Skip to content

Enforcement Tracker

3,481 GDPR enforcement decisions from 51 countries, updated daily.

Total fines · last 12 months
€1.3B
+878% vs previous year
Decisions · last 12 months
543
45 per month avg
Largest · last 90 days
€6.6M
Most active authority
112 decisions · SPAIN

Monthly fine totals · last 12 months

AugSepOctNovDecJanFebMarAprMayJunJul
Date ↓ Company / party Authority Articles Fine
2026-01-08 FREE
Insufficient technical and organisational measures to ensure information security
🇪🇺 French Data Protection Authority (CNIL) Art. 32Art. 34 €15,000,000
2026-01-08 Headquarter of a Fire Brigade
Insufficient legal basis for data processing
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 5 €10,000
2026-01-08 Money Seeds S.R.L.
Insufficient fulfilment of data subjects rights
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 12Art. 13Art. 14 €2,000
2026-01-08 Money Seeds S.R.L.
Insufficient fulfilment of data subjects rights
🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) Art. 12Art. 13Art. 14 €2,000
2026-01-06 Sole Trader
Non-compliance with general data processing principles
🇸🇮 Slovenian Supervisory Authority (Informacijski pooblaščenec) Art. 5 €5,000
2026-01-02 Polish Postal Service
Lack of appointment of data protection officer
🇪🇺 Polish National Personal Data Protection Office (UODO) Art. 38 €232,379
2025-12-31 ONE WAY PRIVATE COMPANY
Non-compliance with general data processing principles
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 5Art. 6Art. 7Art. 29 €80,000
2025-12-31 SIGMA & KAPPA IMPORTING SOCIÉTÉ ANONYME
Insufficient technical and organisational measures to ensure information security
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 32 €10,000
2025-12-31 Thessaloniki–Thessaly Gas Supply Company S.A.
Insufficient data processing agreement
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 28Art. 32 €10,000
2025-12-31 I Mathisi
Insufficient fulfilment of data subjects rights
🇬🇷 Hellenic Data Protection Authority (HDPA) Art. 12Art. 15Art. 31 €6,000
2025-12-31 REVMA PLUS Retail S.A.
Insufficient technical and organisational measures to ensure information security
🇪🇺 Hellenic Data Protection Authority (HDPA) Art. 32 €5,000
2025-12-30 Company
Non-compliance with general data processing principles
🇪🇺 French Data Protection Authority (CNIL) Art. 6Art. 13Art. 32Art. 35 €3,500,000
2025-12-30 ENDESA (energy supplyer)
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5 €60,000
2025-12-30 ENDESA (energy supplyer)
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5 €60,000
2025-12-30 Debt collecting agancy (GESTIÓN DE COBROS, YO COBRO SL)
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5 €60,000
2025-12-30 Debt collecting agancy (GESTIÓN DE COBROS, YO COBRO SL)
Insufficient legal basis for data processing
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5 €60,000
2025-12-30 Social Insurance Agency
Insufficient technical and organisational measures to ensure information security
🇪🇺 Slovak Data Protection Office Art. 32 €50,000
2025-12-30 Social Insurance Agency
Insufficient technical and organisational measures to ensure information security
🇪🇺 Slovak Data Protection Office Art. 32 €50,000
2025-12-30 Slovak Telekom
Insufficient technical and organisational measures to ensure information security
🇪🇺 Slovak Data Protection Office Art. 32 €40,000
2025-12-30 Slovak Telekom
Insufficient technical and organisational measures to ensure information security
🇪🇺 Slovak Data Protection Office Art. 32 €40,000
2025-12-30 Vodafone España, S.A.U.
Insufficient fulfilment of data subjects rights
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5 €27,000
2025-12-30 Vodafone España, S.A.U.
Insufficient fulfilment of data subjects rights
🇪🇺 Spanish Data Protection Authority (aepd) Art. 5 €27,000
2025-12-30 Telecommunications company
Insufficient legal basis for data processing
🇪🇺 Croatian Data Protection Authority (azop) Art. 6Art. 5 €20,000
2025-12-30 Telecommunications company
Insufficient legal basis for data processing
🇪🇺 Croatian Data Protection Authority (azop) Art. 6Art. 5 €20,000
2025-12-30 Madrileña Red de Gas
Insufficient technical and organisational measures to ensure information security
🇪🇺 Spanish Data Protection Authority (aepd) Art. 32 €12,000