Skip to content

Article 32 GDPR — enforcement

Cited in 762 decisions · €504.3M total fines · median €15,600 · top authority: 🇪🇺Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) (175)

Date ↓ Company / party Authority Articles Fine
2026-06-12 Națională Poșta Română
Insufficient technical and organisational measures to ensure information security
🇷🇴 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 32 €5,000
2026-06-02 Minister of Justice
Insufficient technical and organisational measures to ensure information security
🇵🇱 Polish National Personal Data Protection Office (UODO) Art. 32 €23,540
2026-05-29 Unicredit Bank SA
Insufficient technical and organisational measures to ensure information security
🇷🇴 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 32Art. 33 €12,000
2026-05-08 Permanent TSB
Insufficient technical and organisational measures to ensure information security
🇮🇪 Data Protection Authority of Ireland Art. 5Art. 32Art. 33 €277,500
2026-05-07 South Staffordshire Plc
Insufficient technical and organisational measures to ensure information security
🇬🇧 Information Commissioner (ICO) Art. 5Art. 32 €1,112,100
2026-04-30 BLUE PROJECTS INDUSTRIES S.R.L.
Insufficient technical and organisational measures to ensure information security
🇷🇴 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 32 €2,500
2026-04-17 Poste Italiane S.p.a.
Non-compliance with general data processing principles
🇮🇹 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 13Art. 25 €6,624,000
2026-04-17 Postepay S.p.a.
Non-compliance with general data processing principles
🇮🇹 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 13Art. 25 €5,877,000
2026-04-17 Business Owner
Insufficient legal basis for data processing
🇮🇹 Italian Data Protection Authority (Garante) Art. 5Art. 13Art. 32 €2,000
2026-04-03 BLUE PROJECTS S.R.L.
Insufficient technical and organisational measures to ensure information security
🇷🇴 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 32 €2,500
2026-03-27 Legal Person
Insufficient technical and organisational measures to ensure information security
🇸🇮 Slovenian Supervisory Authority (Informacijski pooblaščenec) Art. 32 €13,491
2026-03-26 Intesa Sanpaolo S.p.A.
Insufficient technical and organisational measures to ensure information security
🇮🇹 Italian Data Protection Authority (Garante) Art. 5Art. 24Art. 32Art. 34 €31,800,000
2026-03-25 RENAULT COMMERCIAL ROUMANIE S.R.L.
Insufficient technical and organisational measures to ensure information security
🇷🇴 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 28Art. 32 €125,000
2026-03-23 ING Bank NV Amsterdam – Sucursala București S.A.
Insufficient technical and organisational measures to ensure information security
🇷🇴 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 32 €4,000
2026-03-12 Hanako s.r.l.
Insufficient technical and organisational measures to ensure information security
🇮🇹 Italian Data Protection Authority (Garante) Art. 5Art. 13Art. 32 €2,000
2026-03-12 Liceo Scientifico Morgagni di Roma
Insufficient technical and organisational measures to ensure information security
🇮🇹 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9Art. 32 €2,000
2026-02-26 Dedalus Italia S.p.A.
Insufficient technical and organisational measures to ensure information security
🇮🇹 Italian Data Protection Authority (Garante) Art. 32 €32,000
2026-02-19 Your Consulting SRL
Insufficient technical and organisational measures to ensure information security
🇷🇴 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 25Art. 32 €3,000
2026-02-16 Slovenia DPA: Insufficient technical and organisational measures to ensure information security
Insufficient technical and organisational measures to ensure information security
🇸🇮 Slovenian Supervisory Authority (Informacijski pooblaščenec) Art. 32 €5,500
2026-02-05 DPD Polska sp. z o.o.
Insufficient data processing agreement
🇵🇱 Polish National Personal Data Protection Office (UODO) Art. 5Art. 24Art. 29Art. 32 €2,682,000
2026-02-04 GENPACT ROMANIA SRL
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 32 €10,000
2026-02-03 FREE TECHNOLOGIES EXCOM, S.L.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 32 €10,000
2026-01-26 Sportadmin i Skandinavien AB
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) Art. 32 €565,000
2026-01-22 FRANCE TRAVAIL
Insufficient technical and organisational measures to ensure information security
🇪🇺 French Data Protection Authority (CNIL) Art. 32 €5,000,000
2026-01-19 Continental Automotive Products SRL
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 5Art. 32 €15,000