Skip to content

Article 9 GDPR — enforcement

Cited in 233 decisions · €44.1M total fines · median €15,000 · top authority: 🇪🇺Italian Data Protection Authority (Garante) (121)

Date ↓ Company / party Authority Articles Fine
2024-05-23 Azienda Sanitaria Locale TO4
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9 €8,400
2024-05-09 Azienda ospedale università di Padova
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9Art. 25Art. 32 €75,000
2024-04-24 I.N.P.A.S.
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9Art. 2 €3,000
2024-02-08 Medtronic Italia
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9Art. 12Art. 13 €300,000
2024-02-08 Azienda socio-sanitaria locale n. 1 di Sassari
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9Art. 32 €18,000
2024-02-06 SANITAS, S.A. DE SEGUROS
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 6Art. 9 €160,000
2024-01-24 Municipality
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9Art. 37 €6,000
2024-01-17 Centrum Medyczne Ujastek Sp. z o.o.
Non-compliance with general data processing principles
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 5Art. 6Art. 9Art. 13 €273,000
2024-01-01 Doctor´s Office
Insufficient legal basis for data processing
🇪🇺 Data Protection Authority of Hessen Art. 5Art. 6Art. 9 €3,700
2024-01-01 Doctor´s Office
Insufficient legal basis for data processing
🇪🇺 Data Protection Authority of Hessen Art. 5Art. 6Art. 9 €3,300
2024-01-01 Doctor´s Office
Insufficient technical and organisational measures to ensure information security
🇪🇺 Data Protection Authority of Hessen Art. 5Art. 6Art. 9Art. 32 €2,500
2023-12-07 Azienda socio sanitaria territoriale nord Milano, C.F.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9Art. 25Art. 32 €40,000
2023-11-17 Eurocollege Oxford English Institute S.L.
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5Art. 6Art. 9 €72,000
2023-10-26 Region of Lombardy
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9Art. 2 €20,000
2023-10-12 Azienda socio sanitaria territoriale di Lodi CF
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9Art. 32 €40,000
2023-09-28 Salvator Mundi International Hospital s.r.l
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9 €60,000
2023-09-28 Ministero dell'Ambiente e della Sicurezza Energetica
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9Art. 2 €5,000
2023-09-28 Physician
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9 €5,000
2023-09-26 Phyisician
Non-compliance with general data processing principles
🇪🇺 Austrian Data Protection Authority (dsb) Art. 5Art. 9 €10,000
2023-09-25 FEDERACIÓN DE BALONMANO DE CASTILLA LA MANCHA
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 9Art. 13 €17,000
2023-09-18 SAF LOGISTICS
Non-compliance with general data processing principles
🇪🇺 French Data Protection Authority (CNIL) Art. 5Art. 9Art. 10Art. 31 €200,000
2023-09-14 Nimbus s.r.l.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9Art. 13 €5,000
2023-08-31 Mednow Medical Center di Giugni Marco
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9Art. 12Art. 15 €10,000
2023-07-18 Azienda Socio Sanitaria Territoriale Ovest Milanese
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9Art. 32 €12,000
2023-06-27 Creditinfo Lánstraust hf.
Insufficient legal basis for data processing
🇪🇺 Icelandic data protection authority ('Persónuvernd') Art. 5Art. 6Art. 8Art. 9 €257,000