Article 32 GDPR — enforcement
Cited in 762 decisions · €504.3M total fines · median €15,600 · top authority: 🇪🇺Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) (175)
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2025-01-16 | Realmaps S.r.l. Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 12 | €100,000 |
| 2025-01-10 | National Bank of Greece S.A Insufficient technical and organisational measures to ensure information security | 🇬🇷 Hellenic Data Protection Authority (HDPA) | Art. 5Art. 15Art. 25Art. 32 | €120,000 |
| 2025-01-03 | Unirea Medical Center S.R.L. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 24Art. 32 | €2,000 |
| 2024-12-23 | Panek SA Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 32 | €357,000 |
| 2024-12-18 | ATRIUM LEX SFC Insufficient fulfilment of information obligations | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 13Art. 32 | €100,000 |
| 2024-12-17 | Sambla Group Oy Insufficient technical and organisational measures to ensure information security | 🇪🇺 Deputy Data Protection Ombudsman | Art. 5Art. 25Art. 32 | €950,000 |
| 2024-12-17 | Hospital Insufficient technical and organisational measures to ensure information security | 🇪🇺 Belgian Data Protection Authority (APD) | Art. 5Art. 24Art. 32Art. 35 | €200,000 |
| 2024-12-10 | GENERALI ESPAÑA, SOCIEDAD ANONIMA DE SEGUROS Y REASEGUROS Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 25Art. 32Art. 35 | €4,000,000 |
| 2024-11-22 | Maynooth University Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Authority of Ireland | Art. 5Art. 32Art. 33 | €40,000 |
| 2024-11-20 | POLAND DPA: Insufficient technical and organisational measures to ensure information security Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 25Art. 28Art. 32 | €358,000 |
| 2024-11-20 | POLAND DPA: Insufficient technical and organisational measures to ensure information security Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 28Art. 32 | €4,700 |
| 2024-11-20 | Company Non-compliance with general data processing principles | 🇪🇺 National Commission for Data Protection (CNPD) | Art. 5Art. 6Art. 13Art. 25 | €2,300 |
| 2024-11-13 | Foodinho Srl Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 9Art. 12 | €5,000,000 |
| 2024-11-13 | Illumia Spa Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 24 | €678,897 |
| 2024-11-13 | Sligo County Council Non-compliance with general data processing principles | 🇪🇺 Data Protection Authority of Ireland | Art. 5Art. 13Art. 24Art. 25 | €29,500 |
| 2024-11-13 | COYARE SLU Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 32 | €2,500 |
| 2024-11-11 | Correo Inteligente Postal, S.L. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 32 | €200,000 |
| 2024-11-07 | KAFFA KOFFEE ORGANISATION, S.L. Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 32 | €2,000 |
| 2024-11-02 | OpenAI OpCo LLC Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 12Art. 13 | €15,000,000 |
| 2024-10-28 | Vodafone Romania S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €5,000 |
| 2024-10-21 | Grue municipality Insufficient technical and organisational measures to ensure information security | 🇪🇺 Norwegian Supervisory Authority (Datatilsynet) | Art. 24Art. 32 | €20,800 |
| 2024-10-18 | Vilnius District Municipality Administration Insufficient technical and organisational measures to ensure information security | 🇪🇺 Lithuanian Data Protection Authority (VDAI) | Art. 5Art. 32Art. 34 | €9,000 |
| 2024-10-16 | Your Consulting SRL Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 25Art. 32 | €3,000 |
| 2024-09-26 | Police Service of Northern Ireland Insufficient technical and organisational measures to ensure information security | 🇪🇺 Information Commissioner (ICO) | Art. 5Art. 32 | €904,000 |
| 2024-09-17 | Constanța South Container Terminal SRL Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €3,000 |