Skip to content

Article 38 GDPR — enforcement

Cited in 33 decisions · €10.0M total fines · median €18,700 · top authority: 🇪🇺Polish National Personal Data Protection Office (UODO) (8)

Date ↓ Company / party Authority Articles Fine
2026-02-10 Fundację Lumus
Non-compliance with general data processing principles
🇵🇱 Polish National Personal Data Protection Office (UODO) Art. 33Art. 34Art. 37Art. 38 €5,220
2026-01-02 Polish Postal Service
Lack of appointment of data protection officer
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 38 €232,379
2025-09-18 SAMARITAINE SAS
Non-compliance with general data processing principles
🇪🇺 French Data Protection Authority (CNIL) Art. 5Art. 33Art. 38 €100,000
2025-09-18 SAMARITAINE SAS
Non-compliance with general data processing principles
🇪🇺 French Data Protection Authority (CNIL) Art. 5Art. 33Art. 38 €100,000
2025-09-12 POLEN, Autoriteit voor gegevensbescherming: Gebrek aan benoeming van een functionaris voor gegevensbescherming.
Lack of appointment of data protection officer
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 38 €2,670
2025-09-12 POLAND DPA: Lack of appointment of data protection officer
Lack of appointment of data protection officer
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 38 €2,670
2025-07-21 McDonald’s Polska Sp. z o.o.
Non-compliance with general data processing principles
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 25Art. 28Art. 38 €3,955,000
2025-07-21 McDonald’s Polska Sp. z o.o.
Non-compliance with general data processing principles
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 25Art. 28Art. 38 €3,955,000
2025-07-21 24/7 Communication Sp. z o.o.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 25Art. 38 €43,000
2025-07-21 24/7 Communication Sp. z o.o.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 25Art. 38 €43,000
2025-07-10 Nursery School “La Combricola Dei Birichini Di Betty”
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 12 €10,000
2025-07-10 Nursery School “La Combricola Dei Birichini Di Betty”
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 12 €10,000
2025-03-24 Company
Insufficient legal basis for data processing
🇪🇺 Croatian Data Protection Authority (azop) Art. 5Art. 6Art. 12Art. 14 €40,000
2025-03-24 Company
Insufficient legal basis for data processing
🇪🇺 Croatian Data Protection Authority (azop) Art. 5Art. 6Art. 12Art. 14 €40,000
2025-03-10 Telenor ASA.
Non-compliance with general data processing principles
🇪🇺 Norwegian Supervisory Authority (Datatilsynet) Art. 24Art. 37Art. 38 €338,000
2024-12-18 Company
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 38Art. 30Art. 35 €135,600
2024-10-16 Company
Lack of appointment of data protection officer
🇪🇺 Austrian Data Protection Authority (dsb) Art. 38 €5,000
2024-09-13 Hospital
Insufficient technical and organisational measures to ensure information security
🇪🇺 Croatian Data Protection Authority (azop) Art. 5Art. 6Art. 12Art. 13 €190,000
2024-04-11 Libero Consorzio comunale di Enna
Insufficient involvement of data protection officer
🇪🇺 Italian Data Protection Authority (Garante) Art. 37Art. 38 €6,000
2023-11-02 APOLLONIA TOPCO, S.L.
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 38 €30,000
2023-09-26 Hotel
Insufficient legal basis for data processing
🇪🇺 Croatian Data Protection Authority (azop) Art. 6Art. 13Art. 32Art. 38 €15,000
2023-01-01 MALTA DPA: Insufficient fulfilment of data subjects rights
Insufficient fulfilment of data subjects rights
🇪🇺 Data Protection Commissioner of Malta Art. 5Art. 12Art. 13Art. 14 €2,500
2022-11-10 Conservatorio di Musica S. Cecilia di Roma
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 38Art. 2 €6,000
2022-09-20 Company
Insufficient involvement of data protection officer
🇪🇺 Data Protection Authority of Berlin Art. 38 €525,000
2022-08-01 Policoro municipality
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 12Art. 13Art. 24 €26,000