Article 32 GDPR — enforcement
Cited in 762 decisions · €504.3M total fines · median €15,600 · top authority: 🇪🇺Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) (175)
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2023-12-11 | Veranda Obor S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €3,000 |
| 2023-12-07 | Azienda socio sanitaria territoriale nord Milano, C.F. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 9Art. 25Art. 32 | €40,000 |
| 2023-12-07 | Hora Credit IFN SA Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 12Art. 15Art. 32Art. 33 | €24,000 |
| 2023-11-27 | Norwegian Labor and Welfare Administration Insufficient technical and organisational measures to ensure information security | 🇪🇺 Norwegian Supervisory Authority (Datatilsynet) | Art. 5Art. 24Art. 25Art. 32 | €1,700,000 |
| 2023-11-24 | Pharmacy owner Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 32 | €10,000 |
| 2023-11-22 | Open University of Cyprus Insufficient technical and organisational measures to ensure information security | 🇪🇺 Cypriot Data Protection Commissioner | Art. 5Art. 32 | €45,000 |
| 2023-11-16 | FORO ASTURIAS Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 32 | €20,000 |
| 2023-11-16 | Cluster S.r.l. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 32 | €18,000 |
| 2023-11-13 | Rompetrol Downstream SRL Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €110,000 |
| 2023-11-07 | THE BEE LOGISTICS, S.L. Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 32 | €70,000 |
| 2023-11-07 | Indcap AB Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Authority of Sweden | Art. 32 | €43,000 |
| 2023-11-07 | Homeowners' association Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 32 | €1,000 |
| 2023-11-03 | OTP BANK ROMANIA SA Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €3,000 |
| 2023-11-03 | SINDICATO LIBRE DE TRANSPORTES Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 32 | €2,000 |
| 2023-11-02 | INSTITUT MARQUÉS OBSTETRICIA I GINECOLOGIA, S.L.P. Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 32Art. 34 | €48,000 |
| 2023-10-26 | CAIXABANK, S.A. Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 25Art. 32 | €5,000,000 |
| 2023-10-26 | Ophthalmologic institute Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 32 | €7,000 |
| 2023-10-25 | ENDESA ENERGÍA, S.A.U. Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 32Art. 33Art. 34 | €6,100,000 |
| 2023-10-24 | Mensajero SRL Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €3,000 |
| 2023-10-20 | BANCO BILBAO VIZCAYA ARGENTARIA, S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 25Art. 32 | €800,000 |
| 2023-10-12 | GROUPE CANAL + Insufficient fulfilment of data subjects rights | 🇪🇺 French Data Protection Authority (CNIL) | Art. 7Art. 12Art. 13Art. 14 | €600,000 |
| 2023-10-12 | Azienda socio sanitaria territoriale di Lodi CF Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 9Art. 32 | €40,000 |
| 2023-10-10 | ILUNION SEGURIDAD, S.A. Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 32 | €15,000 |
| 2023-10-10 | NORDETIA CLINICS MÓSTOLES S.L. Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 32 | €1,500 |
| 2023-10-05 | Debt collection company Insufficient legal basis for data processing | 🇪🇺 Croatian Data Protection Authority (azop) | Art. 5Art. 6Art. 12Art. 13 | €5,470,000 |