Article 29 GDPR — enforcement
Cited in 30 decisions · €12.8M total fines · median €40,000 · top authority: 🇪🇺Italian Data Protection Authority (Garante) (11)
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2026-04-17 | Framos Italia s.r.l. Non-compliance with general data processing principles | 🇮🇹 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 12Art. 13 | €5,000 |
| 2026-02-05 | DPD Polska sp. z o.o. Insufficient data processing agreement | 🇵🇱 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 24Art. 29Art. 32 | €2,682,000 |
| 2025-12-31 | ONE WAY PRIVATE COMPANY Non-compliance with general data processing principles | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 5Art. 6Art. 7Art. 29 | €80,000 |
| 2025-12-11 | MOBIUS SOLUTIONS LTD Non-compliance with general data processing principles | 🇪🇺 French Data Protection Authority (CNIL) | Art. 28Art. 29Art. 30 | €1,000,000 |
| 2025-12-11 | MOBIUS SOLUTIONS LTD Non-compliance with general data processing principles | 🇪🇺 French Data Protection Authority (CNIL) | Art. 28Art. 29Art. 30 | €1,000,000 |
| 2025-12-08 | Compania de Apa Oltenia S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 29Art. 32 | €1,000 |
| 2025-12-08 | Compania de Apa Oltenia S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 29Art. 32 | €1,000 |
| 2025-12-04 | 'Principe Umberto di Savoia' State Scientific and Linguistic High School Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 9Art. 13 | €1,000 |
| 2025-06-25 | KARAMBELAS KONSTANTINOS & CO. E.E. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 29Art. 32 | €40,000 |
| 2025-06-25 | KARAMBELAS KONSTANTINOS & CO. E.E. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 29Art. 32 | €40,000 |
| 2025-04-10 | Network of Agencies and Companies Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 13 | €850,000 |
| 2025-04-10 | Network of Agencies and Companies Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 13 | €850,000 |
| 2025-01-16 | Realmaps S.r.l. Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 12 | €100,000 |
| 2024-04-23 | ALPHA BANK ROMANIA SA. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 29Art. 32 | €2,000 |
| 2023-04-27 | Ama S.p.a. Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 28Art. 29Art. 32Art. 2 | €239,000 |
| 2023-04-27 | Roma Capitale Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 9Art. 28Art. 29 | €176,000 |
| 2023-04-13 | Mas s.r.l. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 13 | €500,000 |
| 2023-04-13 | Mas s.r.l.s. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 13 | €200,000 |
| 2022-12-27 | Kaufland Romania SCS Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 29Art. 32 | €3,000 |
| 2022-09-06 | EDYTE SA Insufficient legal basis for data processing | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 29 | €5,000 |
| 2022-08-29 | Alpha Bank Romania SA Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 29Art. 32 | €1,000 |
| 2022-06-03 | Kaufland Romania SCS Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 29Art. 32 | €2,000 |
| 2022-05-12 | LORIS FUEL SHOP SRL Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 29Art. 32 | €1,000 |
| 2022-04-15 | DEDALUS BIOLOGIE Insufficient technical and organisational measures to ensure information security | 🇪🇺 French Data Protection Authority (CNIL) | Art. 28Art. 29Art. 32 | €1,500,000 |
| 2022-04-07 | Tecnomed Trento s.r.l. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 13Art. 29Art. 32 | €10,000 |
1–25 of 30 next →