Article 5 GDPR — enforcement
Cited in 1,715 decisions · €1.8B total fines · median €10,000 · top authority: 🇪🇺Spanish Data Protection Authority (aepd) (541)
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2026-01-29 | Ministero della Cultura Non-compliance with general data processing principles | 🇮🇹 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 12Art. 13 | €12,000 |
| 2026-01-29 | Istituto tecnico industriale statale “Stanislao Cannizzaro” di Catania Insufficient legal basis for data processing | 🇮🇹 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 9 | €10,000 |
| 2026-01-29 | Dr. Paolo Montemurro Insufficient legal basis for data processing | 🇮🇹 Italian Data Protection Authority (Garante) | Art. 5Art. 9 | €5,000 |
| 2026-01-29 | Federazione Nazionale Ordini Professioni Infermieristiche (FNOPI) Insufficient legal basis for data processing | 🇮🇹 Italian Data Protection Authority (Garante) | Art. 5Art. 6 | €2,000 |
| 2026-01-19 | Continental Automotive Products SRL Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 5Art. 32 | €15,000 |
| 2026-01-19 | Continental Automotive Products SRL Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 5Art. 32 | €15,000 |
| 2026-01-19 | Dental Clinic Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5 | €1,200 |
| 2026-01-10 | KVIKU SPAIN, S.L. Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5 | €8,000 |
| 2026-01-08 | FREE MOBILE Insufficient technical and organisational measures to ensure information security | 🇪🇺 French Data Protection Authority (CNIL) | Art. 5Art. 32 | €27,000,000 |
| 2026-01-08 | FREE MOBILE Insufficient technical and organisational measures to ensure information security | 🇪🇺 French Data Protection Authority (CNIL) | Art. 5Art. 32 | €27,000,000 |
| 2026-01-08 | Headquarter of a Fire Brigade Insufficient legal basis for data processing | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 5 | €10,000 |
| 2026-01-06 | Sole Trader Non-compliance with general data processing principles | 🇸🇮 Slovenian Supervisory Authority (Informacijski pooblaščenec) | Art. 5 | €5,000 |
| 2025-12-31 | ONE WAY PRIVATE COMPANY Non-compliance with general data processing principles | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 5Art. 6Art. 7Art. 29 | €80,000 |
| 2025-12-30 | Debt collecting agancy (GESTIÓN DE COBROS, YO COBRO SL) Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5 | €60,000 |
| 2025-12-30 | ENDESA (energy supplyer) Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5 | €60,000 |
| 2025-12-30 | Debt collecting agancy (GESTIÓN DE COBROS, YO COBRO SL) Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5 | €60,000 |
| 2025-12-30 | ENDESA (energy supplyer) Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5 | €60,000 |
| 2025-12-30 | Vodafone España, S.A.U. Insufficient fulfilment of data subjects rights | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5 | €27,000 |
| 2025-12-30 | Vodafone España, S.A.U. Insufficient fulfilment of data subjects rights | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5 | €27,000 |
| 2025-12-30 | Telecommunications company Insufficient legal basis for data processing | 🇪🇺 Croatian Data Protection Authority (azop) | Art. 6Art. 5 | €20,000 |
| 2025-12-30 | Telecommunications company Insufficient legal basis for data processing | 🇪🇺 Croatian Data Protection Authority (azop) | Art. 6Art. 5 | €20,000 |
| 2025-12-30 | Restaurant (SANTI 3000, S.L.) Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 6 | €9,600 |
| 2025-12-30 | Restaurant (SANTI 3000, S.L.) Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5Art. 6 | €9,600 |
| 2025-12-30 | Vodafone España, S.A.U. Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5 | €5,000 |
| 2025-12-30 | Vodafone España, S.A.U. Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5 | €5,000 |