Article 32 GDPR — enforcement
Cited in 762 decisions · €504.3M total fines · median €15,600 · top authority: 🇪🇺Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) (175)
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2026-01-19 | Continental Automotive Products SRL Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 5Art. 32 | €15,000 |
| 2026-01-13 | PREMIER RESTAURANTS ROMANIA SRL Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 28Art. 32 | €8,000 |
| 2026-01-13 | PREMIER RESTAURANTS ROMANIA SRL Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 28Art. 32 | €8,000 |
| 2026-01-08 | FREE MOBILE Insufficient technical and organisational measures to ensure information security | 🇪🇺 French Data Protection Authority (CNIL) | Art. 5Art. 32 | €27,000,000 |
| 2026-01-08 | FREE MOBILE Insufficient technical and organisational measures to ensure information security | 🇪🇺 French Data Protection Authority (CNIL) | Art. 5Art. 32 | €27,000,000 |
| 2026-01-08 | FREE Insufficient technical and organisational measures to ensure information security | 🇪🇺 French Data Protection Authority (CNIL) | Art. 32Art. 34 | €15,000,000 |
| 2026-01-08 | FREE Insufficient technical and organisational measures to ensure information security | 🇪🇺 French Data Protection Authority (CNIL) | Art. 32Art. 34 | €15,000,000 |
| 2025-12-31 | ONE WAY PRIVATE COMPANY Non-compliance with general data processing principles | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 5Art. 6Art. 7Art. 29 | €80,000 |
| 2025-12-31 | SIGMA & KAPPA IMPORTING SOCIÉTÉ ANONYME Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 32 | €10,000 |
| 2025-12-31 | Thessaloniki–Thessaly Gas Supply Company S.A. Insufficient data processing agreement | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 28Art. 32 | €10,000 |
| 2025-12-31 | REVMA PLUS Retail S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 32 | €5,000 |
| 2025-12-30 | Company Non-compliance with general data processing principles | 🇪🇺 French Data Protection Authority (CNIL) | Art. 6Art. 13Art. 32Art. 35 | €3,500,000 |
| 2025-12-30 | Social Insurance Agency Insufficient technical and organisational measures to ensure information security | 🇪🇺 Slovak Data Protection Office | Art. 32 | €50,000 |
| 2025-12-30 | Social Insurance Agency Insufficient technical and organisational measures to ensure information security | 🇪🇺 Slovak Data Protection Office | Art. 32 | €50,000 |
| 2025-12-30 | Slovak Telekom Insufficient technical and organisational measures to ensure information security | 🇪🇺 Slovak Data Protection Office | Art. 32 | €40,000 |
| 2025-12-30 | Slovak Telekom Insufficient technical and organisational measures to ensure information security | 🇪🇺 Slovak Data Protection Office | Art. 32 | €40,000 |
| 2025-12-30 | Madrileña Red de Gas Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 32 | €12,000 |
| 2025-12-30 | Madrileña Red de Gas Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 32 | €12,000 |
| 2025-12-30 | Roumasport S.R.L Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €10,000 |
| 2025-12-30 | Roumasport S.R.L Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €10,000 |
| 2025-12-30 | Individual entrepreneur - no further details published Insufficient technical and organisational measures to ensure information security | 🇪🇺 Czech Data Protection Auhtority (UOOU) | Art. 32 | €980 |
| 2025-12-30 | Individual entrepreneur - no further details published Insufficient technical and organisational measures to ensure information security | 🇪🇺 Czech Data Protection Auhtority (UOOU) | Art. 32 | €980 |
| 2025-12-30 | SLOVAKIA DPA: Insufficient technical and organisational measures to ensure information security Insufficient technical and organisational measures to ensure information security | 🇪🇺 Slovak Data Protection Office | Art. 5Art. 32 | — |
| 2025-12-30 | SLOVAKIA DPA: Insufficient technical and organisational measures to ensure information security Insufficient technical and organisational measures to ensure information security | 🇪🇺 Slovak Data Protection Office | Art. 5Art. 32 | — |
| 2025-12-30 | SLOVENAKIË: Onvoldoende technische en organisatorische maatregelen om de informatiebeveiliging te waarborgen. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Slovak Data Protection Office | Art. 5Art. 32 | — |