Article 5 GDPR — enforcement
Cited in 1,716 decisions · €1.8B total fines · median €10,000 · top authority: 🇪🇺Spanish Data Protection Authority (aepd) (541)
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2021-01-01 | Private individual Non-compliance with general data processing principles | 🇪🇺 Data Protection Authority of Saxony | Art. 5 | — |
| 2020-12-30 | ING Bank N.V. Amsterdam - Bucharest office Insufficient legal basis for data processing | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 5Art. 6 | €3,000 |
| 2020-12-23 | BELGIUM DPA: Insufficient fulfilment of data subjects rights Insufficient fulfilment of data subjects rights | 🇪🇺 Belgian Data Protection Authority (APD) | Art. 14Art. 12Art. 15Art. 5 | €50,000 |
| 2020-12-23 | BELGIUM DPA: Insufficient fulfilment of data subjects rights Insufficient fulfilment of data subjects rights | 🇪🇺 Belgian Data Protection Authority (APD) | Art. 14Art. 12Art. 6Art. 5 | €15,000 |
| 2020-12-21 | Banco Bilbao Vizcaya Argentaria, S.A. Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5 | €36,000 |
| 2020-12-17 | Roma Capitale (Rome Municipality) Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 13Art. 14Art. 28 | €500,000 |
| 2020-12-17 | ID Finance Poland Sp. z o.o. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 25Art. 32 | €235,300 |
| 2020-12-17 | Azienda Unità Sanitaria Locale Toscana Sud Est Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 13Art. 14Art. 28 | €100,000 |
| 2020-12-17 | Banca Transilvania SA Insufficient technical and organisational measures to ensure information security | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 5Art. 32 | €100,000 |
| 2020-12-17 | University College Dublin Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Authority of Ireland | Art. 5Art. 32Art. 33 | €70,000 |
| 2020-12-17 | Miropass S.r.l. Insufficient legal basis for data processing | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 9Art. 28 | €40,000 |
| 2020-12-17 | Comune di Luino Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6Art. 37 | €10,000 |
| 2020-12-17 | Comune di Santo Stefano Belbo Non-compliance with general data processing principles | 🇪🇺 Italian Data Protection Authority (Garante) | Art. 5Art. 6 | €4,000 |
| 2020-12-16 | HUNGARY DPA: Insufficient legal basis for data processing Insufficient legal basis for data processing | 🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | Art. 5Art. 6Art. 9Art. 12 | €97,150 |
| 2020-12-16 | HUNGARY DPA: Insufficient fulfilment of information obligations Insufficient fulfilment of information obligations | 🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | Art. 5Art. 13 | €1,940 |
| 2020-12-15 | Uppsalahem AB Insufficient legal basis for data processing | 🇪🇺 Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | Art. 5Art. 6 | €29,500 |
| 2020-12-15 | LATVIA DPA: Insufficient legal basis for data processing Insufficient legal basis for data processing | 🇪🇺 Data State Inspectorate (DSI) | Art. 5Art. 6 | €6,250 |
| 2020-12-14 | Virgin Mobile Polska Insufficient technical and organisational measures to ensure information security | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 5Art. 25Art. 32 | €443,000 |
| 2020-12-11 | Umeå University Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | Art. 5Art. 32 | €54,000 |
| 2020-12-10 | Budapesti Műszaki és Gazdaságtudományi Egyetem (Budapest University of Technology and Economics) Insufficient legal basis for data processing | 🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | Art. 5Art. 6Art. 9Art. 12 | €22,200 |
| 2020-12-09 | SPAIN DPA: Non-compliance with general data processing principles Non-compliance with general data processing principles | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5 | €10,000 |
| 2020-12-07 | Perfomeclic Insufficient legal basis for data processing | 🇪🇺 French Data Protection Authority (CNIL) | Art. 5Art. 14Art. 21Art. 28 | €7,300 |
| 2020-12-03 | Capio St. Göran AB Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | Art. 5Art. 32 | €2,900,000 |
| 2020-12-03 | Aleris Sjukvård AB Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | Art. 5Art. 32 | €1,463,000 |
| 2020-12-03 | Aleris Sjukvård AB Insufficient technical and organisational measures to ensure information security | 🇪🇺 Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | Art. 5Art. 32 | €1,168,000 |