Article 32 GDPR — enforcement
Cited in 762 decisions · €504.3M total fines · median €15,600 · top authority: 🇪🇺Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) (175)
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2025-09-22 | DHL PARCEL IBERIA, S.L. Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 32 | €3,000 |
| 2025-09-11 | Casa di Cura Città di Roma Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 9Art. 25Art. 32 | €12,000 |
| 2025-09-11 | Casa di Cura Città di Roma Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 9Art. 25Art. 32 | €12,000 |
| 2025-09-09 | Unita Turism Holding S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €5,000 |
| 2025-09-09 | Unita Turism Holding S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €5,000 |
| 2025-09-08 | S-Pankki Oyj Insufficient technical and organisational measures to ensure information security | 🇪🇺 Deputy Data Protection Ombudsman | Art. 5Art. 25Art. 32 | €1,800,000 |
| 2025-09-08 | S-Pankki Oyj Insufficient technical and organisational measures to ensure information security | 🇪🇺 Deputy Data Protection Ombudsman | Art. 5Art. 25Art. 32 | €1,800,000 |
| 2025-09-01 | La Fântâna S.R.L. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €10,000 |
| 2025-09-01 | La Fântâna S.R.L. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €10,000 |
| 2025-08-18 | SC Elite Conta SRL Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €3,000 |
| 2025-08-18 | SC Elite Conta SRL Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €3,000 |
| 2025-08-12 | REAL SOCIEDAD DE FUTBOL S.A.D. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 32 | €66,000 |
| 2025-08-12 | REAL SOCIEDAD DE FUTBOL S.A.D. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 32 | €66,000 |
| 2025-08-12 | 'FLEXICREDIT' Mutual Aid House Association Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €3,000 |
| 2025-08-12 | 'FLEXICREDIT' Mutual Aid House Association Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32 | €3,000 |
| 2025-08-11 | BIZUM, S.L. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 32 | €80,000 |
| 2025-08-11 | BIZUM, S.L. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 32 | €80,000 |
| 2025-08-05 | Bank of Cyprus Public Company Limited Insufficient technical and organisational measures to ensure information security | 🇨🇾 Cypriot Data Protection Commissioner | Art. 5Art. 24Art. 32 | €25,000 |
| 2025-08-04 | Ospedaliero-Universitaria Careggi Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 9Art. 25Art. 32 | €80,000 |
| 2025-08-04 | Ospedaliero-Universitaria Careggi Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 9Art. 25Art. 32 | €80,000 |
| 2025-08-04 | Comune di Venezia Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 25Art. 32 | €10,000 |
| 2025-08-04 | Comune di Venezia Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 25Art. 32 | €10,000 |
| 2025-08-04 | Non-Public Health Care Institution Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 25Art. 32 | €7,700 |
| 2025-08-04 | Non-Public Health Care Institution Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 25Art. 32 | €7,700 |
| 2025-07-25 | Legal Entity Insufficient technical and organisational measures to ensure information security | 🇪🇺 Slovenian Supervisory Authority (Informacijski pooblaščenec) | Art. 32 | €5,020 |