Skip to content

Article 5 GDPR — enforcement

Cited in 1,715 decisions · €1.8B total fines · median €10,000 · top authority: 🇪🇺Spanish Data Protection Authority (aepd) (541)

Date ↓ Company / party Authority Articles Fine
2026-01-29 Ministero della Cultura
Non-compliance with general data processing principles
🇮🇹 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 12Art. 13 €12,000
2026-01-29 Istituto tecnico industriale statale “Stanislao Cannizzaro” di Catania
Insufficient legal basis for data processing
🇮🇹 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9 €10,000
2026-01-29 Dr. Paolo Montemurro
Insufficient legal basis for data processing
🇮🇹 Italian Data Protection Authority (Garante) Art. 5Art. 9 €5,000
2026-01-29 Federazione Nazionale Ordini Professioni Infermieristiche (FNOPI)
Insufficient legal basis for data processing
🇮🇹 Italian Data Protection Authority (Garante) Art. 5Art. 6 €2,000
2026-01-19 Continental Automotive Products SRL
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 5Art. 32 €15,000
2026-01-19 Continental Automotive Products SRL
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 5Art. 32 €15,000
2026-01-19 Dental Clinic
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5 €1,200
2026-01-10 KVIKU SPAIN, S.L.
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5 €8,000
2026-01-08 FREE MOBILE
Insufficient technical and organisational measures to ensure information security
🇪🇺 French Data Protection Authority (CNIL) Art. 5Art. 32 €27,000,000
2026-01-08 FREE MOBILE
Insufficient technical and organisational measures to ensure information security
🇪🇺 French Data Protection Authority (CNIL) Art. 5Art. 32 €27,000,000
2026-01-08 Headquarter of a Fire Brigade
Insufficient legal basis for data processing
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 5 €10,000
2026-01-06 Sole Trader
Non-compliance with general data processing principles
🇸🇮 Slovenian Supervisory Authority (Informacijski pooblaščenec) Art. 5 €5,000
2025-12-31 ONE WAY PRIVATE COMPANY
Non-compliance with general data processing principles
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 5Art. 6Art. 7Art. 29 €80,000
2025-12-30 Debt collecting agancy (GESTIÓN DE COBROS, YO COBRO SL)
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5 €60,000
2025-12-30 ENDESA (energy supplyer)
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5 €60,000
2025-12-30 Debt collecting agancy (GESTIÓN DE COBROS, YO COBRO SL)
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5 €60,000
2025-12-30 ENDESA (energy supplyer)
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5 €60,000
2025-12-30 Vodafone España, S.A.U.
Insufficient fulfilment of data subjects rights
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5 €27,000
2025-12-30 Vodafone España, S.A.U.
Insufficient fulfilment of data subjects rights
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5 €27,000
2025-12-30 Telecommunications company
Insufficient legal basis for data processing
🇪🇺 Croatian Data Protection Authority (azop) Art. 6Art. 5 €20,000
2025-12-30 Telecommunications company
Insufficient legal basis for data processing
🇪🇺 Croatian Data Protection Authority (azop) Art. 6Art. 5 €20,000
2025-12-30 Restaurant (SANTI 3000, S.L.)
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 6 €9,600
2025-12-30 Restaurant (SANTI 3000, S.L.)
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 6 €9,600
2025-12-30 Vodafone España, S.A.U.
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5 €5,000
2025-12-30 Vodafone España, S.A.U.
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5 €5,000