Article 33 GDPR — enforcement

Cited in 118 decisions · €34.3M total fines · median €20,363 · top authority: 🇪🇺 Polish National Personal Data Protection Office (UODO) (25)

| Date | Company / party | Type of violation | Authority | Articles | Fine |
|---|---|---|---|---|---|
| 2020-11-24 | Dada Creation S.R.L. | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32, Art. 33 | €5,000 |
| 2020-11-18 | Carrefour France | Non-compliance with general data processing principles | 🇪🇺 French Data Protection Authority (CNIL) | Art. 5, Art. 12, Art. 13, Art. 15 | €2,250,000 |
| 2020-11-12 | Vodafone Italia S.p.A. | Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5, Art. 6, Art. 7, Art. 15 | €12,251,601 |
| 2020-10-19 | Bank of Cyprus Public Company Ltd | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Cypriot Data Protection Commissioner | Art. 5, Art. 15, Art. 32, Art. 33 | €15,000 |
| 2020-07-02 | Saunier-Tec Mantenimientos de Calor y Frio, SL. | Insufficient fulfilment of data breach notification obligations | 🇪🇺 Spanish Data Protection Authority (AEPD) | Art. 33 | €3,600 |
| 2020-06-30 | Tusla Child and Family Agency | Insufficient fulfilment of data breach notification obligations | 🇪🇺 Data Protection Authority of Ireland | Art. 33 | €40,000 |
| 2020-06-30 | Lejre Municipality | Non-compliance with general data processing principles | 🇪🇺 Danish Data Protection Authority (Datatilsynet) | Art. 5, Art. 6, Art. 33, Art. 34 | €6,700 |
| 2020-06-16 | PVV Overijssel | Insufficient fulfilment of data breach notification obligations | 🇪🇺 Dutch Supervisory Authority for Data Protection (AP) | Art. 33 | €7,500 |
| 2020-04-29 | National Government Service Centre (NGSC) | Insufficient fulfilment of data breach notification obligations | 🇪🇺 Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | Art. 33, Art. 34 | €18,700 |
| 2019-12-10 | Hora Credit IFN SA | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 5, Art. 25, Art. 32, Art. 33 | €14,000 |
| 2019-10-24 | Military Hospital | Insufficient fulfilment of data breach notification obligations | 🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | Art. 32, Art. 33 | €7,400 |
| 2019-10-09 | Vreau Credit SRL | Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 32, Art. 33 | €20,000 |
| 2019-06-25 | HUNGARY DPA: Insufficient fulfilment of data breach notification obligations | Insufficient fulfilment of data breach notification obligations | 🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | Art. 33 | €15,150 |
| 2019-05-21 | Directorate of Social and Child Welfare Institutions of the Ferencvaros District of Budapest | Insufficient fulfilment of data breach notification obligations | 🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | Art. 33 | €286 |
| 2019-05-16 | Payment service provider UAB MisterTango | Insufficient fulfilment of data breach notification obligations | 🇪🇺 Lithuanian Data Protection Authority (VDAI) | Art. 5, Art. 32, Art. 33 | €61,500 |
| 2019-04-05 | Hungarian political party | Insufficient fulfilment of data breach notification obligations | 🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | Art. 33, Art. 34 | €34,375 |
| 2019-01-01 | Hamburger Verkehrsverbund GmbH (HVV GmbH) | Insufficient fulfilment of data breach notification obligations | 🇪🇺 Data Protection Authority of Hamburg | Art. 33, Art. 34 | €20,000 |
| 2018-01-01 | GERMANY DPA: Insufficient fulfilment of data breach notification obligations | Insufficient fulfilment of data breach notification obligations | 🇪🇺 Data Protection Authority of Hamburg | Art. 33, Art. 34 | €20,000 |