Article 28 GDPR — enforcement
Cited in 145 decisions · €100.1M total fines · median €50,500 · top authority: 🇪🇺 Italian Data Protection Authority (Garante) (50)
| Date | Company / party | Violation | Authority | Articles | Fine |
|---|---|---|---|---|---|
| 2021-05-25 | Vodafone España, SAU | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (AEPD) | Art. 28 | €100,000 |
| 2021-03-11 | Vodafone España, S.A.U. | Insufficient fulfilment of data subjects rights | 🇪🇺 Spanish Data Protection Authority (AEPD) | Art. 28, Art. 24, Art. 44, Art. 21 | €8,150,000 |
| 2021-02-11 | Roma Capitale | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5, Art. 6, Art. 28, Art. 32 | €350,000 |
| 2021-02-11 | Vamavi Phone S.L. | Insufficient fulfilment of data subjects rights | 🇪🇺 Spanish Data Protection Authority (AEPD) | Art. 48, Art. 21, Art. 23, Art. 28 | €24,000 |
| 2021-02-11 | Krajowa Szkoła Sądownictwa i Prokuratury | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5, Art. 25, Art. 28, Art. 32 | €22,200 |
| 2021-01-27 | Family Service / N.D.P.K. nv. | Insufficient legal basis for data processing | 🇪🇺 Belgian Data Protection Authority (APD) | Art. 5, Art. 6, Art. 7, Art. 13 | €50,000 |
| 2021-01-14 | Regione Lazio | Insufficient data processing agreement | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5, Art. 28 | €75,000 |
| 2021-01-01 | SLOVAKIA DPA: Non-compliance with general data processing principles | Non-compliance with general data processing principles | 🇪🇺 Slovak Data Protection Office | Art. 5, Art. 28 | €40,000 |
| 2020-12-17 | Roma Capitale (Rome Municipality) | Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5, Art. 13, Art. 14, Art. 28 | €500,000 |
| 2020-12-17 | Azienda Unità Sanitaria Locale Toscana Sud Est | Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5, Art. 13, Art. 14, Art. 28 | €100,000 |
| 2020-12-17 | Miropass S.r.l. | Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5, Art. 6, Art. 9, Art. 28 | €40,000 |
| 2020-12-07 | Performeclic | Insufficient legal basis for data processing | 🇪🇺 French Data Protection Authority (CNIL) | Art. 5, Art. 14, Art. 21, Art. 28 | €7,300 |
| 2020-10-03 | Avata Hispania, S.L. | Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (AEPD) | Art. 5, Art. 6, Art. 28 | €3,000 |
| 2020-09-30 | Azienda Ospedaliera di Rilievo Nazionale 'Antonio Cardarelli' (Private Hospital) | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5, Art. 6, Art. 13, Art. 28 | €80,000 |
| 2020-09-25 | Legal Person | Insufficient legal basis for data processing | 🇪🇺 Czech Data Protection Authority (UOOU) | Art. 5, Art. 13, Art. 28, Art. 30 | €400 |
| 2020-07-13 | Merlini s.r.l. | Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5, Art. 6, Art. 7, Art. 28 | €200,000 |
| 2020-01-01 | Healthcare provider | Insufficient fulfilment of information obligations | 🇪🇺 Czech Data Protection Authority (UOOU) | Art. 5, Art. 12, Art. 28 | — |
| 2019-10-18 | Mayor of Aleksandrów Kujawski | Insufficient data processing agreement | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 28 | €9,380 |
| 2019-01-01 | Unknown Company | Insufficient fulfilment of data subjects rights | 🇪🇺 Data Protection Authority of Brandenburg | Art. 15, Art. 28 | €50,000 |
| 2018-12-17 | Kolibri Image Regina und Dirk Maass GbR | Insufficient data processing agreement | 🇪🇺 Data Protection Authority of Hamburg | Art. 28 | €5,000 |