GDPR Fines

A list of GDPR fines across all European data protection agencies since 2019, comprising a total cost of €3,994,443,726.

Data Protection Authority Name	Fined Company	Fine	Violation	Description
Data Protection Commissioner of Malta	Not assigned Unknown	2020 €2,500.00	Insufficient technical and organisational measures to ensure information security Art. 5 (1) f) GDPR Art. 32 (1) b) GDPR	The controller has disclosed a personal email address to all recipients of the email.
Data Protection Commissioner of Malta	Not assigned Unknown	2020 €20,000.00	Insufficient fulfilment of data subjects rights Art. 13 GDPR Art. 15 GDPR	The controller failed to comply with a data subject's right to information. In addition, the data protection policy did not meet the transparency requirements.
Data Protection Commissioner of Malta	Not assigned Unknown	2020 €4,000.00	Insufficient fulfilment of data subjects rights Art. 13 GDPR Art. 15 GDPR, Regulation 9 S.L 586.01	The controller had sent unsolicited commercial messages. In addition, the privacy policy did not comply with transparency requirements and the controller failed to comply with requests for information from data subjects.
Data Protection Authority of Baden-Wuerttemberg	Accomodation and Hospitalty Restaurant	2019-11 €5,000.00	Non-compliance with general data processing principles Art. 5 (1) c) GDPR	Excessive use of video surveillance in violation of the principle of data minimization.
GARANTE Italian Data Protection Authority	Transportation and Energy Consorzio Concessioni Reti Gas S.c.a.r.l.	2023-03-2023 €2,000.00	Non-compliance with general data processing principles Art. 5 (1) a),c) GDPR Art. 12 GDPR Art. 13 GDPR	The Italian DPA has fined Consorzio Concessioni Reti Gas S.c.a.r.l. EUR 2,000. The controller continued to leave the business email account of an intern active even after the termination of the employment. The DPA furthermore found that the controller could not prove compliance with its information obligations under the GDPR.