Article 37 GDPR — enforcement
Cited in 60 decisions · €6.6M total fines · median €6,000 · top authority: 🇪🇺Italian Data Protection Authority (Garante) (37)
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2024-04-11 | Libero Consorzio comunale di Enna Insufficient involvement of data protection officer | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 37Art. 38 | €6,000 |
| 2024-01-31 | Municipality of Siracusa Insufficient involvement of data protection officer | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 37 | €5,000 |
| 2024-01-31 | Provincia di Sassari Insufficient involvement of data protection officer | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 37 | €2,000 |
| 2024-01-31 | Provincia di Catanzaro Insufficient involvement of data protection officer | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 37 | €2,000 |
| 2024-01-31 | Libero Consorzio comunale di Caltanissetta Insufficient involvement of data protection officer | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 37 | €2,000 |
| 2024-01-29 | Ministry of Rural Development and Food Insufficient involvement of data protection officer | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 31Art. 37 | €25,000 |
| 2024-01-24 | Municipality Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 9Art. 37 | €6,000 |
| 2023-12-12 | Kourou municipality Insufficient cooperation with supervisory authority | 🇪🇺 French Data Protection Authority (CNIL) | Art. 31Art. 37 | €5,000 |
| 2023-07-18 | Municipality of Modica Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 12Art. 13Art. 25 | €45,000 |
| 2023-04-20 | KFC RESTAURANTS SPAIN, S.L. Insufficient involvement of data protection officer | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 13Art. 37 | €25,000 |
| 2022-12-15 | Comune di Borgia Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 9Art. 37 | €5,000 |
| 2022-11-10 | Poliambulatorio Radiologico 'il Sorriso' S.r.l. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 13Art. 37 | €15,000 |
| 2022-11-10 | Cisterna di Latina municipality Insufficient fulfilment of data subjects rights | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 12Art. 37 | €5,000 |
| 2022-11-10 | Cisterna di Latina Municipality Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 12Art. 37 | €5,000 |
| 2022-11-02 | Setúbal municipality Non-compliance with general data processing principles | 🇪🇺 Portuguese Data Protection Authority (CNPD) | Art. 5Art. 13Art. 37 | €180,000 |
| 2022-05-12 | Villabate municipality Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 37Art. 38 | €6,000 |
| 2022-04-28 | Amiu S.p.A. Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 28Art. 37 | €200,000 |
| 2022-03-10 | Azienda sanitaria provinciale di Caltanissetta Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 12Art. 15 | €6,000 |
| 2022-02-02 | IAB Europe Insufficient legal basis for data processing | 🇪🇺 Belgian Data Protection Authority (APD) | Art. 5Art. 6Art. 9Art. 12 | €0 |
| 2021-12-29 | Greek Ministry of Tourism Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 13Art. 32Art. 33Art. 37 | €75,000 |
| 2021-12-16 | Centro di Medicina preventiva s.r.l. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 25Art. 32Art. 37 | €10,000 |
| 2021-10-27 | Company Insufficient involvement of data protection officer | 🇪🇺 National Commission for Data Protection (CNPD) | Art. 37Art. 38Art. 39 | €18,700 |
| 2021-10-13 | LUXEMBOURG DPA: Insufficient involvement of data protection officer Insufficient involvement of data protection officer | 🇪🇺 National Commission for Data Protection (CNPD) | Art. 37Art. 38Art. 39 | €18,000 |
| 2021-09-29 | ACONCAGUA JUEGOS S.A. Insufficient involvement of data protection officer | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 37 | €10,000 |
| 2021-07-22 | Deliveroo Italy s.r.l. Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 13Art. 22Art. 25 | €2,500,000 |