Article 5 GDPR — enforcement
Cited in 1,715 decisions · €1.8B total fines · median €10,000 · top authority: 🇪🇺 Spanish Data Protection Authority (AEPD) (541)
| Date | Company / party: violation | Authority | Articles | Fine |
|---|---|---|---|---|
| 2025-09-04 | Landlord: Insufficient legal basis for data processing | 🇪🇺 Belgian Data Protection Authority (APD) | Art. 5, Art. 6 | €9,700 |
| 2025-09-01 | Primary School: Insufficient legal basis for data processing | 🇭🇷 Croatian Data Protection Authority (AZOP) | Art. 5, Art. 6 | €2,000 |
| 2025-08-26 | ING Bank Śląski: Insufficient legal basis for data processing | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5, Art. 6 | €4,323,250 |
| 2025-08-25 | YUNEXPRESS SPAIN, S.L.: Insufficient data processing agreement | 🇪🇺 Spanish Data Protection Authority (AEPD) | Art. 5, Art. 28 | €5,400 |
| 2025-08-25 | LEIVA BUS, S.L.: Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (AEPD) | Art. 5 | €1,800 |
| 2025-08-22 | GRUPO BONATEL SL: Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (AEPD) | Art. 5 | €18,000 |
| 2025-08-22 | BANCO INVERSIS, S.A.: Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (AEPD) | Art. 5 | €6,000 |
| 2025-08-14 | WORLD 2 MEET, S.L.: Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (AEPD) | Art. 5 | €42,000 |
| 2025-08-12 | REAL SOCIEDAD DE FUTBOL S.A.D.: Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (AEPD) | Art. 5, Art. 32 | €66,000 |
| 2025-08-12 | GACM SEGUROS GENERALES, COMPAÑIA DE SEGUROS Y REASEGUROS S.A.U.: Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (AEPD) | Art. 5 | €4,800 |
| 2025-08-12 | REAL FEDERACIÓN ESPAÑOLA DE TENIS DE MESA: Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (AEPD) | Art. 5 | €1,600 |
| 2025-08-05 | Bank of Cyprus Public Company Limited: Insufficient technical and organisational measures to ensure information security | 🇨🇾 Cypriot Data Protection Commissioner | Art. 5, Art. 24, Art. 32 | €25,000 |
| 2025-08-04 | Ospedaliero-Universitaria Careggi: Insufficient technical and organisational measures to ensure information security | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5, Art. 9, Art. 25, Art. 32 | €80,000 |
| 2025-08-04 | Comune di Venezia: Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5, Art. 6, Art. 25, Art. 32 | €10,000 |