Skip to content

Article 9 GDPR — enforcement

Cited in 233 decisions · €44.1M total fines · median €15,000 · top authority: 🇪🇺Italian Data Protection Authority (Garante) (121)

Date ↓ Company / party Authority Articles Fine
2022-07-07 Senseonics Inc.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 9 €45,000
2022-05-26 Azienda sanitaria universitaria Friuli Centrale
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9Art. 25Art. 32 €70,000
2022-05-26 Azienda sanitaria universitaria Friuli Occidentale
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9Art. 25Art. 32 €50,000
2022-05-26 Azienda Sanitaria Locale Roma
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9Art. 2 €46,000
2022-05-22 Azienda Socio Sanitaria Territoriale Dei Sette Laghi
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9Art. 32 €7,000
2022-05-18 Clearview Al Inc.
Non-compliance with general data processing principles
🇪🇺 Information Commissioner (ICO) Art. 5Art. 6Art. 9Art. 14 €9,000,000
2022-05-18 Kredyt Inkaso Investments RO S.A
Insufficient legal basis for data processing
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 5Art. 6Art. 9Art. 33 €5,000
2022-05-03 HEI – Medical Travel
Insufficient fulfilment of data subjects rights
🇪🇺 Icelandic data protection authority ('Persónuvernd') Art. 15Art. 9Art. 17 €10,600
2022-04-28 Ospedale San Raffaele s.r.l.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9 €70,000
2022-04-28 Istituto Nazionale Assicurazione Infortuni sul Lavoro
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9Art. 32 €50,000
2022-04-28 Il Sole 24 Ore S.p.a.
Insufficient fulfilment of data subjects rights
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9Art. 12 €40,000
2022-04-28 Italian Ministry of Defense
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9Art. 10 €10,000
2022-04-28 'Isabella Gonzaga' high school
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9Art. 2 €2,500
2022-04-28 Direzione Didattica Statale 1° Circolo-Eboli
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9Art. 2 €1,500
2022-04-26 ASST di Lodi
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9Art. 32 €1,000
2022-04-04 Brussels Airport Zaventem
Insufficient legal basis for data processing
🇪🇺 Belgian Data Protection Authority (APD) Art. 5Art. 6Art. 9Art. 12 €200,000
2022-04-04 Brussels Airport Charleroi
Insufficient legal basis for data processing
🇪🇺 Belgian Data Protection Authority (APD) Art. 5Art. 6Art. 9Art. 12 €100,000
2022-04-04 Ambuce Rescue Team
Insufficient legal basis for data processing
🇪🇺 Belgian Data Protection Authority (APD) Art. 5Art. 6Art. 9 €20,000
2022-03-10 Azienda USL Toscana Centro
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9Art. 32 €10,000
2022-03-03 BREBAU GmbH
Insufficient legal basis for data processing
🇪🇺 Data Protection Authority of Bremen Art. 5Art. 6Art. 9 €1,900,000
2022-02-10 Azienda socio sanitaria territoriale Melegnano e della Martesana
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9 €3,500
2022-02-02 IAB Europe
Insufficient legal basis for data processing
🇪🇺 Belgian Data Protection Authority (APD) Art. 5Art. 6Art. 9Art. 12 €0
2022-02-01 SC Grupex 2000 SRL
Insufficient legal basis for data processing
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 6Art. 9 €1,000
2022-01-27 EU DisinfoLab
Non-compliance with general data processing principles
🇪🇺 Belgian Data Protection Authority (APD) Art. 5Art. 6Art. 9Art. 12 €2,800
2022-01-27 Researcher
Non-compliance with general data processing principles
🇪🇺 Belgian Data Protection Authority (APD) Art. 5Art. 6Art. 9Art. 12 €1,200