Enforcement

€1,800 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 1,800 on a Landlord. The landlord used video surveillance in rental apartments without having a sufficient legal basis. The original fine of EUR 3,000 was reduced to EUR 1,800 due to immediate payment and admission of responsibility by the controller.

€1,200 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 1,200 on a dental clinic. The controller used video surveillance in its clinic for security purposes, including a camera in the doctor's office where patients were treated. This resulted in excessive data processing. The original fine of EUR 2,000 was reduced to EUR 1,200 due to immediate payment and admission of responsibility by the controller.

€2,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 2,000 on the Order of General Nurses, Midwives and Medical Assistants of Romania – Neamt Branch. The controller used video surveillance in a manner that was not in accordance with the GDPR.

€2,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 2,000 on Elba Catering Distribuzioni s.r.I.s. The controller installed video surveillance, which affected the public road. Furthermore, the controller failed to install signs to inform data subjects regarding data processing.

€12,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 12,000 on the Commune di Tuscania. The controller had been using video surveillance and licence plate recognition within its territory for the purposes of territorial security and supervising separate waste collection at recycling centers. However, the controller did not put up any relevant signs containing the privacy policy or warning signs. The controller also failed to enter into data processing agreements with processors handling data on its behalf,

€3,600 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 3,600 on DELAFRUIT, S.L. The controller installed video surveillance in the staff break area and dining room, but did not put up the necessary information signs. The original fine of EUR 6,000 was reduced to EUR 3,600 due to immediate payment and admission of responsibility by the controller.

€3,600 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 3,600 on RISING SUN CAR RENTAL S..L. The controller used video surveillance to ensure security at its facility, affecting more areas than were necessary for this purpose. Additionally, the controller failed to install signs to inform data subjects regarding the video surveillance. The original fine of EUR 6,000 was reduced to EUR 3,600 due to immediate payment and admission of responsibility by the controller.

€800 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 800 on SOBLADA RESTAURACIÓN, S.L. The controller installed video surveillance without providing the necessary information signs or informing its employees. The original fine of EUR 1,000 was reduced to EUR 800 due to immediate payment and admission of responsibility by the controller.

€2,400 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 2,400 on AXARQUIA VELEZ DENTAL, S.L. The controller used video surveillance to ensure security at its facility, affecting more areas than were necessary for this purpose. The original fine of EUR 8,000 was reduced to EUR 2,400 due to immediate payment and admission of responsibility by the controller.

€6,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 6,000 on the Comuni di Orte. The controller implemented video surveillance on its territory in a manner that did not comply with the basic principles of data processing.

€10,000 fine - Hellenic Data Protection Authority (HDPA)

The Hellenic DPA has imposed a fine of EUR 10,000 on the Municipality of Moschato–Tavros. The controller installed a video surveillance system in a depot to protect municipal vehicles. However, the controller failed to ensure, during the design phase, that the cameras only processed the necessary data. They also failed to adequately inform their employees and record the processing activities.

€32,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 32,000 on the Provincia Autonoma di Bolzan. The controller implemented video surveillance with automated licence plate recognition capabilities for vehicles, with the aim of guiding policies on mobility and infrastructure and preventing and investigating crimes. However, the controller did not comply with the basic principles of the GDPR, nor did they adequately comply with the DPA.

€6,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 6,000 on a company. The controller used video surveillance at its sites, but did not display adequate signs to inform data subjects about the processing of their data.

€33,500 fine - Austrian Data Protection Authority (dsb)

The Austrian DPA has imposed a fine of EUR 33,500 on a bakery chain. The controller used video surveillance which affected both public areas and areas intended solely for employees. The cameras were installed and operated in a way that did not comply with the principle of data minimisation and was not based on a sufficient legal basis. Additionally, CCTV footage was distributed via a messaging service.

€9,700 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has imposed a fine of EUR 9,700 on a Landlord. The controller installed video surveillance in and around a student residence. However, the surveillance was too invasive, resulting in it not being lawful.

Een boete van 300 euro - Spaanse Autoriteit voor Gegevensbescherming (AEPD).

