Skip to content

Article 5 GDPR — enforcement

Cited in 1,716 decisions · €1.8B total fines · median €10,000 · top authority: 🇪🇺Spanish Data Protection Authority (aepd) (541)

Date ↓ Company / party Authority Articles Fine
2021-01-01 Private individual
Non-compliance with general data processing principles
🇪🇺 Data Protection Authority of Saxony Art. 5
2020-12-30 ING Bank N.V. Amsterdam - Bucharest office
Insufficient legal basis for data processing
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 5Art. 6 €3,000
2020-12-23 BELGIUM DPA: Insufficient fulfilment of data subjects rights
Insufficient fulfilment of data subjects rights
🇪🇺 Belgian Data Protection Authority (APD) Art. 14Art. 12Art. 15Art. 5 €50,000
2020-12-23 BELGIUM DPA: Insufficient fulfilment of data subjects rights
Insufficient fulfilment of data subjects rights
🇪🇺 Belgian Data Protection Authority (APD) Art. 14Art. 12Art. 6Art. 5 €15,000
2020-12-21 Banco Bilbao Vizcaya Argentaria, S.A.
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5 €36,000
2020-12-17 Roma Capitale (Rome Municipality)
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 13Art. 14Art. 28 €500,000
2020-12-17 ID Finance Poland Sp. z o.o.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 25Art. 32 €235,300
2020-12-17 Azienda Unità Sanitaria Locale Toscana Sud Est
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 13Art. 14Art. 28 €100,000
2020-12-17 Banca Transilvania SA
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 5Art. 32 €100,000
2020-12-17 University College Dublin
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Ireland Art. 5Art. 32Art. 33 €70,000
2020-12-17 Miropass S.r.l.
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9Art. 28 €40,000
2020-12-17 Comune di Luino
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 37 €10,000
2020-12-17 Comune di Santo Stefano Belbo
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6 €4,000
2020-12-16 HUNGARY DPA: Insufficient legal basis for data processing
Insufficient legal basis for data processing
🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) Art. 5Art. 6Art. 9Art. 12 €97,150
2020-12-16 HUNGARY DPA: Insufficient fulfilment of information obligations
Insufficient fulfilment of information obligations
🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) Art. 5Art. 13 €1,940
2020-12-15 Uppsalahem AB
Insufficient legal basis for data processing
🇪🇺 Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) Art. 5Art. 6 €29,500
2020-12-15 LATVIA DPA: Insufficient legal basis for data processing
Insufficient legal basis for data processing
🇪🇺 Data State Inspectorate (DSI) Art. 5Art. 6 €6,250
2020-12-14 Virgin Mobile Polska
Insufficient technical and organisational measures to ensure information security
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 25Art. 32 €443,000
2020-12-11 Umeå University
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) Art. 5Art. 32 €54,000
2020-12-10 Budapesti Műszaki és Gazdaságtudományi Egyetem (Budapest University of Technology and Economics)
Insufficient legal basis for data processing
🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) Art. 5Art. 6Art. 9Art. 12 €22,200
2020-12-09 SPAIN DPA: Non-compliance with general data processing principles
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5 €10,000
2020-12-07 Perfomeclic
Insufficient legal basis for data processing
🇪🇺 French Data Protection Authority (CNIL) Art. 5Art. 14Art. 21Art. 28 €7,300
2020-12-03 Capio St. Göran AB
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) Art. 5Art. 32 €2,900,000
2020-12-03 Aleris Sjukvård AB
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) Art. 5Art. 32 €1,463,000
2020-12-03 Aleris Sjukvård AB
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) Art. 5Art. 32 €1,168,000