Article 32 GDPR — enforcement
Cited in 762 decisions · €504.3M total fines · median €15,600 · top authority: 🇪🇺Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) (175)
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2025-10-28 | SIA 'ZZ Dats' Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data State Inspectorate (DSI) | Art. 32 | €300,000 |
| 2025-10-28 | SIA 'ZZ Dats' Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data State Inspectorate (DSI) | Art. 32 | €300,000 |
| 2025-10-23 | Aktia Pankki Oyj Insufficient technical and organisational measures to ensure information security | 🇪🇺 Deputy Data Protection Ombudsman | Art. 5Art. 25Art. 32 | €865,000 |
| 2025-10-23 | Aktia Pankki Oyj Insufficient technical and organisational measures to ensure information security | 🇪🇺 Deputy Data Protection Ombudsman | Art. 5Art. 25Art. 32 | €865,000 |
| 2025-10-20 | S.P.E.E.H. HIDROELECTRICA SA Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €5,000 |
| 2025-10-20 | S.P.E.E.H. HIDROELECTRICA SA Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €5,000 |
| 2025-10-16 | PRIME TRANSACTION SA Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €2,000 |
| 2025-10-16 | PRIME TRANSACTION SA Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €2,000 |
| 2025-10-15 | CAPITA PLC Insufficient technical and organisational measures to ensure information security | 🇪🇺 Information Commissioner (ICO) | Art. 5Art. 32 | €9,180,000 |
| 2025-10-15 | CAPITA PLC Insufficient technical and organisational measures to ensure information security | 🇪🇺 Information Commissioner (ICO) | Art. 5Art. 32 | €9,180,000 |
| 2025-10-15 | CAPITA PENSION SOLUTIONS LIMITED Insufficient technical and organisational measures to ensure information security | 🇪🇺 Information Commissioner (ICO) | Art. 32 | €6,880,000 |
| 2025-10-15 | CAPITA PENSION SOLUTIONS LIMITED Insufficient technical and organisational measures to ensure information security | 🇪🇺 Information Commissioner (ICO) | Art. 32 | €6,880,000 |
| 2025-10-13 | Vellea Home SRL Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €5,000 |
| 2025-10-13 | Vellea Home SRL Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €5,000 |
| 2025-10-09 | EON ENERGIE ROMANIA S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €25,000 |
| 2025-10-09 | EON ENERGIE ROMANIA S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €25,000 |
| 2025-10-09 | FT Solutions S.r.l. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 12 | €5,000 |
| 2025-10-09 | FT Solutions S.r.l. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 12 | €5,000 |
| 2025-10-03 | THE RED KIWI, S.L. Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 32 | €30,000 |
| 2025-10-03 | THE RED KIWI, S.L. Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 32 | €30,000 |
| 2025-09-25 | S.C. PRIMONET RO S.R.L. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €20,000 |
| 2025-09-25 | S.C. PRIMONET RO S.R.L. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €20,000 |
| 2025-09-23 | Property manager Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 32 | €600 |
| 2025-09-23 | Property manager Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 32 | €600 |
| 2025-09-22 | DHL PARCEL IBERIA, S.L. Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 32 | €3,000 |