Skip to content

Article 33 GDPR — enforcement

Cited in 118 decisions · €34.3M total fines · median €20,363 · top authority: 🇪🇺Polish National Personal Data Protection Office (UODO) (25)

Date ↓ Company / party Authority Articles Fine
2025-04-14 DPP Law Ltd.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Information Commissioner (ICO) Art. 5Art. 32Art. 33 €70,300
2025-03-25 NTT DATA ROMANIA S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 32Art. 33 €25,000
2025-03-25 NTT DATA ROMANIA S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 32Art. 33 €25,000
2025-03-24 Hospital
Insufficient technical and organisational measures to ensure information security
🇪🇺 Croatian Data Protection Authority (azop) Art. 13Art. 32Art. 33Art. 34 €3,000
2025-01-10 National Bank of Greece S.A
Insufficient technical and organisational measures to ensure information security
🇬🇷 Hellenic Data Protection Authority (HDPA) Art. 5Art. 15Art. 25Art. 32 €120,000
2024-11-26 Hospital
Insufficient fulfilment of data breach notification obligations
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 33Art. 34 €6,900
2024-11-22 Maynooth University
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Ireland Art. 5Art. 32Art. 33 €40,000
2024-09-13 Hospital
Insufficient technical and organisational measures to ensure information security
🇪🇺 Croatian Data Protection Authority (azop) Art. 5Art. 6Art. 12Art. 13 €190,000
2024-09-02 National Prosecutor's Office
Insufficient legal basis for data processing
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 6Art. 9Art. 33Art. 34 €19,800
2024-07-04 Postel S.p.A
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 25Art. 32Art. 33 €900,000
2024-06-27 METRO SA
Insufficient technical and organisational measures to ensure information security
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 15Art. 17Art. 24Art. 32 €50,000
2024-05-30 PILLOW HOTELS, S.L.
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 32Art. 33 €4,200
2024-05-08 DENTALCUADROS BCN S.L.P.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 32Art. 33 €12,000
2024-04-30 Association
Insufficient fulfilment of data breach notification obligations
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 33 €210
2024-03-21 Azienda sanitaria locale Roma 3
Insufficient fulfilment of data breach notification obligations
🇪🇺 Italian Data Protection Authority (Garante) Art. 33 €10,000
2024-03-12 Santander Bank Polska S.A.
Insufficient fulfilment of data breach notification obligations
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 33Art. 34 €326,000
2024-03-12 Toyota Bank Polska S.A.
Insufficient fulfilment of data breach notification obligations
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 33 €18,000
2024-02-08 NTT Data Italia S.P.A
Insufficient fulfilment of data breach notification obligations
🇪🇺 Italian Data Protection Authority (Garante) Art. 28Art. 33 €800,000
2024-01-18 POLAND DPA: Insufficient fulfilment of data breach notification obligations
Insufficient fulfilment of data breach notification obligations
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 33Art. 34 €2,300
2023-12-19 District Court Krakow
Insufficient fulfilment of data breach notification obligations
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 33Art. 34 €2,300
2023-12-12 AUSTRIA DPA: Insufficient fulfilment of data breach notification obligations
Insufficient fulfilment of data breach notification obligations
🇪🇺 Austrian Data Protection Authority (dsb) Art. 31Art. 33 €5,900
2023-12-07 Hora Credit IFN SA
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 12Art. 15Art. 32Art. 33 €24,000
2023-10-25 ENDESA ENERGÍA, S.A.U.
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 32Art. 33Art. 34 €6,100,000
2023-10-18 Insurance company
Insufficient fulfilment of data breach notification obligations
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 33 €24,000
2023-10-12 GROUPE CANAL +
Insufficient fulfilment of data subjects rights
🇪🇺 French Data Protection Authority (CNIL) Art. 7Art. 12Art. 13Art. 14 €600,000