Skip to content

Article 34 GDPR — enforcement

Cited in 60 decisions · €83.1M total fines · median €26,350 · top authority: 🇪🇺Polish National Personal Data Protection Office (UODO) (24)

Date ↓ Company / party Authority Articles Fine
2026-03-26 Intesa Sanpaolo S.p.A.
Insufficient technical and organisational measures to ensure information security
🇮🇹 Italian Data Protection Authority (Garante) Art. 5Art. 24Art. 32Art. 34 €31,800,000
2026-02-10 Fundację Lumus
Non-compliance with general data processing principles
🇵🇱 Polish National Personal Data Protection Office (UODO) Art. 33Art. 34Art. 37Art. 38 €5,220
2026-01-08 FREE
Insufficient technical and organisational measures to ensure information security
🇪🇺 French Data Protection Authority (CNIL) Art. 32Art. 34 €15,000,000
2026-01-08 FREE
Insufficient technical and organisational measures to ensure information security
🇪🇺 French Data Protection Authority (CNIL) Art. 32Art. 34 €15,000,000
2025-12-10 University of Limerick
Insufficient technical and organisational measures to ensure information security
🇮🇪 Data Protection Authority of Ireland Art. 5Art. 30Art. 32Art. 33 €98,000
2025-11-28 SPRINTER MEGACENTROS DEL DEPORTE, S.L.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 34 €1,560,000
2025-11-28 SPRINTER MEGACENTROS DEL DEPORTE, S.L.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 34 €1,560,000
2025-10-23 Court Bailiff
Insufficient fulfilment of data breach notification obligations
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 33Art. 34 €5,000
2025-10-23 Court Bailiff
Insufficient fulfilment of data breach notification obligations
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 33Art. 34 €5,000
2025-07-21 Hestia Publishers & Booksellers I. D. Kollaros & Co. S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 5Art. 25Art. 32Art. 33 €9,000
2025-07-21 Hestia Publishers & Booksellers I. D. Kollaros & Co. S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 5Art. 25Art. 32Art. 33 €9,000
2025-06-23 City of Dublin Education and Training Board
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Ireland Art. 5Art. 32Art. 33Art. 34 €125,000
2025-06-23 City of Dublin Education and Training Board
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Ireland Art. 5Art. 32Art. 33Art. 34 €125,000
2025-03-24 Hospital
Insufficient technical and organisational measures to ensure information security
🇪🇺 Croatian Data Protection Authority (azop) Art. 13Art. 32Art. 33Art. 34 €3,000
2025-03-14 CENTROS COMERCIALES CARREFOUR, S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 32Art. 34 €3,200,000
2025-01-10 National Bank of Greece S.A
Insufficient technical and organisational measures to ensure information security
🇬🇷 Hellenic Data Protection Authority (HDPA) Art. 5Art. 15Art. 25Art. 32 €120,000
2024-11-26 Hospital
Insufficient fulfilment of data breach notification obligations
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 33Art. 34 €6,900
2024-10-18 Vilnius District Municipality Administration
Insufficient technical and organisational measures to ensure information security
🇪🇺 Lithuanian Data Protection Authority (VDAI) Art. 5Art. 32Art. 34 €9,000
2024-09-02 National Prosecutor's Office
Insufficient legal basis for data processing
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 6Art. 9Art. 33Art. 34 €19,800
2024-08-20 mBank
Insufficient fulfilment of data breach notification obligations
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 34 €940,000
2024-06-13 Healthcare facility
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 24Art. 25Art. 32Art. 34 €9,200
2024-06-06 Covid 19 Test Lab
Insufficient technical and organisational measures to ensure information security
🇪🇺 Austrian Data Protection Authority (dsb) Art. 9Art. 5Art. 28Art. 32 €100,000
2024-03-12 Santander Bank Polska S.A.
Insufficient fulfilment of data breach notification obligations
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 33Art. 34 €326,000
2024-01-18 POLAND DPA: Insufficient fulfilment of data breach notification obligations
Insufficient fulfilment of data breach notification obligations
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 33Art. 34 €2,300
2023-12-20 Polish Minister of Health
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 25Art. 32Art. 34 €23,000