Skip to content

Article 32 GDPR — enforcement

Cited in 762 decisions · €504.3M total fines · median €15,600 · top authority: 🇪🇺Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) (175)

Date ↓ Company / party Authority Articles Fine
2021-12-16 Municipality of Frederiksberg
Insufficient technical and organisational measures to ensure information security
🇪🇺 Danish Data Protection Authority (Datatilsynet) Art. 32 €13,450
2021-12-16 Centro di Medicina preventiva s.r.l.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 25Art. 32Art. 37 €10,000
2021-12-16 Travel agency
Insufficient technical and organisational measures to ensure information security
🇪🇺 Deputy Data Protection Ombudsman Art. 5Art. 17Art. 25Art. 32 €6,500
2021-12-09 Warsaw University of Technology
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 24Art. 25Art. 32 €10,000
2021-12-08 One Way Private Company
Insufficient technical and organisational measures to ensure information security
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 28Art. 32Art. 11 €30,000
2021-12-02 Irish Teacher Council
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Ireland Art. 5Art. 32Art. 33 €60,000
2021-12-02 Casa di cura Fondazione Gaetano e Piera Borghi s.r.l.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 32 €30,000
2021-12-02 Ica s.r.l.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 32 €30,000
2021-12-02 Società Med Store Saronno s.r.l.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 32 €7,000
2021-11-29 UAB Prime Leasing
Insufficient technical and organisational measures to ensure information security
🇪🇺 Lithuanian Data Protection Authority (VDAI) Art. 32 €110,000
2021-11-26 Valoris Center S.R.L.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 29Art. 32 €2,000
2021-11-25 Cabinet Office
Insufficient technical and organisational measures to ensure information security
🇪🇺 Information Commissioner (ICO) Art. 5Art. 32 €585,000
2021-11-23 Icelandic Ministry of Industry and Innovation
Non-compliance with general data processing principles
🇪🇺 Icelandic data protection authority ('Persónuvernd') Art. 5Art. 6Art. 7Art. 13 €51,000
2021-11-23 YAY ehf.
Non-compliance with general data processing principles
🇪🇺 Icelandic data protection authority ('Persónuvernd') Art. 5Art. 6Art. 28Art. 32 €27,200
2021-11-14 Vodafone România SA
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 32Art. 3 €2,900
2021-11-12 Transavia
Insufficient technical and organisational measures to ensure information security
🇪🇺 Dutch Supervisory Authority for Data Protection (AP) Art. 32 €400,000
2021-11-04 Régie autonome des transports parisiens
Non-compliance with general data processing principles
🇪🇺 French Data Protection Authority (CNIL) Art. 5Art. 32 €400,000
2021-11-01 S.P.E.E.H. Hidroelectrica S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 32 €5,000
2021-11-01 IKEA ROMÂNIA SA
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 32 €1,000
2021-10-18 Østre Toten municipality
Insufficient technical and organisational measures to ensure information security
🇪🇺 Norwegian Supervisory Authority (Datatilsynet) Art. 5Art. 32 €412,000
2021-10-18 HIV Scotland
Insufficient technical and organisational measures to ensure information security
🇪🇺 Information Commissioner (ICO) Art. 5Art. 32 €11,800
2021-10-13 Vodafone España, S.A.U.
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 32 €40,000
2021-10-05 CLUB DEPORTIVO SANSUEÑA, S.L.
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 6Art. 32 €4,000
2021-09-29 Danish Cancer Society
Insufficient technical and organisational measures to ensure information security
🇪🇺 Danish Data Protection Authority (Datatilsynet) Art. 32 €107,000
2021-09-27 Ferde AS
Non-compliance with general data processing principles
🇪🇺 Norwegian Supervisory Authority (Datatilsynet) Art. 5Art. 28Art. 32Art. 44 €496,000