Skip to content

Article 28 GDPR — enforcement

Cited in 145 decisions · €100.1M total fines · median €50,500 · top authority: 🇪🇺Italian Data Protection Authority (Garante) (50)

Date ↓ Company / party Authority Articles Fine
2023-06-22 Autostrade per l'Italia spa
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 13Art. 28 €1,000,000
2023-06-08 KG COM
Non-compliance with general data processing principles
🇪🇺 French Data Protection Authority (CNIL) Art. 5Art. 6Art. 9Art. 12 €150,000
2023-05-04 Debt collection agency
Insufficient technical and organisational measures to ensure information security
🇪🇺 Croatian Data Protection Authority (azop) Art. 6Art. 13Art. 28Art. 32 €2,265,000
2023-04-27 Ama S.p.a.
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 28Art. 29Art. 32Art. 2 €239,000
2023-04-27 Roma Capitale
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9Art. 28Art. 29 €176,000
2023-04-13 Mas s.r.l.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 13 €500,000
2023-04-13 Mas s.r.l.s.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 13 €200,000
2023-03-23 La Risorsa Umana.it s.r.l.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 13Art. 28 €40,000
2023-03-16 CITYSCOOT
Non-compliance with general data processing principles
🇪🇺 French Data Protection Authority (CNIL) Art. 5Art. 28Art. 82 €125,000
2023-03-02 Razmataz Live s.r.l..
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 28 €1,000
2023-02-07 Housing association
Insufficient fulfilment of data breach notification obligations
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 28Art. 33Art. 34 €321
2022-12-15 Verizon Connect Italy S.p.A.
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 28 €30,000
2022-12-15 Societatea Energetică Electrica S.A.
Insufficient data processing agreement
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 28 €5,000
2022-11-07 INFORMÁTICA MÉDICA, S.L.
Insufficient data processing agreement
🇪🇺 Spanish Data Protection Authority (aepd) Art. 28 €60,000
2022-11-02 Portuguese National Statistical Institute
Non-compliance with general data processing principles
🇪🇺 Portuguese Data Protection Authority (CNPD) Art. 5Art. 9Art. 12Art. 13 €4,300,000
2022-10-06 Alpha Exploration
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 12 €2,000,000
2022-09-07 Sułkowice Cultural Center
Insufficient data processing agreement
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 28 €530
2022-08-28 SOLIVESA MASTER FRANCHISE S.L.
Insufficient fulfilment of data subjects rights
🇪🇺 Spanish Data Protection Authority (aepd) Art. 28Art. 48 €5,600
2022-07-26 Volkswagen
Insufficient fulfilment of information obligations
🇪🇺 Data Protection Authority of Niedersachsen Art. 13Art. 28Art. 30Art. 35 €1,100,000
2022-07-22 ESVETEL, S.L.
Insufficient fulfilment of data subjects rights
🇪🇺 Spanish Data Protection Authority (aepd) Art. 28Art. 48 €40,000
2022-07-21 Acqua Novara.VCO S.p.a.
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 28Art. 2 €20,000
2022-07-21 Ginosa municipality
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 28Art. 2 €5,000
2022-06-08 Wens Experience SRL
Insufficient data processing agreement
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 28 €1,500
2022-04-28 Amiu S.p.A.
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 28Art. 37 €200,000
2022-04-28 Tarento municipality
Insufficient fulfilment of information obligations
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 12Art. 13Art. 14 €150,000