Skip to content

Article 29 GDPR — enforcement

Cited in 30 decisions · €12.8M total fines · median €40,000 · top authority: 🇪🇺Italian Data Protection Authority (Garante) (11)

Date ↓ Company / party Authority Articles Fine
2026-04-17 Framos Italia s.r.l.
Non-compliance with general data processing principles
🇮🇹 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 12Art. 13 €5,000
2026-02-05 DPD Polska sp. z o.o.
Insufficient data processing agreement
🇵🇱 Polish National Personal Data Protection Office (UODO) Art. 5Art. 24Art. 29Art. 32 €2,682,000
2025-12-31 ONE WAY PRIVATE COMPANY
Non-compliance with general data processing principles
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 5Art. 6Art. 7Art. 29 €80,000
2025-12-11 MOBIUS SOLUTIONS LTD
Non-compliance with general data processing principles
🇪🇺 French Data Protection Authority (CNIL) Art. 28Art. 29Art. 30 €1,000,000
2025-12-11 MOBIUS SOLUTIONS LTD
Non-compliance with general data processing principles
🇪🇺 French Data Protection Authority (CNIL) Art. 28Art. 29Art. 30 €1,000,000
2025-12-08 Compania de Apa Oltenia S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 29Art. 32 €1,000
2025-12-08 Compania de Apa Oltenia S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 29Art. 32 €1,000
2025-12-04 'Principe Umberto di Savoia' State Scientific and Linguistic High School
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9Art. 13 €1,000
2025-06-25 KARAMBELAS KONSTANTINOS & CO. E.E.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 29Art. 32 €40,000
2025-06-25 KARAMBELAS KONSTANTINOS & CO. E.E.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 29Art. 32 €40,000
2025-04-10 Network of Agencies and Companies
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 13 €850,000
2025-04-10 Network of Agencies and Companies
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 13 €850,000
2025-01-16 Realmaps S.r.l.
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 12 €100,000
2024-04-23 ALPHA BANK ROMANIA SA.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 29Art. 32 €2,000
2023-04-27 Ama S.p.a.
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 28Art. 29Art. 32Art. 2 €239,000
2023-04-27 Roma Capitale
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9Art. 28Art. 29 €176,000
2023-04-13 Mas s.r.l.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 13 €500,000
2023-04-13 Mas s.r.l.s.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 13 €200,000
2022-12-27 Kaufland Romania SCS
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 29Art. 32 €3,000
2022-09-06 EDYTE SA
Insufficient legal basis for data processing
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 29 €5,000
2022-08-29 Alpha Bank Romania SA
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 29Art. 32 €1,000
2022-06-03 Kaufland Romania SCS
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 29Art. 32 €2,000
2022-05-12 LORIS FUEL SHOP SRL
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 29Art. 32 €1,000
2022-04-15 DEDALUS BIOLOGIE
Insufficient technical and organisational measures to ensure information security
🇪🇺 French Data Protection Authority (CNIL) Art. 28Art. 29Art. 32 €1,500,000
2022-04-07 Tecnomed Trento s.r.l.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 13Art. 29Art. 32 €10,000