Article 33 GDPR — enforcement

Cited in 118 decisions · €34.3M total fines · median €20,363 · top authority: 🇪🇺 Polish National Personal Data Protection Office (UODO) (25)

| Date | Company / party | Violation type | Authority | Articles | Fine |
|---|---|---|---|---|---|
| 2022-01-01 | Covid-19 test center | Insufficient legal basis for data processing | 🇪🇺 Data Protection Authority of Hessen | Art. 6, Art. 33 | €16,400 |
| 2022-01-01 | Logistics company | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Authority of Hamburg | Art. 32, Art. 33 | |
| 2022-01-01 | Company | Insufficient fulfilment of data breach notification obligations | 🇪🇺 Data Protection Authority of Bremen | Art. 33 | |
| 2021-12-29 | Greek Ministry of Tourism | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 13, Art. 32, Art. 33, Art. 37 | €75,000 |
| 2021-12-07 | Psykoterapiakeskus Vastaamo | Non-compliance with general data processing principles | 🇪🇺 Deputy Data Protection Ombudsman | Art. 5, Art. 33, Art. 34 | €608,000 |
| 2021-12-02 | Irish Teacher Council | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Authority of Ireland | Art. 5, Art. 32, Art. 33 | €60,000 |
| 2021-10-14 | Bank Millennium S.A | Insufficient fulfilment of data breach notification obligations | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 33, Art. 34 | €78,000 |
| 2021-08-24 | Actamedica SRL | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 28, Art. 32, Art. 33 | €3,000 |
| 2021-08-05 | Insurance company | Insufficient technical and organisational measures to ensure information security | 🇪🇺 National Commission for Data Protection (CNPD) | Art. 5, Art. 32, Art. 33 | €135,000 |
| 2021-06-30 | Fundację Promocji Mediacji i Edukacji Prawnej Lex Nostra | Insufficient fulfilment of data breach notification obligations | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 33, Art. 34 | €3,000 |
| 2021-06-21 | Sopockie Towarzystwo Ubezpieczeń ERGO Hestia S.A. | Insufficient fulfilment of data breach notification obligations | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 33, Art. 34 | €35,300 |
| 2021-03-25 | Fastweb S.p.A. | Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5, Art. 6, Art. 7, Art. 12 | €4,500,000 |
| 2021-03-24 | Budapest Főváros Kormányhivatala XI. kerületi Hivatalát (11th District Public Health Department of the Government Office of the Capital City Budapest) | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | Art. 32, Art. 33, Art. 34 | €27,700 |
| 2021-03-15 | Air Europa Lineas Aereas, SA. | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 32, Art. 33 | €600,000 |
| 2021-03-03 | Hellenic Bank | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Cypriot Data Protection Commissioner | Art. 5, Art. 32, Art. 33 | €25,000 |
| 2021-01-22 | BELGIUM DPA: Insufficient technical and organisational measures to ensure information security | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Belgian Data Protection Authority (APD) | Art. 5, Art. 24, Art. 32, Art. 33 | €25,000 |
| 2021-01-11 | Enea S.A. | Insufficient fulfilment of data breach notification obligations | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 33 | €30,000 |
| 2021-01-05 | Śląski Uniwersytet Medyczny (Medical University of Silesia) | Insufficient fulfilment of data breach notification obligations | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 33, Art. 34 | €5,500 |
| 2020-12-28 | Towarzystwo Ubezpieczeń i Reasekuracji WARTA S.A. | Insufficient fulfilment of data breach notification obligations | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 33, Art. 34 | €18,930 |
| 2020-12-17 | University College Dublin | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Authority of Ireland | Art. 5, Art. 32, Art. 33 | €70,000 |
| 2020-12-17 | Doctor | Insufficient technical and organisational measures to ensure information security | 🇪🇺 French Data Protection Authority (CNIL) | Art. 32, Art. 33 | €6,000 |
| 2020-12-17 | Doctor | Insufficient technical and organisational measures to ensure information security | 🇪🇺 French Data Protection Authority (CNIL) | Art. 32, Art. 33 | €3,000 |
| 2020-12-15 | Twitter International Company | Insufficient fulfilment of data breach notification obligations | 🇪🇺 Data Protection Authority of Ireland | Art. 33 | €450,000 |
| 2020-12-10 | Booking.com B.V. | Insufficient fulfilment of data breach notification obligations | 🇪🇺 Dutch Supervisory Authority for Data Protection (AP) | Art. 33 | €475,000 |
| 2020-12-09 | TUiR Warta S.A. | Insufficient fulfilment of data breach notification obligations | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 33, Art. 34 | €18,850 |