Article 32 GDPR — enforcement
Cited in 762 decisions · €504.3M total fines · median €15,600 · top authority: 🇪🇺Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) (175)
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2021-12-16 | Municipality of Frederiksberg Insufficient technical and organisational measures to ensure information security | 🇪🇺 Danish Data Protection Authority (Datatilsynet) | Art. 32 | €13,450 |
| 2021-12-16 | Centro di Medicina preventiva s.r.l. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 25Art. 32Art. 37 | €10,000 |
| 2021-12-16 | Travel agency Insufficient technical and organisational measures to ensure information security | 🇪🇺 Deputy Data Protection Ombudsman | Art. 5Art. 17Art. 25Art. 32 | €6,500 |
| 2021-12-09 | Warsaw University of Technology Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 24Art. 25Art. 32 | €10,000 |
| 2021-12-08 | One Way Private Company Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 28Art. 32Art. 11 | €30,000 |
| 2021-12-02 | Irish Teacher Council Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Authority of Ireland | Art. 5Art. 32Art. 33 | €60,000 |
| 2021-12-02 | Casa di cura Fondazione Gaetano e Piera Borghi s.r.l. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 32 | €30,000 |
| 2021-12-02 | Ica s.r.l. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 32 | €30,000 |
| 2021-12-02 | Società Med Store Saronno s.r.l. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 32 | €7,000 |
| 2021-11-29 | UAB Prime Leasing Insufficient technical and organisational measures to ensure information security | 🇪🇺 Lithuanian Data Protection Authority (VDAI) | Art. 32 | €110,000 |
| 2021-11-26 | Valoris Center S.R.L. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 29Art. 32 | €2,000 |
| 2021-11-25 | Cabinet Office Insufficient technical and organisational measures to ensure information security | 🇪🇺 Information Commissioner (ICO) | Art. 5Art. 32 | €585,000 |
| 2021-11-23 | Icelandic Ministry of Industry and Innovation Non-compliance with general data processing principles | 🇪🇺 Icelandic data protection authority ('Persónuvernd') | Art. 5Art. 6Art. 7Art. 13 | €51,000 |
| 2021-11-23 | YAY ehf. Non-compliance with general data processing principles | 🇪🇺 Icelandic data protection authority ('Persónuvernd') | Art. 5Art. 6Art. 28Art. 32 | €27,200 |
| 2021-11-14 | Vodafone România SA Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32Art. 3 | €2,900 |
| 2021-11-12 | Transavia Insufficient technical and organisational measures to ensure information security | 🇪🇺 Dutch Supervisory Authority for Data Protection (AP) | Art. 32 | €400,000 |
| 2021-11-04 | Régie autonome des transports parisiens Non-compliance with general data processing principles | 🇪🇺 French Data Protection Authority (CNIL) | Art. 5Art. 32 | €400,000 |
| 2021-11-01 | S.P.E.E.H. Hidroelectrica S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €5,000 |
| 2021-11-01 | IKEA ROMÂNIA SA Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €1,000 |
| 2021-10-18 | Østre Toten municipality Insufficient technical and organisational measures to ensure information security | 🇪🇺 Norwegian Supervisory Authority (Datatilsynet) | Art. 5Art. 32 | €412,000 |
| 2021-10-18 | HIV Scotland Insufficient technical and organisational measures to ensure information security | 🇪🇺 Information Commissioner (ICO) | Art. 5Art. 32 | €11,800 |
| 2021-10-13 | Vodafone España, S.A.U. Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 32 | €40,000 |
| 2021-10-05 | CLUB DEPORTIVO SANSUEÑA, S.L. Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 6Art. 32 | €4,000 |
| 2021-09-29 | Danish Cancer Society Insufficient technical and organisational measures to ensure information security | 🇪🇺 Danish Data Protection Authority (Datatilsynet) | Art. 32 | €107,000 |
| 2021-09-27 | Ferde AS Non-compliance with general data processing principles | 🇪🇺 Norwegian Supervisory Authority (Datatilsynet) | Art. 5Art. 28Art. 32Art. 44 | €496,000 |