Skip to content

Article 37 GDPR — enforcement

Cited in 60 decisions · €6.6M total fines · median €6,000 · top authority: 🇪🇺Italian Data Protection Authority (Garante) (37)

Date ↓ Company / party Authority Articles Fine
2026-02-10 Fundację Lumus
Non-compliance with general data processing principles
🇵🇱 Polish National Personal Data Protection Office (UODO) Art. 33Art. 34Art. 37Art. 38 €5,220
2025-10-23 'Statista Aldo Moro' Higher Education Institute in Fara Sabina
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 37 €4,000
2025-10-23 'Statista Aldo Moro' Higher Education Institute in Fara Sabina
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 37 €4,000
2025-10-23 Comune di Avola
Lack of appointment of data protection officer
🇪🇺 Italian Data Protection Authority (Garante) Art. 37 €2,000
2025-10-23 Comune di Avola
Lack of appointment of data protection officer
🇪🇺 Italian Data Protection Authority (Garante) Art. 37 €2,000
2025-10-09 Interprovincial Order of Medical Radiology Technicians and Technical Health Professions in Rehabilitation and Prevention of AQ - CH - PE - TE
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 37 €6,000
2025-10-09 Interprovincial Order of Medical Radiology Technicians and Technical Health Professions in Rehabilitation and Prevention of AQ - CH - PE - TE
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 37 €6,000
2025-09-11 Municipality of Buccino
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9Art. 13 €6,000
2025-09-11 Municipality of Buccino
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9Art. 13 €6,000
2025-07-10 Nursery School “La Combricola Dei Birichini Di Betty”
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 12 €10,000
2025-07-10 Nursery School “La Combricola Dei Birichini Di Betty”
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 12 €10,000
2025-07-10 Comune di Conversano
Lack of appointment of data protection officer
🇪🇺 Italian Data Protection Authority (Garante) Art. 37 €3,000
2025-07-10 Comune di Conversano
Lack of appointment of data protection officer
🇪🇺 Italian Data Protection Authority (Garante) Art. 37 €3,000
2025-04-02 Hospital
Non-compliance with general data processing principles
🇲🇹 Data Protection Commissioner of Malta Art. 5Art. 6Art. 14Art. 16 €20,000
2025-03-27 Municipality of Palma di Montechiaro
Lack of appointment of data protection officer
🇪🇺 Italian Data Protection Authority (Garante) Art. 37 €3,000
2025-03-27 Municipality of Palma di Montechiaro
Lack of appointment of data protection officer
🇪🇺 Italian Data Protection Authority (Garante) Art. 37 €3,000
2025-03-24 Casino
Lack of appointment of data protection officer
🇪🇺 Croatian Data Protection Authority (azop) Art. 37 €12,000
2025-03-24 Oil and fat manufacturer
Lack of appointment of data protection officer
🇪🇺 Croatian Data Protection Authority (azop) Art. 37 €10,000
2025-03-10 Telenor ASA.
Non-compliance with general data processing principles
🇪🇺 Norwegian Supervisory Authority (Datatilsynet) Art. 24Art. 37Art. 38 €338,000
2025-01-16 Realmaps S.r.l.
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 12 €100,000
2024-12-14 Maddaloni municipality
Insufficient involvement of data protection officer
🇪🇺 Italian Data Protection Authority (Garante) Art. 37 €2,000
2024-12-14 Torre Annunziata municipality
Insufficient involvement of data protection officer
🇪🇺 Italian Data Protection Authority (Garante) Art. 37 €2,000
2024-10-18 POLAND DPA: Insufficient involvement of data protection officer
Insufficient involvement of data protection officer
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 37 €5,800
2024-07-22 Municipality of Korou
Insufficient involvement of data protection officer
🇪🇺 French Data Protection Authority (CNIL) Art. 31Art. 37 €6,900
2024-06-06 Comune di Ustica
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9Art. 37 €500