GDPR Enforcement Tracker - list of GDPR fines

The CMS.Law GDPR Enforcement Tracker is an overview of fines and penalties which data protection authorities within the EU have imposed under the EU General Data Protection Regulation (GDPR, DSGVO). Our aim is to keep this list as up-to-date as possible. Since not all fines are made public, this list can of course never be complete, which is why we appreciate any indication of further GDPR fines and penalties. Please note that we do not list any fines imposed under national / non-European laws, under non-data protection laws (e.g. competition laws / electronic communication laws) and under "old" pre-GDPR-laws. We have, however, included a limited number of essential ePrivacy fines under national member state laws.
New features: "ETid" and "Direct URL"!
We have assigned a unique and permanent ID to each fine in our database, which makes it possible to precisely address fines, e.g. in publications. Once an "ETid" has been assigned to a fine, it remains the same, even if the fine is overturned or amended by courts at a later date, or if we add fines that were issued chronologically before. The "Direct URL" (click "+" or on a specific ETid to view details of a fine) can be used to share fines online, e.g. on Twitter or other media.
| ETid | Country | Date of Decision | Fine [€] | Controller/Processor | Quoted Art. | Type | Source |
| --- | --- | --- | --- | --- | --- | --- | --- |
| ETid-1694 | ITALY | 2023-01-11 | 6,000 | Ufficio Scolastico Regionale per la Lombardia, Ufficio IV - Ambito Territoriale di Brescia | Art. 5 GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 2-ter Codice della privacy, Art. 2-septies (8) Codice della privacy | Insufficient legal basis for data processing | link |
| ETid-1693 | ITALY | 2023-01-26 | 5,000 | Azienda ULSS n.5 Polesana | Art. 5 (1) f) GDPR, Art. 9 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | link |
| ETid-1692 | SPAIN | 2023-03-14 | 240 | Private individual | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | link |
| ETid-1691 | SPAIN | 2023-02-27 | 4,000 | Attorney | Art. 5 (1) f) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | link |
| ETid-1690 | SPAIN | 2023-03-15 | 480 | Private individual | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | link |
| ETid-1689 | SPAIN | 2023-03-16 | 5,000 | Private individual | Art. 5 (1) f) GDPR, Art. 32 (1) GDPR | Non-compliance with general data processing principles | link |
| ETid-1688 | POLAND | 2023-01-19 | 6,400 | Szczecin-Centrum District Court | Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 24 (1) GDPR, Art. 25 (1), (2) GDPR, Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | link link |
| ETid-1687 | ROMANIA | 2023-03-16 | 3,000 | Med Life S.A. | Art. 32 (1) b) GDPR, Art. 32 (2) GDPR, Art. 32 (4) GDPR | Insufficient technical and organisational measures to ensure information security | link |
| ETid-1686 | ROMANIA | 2023-03-16 | 1,000 | Centrul Medical dr. Furtună Dan | Art. 32 (1) b) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | link |
| ETid-1685 | ROMANIA | 2023-03-14 | 3,000 | Tinmar Energy SA | Art. 32 (1) b) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | link |