Skip to content

Article 32 GDPR — enforcement

Cited in 762 decisions · €504.3M total fines · median €15,600 · top authority: 🇪🇺Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) (175)

Date ↓ Company / party Authority Articles Fine
2020-12-03 Östergötland Region
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) Art. 5Art. 32 €243,800
2020-12-03 Municipality of Indre Østfold
Insufficient technical and organisational measures to ensure information security
🇪🇺 Norwegian Supervisory Authority (Datatilsynet) Art. 6Art. 32 €18,840
2020-12-02 Losada Advocats S.L.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 32 €10,000
2020-12-02 Comercio Online Levante, S.L.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 32 €3,000
2020-11-24 City of Stockholm
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) Art. 5Art. 32 €394,000
2020-11-24 Dada Creation S.R.L.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 32Art. 33 €5,000
2020-11-18 Carrefour France
Non-compliance with general data processing principles
🇪🇺 French Data Protection Authority (CNIL) Art. 5Art. 12Art. 13Art. 15 €2,250,000
2020-11-13 Ticketmaster UK Limited
Insufficient technical and organisational measures to ensure information security
🇪🇺 Information Commissioner (ICO) Art. 5Art. 32 €1,405,000
2020-11-12 Vodafone Italia S.p.A.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 15 €12,251,601
2020-11-11 Telecoms provider (1&1 Telecom GmbH)
Insufficient technical and organisational measures to ensure information security
🇪🇺 The Federal Commissioner for Data Protection and Freedom of Information (BfDI) Art. 32 €900,000
2020-11-10 Miguel Ibáñez Bezanilla, S.L.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 13Art. 32 €3,000
2020-10-30 Marriott International, Inc
Insufficient technical and organisational measures to ensure information security
🇪🇺 Information Commissioner (ICO) Art. 32 €20,450,000
2020-10-24 Private Individual
Non-compliance with general data processing principles
🇪🇺 Data Protection Authority of Sachsen-Anhalt Art. 5Art. 32 €200
2020-10-22 Cyprus Police
Insufficient technical and organisational measures to ensure information security
🇪🇺 Cypriot Data Protection Commissioner Art. 32 €6,000
2020-10-19 Bank of Cyprus Public Company Ltd
Insufficient technical and organisational measures to ensure information security
🇪🇺 Cypriot Data Protection Commissioner Art. 5Art. 15Art. 32Art. 33 €15,000
2020-10-16 British Airways
Insufficient technical and organisational measures to ensure information security
🇪🇺 Information Commissioner (ICO) Art. 5Art. 32 €22,046,000
2020-10-15 S.C. Marsorom S.R.L.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 32 €3,000
2020-09-30 Azienda Ospedaliera di Rilievo Nazionale 'Antonio Cardarelli' (Private Hospital)
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 13Art. 28 €80,000
2020-09-30 Scanshare s.r.l.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9Art. 32 €60,000
2020-09-08 Warsaw University of Life Sciences
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 32 €11,200
2020-09-08 Sanatatea Press Group S.R.L.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 5Art. 32 €2,000
2020-09-07 Istituto Comprensivo Statale Crucoli Torretta
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 32 €2,000
2020-09-03 Bergen Municipality
Insufficient technical and organisational measures to ensure information security
🇪🇺 Norwegian Supervisory Authority (Datatilsynet) Art. 5Art. 32 €276,000
2020-09-01 Apartment building owners association
Insufficient legal basis for data processing
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 5Art. 6Art. 12Art. 13 €500
2020-08-18 Cork University Maternity Hospital
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Ireland Art. 5Art. 32 €65,000