Skip to content

Enforcement Tracker

3,481 GDPR enforcement decisions from 51 countries, updated daily.

Total fines · last 12 months
€1.3B
+878% vs previous year
Decisions · last 12 months
543
45 per month avg
Largest · last 90 days
€6.6M
Most active authority
112 decisions · SPAIN

Monthly fine totals · last 12 months

AugSepOctNovDecJanFebMarAprMayJunJul
Date ↓ Company / party Authority Articles Fine
2024-03-12 Toyota Bank Polska S.A.
Insufficient fulfilment of data breach notification obligations
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 33 €18,000
2024-03-07 Banca di Credito Cooperativo Appulo Lucana soc. cooperativa
Insufficient fulfilment of data subjects rights
🇪🇺 Italian Data Protection Authority (Garante) Art. 12Art. 15 €20,000
2024-03-07 Centro Riparazioni Piacentino S.p.A.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 13 €20,000
2024-03-07 Bar
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 13Art. 114 €2,000
2024-03-07 DENTAL REY-GAR, S.L.
Insufficient cooperation with supervisory authority
🇪🇺 Spanish Data Protection Authority (aepd) Art. 58 €1,000
2024-03-06 Verkkokauppa.com
Non-compliance with general data processing principles
🇪🇺 Deputy Data Protection Ombudsman Art. 5Art. 25 €856,000
2024-03-05 EURO MINI STORAGE ROMANIA SRL
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 24Art. 32 €5,000
2024-03-01 Vodafone España, S.A.U.
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 6 €200,000
2024-02-29 Vodafone España, S.A.U.
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 6 €200,000
2024-02-28 Hellenic Post (ΕΛΛΗΝΙΚΑ ΤΑΧΥΔΡΟΜΕΙΑ ΑΝΩΝΥΜΗ ΕΤΑΙΡΕΙΑ)
Insufficient technical and organisational measures to ensure information security
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 5Art. 32 €2,995,140
2024-02-26 Company
Insufficient legal basis for data processing
🇭🇷 Croatian Data Protection Authority (azop) Art. 6Art. 7Art. 13 €20,000
2024-02-26 VESTA CEU ROMÂNIA SRL.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 32 €3,000
2024-02-23 TELEFÓNICA DE ESPAÑA, S.A.U.
Insufficient cooperation with supervisory authority
🇪🇺 Spanish Data Protection Authority (aepd) Art. 58 €90,000
2024-02-22 Azienda Trasporto Passeggeri Emilia-Romagna S.p.A.
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 7Art. 12 €50,000
2024-02-22 Camera di Commercio Industria Artigianato e Agricoltura
Insufficient legal basis for data processing
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 6Art. 2 €2,000
2024-02-19 Private individual
Insufficient cooperation with supervisory authority
🇪🇺 Spanish Data Protection Authority (aepd) Art. 58 €400
2024-02-19 Private individual
Insufficient cooperation with supervisory authority
🇪🇺 Spanish Data Protection Authority (aepd) Art. 58 €400
2024-02-13 VODAFONE ESPAÑA, S.A.U.
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 6 €100,000
2024-02-13 IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPERADORA.
Insufficient fulfilment of data subjects rights
🇪🇺 Spanish Data Protection Authority (aepd) Art. 15 €40,000
2024-02-13 ASNEF-EQUIFAX, SERVICIOS DE INFORMACIÓN SOBRE SOLVENCIA Y CRÉDITO, S.L.
Insufficient fulfilment of data subjects rights
🇪🇺 Spanish Data Protection Authority (aepd) Art. 15 €4,000
2024-02-12 CTC EXTERNALIZACIÓN, S.L
Insufficient fulfilment of information obligations
🇪🇺 Spanish Data Protection Authority (aepd) Art. 13Art. 32Art. 35 €365,000
2024-02-08 UniCredit S.p.a.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 32 €2,800,000
2024-02-08 NTT Data Italia S.P.A
Insufficient fulfilment of data breach notification obligations
🇪🇺 Italian Data Protection Authority (Garante) Art. 28Art. 33 €800,000
2024-02-08 Medtronic Italia
Non-compliance with general data processing principles
🇪🇺 Italian Data Protection Authority (Garante) Art. 5Art. 9Art. 12Art. 13 €300,000
2024-02-08 Vodafone España, S.A.U.
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 6 €200,000