Article 35 GDPR — enforcement
Cited in 88 decisions · €509.0M total fines · median €55,000 · top authority: 🇪🇺Italian Data Protection Authority (Garante) (31)
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2025-06-12 | Departement of Social Security Insufficient legal basis for data processing | 🇪🇺 Data Protection Authority of Ireland | Art. 5Art. 6Art. 9Art. 13 | €550,000 |
| 2025-04-29 | Regione Lombardia Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 25Art. 28 | €50,000 |
| 2025-04-29 | Regione Lombardia Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 25Art. 28 | €50,000 |
| 2025-03-13 | Azienda regionale per lo sviluppo e per i servizi in agricoltura (ARSAC) Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 13Art. 25 | €50,000 |
| 2025-02-04 | Real estate company Non-compliance with general data processing principles | 🇪🇺 French Data Protection Authority (CNIL) | Art. 5Art. 6Art. 12Art. 13 | €40,000 |
| 2025-01-16 | Realmaps S.r.l. Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 12 | €100,000 |
| 2024-12-20 | LIGA NACIONAL DE FÚTBOL PROFESIONAL Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 35 | €1,000,000 |
| 2024-12-18 | Company Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 38Art. 30Art. 35 | €135,600 |
| 2024-12-17 | Hospital Insufficient technical and organisational measures to ensure information security | 🇪🇺 Belgian Data Protection Authority (APD) | Art. 5Art. 24Art. 32Art. 35 | €200,000 |
| 2024-12-10 | GENERALI ESPAÑA, SOCIEDAD ANONIMA DE SEGUROS Y REASEGUROS Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 25Art. 32Art. 35 | €4,000,000 |
| 2024-11-22 | CARTONAJES BAÑERES, S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 15Art. 35 | €220,000 |
| 2024-11-22 | CARTONAJES BAÑERES, S.A Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 15Art. 35 | €220,000 |
| 2024-11-13 | Foodinho Srl Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 9Art. 12 | €5,000,000 |
| 2024-04-02 | Greek Ministry of Immigration and Asylum Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 25Art. 31Art. 35 | €175,000 |
| 2024-02-12 | CTC EXTERNALIZACIÓN, S.L Insufficient fulfilment of information obligations | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 13Art. 32Art. 35 | €365,000 |
| 2024-01-15 | International Card Services B.V. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Dutch Supervisory Authority for Data Protection (AP) | Art. 35 | €150,000 |
| 2023-11-28 | Östersund Municipality's Department for Children and Education Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Authority of Sweden | Art. 35 | €26,500 |
| 2023-11-16 | Comune di Castel Goffredo Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 12Art. 13 | €50,000 |
| 2023-09-25 | Athens Urban Transport Organization Non-compliance with general data processing principles | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 5Art. 25Art. 35 | €50,000 |
| 2023-06-08 | Rinascente S.p.A. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 12Art. 32Art. 35 | €300,000 |
| 2023-05-03 | GSMA LTD. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 35 | €200,000 |
| 2023-04-28 | ALBERO FORTE COMPOSITE, S.L. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 35 | €12,000 |
| 2023-01-09 | Praktiškas UAB Insufficient legal basis for data processing | 🇪🇺 Lithuanian Data Protection Authority (VDAI) | Art. 5Art. 9Art. 13Art. 30 | €6,000 |
| 2022-12-15 | Azienda Universitaria Friuli Centrale Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 9Art. 14Art. 35 | €55,000 |
| 2022-12-15 | Azienda Universitaria Friuli Occidentale Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 9Art. 14Art. 35 | €55,000 |