Article 32 GDPR — enforcement
Cited in 762 decisions · €504.3M total fines · median €15,600 · top authority: 🇪🇺Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) (175)
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2021-09-20 | ST. OLAVS HOSPITAL HF Insufficient technical and organisational measures to ensure information security | 🇪🇺 Norwegian Supervisory Authority (Datatilsynet) | Art. 32 | €75,600 |
| 2021-09-20 | Høylandet Municipality Insufficient technical and organisational measures to ensure information security | 🇪🇺 Norwegian Supervisory Authority (Datatilsynet) | Art. 32 | €40,200 |
| 2021-09-17 | Syddanmark Region Insufficient technical and organisational measures to ensure information security | 🇪🇺 Danish Data Protection Authority (Datatilsynet) | Art. 32 | €67,200 |
| 2021-09-16 | Favrskov municipality Insufficient technical and organisational measures to ensure information security | 🇪🇺 Danish Data Protection Authority (Datatilsynet) | Art. 32 | €10,000 |
| 2021-09-08 | Midtjylland Region Insufficient technical and organisational measures to ensure information security | 🇪🇺 Danish Data Protection Authority (Datatilsynet) | Art. 32 | €53,800 |
| 2021-09-06 | APOEL FC Insufficient technical and organisational measures to ensure information security | 🇪🇺 Cypriot Data Protection Commissioner | Art. 32 | €40,000 |
| 2021-09-06 | AC Omonia Insufficient technical and organisational measures to ensure information security | 🇪🇺 Cypriot Data Protection Commissioner | Art. 32 | €40,000 |
| 2021-09-06 | Hellenic Technical Enterprises Ltd. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Cypriot Data Protection Commissioner | Art. 32 | €25,000 |
| 2021-09-02 | Automecanica Jerez, S.L. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 32Art. 21 | €4,000 |
| 2021-08-25 | Banco Bilbao Vizcaya Argentaria, S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 32 | €120,000 |
| 2021-08-24 | Actamedica SRL Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 28Art. 32Art. 33 | €3,000 |
| 2021-08-23 | Agency Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 32 | €1,800 |
| 2021-08-20 | MOVE Ireland Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Authority of Ireland | Art. 5Art. 32 | €1,500 |
| 2021-08-17 | Danish Immigration Agency Insufficient technical and organisational measures to ensure information security | 🇪🇺 Danish Data Protection Authority (Datatilsynet) | Art. 5Art. 32 | €20,100 |
| 2021-08-13 | President of the Zgierz District Court Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 25Art. 32 | €2,200 |
| 2021-08-05 | Insurance company Insufficient technical and organisational measures to ensure information security | 🇪🇺 National Commission for Data Protection (CNPD) | Art. 5Art. 32Art. 33 | €135,000 |
| 2021-08-02 | Club Náutico el Estacio Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 32 | €3,000 |
| 2021-07-22 | Deliveroo Italy s.r.l. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 13Art. 22Art. 25 | €2,500,000 |
| 2021-07-22 | Roma Capitale Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 12Art. 13Art. 25 | €800,000 |
| 2021-07-22 | Atac s.p.a. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 30Art. 32 | €400,000 |
| 2021-07-16 | Region of Syddanmark Insufficient technical and organisational measures to ensure information security | 🇪🇺 Danish Data Protection Authority (Datatilsynet) | Art. 32 | €67,900 |
| 2021-07-05 | Mermaids Insufficient technical and organisational measures to ensure information security | 🇪🇺 Information Commissioner (ICO) | Art. 5Art. 32 | €29,000 |
| 2021-07-05 | IT services company Insufficient technical and organisational measures to ensure information security | 🇪🇺 Croatian Data Protection Authority (azop) | Art. 32 | — |
| 2021-06-16 | Vejle Municipality Insufficient technical and organisational measures to ensure information security | 🇪🇺 Danish Data Protection Authority (Datatilsynet) | Art. 32 | €27,000 |
| 2021-06-14 | BRICO PRIVÉ Non-compliance with general data processing principles | 🇪🇺 French Data Protection Authority (CNIL) | Art. 5Art. 13Art. 17Art. 32 | €500,000 |