Skip to content

Article 5 GDPR — enforcement

Cited in 1,720 decisions · €1.8B total fines · median €10,000 · top authority: 🇪🇺Spanish Data Protection Authority (aepd) (541)

Date ↓ Company / party Authority Articles Fine
2020-02-11 Vodafone Romania
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 5Art. 32 €3,000
2020-02-06 RTI - Reti Televisive Italiane s.p.a.
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6 €20,000
2020-02-04 Cafetería Nagasaki
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 6 €1,500
2020-02-03 Vodafone España, S.A.U.
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 6 €75,000
2020-02-03 Vodafone España, S.A.U.
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 6 €75,000
2020-02-03 Vodafone España, S.A.U.
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 6 €60,000
2020-02-03 Xfera Moviles S.A.
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 6 €60,000
2020-02-03 Vodafone España, S.A.U.
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5 €50,000
2020-02-03 Iberia Lineas Aereas de Espana, S.A. Operadora Unipersonal
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 6Art. 21 €20,000
2020-02-03 Banco Bilbao Vizcaya Argentaria S.L.
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 6Art. 21 €6,670
2020-02-03 Queseria Artesenal Ameco S.L.
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 6 €5,000
2020-02-03 Automoción
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 6 €800
2020-01-30 Comune di Colledara
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6 €4,000
2020-01-23 Sapienza Università di Roma
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 32 €30,000
2020-01-23 Azienda Ospedaliero Universitaria Integrata di Verona (Hospital)
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 32 €30,000
2020-01-15 TIM (telecommunications operator)
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 17Art. 21 €27,800,000
2020-01-15 Community of Francavilla Fontana
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6 €10,000
2020-01-14 Zhang Bordeta 2006, S.L. (Store and Restaurant)
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5 €3,600
2020-01-13 Allseas Marine S.A.
Non-compliance with general data processing principles
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 5 €15,000
2020-01-07 Vodafone España, S.A.U.
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5 €44,000
2020-01-01 CZECH REPUBLIC DPA: Non-compliance with general data processing principles
Non-compliance with general data processing principles
🇪🇺 Czech Data Protection Auhtority (UOOU) Art. 5Art. 6Art. 12Art. 15 €19,200
2020-01-01 Restaurant
Non-compliance with general data processing principles
🇪🇺 Data Protection Authority of Saarland Art. 5 €10,000
2020-01-01 LITHUANIA DPA: Non-compliance with general data processing principles
Non-compliance with general data processing principles
🇪🇺 Lithuanian Data Protection Authority (VDAI) Art. 5Art. 13Art. 24Art. 35 €8,000
2020-01-01 MALTA DPA: Insufficient technical and organisational measures to ensure information security
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Commissioner of Malta Art. 5Art. 32 €5,000
2020-01-01 Restaurant
Non-compliance with general data processing principles
🇪🇺 Data Protection Authority of Hamburg Art. 5 €3,000