Article 28 GDPR — enforcement
Cited in 145 decisions · €100.1M total fines · median €50,500 · top authority: 🇪🇺Italian Data Protection Authority (Garante) (50)
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2023-06-22 | Autostrade per l'Italia spa Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 13Art. 28 | €1,000,000 |
| 2023-06-08 | KG COM Non-compliance with general data processing principles | 🇪🇺 French Data Protection Authority (CNIL) | Art. 5Art. 6Art. 9Art. 12 | €150,000 |
| 2023-05-04 | Debt collection agency Insufficient technical and organisational measures to ensure information security | 🇪🇺 Croatian Data Protection Authority (azop) | Art. 6Art. 13Art. 28Art. 32 | €2,265,000 |
| 2023-04-27 | Ama S.p.a. Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 28Art. 29Art. 32Art. 2 | €239,000 |
| 2023-04-27 | Roma Capitale Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 9Art. 28Art. 29 | €176,000 |
| 2023-04-13 | Mas s.r.l. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 13 | €500,000 |
| 2023-04-13 | Mas s.r.l.s. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 13 | €200,000 |
| 2023-03-23 | La Risorsa Umana.it s.r.l. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 13Art. 28 | €40,000 |
| 2023-03-16 | CITYSCOOT Non-compliance with general data processing principles | 🇪🇺 French Data Protection Authority (CNIL) | Art. 5Art. 28Art. 82 | €125,000 |
| 2023-03-02 | Razmataz Live s.r.l.. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 28 | €1,000 |
| 2023-02-07 | Housing association Insufficient fulfilment of data breach notification obligations | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 28Art. 33Art. 34 | €321 |
| 2022-12-15 | Verizon Connect Italy S.p.A. Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 28 | €30,000 |
| 2022-12-15 | Societatea Energetică Electrica S.A. Insufficient data processing agreement | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 28 | €5,000 |
| 2022-11-07 | INFORMÁTICA MÉDICA, S.L. Insufficient data processing agreement | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 28 | €60,000 |
| 2022-11-02 | Portuguese National Statistical Institute Non-compliance with general data processing principles | 🇪🇺 Portuguese Data Protection Authority (CNPD) | Art. 5Art. 9Art. 12Art. 13 | €4,300,000 |
| 2022-10-06 | Alpha Exploration Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 12 | €2,000,000 |
| 2022-09-07 | Sułkowice Cultural Center Insufficient data processing agreement | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 28 | €530 |
| 2022-08-28 | SOLIVESA MASTER FRANCHISE S.L. Insufficient fulfilment of data subjects rights | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 28Art. 48 | €5,600 |
| 2022-07-26 | Volkswagen Insufficient fulfilment of information obligations | 🇪🇺 Data Protection Authority of Niedersachsen | Art. 13Art. 28Art. 30Art. 35 | €1,100,000 |
| 2022-07-22 | ESVETEL, S.L. Insufficient fulfilment of data subjects rights | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 28Art. 48 | €40,000 |
| 2022-07-21 | Acqua Novara.VCO S.p.a. Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 28Art. 2 | €20,000 |
| 2022-07-21 | Ginosa municipality Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 28Art. 2 | €5,000 |
| 2022-06-08 | Wens Experience SRL Insufficient data processing agreement | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 28 | €1,500 |
| 2022-04-28 | Amiu S.p.A. Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 28Art. 37 | €200,000 |
| 2022-04-28 | Tarento municipality Insufficient fulfilment of information obligations | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 12Art. 13Art. 14 | €150,000 |