Skip to content

Article 37 GDPR — enforcement

Cited in 60 decisions · €6.6M total fines · median €6,000 · top authority: 🇪🇺Italian Data Protection Authority (Garante) (37)

Date ↓ Company / party Authority Articles Fine
2024-04-11 Libero Consorzio comunale di Enna
Insufficient involvement of data protection officer
🇪🇺 Italian Data Protection Authority (Garante) Art. 37Art. 38 €6,000
2024-01-31 Municipality of Siracusa
Insufficient involvement of data protection officer
🇪🇺 Italian Data Protection Authority (Garante) Art. 37 €5,000
2024-01-31 Provincia di Sassari
Insufficient involvement of data protection officer
🇪🇺 Italian Data Protection Authority (Garante) Art. 37 €2,000
2024-01-31 Provincia di Catanzaro
Insufficient involvement of data protection officer
🇪🇺 Italian Data Protection Authority (Garante) Art. 37 €2,000
2024-01-31 Libero Consorzio comunale di Caltanissetta
Insufficient involvement of data protection officer
🇪🇺 Italian Data Protection Authority (Garante) Art. 37 €2,000
2024-01-29 Ministry of Rural Development and Food
Insufficient involvement of data protection officer
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 31Art. 37 €25,000
2024-01-24 Municipality
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9Art. 37 €6,000
2023-12-12 Kourou municipality
Insufficient cooperation with supervisory authority
🇪🇺 French Data Protection Authority (CNIL) Art. 31Art. 37 €5,000
2023-07-18 Municipality of Modica
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 12Art. 13Art. 25 €45,000
2023-04-20 KFC RESTAURANTS SPAIN, S.L.
Insufficient involvement of data protection officer
🇪🇺 Spanish Data Protection Authority (aepd) Art. 13Art. 37 €25,000
2022-12-15 Comune di Borgia
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9Art. 37 €5,000
2022-11-10 Poliambulatorio Radiologico 'il Sorriso' S.r.l.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 13Art. 37 €15,000
2022-11-10 Cisterna di Latina municipality
Insufficient fulfilment of data subjects rights
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 12Art. 37 €5,000
2022-11-10 Cisterna di Latina Municipality
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 12Art. 37 €5,000
2022-11-02 Setúbal municipality
Non-compliance with general data processing principles
🇪🇺 Portuguese Data Protection Authority (CNPD) Art. 5Art. 13Art. 37 €180,000
2022-05-12 Villabate municipality
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 37Art. 38 €6,000
2022-04-28 Amiu S.p.A.
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 28Art. 37 €200,000
2022-03-10 Azienda sanitaria provinciale di Caltanissetta
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 12Art. 15 €6,000
2022-02-02 IAB Europe
Insufficient legal basis for data processing
🇪🇺 Belgian Data Protection Authority (APD) Art. 5Art. 6Art. 9Art. 12 €0
2021-12-29 Greek Ministry of Tourism
Insufficient technical and organisational measures to ensure information security
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 13Art. 32Art. 33Art. 37 €75,000
2021-12-16 Centro di Medicina preventiva s.r.l.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 25Art. 32Art. 37 €10,000
2021-10-27 Company
Insufficient involvement of data protection officer
🇪🇺 National Commission for Data Protection (CNPD) Art. 37Art. 38Art. 39 €18,700
2021-10-13 LUXEMBOURG DPA: Insufficient involvement of data protection officer
Insufficient involvement of data protection officer
🇪🇺 National Commission for Data Protection (CNPD) Art. 37Art. 38Art. 39 €18,000
2021-09-29 ACONCAGUA JUEGOS S.A.
Insufficient involvement of data protection officer
🇪🇺 Spanish Data Protection Authority (aepd) Art. 37 €10,000
2021-07-22 Deliveroo Italy s.r.l.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 13Art. 22Art. 25 €2,500,000