Article 28 GDPR — enforcement
Cited in 145 decisions · €100.1M total fines · median €50,500 · top authority: 🇪🇺Italian Data Protection Authority (Garante) (50)
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2025-03-24 | Hospital Non-compliance with general data processing principles | 🇪🇺 Croatian Data Protection Authority (azop) | Art. 13Art. 14Art. 25Art. 28 | €4,000 |
| 2025-03-24 | Hospital Non-compliance with general data processing principles | 🇪🇺 Croatian Data Protection Authority (azop) | Art. 13Art. 14Art. 25Art. 28 | €4,000 |
| 2025-02-05 | MARINA SALUD, S.A. Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 28 | €500,000 |
| 2025-01-16 | Realmaps S.r.l. Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 12 | €100,000 |
| 2024-12-23 | LÍNEA DIRECTA ASEGURADORA, S.A. Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 6Art. 28 | €300,000 |
| 2024-11-27 | E.ON Energia spa Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 12 | €892,783 |
| 2024-11-20 | POLAND DPA: Insufficient technical and organisational measures to ensure information security Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 25Art. 28Art. 32 | €358,000 |
| 2024-11-20 | POLAND DPA: Insufficient technical and organisational measures to ensure information security Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 28Art. 32 | €4,700 |
| 2024-11-13 | Foodinho Srl Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 9Art. 12 | €5,000,000 |
| 2024-11-13 | Illumia Spa Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 24 | €678,897 |
| 2024-07-17 | Hera Comm S.p.A. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 12Art. 15Art. 24 | €5,000,000 |
| 2024-06-20 | Municipality of Nepi Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 28Art. 2 | €20,000 |
| 2024-06-06 | Eni Plenitude S.p.A. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 24Art. 25 | €6,419,631 |
| 2024-06-06 | Covid 19 Test Lab Insufficient technical and organisational measures to ensure information security | 🇪🇺 Austrian Data Protection Authority (dsb) | Art. 9Art. 5Art. 28Art. 32 | €100,000 |
| 2024-04-11 | Olimpia S.r.l. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 24Art. 25 | €100,000 |
| 2024-04-11 | Facile.Energy S.r.l. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 24Art. 25 | €100,000 |
| 2024-02-08 | NTT Data Italia S.P.A Insufficient fulfilment of data breach notification obligations | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 28Art. 33 | €800,000 |
| 2024-02-01 | HISPAPOST, S.A. Insufficient fulfilment of data breach notification obligations | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 28 | €36,000 |
| 2023-12-06 | City of Kópavogur Non-compliance with general data processing principles | 🇪🇺 Icelandic data protection authority ('Persónuvernd') | Art. 5Art. 24Art. 28 | €20,000 |
| 2023-12-06 | City of Hafnarfjörður Non-compliance with general data processing principles | 🇪🇺 Icelandic data protection authority ('Persónuvernd') | Art. 5Art. 24Art. 28 | €18,600 |
| 2023-12-06 | Garðabær municipality Non-compliance with general data processing principles | 🇪🇺 Icelandic data protection authority ('Persónuvernd') | Art. 5Art. 24Art. 28 | €16,600 |
| 2023-12-06 | Reykjanesbær municipality Non-compliance with general data processing principles | 🇪🇺 Icelandic data protection authority ('Persónuvernd') | Art. 5Art. 24Art. 28 | €16,600 |
| 2023-12-06 | City of Reykjavik Non-compliance with general data processing principles | 🇪🇺 Icelandic data protection authority ('Persónuvernd') | Art. 5Art. 24Art. 28 | €13,300 |
| 2023-10-12 | GROUPE CANAL + Insufficient fulfilment of data subjects rights | 🇪🇺 French Data Protection Authority (CNIL) | Art. 7Art. 12Art. 13Art. 14 | €600,000 |
| 2023-07-18 | Municipality of Modica Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 12Art. 13Art. 25 | €45,000 |