Article 32 GDPR — enforcement
Cited in 762 decisions · €504.3M total fines · median €15,600 · top authority: 🇪🇺Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) (175)
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2022-04-28 | Istituto Nazionale Assicurazione Infortuni sul Lavoro Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 9Art. 32 | €50,000 |
| 2022-04-26 | ASST di Lodi Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 9Art. 32 | €1,000 |
| 2022-04-22 | Political party Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | Art. 5Art. 32 | €8,000 |
| 2022-04-15 | DEDALUS BIOLOGIE Insufficient technical and organisational measures to ensure information security | 🇪🇺 French Data Protection Authority (CNIL) | Art. 28Art. 29Art. 32 | €1,500,000 |
| 2022-04-11 | BASER COMERCIALIZADORA DE REFERENCIA, S.A. Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 6Art. 32 | €150,000 |
| 2022-04-07 | Dutch Tax and Customs Administration Non-compliance with general data processing principles | 🇪🇺 Dutch Supervisory Authority for Data Protection (AP) | Art. 5Art. 6Art. 32Art. 35 | €3,700,000 |
| 2022-04-07 | Azienda ospedaliera di Perugia Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 13Art. 14Art. 25 | €40,000 |
| 2022-04-07 | Tecnomed Trento s.r.l. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 13Art. 29Art. 32 | €10,000 |
| 2022-04-05 | Bank of Ireland Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Authority of Ireland | Art. 32Art. 33Art. 34 | €463,000 |
| 2022-03-28 | Condor SA Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €2,000 |
| 2022-03-24 | Brav s.r.l. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 32 | €10,000 |
| 2022-03-22 | English School Cyprus Insufficient technical and organisational measures to ensure information security | 🇪🇺 Cypriot Data Protection Commissioner | Art. 32 | €4,000 |
| 2022-03-21 | English School staff union (ESSA) Insufficient technical and organisational measures to ensure information security | 🇪🇺 Cypriot Data Protection Commissioner | Art. 32 | €5,000 |
| 2022-03-10 | Azienda USL Toscana Centro Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 9Art. 32 | €10,000 |
| 2022-03-08 | Retail company (name not available at the moment) Insufficient technical and organisational measures to ensure information security | 🇪🇺 Croatian Data Protection Authority (azop) | Art. 32 | €89,250 |
| 2022-03-04 | Norwegian Parliament Insufficient technical and organisational measures to ensure information security | 🇪🇺 Norwegian Supervisory Authority (Datatilsynet) | Art. 5Art. 32 | €195,000 |
| 2022-02-24 | Dutch Foreign Ministry Insufficient technical and organisational measures to ensure information security | 🇪🇺 Dutch Supervisory Authority for Data Protection (AP) | Art. 13Art. 32 | €565,000 |
| 2022-02-10 | Scanshare S.r.l. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 28Art. 32 | €10,000 |
| 2022-02-02 | Lillestrøm Municipality Insufficient technical and organisational measures to ensure information security | 🇪🇺 Norwegian Supervisory Authority (Datatilsynet) | Art. 5Art. 6Art. 32 | €30,000 |
| 2022-02-02 | IAB Europe Insufficient legal basis for data processing | 🇪🇺 Belgian Data Protection Authority (APD) | Art. 5Art. 6Art. 9Art. 12 | €0 |
| 2022-01-27 | OTE Group Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 32 | €3,200,000 |
| 2022-01-27 | EU DisinfoLab Non-compliance with general data processing principles | 🇪🇺 Belgian Data Protection Authority (APD) | Art. 5Art. 6Art. 9Art. 12 | €2,800 |
| 2022-01-27 | Researcher Non-compliance with general data processing principles | 🇪🇺 Belgian Data Protection Authority (APD) | Art. 5Art. 6Art. 9Art. 12 | €1,200 |
| 2022-01-26 | Uppsala hospital board Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | Art. 5Art. 32 | €152,000 |
| 2022-01-26 | Uppsala regional board Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | Art. 32 | €28,500 |