Article 28 GDPR — enforcement
Cited in 145 decisions · €100.1M total fines · median €50,500 · top authority: 🇪🇺Italian Data Protection Authority (Garante) (50)
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2022-04-15 | DEDALUS BIOLOGIE Insufficient technical and organisational measures to ensure information security | 🇪🇺 French Data Protection Authority (CNIL) | Art. 28Art. 29Art. 32 | €1,500,000 |
| 2022-04-07 | ISWEB S.p.A. Insufficient data processing agreement | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 28 | €40,000 |
| 2022-04-01 | Company Insufficient fulfilment of data subjects rights | 🇪🇺 Belgian Data Protection Authority (APD) | Art. 5Art. 6Art. 15Art. 17 | €7,500 |
| 2022-02-10 | Scanshare S.r.l. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 28Art. 32 | €10,000 |
| 2022-02-04 | SEGURCAIXA ADESLAS, S.A. DE SEGUROS Y REASEGUROS Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 6Art. 17Art. 28 | €300,000 |
| 2022-01-27 | Cosmote Mobile Telecommunications S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 5Art. 13Art. 14Art. 25 | €6,000,000 |
| 2022-01-26 | Slane Credit Union Ltd. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Authority of Ireland | Art. 5Art. 24Art. 28Art. 30 | €5,000 |
| 2022-01-19 | Fortum Marketing and Sales Polska S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 24Art. 25Art. 28 | €1,000,000 |
| 2022-01-19 | PIKA Sp. z o.o. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 28Art. 32 | €53,000 |
| 2022-01-01 | PRINTAFORM Ltd. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Cypriot Data Protection Commissioner | Art. 28Art. 32 | €3,750 |
| 2022-01-01 | Universal Life Insurance Public Co Ltd. Insufficient data processing agreement | 🇪🇺 Cypriot Data Protection Commissioner | Art. 24Art. 28 | €3,500 |
| 2022-01-01 | Bank Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Authority of Brandenburg | Art. 28Art. 32 | — |
| 2022-01-01 | Aid organization Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Authority of Brandenburg | Art. 28Art. 32 | — |
| 2021-12-28 | SLIMPAY Insufficient technical and organisational measures to ensure information security | 🇪🇺 French Data Protection Authority (CNIL) | Art. 28Art. 32Art. 34 | €180,000 |
| 2021-12-08 | One Way Private Company Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 28Art. 32Art. 11 | €30,000 |
| 2021-11-23 | Icelandic Ministry of Industry and Innovation Non-compliance with general data processing principles | 🇪🇺 Icelandic data protection authority ('Persónuvernd') | Art. 5Art. 6Art. 7Art. 13 | €51,000 |
| 2021-11-23 | YAY ehf. Non-compliance with general data processing principles | 🇪🇺 Icelandic data protection authority ('Persónuvernd') | Art. 5Art. 6Art. 28Art. 32 | €27,200 |
| 2021-09-27 | Ferde AS Non-compliance with general data processing principles | 🇪🇺 Norwegian Supervisory Authority (Datatilsynet) | Art. 5Art. 28Art. 32Art. 44 | €496,000 |
| 2021-09-16 | Sky Italia S.r.l. Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 12 | €3,296,326 |
| 2021-08-24 | Actamedica SRL Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 28Art. 32Art. 33 | €3,000 |
| 2021-07-26 | Monsanto Company Insufficient fulfilment of information obligations | 🇪🇺 French Data Protection Authority (CNIL) | Art. 14Art. 28 | €400,000 |
| 2021-07-22 | Roma Capitale Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 12Art. 13Art. 25 | €800,000 |
| 2021-07-06 | Marbella Resorts S.L. Insufficient data processing agreement | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 28 | €4,200 |
| 2021-06-24 | Magazine publisher Insufficient legal basis for data processing | 🇪🇺 Deputy Data Protection Ombudsman | Art. 5Art. 7Art. 12Art. 21 | €8,500 |
| 2021-06-10 | aiComply S.r.l. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 28Art. 32 | €40,000 |