Article 33 GDPR — enforcement
Cited in 118 decisions · €34.3M total fines · median €20,363 · top authority: 🇪🇺Polish National Personal Data Protection Office (UODO) (25)
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2025-04-14 | DPP Law Ltd. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Information Commissioner (ICO) | Art. 5Art. 32Art. 33 | €70,300 |
| 2025-03-25 | NTT DATA ROMANIA S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32Art. 33 | €25,000 |
| 2025-03-25 | NTT DATA ROMANIA S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32Art. 33 | €25,000 |
| 2025-03-24 | Hospital Insufficient technical and organisational measures to ensure information security | 🇪🇺 Croatian Data Protection Authority (azop) | Art. 13Art. 32Art. 33Art. 34 | €3,000 |
| 2025-01-10 | National Bank of Greece S.A Insufficient technical and organisational measures to ensure information security | 🇬🇷 Hellenic Data Protection Authority (HDPA) | Art. 5Art. 15Art. 25Art. 32 | €120,000 |
| 2024-11-26 | Hospital Insufficient fulfilment of data breach notification obligations | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 33Art. 34 | €6,900 |
| 2024-11-22 | Maynooth University Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Authority of Ireland | Art. 5Art. 32Art. 33 | €40,000 |
| 2024-09-13 | Hospital Insufficient technical and organisational measures to ensure information security | 🇪🇺 Croatian Data Protection Authority (azop) | Art. 5Art. 6Art. 12Art. 13 | €190,000 |
| 2024-09-02 | National Prosecutor's Office Insufficient legal basis for data processing | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 6Art. 9Art. 33Art. 34 | €19,800 |
| 2024-07-04 | Postel S.p.A Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 25Art. 32Art. 33 | €900,000 |
| 2024-06-27 | METRO SA Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 15Art. 17Art. 24Art. 32 | €50,000 |
| 2024-05-30 | PILLOW HOTELS, S.L. Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 32Art. 33 | €4,200 |
| 2024-05-08 | DENTALCUADROS BCN S.L.P. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 32Art. 33 | €12,000 |
| 2024-04-30 | Association Insufficient fulfilment of data breach notification obligations | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 33 | €210 |
| 2024-03-21 | Azienda sanitaria locale Roma 3 Insufficient fulfilment of data breach notification obligations | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 33 | €10,000 |
| 2024-03-12 | Santander Bank Polska S.A. Insufficient fulfilment of data breach notification obligations | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 33Art. 34 | €326,000 |
| 2024-03-12 | Toyota Bank Polska S.A. Insufficient fulfilment of data breach notification obligations | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 33 | €18,000 |
| 2024-02-08 | NTT Data Italia S.P.A Insufficient fulfilment of data breach notification obligations | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 28Art. 33 | €800,000 |
| 2024-01-18 | POLAND DPA: Insufficient fulfilment of data breach notification obligations Insufficient fulfilment of data breach notification obligations | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 33Art. 34 | €2,300 |
| 2023-12-19 | District Court Krakow Insufficient fulfilment of data breach notification obligations | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 33Art. 34 | €2,300 |
| 2023-12-12 | AUSTRIA DPA: Insufficient fulfilment of data breach notification obligations Insufficient fulfilment of data breach notification obligations | 🇪🇺 Austrian Data Protection Authority (dsb) | Art. 31Art. 33 | €5,900 |
| 2023-12-07 | Hora Credit IFN SA Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 12Art. 15Art. 32Art. 33 | €24,000 |
| 2023-10-25 | ENDESA ENERGÍA, S.A.U. Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 32Art. 33Art. 34 | €6,100,000 |
| 2023-10-18 | Insurance company Insufficient fulfilment of data breach notification obligations | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 33 | €24,000 |
| 2023-10-12 | GROUPE CANAL + Insufficient fulfilment of data subjects rights | 🇪🇺 French Data Protection Authority (CNIL) | Art. 7Art. 12Art. 13Art. 14 | €600,000 |