Article 33 GDPR — enforcement
Cited in 118 decisions · €34.3M total fines · median €20,363 · top authority: 🇪🇺Polish National Personal Data Protection Office (UODO) (25)
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2022-01-01 | Covid-19 test center Insufficient legal basis for data processing | 🇪🇺 Data Protection Authority of Hessen | Art. 6Art. 33 | €16,400 |
| 2022-01-01 | Logistics company Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Authority of Hamburg | Art. 32Art. 33 | — |
| 2022-01-01 | Company Insufficient fulfilment of data breach notification obligations | 🇪🇺 Data Protection Authority of Bremen | Art. 33 | — |
| 2021-12-29 | Greek Ministry of Tourism Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 13Art. 32Art. 33Art. 37 | €75,000 |
| 2021-12-07 | Psykoterapiakeskus Vastaamo Non-compliance with general data processing principles | 🇪🇺 Deputy Data Protection Ombudsman | Art. 5Art. 33Art. 34 | €608,000 |
| 2021-12-02 | Irish Teacher Council Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Authority of Ireland | Art. 5Art. 32Art. 33 | €60,000 |
| 2021-10-14 | Bank Millennium S.A Insufficient fulfilment of data breach notification obligations | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 33Art. 34 | €78,000 |
| 2021-08-24 | Actamedica SRL Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 28Art. 32Art. 33 | €3,000 |
| 2021-08-05 | Insurance company Insufficient technical and organisational measures to ensure information security | 🇪🇺 National Commission for Data Protection (CNPD) | Art. 5Art. 32Art. 33 | €135,000 |
| 2021-06-30 | Fundację Promocji Mediacji i Edukacji Prawnej Lex Nostra Insufficient fulfilment of data breach notification obligations | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 33Art. 34 | €3,000 |
| 2021-06-21 | Sopockie Towarzystwo Ubezpieczeń ERGO Hestia S.A. Insufficient fulfilment of data breach notification obligations | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 33Art. 34 | €35,300 |
| 2021-03-25 | Fastweb S.p.A. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 12 | €4,500,000 |
| 2021-03-24 | Budapest Főváros Kormányhivatala XI. kerületi Hivatalát (11th District Public Health Department of the Government Office of the Capital City Budapest) Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | Art. 32Art. 33Art. 34 | €27,700 |
| 2021-03-15 | Air Europa Lineas Aereas, SA. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 32Art. 33 | €600,000 |
| 2021-03-03 | Hellenic Bank Insufficient technical and organisational measures to ensure information security | 🇪🇺 Cypriot Data Protection Commissioner | Art. 5Art. 32Art. 33 | €25,000 |
| 2021-01-22 | BELGIUM DPA: Insufficient technical and organisational measures to ensure information security Insufficient technical and organisational measures to ensure information security | 🇪🇺 Belgian Data Protection Authority (APD) | Art. 5Art. 24Art. 32Art. 33 | €25,000 |
| 2021-01-11 | Enea S.A. Insufficient fulfilment of data breach notification obligations | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 33 | €30,000 |
| 2021-01-05 | Śląski Uniwersytet Medyczny (Medical University of Silesia) Insufficient fulfilment of data breach notification obligations | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 33Art. 34 | €5,500 |
| 2020-12-28 | Towarzystwo Ubezpieczeń i Reasekuracji WARTA S.A. Insufficient fulfilment of data breach notification obligations | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 33Art. 34 | €18,930 |
| 2020-12-17 | University College Dublin Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Authority of Ireland | Art. 5Art. 32Art. 33 | €70,000 |
| 2020-12-17 | Doctor Insufficient technical and organisational measures to ensure information security | 🇪🇺 French Data Protection Authority (CNIL) | Art. 32Art. 33 | €6,000 |
| 2020-12-17 | Doctor Insufficient technical and organisational measures to ensure information security | 🇪🇺 French Data Protection Authority (CNIL) | Art. 32Art. 33 | €3,000 |
| 2020-12-15 | Twitter International Company Insufficient fulfilment of data breach notification obligations | 🇪🇺 Data Protection Authority of Ireland | Art. 33 | €450,000 |
| 2020-12-10 | Booking.com B.V. Insufficient fulfilment of data breach notification obligations | 🇪🇺 Dutch Supervisory Authority for Data Protection (AP) | Art. 33 | €475,000 |
| 2020-12-09 | TUiR Warta S.A. Insufficient fulfilment of data breach notification obligations | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 33Art. 34 | €18,850 |