Skip to content

Article 9 GDPR — enforcement

Cited in 233 decisions · €44.1M total fines · median €15,000 · top authority: 🇪🇺Italian Data Protection Authority (Garante) (121)

Date ↓ Company / party Authority Articles Fine
2021-03-03 Electricity Authority of Cyprus
Insufficient legal basis for data processing
🇪🇺 Cypriot Data Protection Commissioner Art. 6Art. 9 €40,000
2021-02-25 Comune di Commezzadura
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9 €6,000
2021-02-25 Azienda Ospedaliera Universitaria Careggi
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9 €6,000
2021-02-25 Ministero dell’Istruzione, Ufficio Scolastico Regionale per il Lazio
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9 €4,000
2021-02-11 Istituti ospedalieri bergamaschi
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9Art. 32 €45,000
2021-02-11 Fondazione di religione e di culto “Casa sollievo della sofferenza” Opera di San Pio da Pietrelcina
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9 €5,000
2021-01-27 Azienda Ospedaliero Universitaria Senese
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9 €50,000
2021-01-27 Azienda USL della Romagna
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9Art. 32 €50,000
2021-01-27 Azienda Ospedaliero Universitaria di Parma
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9 €10,000
2021-01-14 Azienda sanitaria provinciale di Enna
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9 €30,000
2021-01-14 Azienda Usl di Bologna
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9 €18,000
2021-01-01 Private individual
Non-compliance with general data processing principles
🇪🇺 Austrian Data Protection Authority (dsb) Art. 5Art. 9 €600
2021-01-01 Physician
Insufficient legal basis for data processing
🇪🇺 Data Protection Authority of Brandenburg Art. 6Art. 9
2020-12-17 Miropass S.r.l.
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9Art. 28 €40,000
2020-12-16 HUNGARY DPA: Insufficient legal basis for data processing
Insufficient legal basis for data processing
🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) Art. 5Art. 6Art. 9Art. 12 €97,150
2020-12-10 Budapesti Műszaki és Gazdaságtudományi Egyetem (Budapest University of Technology and Economics)
Insufficient legal basis for data processing
🇪🇺 Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) Art. 5Art. 6Art. 9Art. 12 €22,200
2020-11-26 Concentrix Cvg Italy s.r.l.
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9 €20,000
2020-11-17 Provincial Health Authority of Cosenza
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 9 €30,000
2020-10-26 Università Campus Bio-medico di Roma (Polyclinic)
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9 €20,000
2020-10-19 Private Individual
Insufficient legal basis for data processing
🇪🇺 Austrian Data Protection Authority (dsb) Art. 5Art. 9 €600
2020-09-30 Scanshare s.r.l.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9Art. 32 €60,000
2020-04-30 Unknown Organisation
Insufficient legal basis for data processing
🇪🇺 Dutch Supervisory Authority for Data Protection (AP) Art. 5Art. 9 €725,000
2020-04-23 Estee Lauder Romania
Insufficient legal basis for data processing
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 6Art. 7Art. 9 €3,000
2020-03-24 CP&A
Insufficient technical and organisational measures to ensure information security
🇪🇺 Dutch Supervisory Authority for Data Protection (AP) Art. 9Art. 32 €15,000
2020-03-06 Liceo Scientifico Nobel di Torre del Greco
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9 €4,000