Skip to content

Article 28 GDPR — enforcement

Cited in 145 decisions · €100.1M total fines · median €50,500 · top authority: 🇪🇺Italian Data Protection Authority (Garante) (50)

Date ↓ Company / party Authority Articles Fine
2025-03-24 Hospital
Non-compliance with general data processing principles
🇪🇺 Croatian Data Protection Authority (azop) Art. 13Art. 14Art. 25Art. 28 €4,000
2025-03-24 Hospital
Non-compliance with general data processing principles
🇪🇺 Croatian Data Protection Authority (azop) Art. 13Art. 14Art. 25Art. 28 €4,000
2025-02-05 MARINA SALUD, S.A.
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 28 €500,000
2025-01-16 Realmaps S.r.l.
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 12 €100,000
2024-12-23 LÍNEA DIRECTA ASEGURADORA, S.A.
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 6Art. 28 €300,000
2024-11-27 E.ON Energia spa
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 12 €892,783
2024-11-20 POLAND DPA: Insufficient technical and organisational measures to ensure information security
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 25Art. 28Art. 32 €358,000
2024-11-20 POLAND DPA: Insufficient technical and organisational measures to ensure information security
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 28Art. 32 €4,700
2024-11-13 Foodinho Srl
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9Art. 12 €5,000,000
2024-11-13 Illumia Spa
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 24 €678,897
2024-07-17 Hera Comm S.p.A.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 12Art. 15Art. 24 €5,000,000
2024-06-20 Municipality of Nepi
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 28Art. 2 €20,000
2024-06-06 Eni Plenitude S.p.A.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 24Art. 25 €6,419,631
2024-06-06 Covid 19 Test Lab
Insufficient technical and organisational measures to ensure information security
🇪🇺 Austrian Data Protection Authority (dsb) Art. 9Art. 5Art. 28Art. 32 €100,000
2024-04-11 Olimpia S.r.l.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 24Art. 25 €100,000
2024-04-11 Facile.Energy S.r.l.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 24Art. 25 €100,000
2024-02-08 NTT Data Italia S.P.A
Insufficient fulfilment of data breach notification obligations
🇪🇺 Italian Data Protection Authority (Garante) Art. 28Art. 33 €800,000
2024-02-01 HISPAPOST, S.A.
Insufficient fulfilment of data breach notification obligations
🇪🇺 Spanish Data Protection Authority (aepd) Art. 28 €36,000
2023-12-06 City of Kópavogur
Non-compliance with general data processing principles
🇪🇺 Icelandic data protection authority ('Persónuvernd') Art. 5Art. 24Art. 28 €20,000
2023-12-06 City of Hafnarfjörður
Non-compliance with general data processing principles
🇪🇺 Icelandic data protection authority ('Persónuvernd') Art. 5Art. 24Art. 28 €18,600
2023-12-06 Garðabær municipality
Non-compliance with general data processing principles
🇪🇺 Icelandic data protection authority ('Persónuvernd') Art. 5Art. 24Art. 28 €16,600
2023-12-06 Reykjanesbær municipality
Non-compliance with general data processing principles
🇪🇺 Icelandic data protection authority ('Persónuvernd') Art. 5Art. 24Art. 28 €16,600
2023-12-06 City of Reykjavik
Non-compliance with general data processing principles
🇪🇺 Icelandic data protection authority ('Persónuvernd') Art. 5Art. 24Art. 28 €13,300
2023-10-12 GROUPE CANAL +
Insufficient fulfilment of data subjects rights
🇪🇺 French Data Protection Authority (CNIL) Art. 7Art. 12Art. 13Art. 14 €600,000
2023-07-18 Municipality of Modica
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 12Art. 13Art. 25 €45,000