Skip to content

Article 33 GDPR — enforcement

Cited in 118 decisions · €34.3M total fines · median €20,363 · top authority: 🇪🇺Polish National Personal Data Protection Office (UODO) (25)

Date ↓ Company / party Authority Articles Fine
2026-05-29 Unicredit Bank SA
Insufficient technical and organisational measures to ensure information security
🇷🇴 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 32Art. 33 €12,000
2026-05-08 Permanent TSB
Insufficient technical and organisational measures to ensure information security
🇮🇪 Data Protection Authority of Ireland Art. 5Art. 32Art. 33 €277,500
2026-04-07 Housing Associaction
Insufficient fulfilment of data breach notification obligations
🇵🇱 Polish National Personal Data Protection Office (UODO) Art. 33 €2,350
2026-02-10 Fundację Lumus
Non-compliance with general data processing principles
🇵🇱 Polish National Personal Data Protection Office (UODO) Art. 33Art. 34Art. 37Art. 38 €5,220
2025-12-12 Chief Constable of the Police Service of Scotland
Insufficient technical and organisational measures to ensure information security
🇬🇧 Information Commissioner (ICO) Art. 5Art. 25Art. 32Art. 33 €75,700
2025-12-10 University of Limerick
Insufficient technical and organisational measures to ensure information security
🇮🇪 Data Protection Authority of Ireland Art. 5Art. 30Art. 32Art. 33 €98,000
2025-10-23 Court Bailiff
Insufficient fulfilment of data breach notification obligations
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 33Art. 34 €5,000
2025-10-23 Court Bailiff
Insufficient fulfilment of data breach notification obligations
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 33Art. 34 €5,000
2025-09-18 SAMARITAINE SAS
Non-compliance with general data processing principles
🇪🇺 French Data Protection Authority (CNIL) Art. 5Art. 33Art. 38 €100,000
2025-09-18 SAMARITAINE SAS
Non-compliance with general data processing principles
🇪🇺 French Data Protection Authority (CNIL) Art. 5Art. 33Art. 38 €100,000
2025-09-04 Company
Insufficient fulfilment of data breach notification obligations
🇪🇺 Austrian Data Protection Authority (dsb) Art. 33 €870
2025-09-04 Company
Insufficient fulfilment of data breach notification obligations
🇪🇺 Austrian Data Protection Authority (dsb) Art. 33 €870
2025-07-21 Hestia Publishers & Booksellers I. D. Kollaros & Co. S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 5Art. 25Art. 32Art. 33 €9,000
2025-07-21 Hestia Publishers & Booksellers I. D. Kollaros & Co. S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 5Art. 25Art. 32Art. 33 €9,000
2025-07-18 ADMINISTRACIONES BENIPON, S.L.
Insufficient fulfilment of data breach notification obligations
🇪🇺 Spanish Data Protection Authority (aepd) Art. 28Art. 33 €1,100
2025-07-18 ADMINISTRACIONES BENIPON, S.L.
Insufficient fulfilment of data breach notification obligations
🇪🇺 Spanish Data Protection Authority (aepd) Art. 28Art. 33 €1,100
2025-07-10 Poste Vita S.p.a.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 33 €80,000
2025-07-10 Poste Vita S.p.a.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 33 €80,000
2025-06-24 Birthlink
Insufficient technical and organisational measures to ensure information security
🇪🇺 Information Commissioner (ICO) Art. 5Art. 32Art. 33 €20,725
2025-06-24 Birthlink
Insufficient technical and organisational measures to ensure information security
🇪🇺 Information Commissioner (ICO) Art. 5Art. 32Art. 33 €20,725
2025-06-23 City of Dublin Education and Training Board
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Ireland Art. 5Art. 32Art. 33Art. 34 €125,000
2025-06-23 City of Dublin Education and Training Board
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Ireland Art. 5Art. 32Art. 33Art. 34 €125,000
2025-04-25 SC Travel Planner SRL
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 12Art. 15Art. 32Art. 33 €6,000
2025-04-25 SC Travel Planner SRL
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 12Art. 15Art. 32Art. 33 €6,000
2025-04-14 DPP Law Ltd.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Information Commissioner (ICO) Art. 5Art. 32Art. 33 €70,300