Skip to content

Article 35 GDPR — enforcement

Cited in 88 decisions · €509.0M total fines · median €55,000 · top authority: 🇪🇺Italian Data Protection Authority (Garante) (31)

Date ↓ Company / party Authority Articles Fine
2025-06-12 Departement of Social Security
Insufficient legal basis for data processing
🇪🇺 Data Protection Authority of Ireland Art. 5Art. 6Art. 9Art. 13 €550,000
2025-04-29 Regione Lombardia
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 25Art. 28 €50,000
2025-04-29 Regione Lombardia
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 25Art. 28 €50,000
2025-03-13 Azienda regionale per lo sviluppo e per i servizi in agricoltura (ARSAC)
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 13Art. 25 €50,000
2025-02-04 Real estate company
Non-compliance with general data processing principles
🇪🇺 French Data Protection Authority (CNIL) Art. 5Art. 6Art. 12Art. 13 €40,000
2025-01-16 Realmaps S.r.l.
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 12 €100,000
2024-12-20 LIGA NACIONAL DE FÚTBOL PROFESIONAL
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 35 €1,000,000
2024-12-18 Company
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 38Art. 30Art. 35 €135,600
2024-12-17 Hospital
Insufficient technical and organisational measures to ensure information security
🇪🇺 Belgian Data Protection Authority (APD) Art. 5Art. 24Art. 32Art. 35 €200,000
2024-12-10 GENERALI ESPAÑA, SOCIEDAD ANONIMA DE SEGUROS Y REASEGUROS
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 25Art. 32Art. 35 €4,000,000
2024-11-22 CARTONAJES BAÑERES, S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 15Art. 35 €220,000
2024-11-22 CARTONAJES BAÑERES, S.A
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 15Art. 35 €220,000
2024-11-13 Foodinho Srl
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9Art. 12 €5,000,000
2024-04-02 Greek Ministry of Immigration and Asylum
Insufficient technical and organisational measures to ensure information security
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 25Art. 31Art. 35 €175,000
2024-02-12 CTC EXTERNALIZACIÓN, S.L
Insufficient fulfilment of information obligations
🇪🇺 Spanish Data Protection Authority (aepd) Art. 13Art. 32Art. 35 €365,000
2024-01-15 International Card Services B.V.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Dutch Supervisory Authority for Data Protection (AP) Art. 35 €150,000
2023-11-28 Östersund Municipality's Department for Children and Education
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Sweden Art. 35 €26,500
2023-11-16 Comune di Castel Goffredo
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 12Art. 13 €50,000
2023-09-25 Athens Urban Transport Organization
Non-compliance with general data processing principles
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 5Art. 25Art. 35 €50,000
2023-06-08 Rinascente S.p.A.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 12Art. 32Art. 35 €300,000
2023-05-03 GSMA LTD.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 35 €200,000
2023-04-28 ALBERO FORTE COMPOSITE, S.L.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 35 €12,000
2023-01-09 Praktiškas UAB
Insufficient legal basis for data processing
🇪🇺 Lithuanian Data Protection Authority (VDAI) Art. 5Art. 9Art. 13Art. 30 €6,000
2022-12-15 Azienda Universitaria Friuli Centrale
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9Art. 14Art. 35 €55,000
2022-12-15 Azienda Universitaria Friuli Occidentale
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9Art. 14Art. 35 €55,000