Skip to content

Article 28 GDPR — enforcement

Cited in 145 decisions · €100.1M total fines · median €50,500 · top authority: 🇪🇺Italian Data Protection Authority (Garante) (50)

Date ↓ Company / party Authority Articles Fine
2022-04-15 DEDALUS BIOLOGIE
Insufficient technical and organisational measures to ensure information security
🇪🇺 French Data Protection Authority (CNIL) Art. 28Art. 29Art. 32 €1,500,000
2022-04-07 ISWEB S.p.A.
Insufficient data processing agreement
🇪🇺 Italian Data Protection Authority (Garante) Art. 28 €40,000
2022-04-01 Company
Insufficient fulfilment of data subjects rights
🇪🇺 Belgian Data Protection Authority (APD) Art. 5Art. 6Art. 15Art. 17 €7,500
2022-02-10 Scanshare S.r.l.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 28Art. 32 €10,000
2022-02-04 SEGURCAIXA ADESLAS, S.A. DE SEGUROS Y REASEGUROS
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 6Art. 17Art. 28 €300,000
2022-01-27 Cosmote Mobile Telecommunications S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 5Art. 13Art. 14Art. 25 €6,000,000
2022-01-26 Slane Credit Union Ltd.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Ireland Art. 5Art. 24Art. 28Art. 30 €5,000
2022-01-19 Fortum Marketing and Sales Polska S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 24Art. 25Art. 28 €1,000,000
2022-01-19 PIKA Sp. z o.o.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 28Art. 32 €53,000
2022-01-01 PRINTAFORM Ltd.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Cypriot Data Protection Commissioner Art. 28Art. 32 €3,750
2022-01-01 Universal Life Insurance Public Co Ltd.
Insufficient data processing agreement
🇪🇺 Cypriot Data Protection Commissioner Art. 24Art. 28 €3,500
2022-01-01 Bank
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Brandenburg Art. 28Art. 32
2022-01-01 Aid organization
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Brandenburg Art. 28Art. 32
2021-12-28 SLIMPAY
Insufficient technical and organisational measures to ensure information security
🇪🇺 French Data Protection Authority (CNIL) Art. 28Art. 32Art. 34 €180,000
2021-12-08 One Way Private Company
Insufficient technical and organisational measures to ensure information security
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 28Art. 32Art. 11 €30,000
2021-11-23 Icelandic Ministry of Industry and Innovation
Non-compliance with general data processing principles
🇪🇺 Icelandic data protection authority ('Persónuvernd') Art. 5Art. 6Art. 7Art. 13 €51,000
2021-11-23 YAY ehf.
Non-compliance with general data processing principles
🇪🇺 Icelandic data protection authority ('Persónuvernd') Art. 5Art. 6Art. 28Art. 32 €27,200
2021-09-27 Ferde AS
Non-compliance with general data processing principles
🇪🇺 Norwegian Supervisory Authority (Datatilsynet) Art. 5Art. 28Art. 32Art. 44 €496,000
2021-09-16 Sky Italia S.r.l.
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 12 €3,296,326
2021-08-24 Actamedica SRL
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 28Art. 32Art. 33 €3,000
2021-07-26 Monsanto Company
Insufficient fulfilment of information obligations
🇪🇺 French Data Protection Authority (CNIL) Art. 14Art. 28 €400,000
2021-07-22 Roma Capitale
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 12Art. 13Art. 25 €800,000
2021-07-06 Marbella Resorts S.L.
Insufficient data processing agreement
🇪🇺 Spanish Data Protection Authority (aepd) Art. 28 €4,200
2021-06-24 Magazine publisher
Insufficient legal basis for data processing
🇪🇺 Deputy Data Protection Ombudsman Art. 5Art. 7Art. 12Art. 21 €8,500
2021-06-10 aiComply S.r.l.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 28Art. 32 €40,000