▲ Enforcement Tracker
3,481 GDPR enforcement decisions from 51 countries, updated daily.
Total fines · last 12 months
€1.3B
+878% vs previous year
Decisions · last 12 months
543
45 per month avg
Monthly fine totals · last 12 months
AugSepOctNovDecJanFebMarAprMayJunJul
| Date ↓ | Company / party | Authority | Articles | Fine |
|---|---|---|---|---|
| 2026-01-08 | FREE Insufficient technical and organisational measures to ensure information security | 🇪🇺 French Data Protection Authority (CNIL) | Art. 32Art. 34 | €15,000,000 |
| 2026-01-08 | Headquarter of a Fire Brigade Insufficient legal basis for data processing | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 5 | €10,000 |
| 2026-01-08 | Money Seeds S.R.L. Insufficient fulfilment of data subjects rights | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 12Art. 13Art. 14 | €2,000 |
| 2026-01-08 | Money Seeds S.R.L. Insufficient fulfilment of data subjects rights | 🇪🇺 Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | Art. 12Art. 13Art. 14 | €2,000 |
| 2026-01-06 | Sole Trader Non-compliance with general data processing principles | 🇸🇮 Slovenian Supervisory Authority (Informacijski pooblaščenec) | Art. 5 | €5,000 |
| 2026-01-02 | Polish Postal Service Lack of appointment of data protection officer | 🇪🇺 Polish National Personal Data Protection Office (UODO) | Art. 38 | €232,379 |
| 2025-12-31 | ONE WAY PRIVATE COMPANY Non-compliance with general data processing principles | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 5Art. 6Art. 7Art. 29 | €80,000 |
| 2025-12-31 | SIGMA & KAPPA IMPORTING SOCIÉTÉ ANONYME Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 32 | €10,000 |
| 2025-12-31 | Thessaloniki–Thessaly Gas Supply Company S.A. Insufficient data processing agreement | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 28Art. 32 | €10,000 |
| 2025-12-31 | I Mathisi Insufficient fulfilment of data subjects rights | 🇬🇷 Hellenic Data Protection Authority (HDPA) | Art. 12Art. 15Art. 31 | €6,000 |
| 2025-12-31 | REVMA PLUS Retail S.A. Insufficient technical and organisational measures to ensure information security | 🇪🇺 Hellenic Data Protection Authority (HDPA) | Art. 32 | €5,000 |
| 2025-12-30 | Company Non-compliance with general data processing principles | 🇪🇺 French Data Protection Authority (CNIL) | Art. 6Art. 13Art. 32Art. 35 | €3,500,000 |
| 2025-12-30 | ENDESA (energy supplyer) Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5 | €60,000 |
| 2025-12-30 | ENDESA (energy supplyer) Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5 | €60,000 |
| 2025-12-30 | Debt collecting agancy (GESTIÓN DE COBROS, YO COBRO SL) Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5 | €60,000 |
| 2025-12-30 | Debt collecting agancy (GESTIÓN DE COBROS, YO COBRO SL) Insufficient legal basis for data processing | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5 | €60,000 |
| 2025-12-30 | Social Insurance Agency Insufficient technical and organisational measures to ensure information security | 🇪🇺 Slovak Data Protection Office | Art. 32 | €50,000 |
| 2025-12-30 | Social Insurance Agency Insufficient technical and organisational measures to ensure information security | 🇪🇺 Slovak Data Protection Office | Art. 32 | €50,000 |
| 2025-12-30 | Slovak Telekom Insufficient technical and organisational measures to ensure information security | 🇪🇺 Slovak Data Protection Office | Art. 32 | €40,000 |
| 2025-12-30 | Slovak Telekom Insufficient technical and organisational measures to ensure information security | 🇪🇺 Slovak Data Protection Office | Art. 32 | €40,000 |
| 2025-12-30 | Vodafone España, S.A.U. Insufficient fulfilment of data subjects rights | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5 | €27,000 |
| 2025-12-30 | Vodafone España, S.A.U. Insufficient fulfilment of data subjects rights | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 5 | €27,000 |
| 2025-12-30 | Telecommunications company Insufficient legal basis for data processing | 🇪🇺 Croatian Data Protection Authority (azop) | Art. 6Art. 5 | €20,000 |
| 2025-12-30 | Telecommunications company Insufficient legal basis for data processing | 🇪🇺 Croatian Data Protection Authority (azop) | Art. 6Art. 5 | €20,000 |
| 2025-12-30 | Madrileña Red de Gas Insufficient technical and organisational measures to ensure information security | 🇪🇺 Spanish Data Protection Authority (aepd) | Art. 32 | €12,000 |