Skip to content

Article 28 GDPR — enforcement

Cited in 145 decisions · €100.1M total fines · median €50,500 · top authority: 🇪🇺Italian Data Protection Authority (Garante) (50)

Date ↓ Company / party Authority Articles Fine
2026-05-12 Société Wallonne des Eaux
Insufficient legal basis for data processing
🇧🇪 Belgian Data Protection Authority (APD) Art. 5Art. 12Art. 13Art. 28 €86,000
2026-04-17 Poste Italiane S.p.a.
Non-compliance with general data processing principles
🇮🇹 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 13Art. 25 €6,624,000
2026-04-17 Postepay S.p.a.
Non-compliance with general data processing principles
🇮🇹 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 13Art. 25 €5,877,000
2026-03-25 RENAULT COMMERCIAL ROUMANIE S.R.L.
Insufficient technical and organisational measures to ensure information security
🇷🇴 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 28Art. 32 €125,000
2026-03-12 Enel Energia S.p.A.
Insufficient legal basis for data processing
🇮🇹 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 24 €563,052
2026-02-26 S.M. Trattamento Acqua di XX
Insufficient legal basis for data processing
🇮🇹 Italian Data Protection Authority (Garante) Art. 4Art. 5Art. 6Art. 7 €30,000
2026-02-26 Ministero delle Imprese e del Made in Italy
Insufficient data processing agreement
🇮🇹 Italian Data Protection Authority (Garante) Art. 28 €15,000
2026-02-26 Ministero dell’Economia e delle Finanze
Insufficient legal basis for data processing
🇮🇹 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 28 €12,000
2026-02-12 Depurazione Acqua S.r.l.
Insufficient legal basis for data processing
🇮🇹 Italian Data Protection Authority (Garante) Art. 4Art. 5Art. 6Art. 7 €15,000
2026-02-12 Comune di Velletri
Non-compliance with general data processing principles
🇮🇹 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 12Art. 13 €2,000
2026-01-13 PREMIER RESTAURANTS ROMANIA SRL
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 28Art. 32 €8,000
2026-01-13 PREMIER RESTAURANTS ROMANIA SRL
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 28Art. 32 €8,000
2025-12-31 Thessaloniki–Thessaly Gas Supply Company S.A.
Insufficient data processing agreement
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 28Art. 32 €10,000
2025-12-18 Pioneer Hi-Bred Italia Sementi s.r.l.
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 28 €120,000
2025-12-11 MOBIUS SOLUTIONS LTD
Non-compliance with general data processing principles
🇪🇺 French Data Protection Authority (CNIL) Art. 28Art. 29Art. 30 €1,000,000
2025-12-11 MOBIUS SOLUTIONS LTD
Non-compliance with general data processing principles
🇪🇺 French Data Protection Authority (CNIL) Art. 28Art. 29Art. 30 €1,000,000
2025-12-04 Comune di Tuscania
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 12Art. 13 €12,000
2025-11-24 Telecommunications operator (operator of electronic communications networks and services)
Non-compliance with general data processing principles
🇪🇺 Croatian Data Protection Authority (azop) Art. 5Art. 6Art. 12Art. 13 €4,500,000
2025-11-24 Telecommunications operator (operator of electronic communications networks and services)
Non-compliance with general data processing principles
🇪🇺 Croatian Data Protection Authority (azop) Art. 5Art. 6Art. 12Art. 13 €4,500,000
2025-10-22 SENDING TRANSPORTE Y COMUNICACIÓN, S.A.
Insufficient data processing agreement
🇪🇺 Spanish Data Protection Authority (aepd) Art. 28 €80,000
2025-10-22 SENDING TRANSPORTE Y COMUNICACIÓN, S.A.
Insufficient data processing agreement
🇪🇺 Spanish Data Protection Authority (aepd) Art. 28 €80,000
2025-09-04 Sociedad de Gestión de Activos Procedentes de la Reestructuración Bancaria S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 28 €180,000
2025-09-04 Sociedad de Gestión de Activos Procedentes de la Reestructuración Bancaria S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 28 €180,000
2025-08-25 YUNEXPRESS SPAIN, S.L.
Insufficient data processing agreement
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 28 €5,400
2025-08-25 YUNEXPRESS SPAIN, S.L.
Insufficient data processing agreement
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 28 €5,400