Skip to content

Article 5 GDPR — enforcement

Cited in 1,716 decisions · €1.8B total fines · median €10,000 · top authority: 🇪🇺Spanish Data Protection Authority (aepd) (541)

Date ↓ Company / party Authority Articles Fine
2020-12-03 Karolinska University Hospital of Solna
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) Art. 5Art. 32 €390,100
2020-12-03 Sahlgrenska University Hospital
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) Art. 5Art. 32 €341,300
2020-12-03 Östergötland Region
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) Art. 5Art. 32 €243,800
2020-12-03 Västerbotten Region
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) Art. 5Art. 32 €243,800
2020-12-02 Losada Advocats S.L.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 32 €10,000
2020-12-02 Comercio Online Levante, S.L.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 32 €3,000
2020-12-01 Azeta.ee e-apteek
Insufficient legal basis for data processing
🇪🇺 Estonian Data Protection Authority (AKI) Art. 5Art. 6 €100,000
2020-12-01 Südameapteegi e-apteek
Insufficient legal basis for data processing
🇪🇺 Estonian Data Protection Authority (AKI) Art. 5Art. 6 €100,000
2020-12-01 Apotheka e-apteek
Insufficient legal basis for data processing
🇪🇺 Estonian Data Protection Authority (AKI) Art. 5Art. 6 €100,000
2020-11-27 Private Individual
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5 €1,200
2020-11-26 Concentrix Cvg Italy s.r.l.
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9 €20,000
2020-11-26 Reti Televisive Italiane S.p.a.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5 €10,000
2020-11-26 Charly Mike s.r.l.
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 13 €3,000
2020-11-25 Gnosjö Municipality
Insufficient legal basis for data processing
🇪🇺 Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) Art. 5Art. 6Art. 13Art. 35 €19,500
2020-11-24 City of Stockholm
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) Art. 5Art. 32 €394,000
2020-11-23 Burgo Group S.p.A
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 13 €20,000
2020-11-19 Vodafone España, S.A.U.
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 6 €36,000
2020-11-18 Carrefour France
Non-compliance with general data processing principles
🇪🇺 French Data Protection Authority (CNIL) Art. 5Art. 12Art. 13Art. 15 €2,250,000
2020-11-18 Carrefour Banque
Non-compliance with general data processing principles
🇪🇺 French Data Protection Authority (CNIL) Art. 5 €800,000
2020-11-18 HUNGARY DPA: Non-compliance with general data processing principles
Non-compliance with general data processing principles
🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) Art. 5 €28
2020-11-16 Vodafone España, S.A.U.
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 6 €42,000
2020-11-16 Homeowners Association
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5 €1,600
2020-11-13 Ticketmaster UK Limited
Insufficient technical and organisational measures to ensure information security
🇪🇺 Information Commissioner (ICO) Art. 5Art. 32 €1,405,000
2020-11-13 BELGIUM DPA: Non-compliance with general data processing principles
Non-compliance with general data processing principles
🇪🇺 Belgian Data Protection Authority (APD) Art. 5Art. 6Art. 12Art. 13 €1,500
2020-11-12 Vodafone Italia S.p.A.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 15 €12,251,601