Skip to content

Article 32 GDPR — enforcement

Cited in 762 decisions · €504.3M total fines · median €15,600 · top authority: 🇪🇺Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) (175)

Date ↓ Company / party Authority Articles Fine
2025-01-16 Realmaps S.r.l.
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 12 €100,000
2025-01-10 National Bank of Greece S.A
Insufficient technical and organisational measures to ensure information security
🇬🇷 Hellenic Data Protection Authority (HDPA) Art. 5Art. 15Art. 25Art. 32 €120,000
2025-01-03 Unirea Medical Center S.R.L.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 24Art. 32 €2,000
2024-12-23 Panek SA
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 32 €357,000
2024-12-18 ATRIUM LEX SFC
Insufficient fulfilment of information obligations
🇪🇺 Spanish Data Protection Authority (aepd) Art. 13Art. 32 €100,000
2024-12-17 Sambla Group Oy
Insufficient technical and organisational measures to ensure information security
🇪🇺 Deputy Data Protection Ombudsman Art. 5Art. 25Art. 32 €950,000
2024-12-17 Hospital
Insufficient technical and organisational measures to ensure information security
🇪🇺 Belgian Data Protection Authority (APD) Art. 5Art. 24Art. 32Art. 35 €200,000
2024-12-10 GENERALI ESPAÑA, SOCIEDAD ANONIMA DE SEGUROS Y REASEGUROS
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 25Art. 32Art. 35 €4,000,000
2024-11-22 Maynooth University
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Ireland Art. 5Art. 32Art. 33 €40,000
2024-11-20 POLAND DPA: Insufficient technical and organisational measures to ensure information security
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 25Art. 28Art. 32 €358,000
2024-11-20 POLAND DPA: Insufficient technical and organisational measures to ensure information security
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 28Art. 32 €4,700
2024-11-20 Company
Non-compliance with general data processing principles
🇪🇺 National Commission for Data Protection (CNPD) Art. 5Art. 6Art. 13Art. 25 €2,300
2024-11-13 Foodinho Srl
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9Art. 12 €5,000,000
2024-11-13 Illumia Spa
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 24 €678,897
2024-11-13 Sligo County Council
Non-compliance with general data processing principles
🇪🇺 Data Protection Authority of Ireland Art. 5Art. 13Art. 24Art. 25 €29,500
2024-11-13 COYARE SLU
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 32 €2,500
2024-11-11 Correo Inteligente Postal, S.L.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 32 €200,000
2024-11-07 KAFFA KOFFEE ORGANISATION, S.L.
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 32 €2,000
2024-11-02 OpenAI OpCo LLC
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 12Art. 13 €15,000,000
2024-10-28 Vodafone Romania S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 32 €5,000
2024-10-21 Grue municipality
Insufficient technical and organisational measures to ensure information security
🇪🇺 Norwegian Supervisory Authority (Datatilsynet) Art. 24Art. 32 €20,800
2024-10-18 Vilnius District Municipality Administration
Insufficient technical and organisational measures to ensure information security
🇪🇺 Lithuanian Data Protection Authority (VDAI) Art. 5Art. 32Art. 34 €9,000
2024-10-16 Your Consulting SRL
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 25Art. 32 €3,000
2024-09-26 Police Service of Northern Ireland
Insufficient technical and organisational measures to ensure information security
🇪🇺 Information Commissioner (ICO) Art. 5Art. 32 €904,000
2024-09-17 Constanța South Container Terminal SRL
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 32 €3,000