De Spaanse autoriteit voor gegevensbescherming heeft een boete van 300 euro opgelegd aan een rijschool. De verantwoordelijke partij had cameratoezicht geïnstalleerd, maar heeft de betrokkenen niet voldoende geïnformeerd over de verwerking van hun gegevens. De oorspronkelijke boete van 500 euro is verlaagd tot 300 euro vanwege de directe betaling en de erkenning van verantwoordelijkheid door de verantwoordelijke partij.

€300 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 300 on a driving school. The controller has installed video surveillance, but failed to adequatly inform data subjects. The original fine of EUR 500 was reduced to EUR 300 due to immediate payment and admission of responsibility by the controller.

€10,000 fine - Hellenic Data Protection Authority (HDPA)

The Hellenic DPA has imposed a fine of EUR 10,000 on Shield of David - K.I.D.A.F. The controller, a day care centre for people with autism, has legally installed video surveillance on its premises. However, the controller failed to adequately respond to a data subject's request to exercise their rights. Furthermore, the controller forwarded data to third entities without notifying the data subject. Lastly, the controller failed to cooperate adequately with the DPA.

€16,000 fine - Slovenian Supervisory Authority (Informacijski pooblaščenec)

The Slovenian DPA has imposed a fine of EUR 16,000 on a sole trader. The controller rented out apartments to tenants and installed video surveillance inside them.

€8,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 8,000 on the Eastern Parma Apennine Mountain Community. The controller had set up video surveillance in front of a police station, that filmed employees and other individuals. However, the surveillance was set up in a way that did not comply with data protection regulations.

€6,600 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA imposed a fine on GRUAS IGNACI, S.L. The controller uses too much data to verify a person's identity, which breaches the principle of data minimization. Furthermore, the controller uses video surveillance without informing data subjects about data processing. Lastly, the controller failed to implement sufficient technical and organizational measures to ensure information security. The original fine of EUR 11,000 was reduced to EUR 6,600 due to immediate payment and admission of r

€500 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 500 on GALENICUM HEALTH, S.L.U. The controller uses video surveillance that partially captures images of a public road, which infringes on the principle of data minimization.

€1,500 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 1,500 on Macelleria La Costata s.r.I.s. The controller used video surveillance in its butcher's shop without installing the necessary information signs. Furthermore, the cameras were able to film public areas.

€18,400 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has imposed a fine of EUR 18,400 on the Granit Bostad Beritsholm AB. The controller, a property management company, installed CCTV cameras in an apartment complex without sufficient legal basis. Additionally, the controller failed to inform data subjects about the video surveillance.

€300 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 300 on a data controller. The controller had installed a video surveillance system without adequately providing information for data subjects.

€2,300 fine - National Commission for Data Protection (CNPD)

The DPA of Luxembourg has issued a fine of EUR 2,300 on a company, that is active in the retail sale of telecommunication equipement in specialised stores. The controller had installed video surveillance on the property. The video surveillance was installed in a way, that partly infringed the prinicple of legality and the principle of data minimisation. The controller also failed to adequately inform data subjects regarding the data processing and failed to implement adequate technical and organ

€500 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 500 on 4T OCIO Y CAFÉ 2009, S.L. for installing a video surveillance system without the express consent of the owners' association of the building in question.

€29,500 fine - Data Protection Authority of Ireland

The Irish DPA has imposed a fine of EUR 29,500 on the Sligo County Council. The controller used video surveillance but failed to ensure compliance with the GDPR. They failed to provide adequate information to data subjects, failed to implement sufficient technical and organisational measures to ensure GDPR compliance, failed to ensure adequate data security and stored the recorded data for longer than necessary.

€1,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 1,000 on MINAS DE VALDECASTILLO, S.A.. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly provided information about the data processing by the cameras and thus violated its duty to inform.

€35,700 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed fines totaling EUR 35,700 on nine companies for failing to adequately indicate their video surveillance areas and for failing to provide all the necessary information on data processing related to video processing.

€400 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 400 on a private individual. The individual had installed video surveillance cameras, which however also recorded parts of neighboring properties.

