Article 38 GDPR — enforcement
Cited in 33 decisions · €10.0M total fines · median €18,700 · top authority: 🇪🇺Polish National Personal Data Protection Office (UODO) (8)
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2026-02-10 | Fundację Lumus Non-compliance with general data processing principles | 🇵🇱 Polish National Personal Data Protection Office (UODO) | Art. 33Art. 34Art. 37Art. 38 | €5,220 |
| 2026-01-02 | Polish Postal Service Lack of appointment of data protection officer | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 38 | €232,379 |
| 2025-09-18 | SAMARITAINE SAS Non-compliance with general data processing principles | 🇪🇺 French Data Protection Authority (CNIL) | Art. 5Art. 33Art. 38 | €100,000 |
| 2025-09-18 | SAMARITAINE SAS Non-compliance with general data processing principles | 🇪🇺 French Data Protection Authority (CNIL) | Art. 5Art. 33Art. 38 | €100,000 |
| 2025-09-12 | POLEN, Autoriteit voor gegevensbescherming: Gebrek aan benoeming van een functionaris voor gegevensbescherming. Lack of appointment of data protection officer | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 38 | €2,670 |
| 2025-09-12 | POLAND DPA: Lack of appointment of data protection officer Lack of appointment of data protection officer | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 38 | €2,670 |
| 2025-07-21 | McDonald’s Polska Sp. z o.o. Non-compliance with general data processing principles | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 25Art. 28Art. 38 | €3,955,000 |
| 2025-07-21 | McDonald’s Polska Sp. z o.o. Non-compliance with general data processing principles | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 25Art. 28Art. 38 | €3,955,000 |
| 2025-07-21 | 24/7 Communication Sp. z o.o. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 25Art. 38 | €43,000 |
| 2025-07-21 | 24/7 Communication Sp. z o.o. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 25Art. 38 | €43,000 |
| 2025-07-10 | Nursery School “La Combricola Dei Birichini Di Betty” Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 12 | €10,000 |
| 2025-07-10 | Nursery School “La Combricola Dei Birichini Di Betty” Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 7Art. 12 | €10,000 |
| 2025-03-24 | Company Insufficient legal basis for data processing | 🇪🇺 Croatian Data Protection Authority (azop) | Art. 5Art. 6Art. 12Art. 14 | €40,000 |
| 2025-03-24 | Company Insufficient legal basis for data processing | 🇪🇺 Croatian Data Protection Authority (azop) | Art. 5Art. 6Art. 12Art. 14 | €40,000 |
| 2025-03-10 | Telenor ASA. Non-compliance with general data processing principles | 🇪🇺 Norwegian Supervisory Authority (Datatilsynet) | Art. 24Art. 37Art. 38 | €338,000 |
| 2024-12-18 | Company Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 38Art. 30Art. 35 | €135,600 |
| 2024-10-16 | Company Lack of appointment of data protection officer | 🇪🇺 Austrian Data Protection Authority (dsb) | Art. 38 | €5,000 |
| 2024-09-13 | Hospital Insufficient technical and organisational measures to ensure information security | 🇪🇺 Croatian Data Protection Authority (azop) | Art. 5Art. 6Art. 12Art. 13 | €190,000 |
| 2024-04-11 | Libero Consorzio comunale di Enna Insufficient involvement of data protection officer | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 37Art. 38 | €6,000 |
| 2023-11-02 | APOLLONIA TOPCO, S.L. Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 38 | €30,000 |
| 2023-09-26 | Hotel Insufficient legal basis for data processing | 🇪🇺 Croatian Data Protection Authority (azop) | Art. 6Art. 13Art. 32Art. 38 | €15,000 |
| 2023-01-01 | MALTA DPA: Insufficient fulfilment of data subjects rights Insufficient fulfilment of data subjects rights | 🇪🇺 Data Protection Commissioner of Malta | Art. 5Art. 12Art. 13Art. 14 | €2,500 |
| 2022-11-10 | Conservatorio di Musica S. Cecilia di Roma Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 38Art. 2 | €6,000 |
| 2022-09-20 | Company Insufficient involvement of data protection officer | 🇪🇺 Data Protection Authority of Berlin | Art. 38 | €525,000 |
| 2022-08-01 | Policoro municipality Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 12Art. 13Art. 24 | €26,000 |
1–25 of 33 next →