
Article 32 GDPR — enforcement

Cited in 762 decisions · €504.3M total fines · median €15,600 · top authority: 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) (175)

Date · Company / party · Authority · Articles · Fine
2026-01-19 Continental Automotive Products SRL
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 5, Art. 32 €15,000
2026-01-13 PREMIER RESTAURANTS ROMANIA SRL
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 28, Art. 32 €8,000
2026-01-08 FREE MOBILE
Insufficient technical and organisational measures to ensure information security
🇪🇺 French Data Protection Authority (CNIL) Art. 5, Art. 32 €27,000,000
2026-01-08 FREE
Insufficient technical and organisational measures to ensure information security
🇪🇺 French Data Protection Authority (CNIL) Art. 32, Art. 34 €15,000,000
2025-12-31 ONE WAY PRIVATE COMPANY
Non-compliance with general data processing principles
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 5, Art. 6, Art. 7, Art. 29 €80,000
2025-12-31 SIGMA & KAPPA IMPORTING SOCIÉTÉ ANONYME
Insufficient technical and organisational measures to ensure information security
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 32 €10,000
2025-12-31 Thessaloniki–Thessaly Gas Supply Company S.A.
Insufficient data processing agreement
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 28, Art. 32 €10,000
2025-12-31 REVMA PLUS Retail S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 32 €5,000
2025-12-30 Company
Non-compliance with general data processing principles
🇪🇺 French Data Protection Authority (CNIL) Art. 6, Art. 13, Art. 32, Art. 35 €3,500,000
2025-12-30 Social Insurance Agency
Insufficient technical and organisational measures to ensure information security
🇪🇺 Slovak Data Protection Office Art. 32 €50,000
2025-12-30 Slovak Telekom
Insufficient technical and organisational measures to ensure information security
🇪🇺 Slovak Data Protection Office Art. 32 €40,000
2025-12-30 Madrileña Red de Gas
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (AEPD) Art. 32 €12,000
2025-12-30 Roumasport S.R.L
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 32 €10,000
2025-12-30 Individual entrepreneur - no further details published
Insufficient technical and organisational measures to ensure information security
🇪🇺 Czech Data Protection Authority (UOOU) Art. 32 €980
2025-12-30 SLOVAKIA DPA: Insufficient technical and organisational measures to ensure information security
Insufficient technical and organisational measures to ensure information security
🇪🇺 Slovak Data Protection Office Art. 5, Art. 32
2025-12-30 SLOVAKIA: Insufficient technical and organisational measures to ensure information security.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Slovak Data Protection Office Art. 5, Art. 32