Article 33 GDPR — enforcement
Cited in 118 decisions · €34.3M total fines · median €20,363 · top authority: 🇪🇺Polish National Personal Data Protection Office (UODO) (25)
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2026-05-29 | Unicredit Bank SA Insufficient technical and organisational measures to ensure information security | 🇷🇴 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32Art. 33 | €12,000 |
| 2026-05-08 | Permanent TSB Insufficient technical and organisational measures to ensure information security | 🇮🇪 Data Protection Authority of Ireland | Art. 5Art. 32Art. 33 | €277,500 |
| 2026-04-07 | Housing Associaction Insufficient fulfilment of data breach notification obligations | 🇵🇱 Polish National Personal Data Protection Office (UODO) | Art. 33 | €2,350 |
| 2026-02-10 | Fundację Lumus Non-compliance with general data processing principles | 🇵🇱 Polish National Personal Data Protection Office (UODO) | Art. 33Art. 34Art. 37Art. 38 | €5,220 |
| 2025-12-12 | Chief Constable of the Police Service of Scotland Insufficient technical and organisational measures to ensure information security | 🇬🇧 Information Commissioner (ICO) | Art. 5Art. 25Art. 32Art. 33 | €75,700 |
| 2025-12-10 | University of Limerick Insufficient technical and organisational measures to ensure information security | 🇮🇪 Data Protection Authority of Ireland | Art. 5Art. 30Art. 32Art. 33 | €98,000 |
| 2025-10-23 | Court Bailiff Insufficient fulfilment of data breach notification obligations | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 33Art. 34 | €5,000 |
| 2025-10-23 | Court Bailiff Insufficient fulfilment of data breach notification obligations | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 33Art. 34 | €5,000 |
| 2025-09-18 | SAMARITAINE SAS Non-compliance with general data processing principles | 🇪🇺 French Data Protection Authority (CNIL) | Art. 5Art. 33Art. 38 | €100,000 |
| 2025-09-18 | SAMARITAINE SAS Non-compliance with general data processing principles | 🇪🇺 French Data Protection Authority (CNIL) | Art. 5Art. 33Art. 38 | €100,000 |
| 2025-09-04 | Company Insufficient fulfilment of data breach notification obligations | 🇪🇺 Austrian Data Protection Authority (dsb) | Art. 33 | €870 |
| 2025-09-04 | Company Insufficient fulfilment of data breach notification obligations | 🇪🇺 Austrian Data Protection Authority (dsb) | Art. 33 | €870 |
| 2025-07-21 | Hestia Publishers & Booksellers I. D. Kollaros & Co. S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 5Art. 25Art. 32Art. 33 | €9,000 |
| 2025-07-21 | Hestia Publishers & Booksellers I. D. Kollaros & Co. S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 5Art. 25Art. 32Art. 33 | €9,000 |
| 2025-07-18 | ADMINISTRACIONES BENIPON, S.L. Insufficient fulfilment of data breach notification obligations | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 28Art. 33 | €1,100 |
| 2025-07-18 | ADMINISTRACIONES BENIPON, S.L. Insufficient fulfilment of data breach notification obligations | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 28Art. 33 | €1,100 |
| 2025-07-10 | Poste Vita S.p.a. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 33 | €80,000 |
| 2025-07-10 | Poste Vita S.p.a. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 33 | €80,000 |
| 2025-06-24 | Birthlink Insufficient technical and organisational measures to ensure information security | 🇪🇺 Information Commissioner (ICO) | Art. 5Art. 32Art. 33 | €20,725 |
| 2025-06-24 | Birthlink Insufficient technical and organisational measures to ensure information security | 🇪🇺 Information Commissioner (ICO) | Art. 5Art. 32Art. 33 | €20,725 |
| 2025-06-23 | City of Dublin Education and Training Board Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Authority of Ireland | Art. 5Art. 32Art. 33Art. 34 | €125,000 |
| 2025-06-23 | City of Dublin Education and Training Board Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Authority of Ireland | Art. 5Art. 32Art. 33Art. 34 | €125,000 |
| 2025-04-25 | SC Travel Planner SRL Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 12Art. 15Art. 32Art. 33 | €6,000 |
| 2025-04-25 | SC Travel Planner SRL Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 12Art. 15Art. 32Art. 33 | €6,000 |
| 2025-04-14 | DPP Law Ltd. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Information Commissioner (ICO) | Art. 5Art. 32Art. 33 | €70,300 |
1–25 of 118 next →