€1,500,000 fine - Austrian Data Protection Authority (dsb)

The Austrian DPA has imposed a fine of EUR 1,500,000 on IKEA. The controller used excessive video surveillance, including in public spaces and the checkout area. Additionally, the video surveillance captured customers entering their credit card PINs when making payments. The controller appealed against the decision to the Austrian Federal Administrative Court, which upheld the DPA's decision in its ruling on 25 June 2025. June 2025.

€1,500,000 fine - Austrian Data Protection Authority (dsb)

The Austrian DPA has imposed a fine of EUR 1,500,000 on a company, that is part of a group. The controller installed video surveillance devices that did not comply with the GDPR, resulting in the company being fined.

€1,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has fined a private individual EUR 1,000. The controller had uploaded images from their video surveillance camera to Instagram showing, amongst others, a minor and members of the national armed forces. During its investigation, the DPA found that the controller had no valid legal basis for uploading these images.

€2,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 2,000 on a private individual for installing video surveillance cameras without a valid legal basis.

€600 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine on DIGIMAN ALICANTE S.L.. The data controller had installed a video surveillance system without adequately providing information for data subjects. The original fine of EUR 1,000 was reduced to EUR 600 due to voluntary payment and acknowledgement of responsibility.

€600 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA (AEPD) has imposed a fine of EUR 600 on ASSOCIACIO CANNABICA DEL MARESME ACANNAM. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly provided information about the data processing by the cameras and thus violated its duty to inform.

€300 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 300 on a private individual. The individual had installed a video surveillance camera which also recorded parts of a neighbouring property and the public space. The DPA considered this to be a violation of the principle of data minimization.

€600 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine on a Homeowners' association. The association had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. The DPA also found a breach of the controller's obligation to provide information on data processing under Art. 13 GDPR. The original fine of EUR 1000 was reduced to EUR 600 due to the voluntary payment and the acknowledgement of responsib

€300 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 300 on a private individual. The individual had installed a video surveillance camera in their garage area, which however also recorded parts of a neighboring property. The DPA considered this to be a violation of the principle of data minimization.

€5,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 5,000 on a bakery. The DPA found that the controller had violated its information obligations and the principle of data minimization in the context of data processing involving video surveillance.

€2,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 2,000 on EXPLOTACIONES HOSTELERAS Y DE OCIO ALBACETEÑAS, S.L.. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. The DPA also found a breach of the controller's obligation to provide sufficient information on data processing under Art. 13 GDPR.

€800 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. The original fine of EUR 1,000 was reduced to EUR 800 due to voluntary payment.

€300 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 300 on a private individual. The individual had installed a video surveillance camera which also recorded parts of a neighbouring property. The DPA considered this to be a violation of the principle of data minimization.

€1,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 1,000 on VOX ESPAÑA. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. The DPA also found a breach of the controller's obligation to provide sufficient information on data processing under Art. 13 GDPR.

€300 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 300 on a private individual. The individual had installed a video surveillance camera which also recorded the entrance area of the neighboring apartment. The DPA considered this to be a violation of the principle of data minimization.

€5,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 5,000 on Dly S.r.l.. The company had installed video surveillance systems in its premises, however, their specific use was not authorized.

Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed seven fines totaling EUR 16,000 on data controllers for failing to adequately mark video-monitored areas. This lack of marking resulted in people entering these areas not being informed of the surveillance, as the signs were either not visible on entry or did not contain all the necessary information. The fines ranged from EUR 500 to 4,000 and were imposed on various establishments, including hotels, restaurants, and shops. According to Art. 27 (1) of the Law

€300 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 300 on a private individual. The individual had installed a video surveillance camera which, among other things, also recorded public spaces. In addition, the person forwarded the recordings via WhatsApp. The DPA considered this to be a violation of the principle of data minimization.

€1,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 1,000 on DELSA ALQUILERES S.L.. The controller had installed video surveillance cameras in a residential complex which, among other things, also recorded common areas, although this was not authorized by the homeowners' association. In addition, the controller did not sufficiently comply with its information obligations under Art. 13 GDPR.