Skip to content

Article 34 GDPR — enforcement

Cited in 60 decisions · €83.1M total fines · median €26,350 · top authority: 🇪🇺Polish National Personal Data Protection Office (UODO) (24)

Date ↓ Company / party Authority Articles Fine
2023-12-19 District Court Krakow
Insufficient fulfilment of data breach notification obligations
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 33Art. 34 €2,300
2023-11-02 INSTITUT MARQUÉS OBSTETRICIA I GINECOLOGIA, S.L.P.
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 32Art. 34 €48,000
2023-10-25 ENDESA ENERGÍA, S.A.U.
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 32Art. 33Art. 34 €6,100,000
2023-07-12 Company
Insufficient fulfilment of data breach notification obligations
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 33Art. 34 €2,500
2023-05-31 Company
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 25Art. 32Art. 33 €10,600
2023-03-01 Housing cooperative
Insufficient fulfilment of data breach notification obligations
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 33Art. 34 €11,100
2023-02-07 Housing association
Insufficient fulfilment of data breach notification obligations
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 28Art. 33Art. 34 €321
2023-02-02 Piraeus Bank
Non-compliance with general data processing principles
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 5Art. 33Art. 34 €30,000
2022-07-13 Manx Care Ltd
Non-compliance with general data processing principles
🇪🇺 Information Commissioner of Isle of Man Art. 5Art. 24Art. 25Art. 32 €202,000
2022-07-06 Głównego Geodetę Kraju
Insufficient fulfilment of data breach notification obligations
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 33Art. 34 €12,450
2022-07-06 University Hospital of the Medical University of Warsaw
Insufficient fulfilment of data breach notification obligations
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 33Art. 34 €2,120
2022-04-05 Bank of Ireland
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Ireland Art. 32Art. 33Art. 34 €463,000
2022-04-04 Piraeus Bank
Non-compliance with general data processing principles
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 5Art. 33Art. 34 €10,000
2022-01-19 Santander Bank Polska S. A.
Insufficient fulfilment of data breach notification obligations
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 34 €117,000
2022-01-17 C-Planet (IT Solutions) Limited
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Commissioner of Malta Art. 5Art. 6Art. 9Art. 14 €65,000
2022-01-01 MALTA DPA: Non-compliance with general data processing principles
Non-compliance with general data processing principles
🇪🇺 Data Protection Commissioner of Malta Art. 5Art. 6Art. 9Art. 32 €65,000
2021-12-28 SLIMPAY
Insufficient technical and organisational measures to ensure information security
🇪🇺 French Data Protection Authority (CNIL) Art. 28Art. 32Art. 34 €180,000
2021-12-07 Psykoterapiakeskus Vastaamo
Non-compliance with general data processing principles
🇪🇺 Deputy Data Protection Ombudsman Art. 5Art. 33Art. 34 €608,000
2021-10-14 Bank Millennium S.A
Insufficient fulfilment of data breach notification obligations
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 33Art. 34 €78,000
2021-06-30 Fundację Promocji Mediacji i Edukacji Prawnej Lex Nostra
Insufficient fulfilment of data breach notification obligations
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 33Art. 34 €3,000
2021-06-21 Sopockie Towarzystwo Ubezpieczeń ERGO Hestia S.A.
Insufficient fulfilment of data breach notification obligations
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 33Art. 34 €35,300
2021-04-22 Cyfrowy Polsat S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish Data Protection Authority (UODO) Art. 24Art. 32Art. 34 €245,000
2021-03-25 Fastweb S.p.A.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 12 €4,500,000
2021-03-24 Budapest Főváros Kormányhivatala XI. kerületi Hivatalát (11th District Public Health Department of the Government Office of the Capital City Budapest)
Insufficient technical and organisational measures to ensure information security
🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) Art. 32Art. 33Art. 34 €27,700
2021-01-22 BELGIUM DPA: Insufficient technical and organisational measures to ensure information security
Insufficient technical and organisational measures to ensure information security
🇪🇺 Belgian Data Protection Authority (APD) Art. 5Art. 24Art. 32Art. 33 €25,000