Skip to content

Enforcement Tracker

3,488 GDPR enforcement decisions from 52 countries, updated daily.

Total fines · last 12 months
€1.3B
+875% vs previous year
Decisions · last 12 months
531
44 per month avg
Largest · last 90 days
€6.6M
Most active authority
110 decisions · SPAIN

Monthly fine totals · last 12 months

AugSepOctNovDecJanFebMarAprMayJunJul
Date ↓ Company / party Authority Articles Fine
2021-02-01 IDFINANCE Spain, S.L.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5 €3,000
2021-02-01 Legal Person
Insufficient fulfilment of data subjects rights
🇪🇺 Czech Data Protection Auhtority (UOOU) Art. 17 €80
2021-01-27 FRANCE DPA: Insufficient technical and organisational measures to ensure information security
Insufficient technical and organisational measures to ensure information security
🇪🇺 French Data Protection Authority (CNIL) Art. 32 €150,000
2021-01-27 FRANCE DPA: Insufficient technical and organisational measures to ensure information security
Insufficient technical and organisational measures to ensure information security
🇪🇺 French Data Protection Authority (CNIL) Art. 32 €75,000
2021-01-27 Azienda USL della Romagna
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9Art. 32 €50,000
2021-01-27 Azienda Ospedaliero Universitaria Senese
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9 €50,000
2021-01-27 Family Service / N.D.P.K. nv.
Insufficient legal basis for data processing
🇪🇺 Belgian Data Protection Authority (APD) Art. 5Art. 6Art. 7Art. 13 €50,000
2021-01-27 Azienda Ospedaliero Universitaria di Parma
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9 €10,000
2021-01-27 City of Rome (Roma capitale)
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 2 €10,000
2021-01-22 BELGIUM DPA: Insufficient technical and organisational measures to ensure information security
Insufficient technical and organisational measures to ensure information security
🇪🇺 Belgian Data Protection Authority (APD) Art. 5Art. 24Art. 32Art. 33 €25,000
2021-01-21 Telefónica Móviles España, SAU
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 6 €75,000
2021-01-21 Alterna Operador Integral S.L.
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 6 €50,000
2021-01-20 Legal Person
Insufficient legal basis for data processing
🇪🇺 Czech Data Protection Auhtority (UOOU) Art. 6Art. 14 €26,710
2021-01-20 Legal Person
Insufficient legal basis for data processing
🇪🇺 Czech Data Protection Auhtority (UOOU) Art. 6Art. 14 €11,430
2021-01-20 Individual
Non-compliance with general data processing principles
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5 €1,200
2021-01-19 Aquateknikk AS
Insufficient legal basis for data processing
🇪🇺 Norwegian Supervisory Authority (Datatilsynet) Art. 5Art. 6 €9,700
2021-01-19 Legal Person
Insufficient fulfilment of data subjects rights
🇪🇺 Czech Data Protection Auhtority (UOOU) Art. 15 €1,200
2021-01-15 Anwara Sp. z.o.o.
Insufficient cooperation with supervisory authority
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 31Art. 58 €4,600
2021-01-14 Regione Lazio
Insufficient data processing agreement
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 28 €75,000
2021-01-14 Coop Finnmark SA
Insufficient legal basis for data processing
🇪🇺 Norwegian Supervisory Authority (Datatilsynet) Art. 5Art. 6 €38,600
2021-01-14 Azienda sanitaria provinciale di Enna
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 9 €30,000
2021-01-14 Azienda Usl di Bologna
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9 €18,000
2021-01-14 Agenzia regionale protezione ambientale Campania (ARPAC)
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 32 €8,000
2021-01-14 Poliambulatorio Talenti S.r.l.
Insufficient fulfilment of data subjects rights
🇪🇺 Italian Data Protection Authority (Garante) Art. 12Art. 15 €2,000
2021-01-13 Caixabank S.A.
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 6Art. 13Art. 14 €2,000,000