Article 28 GDPR — enforcement

Cited in 145 decisions · €100.1M total fines · median €50,500 · top authority: 🇪🇺 Italian Data Protection Authority (Garante) (50)

Date · Company / party · Authority · Articles · Fine
2021-05-25 Vodafone España, SAU
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (AEPD) Art. 28 €100,000
2021-03-11 Vodafone España, S.A.U.
Insufficient fulfilment of data subjects' rights
🇪🇺 Spanish Data Protection Authority (AEPD) Art. 28, Art. 24, Art. 44, Art. 21 €8,150,000
2021-02-11 Roma Capitale
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5, Art. 6, Art. 28, Art. 32 €350,000
2021-02-11 Vamavi Phone S.L.
Insufficient fulfilment of data subjects' rights
🇪🇺 Spanish Data Protection Authority (AEPD) Art. 48, Art. 21, Art. 23, Art. 28 €24,000
2021-02-11 Krajowa Szkoła Sądownictwa i Prokuratury
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5, Art. 25, Art. 28, Art. 32 €22,200
2021-01-27 Family Service / N.D.P.K. nv.
Insufficient legal basis for data processing
🇪🇺 Belgian Data Protection Authority (APD) Art. 5, Art. 6, Art. 7, Art. 13 €50,000
2021-01-14 Regione Lazio
Insufficient data processing agreement
🇪🇺 Italian Data Protection Authority (Garante) Art. 5, Art. 28 €75,000
2021-01-01 SLOVAKIA DPA: Non-compliance with general data processing principles
Non-compliance with general data processing principles
🇪🇺 Slovak Data Protection Office Art. 5, Art. 28 €40,000
2020-12-17 Roma Capitale (Rome Municipality)
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5, Art. 13, Art. 14, Art. 28 €500,000
2020-12-17 Azienda Unità Sanitaria Locale Toscana Sud Est
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5, Art. 13, Art. 14, Art. 28 €100,000
2020-12-17 Miropass S.r.l.
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5, Art. 6, Art. 9, Art. 28 €40,000
2020-12-07 Perfomeclic
Insufficient legal basis for data processing
🇪🇺 French Data Protection Authority (CNIL) Art. 5, Art. 14, Art. 21, Art. 28 €7,300
2020-10-03 Avata Hispania, S.L.
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (AEPD) Art. 5, Art. 6, Art. 28 €3,000
2020-09-30 Azienda Ospedaliera di Rilievo Nazionale 'Antonio Cardarelli' (Private Hospital)
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5, Art. 6, Art. 13, Art. 28 €80,000
2020-09-25 Legal Person
Insufficient legal basis for data processing
🇪🇺 Czech Data Protection Authority (UOOU) Art. 5, Art. 13, Art. 28, Art. 30 €400
2020-07-13 Merlini s.r.l.
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5, Art. 6, Art. 7, Art. 28 €200,000
2020-01-01 Healthcare provider
Insufficient fulfilment of information obligations
🇪🇺 Czech Data Protection Authority (UOOU) Art. 5, Art. 12, Art. 28
2019-10-18 Mayor of Aleksandrów Kujawski
Insufficient data processing agreement
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 28 €9,380
2019-01-01 Unknown Company
Insufficient fulfilment of data subjects' rights
🇪🇺 Data Protection Authority of Brandenburg Art. 15, Art. 28 €50,000
2018-12-17 Kolibri Image Regina und Dirk Maass GbR
Insufficient data processing agreement
🇪🇺 Data Protection Authority of Hamburg Art. 28 €5,000