12Art. 13 | €4,500,000 |
| 2025-11-24 | Telecommunications operator (operator of electronic communications networks and services) Non-compliance with general data processing principles | 🇪🇺 Croatian Data Protection Authority (azop) | Art. 5Art. 6Art. 12Art. 13 | €4,500,000 |
| 2025-10-22 | SENDING TRANSPORTE Y COMUNICACIÓN, S.A. Insufficient data processing agreement | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 28 | €80,000 |
| 2025-10-22 | SENDING TRANSPORTE Y COMUNICACIÓN, S.A. Insufficient data processing agreement | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 28 | €80,000 |
| 2025-09-04 | Sociedad de Gestión de Activos Procedentes de la Reestructuración Bancaria S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 28 | €180,000 |
| 2025-09-04 | Sociedad de Gestión de Activos Procedentes de la Reestructuración Bancaria S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 28 | €180,000 |
| 2025-08-25 | YUNEXPRESS SPAIN, S.L. Insufficient data processing agreement | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 28 | €5,400 |
| 2025-08-25 | YUNEXPRESS SPAIN, S.L. Insufficient data processing agreement | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 28 | €5,400 |
1–25 of 145 next →