Article 28 GDPR — enforcement
Cited in 145 decisions · €100.1M total fines · median €50,500 · top authority: 🇪🇺Italian Data Protection Authority (Garante) (50)
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2025-07-25 | Legal Entity Insufficient data processing agreement | 🇪🇺 Slovenian Supervisory Authority (Informacijski pooblaščenec) | Art. 28 | €5,810 |
| 2025-07-21 | McDonald’s Polska Sp. z o.o. Non-compliance with general data processing principles | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 25Art. 28Art. 38 | €3,955,000 |
| 2025-07-21 | McDonald’s Polska Sp. z o.o. Non-compliance with general data processing principles | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 25Art. 28Art. 38 | €3,955,000 |
| 2025-07-18 | ADMINISTRACIONES BENIPON, S.L. Insufficient fulfilment of data breach notification obligations | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 28Art. 33 | €1,100 |
| 2025-07-18 | ADMINISTRACIONES BENIPON, S.L. Insufficient fulfilment of data breach notification obligations | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 28Art. 33 | €1,100 |
| 2025-06-25 | Vodafone – PANAFON A.E.E.T. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 5Art. 28 | €550,000 |
| 2025-06-25 | Vodafone – PANAFON A.E.E.T. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 5Art. 28 | €550,000 |
| 2025-06-16 | ALBOR ENERGÍA S.L. Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 28 | €12,000 |
| 2025-06-16 | ALBOR ENERGÍA S.L. Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 28 | €12,000 |
| 2025-06-04 | Noi Compriamo Auto.it S.r.l. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 12Art. 24 | €45,000 |
| 2025-06-04 | Noi Compriamo Auto.it S.r.l. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 12Art. 24 | €45,000 |
| 2025-04-29 | Energia Verde S.p.A. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 12 | €100,000 |
| 2025-04-29 | Energia Verde S.p.A. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 12 | €100,000 |
| 2025-04-29 | Regione Lombardia Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 25Art. 28 | €50,000 |
| 2025-04-29 | Regione Lombardia Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 25Art. 28 | €50,000 |
| 2025-04-29 | Cooperativa Sociale Quadrifoglio Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 28Art. 32 | €20,000 |
| 2025-04-29 | Cooperativa Sociale Quadrifoglio Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 28Art. 32 | €20,000 |
| 2025-04-14 | LÃSER METALPRINT 3D, S.L. Insufficient data processing agreement | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 28 | €6,000 |
| 2025-04-14 | LÃSER METALPRINT 3D, S.L. Insufficient data processing agreement | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 28 | €6,000 |
| 2025-04-10 | Acea Energia S.p.A. Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 13 | €3,000,000 |
| 2025-04-10 | Acea Energia S.p.A. Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 13 | €3,000,000 |
| 2025-04-10 | Network of Agencies and Companies Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 13 | €850,000 |
| 2025-04-10 | Network of Agencies and Companies Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 13 | €850,000 |
| 2025-03-28 | SCHOOL FITNESS HOLIDAY & FRANCHISING, S.L. Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 7Art. 28 | €21,600 |
| 2025-03-28 | SCHOOL FITNESS HOLIDAY & FRANCHISING, S.L. Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 7Art. 28 | €21,600 |