Skip to content

Article 5 GDPR — enforcement

Cited in 1,715 decisions · €1.8B total fines · median €10,000 · top authority: 🇪🇺Spanish Data Protection Authority (aepd) (541)

Date ↓ Company / party Authority Articles Fine
2025-12-30 SLOVAKIA DPA: Insufficient legal basis for data processing
Insufficient legal basis for data processing
🇪🇺 Slovak Data Protection Office Art. 5Art. 6
2025-12-30 SLOVENAKIË: Onvoldoende technische en organisatorische maatregelen om de informatiebeveiliging te waarborgen.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Slovak Data Protection Office Art. 5Art. 32
2025-12-30 SLOVENAKIË, Dataprotectieautoriteit: Onvoldoende juridische basis voor de verwerking van persoonsgegevens.
Insufficient legal basis for data processing
🇪🇺 Slovak Data Protection Office Art. 5Art. 6
2025-12-30 SLOVAKIA DPA: Insufficient technical and organisational measures to ensure information security
Insufficient technical and organisational measures to ensure information security
🇪🇺 Slovak Data Protection Office Art. 5Art. 32
2025-12-30 SLOVAKIA DPA: Insufficient technical and organisational measures to ensure information security
Insufficient technical and organisational measures to ensure information security
🇪🇺 Slovak Data Protection Office Art. 5Art. 32
2025-12-30 SLOVENAKIË: Onvoldoende technische en organisatorische maatregelen om de informatiebeveiliging te waarborgen.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Slovak Data Protection Office Art. 5Art. 32
2025-12-29 Order of General Nurses, Midwives and Medical Assistants of Romania – Neamt Branch
Non-compliance with general data processing principles
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 5Art. 6Art. 12Art. 13 €2,000
2025-12-29 Order of General Nurses, Midwives and Medical Assistants of Romania – Neamt Branch
Non-compliance with general data processing principles
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 5Art. 6Art. 12Art. 13 €2,000
2025-12-23 Geturhotels Srl
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 17Art. 24 €6,000
2025-12-23 Geturhotels Srl
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 17Art. 24 €6,000
2025-12-20 EXCEL HOTELS & RESORTS, S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5 €32,000
2025-12-20 EXCEL HOTELS & RESORTS, S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5 €32,000
2025-12-18 Bank
Non-compliance with general data processing principles
🇭🇷 Croatian Data Protection Authority (azop) Art. 5Art. 6Art. 13Art. 25 €1,500,000
2025-12-18 Pioneer Hi-Bred Italia Sementi s.r.l.
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 28 €120,000
2025-12-18 Anticimex s.r.l.
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 12Art. 13Art. 15 €40,000
2025-12-18 LTL S.p.A.
Insufficient fulfilment of data subjects rights
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 12Art. 15 €40,000
2025-12-18 Comune di Nave
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 12Art. 13 €6,000
2025-12-18 Elba Catering Distribuzioni s.r.I.s.
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 13 €2,000
2025-12-18 Data Controller
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6 €1,000
2025-12-12 Chief Constable of the Police Service of Scotland
Insufficient technical and organisational measures to ensure information security
🇬🇧 Information Commissioner (ICO) Art. 5Art. 25Art. 32Art. 33 €75,700
2025-12-11 Legal Entity
Insufficient legal basis for data processing
🇪🇺 Slovenian Supervisory Authority (Informacijski pooblaščenec) Art. 5Art. 6 €75,474
2025-12-10 University of Limerick
Insufficient technical and organisational measures to ensure information security
🇮🇪 Data Protection Authority of Ireland Art. 5Art. 30Art. 32Art. 33 €98,000
2025-12-04 Comune di Tuscania
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 12Art. 13 €12,000
2025-12-04 Istituto Comprensivo Centro di Casalecchio di Reno
Insufficient fulfilment of data subjects rights
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6 €2,000
2025-12-04 Istituto Comprensivo Centro di Casalecchio di Reno
Insufficient fulfilment of data subjects rights
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6 €2,000