General Data Protection Regulation

GDPR
active

EU-wide data protection law governing the processing of personal data of individuals in the EU/EEA. Sets strict requirements for consent, data subject rights, breach notification, and cross-border transfers.

Jurisdiction

European Union

Jurisdiction Type

supranational

Effective Date

5/25/2018

Enforcing Authority

National Data Protection Authorities (DPAs)

Maximum Fine

Up to €20M or 4% of annual global turnover

Fines Under This Regulation

1,990

Total Fine Amount (USD)

$4.8B

Privacy Topics

consent, data_subject_rights, breach_notification, cross_border_transfer, dpo, privacy_by_design, children

Key Articles

| Article | Description |
| --- | --- |
| Art. 5 | Principles of processing |
| Art. 6 | Lawful basis |
| Art. 7 | Conditions for consent |
| Art. 9 | Special categories |
| Art. 15 | Right of access |
| Art. 17 | Right to erasure |
| Art. 20 | Data portability |
| Art. 25 | Data protection by design |
| Art. 32 | Security of processing |
| Art. 33 | Breach notification to authority |
| Art. 35 | Data protection impact assessment |
| Art. 83 | Fines and penalties |
| Art. 12-14 | Transparency and information |
| Art. 44-49 | International transfers |

Fines Under GDPR

| Date | Company | Authority | Amount (USD) | Type |
| --- | --- | --- | --- | --- |
| -- | Unknown | Slovak Data Protection Office | -- | Failure to implement sufficient measures to ensure information security |
| -- | Vodafone Espana | Spanish Data Protection Authority (AEPD) | $5,400 | Failure to comply with processing principles |
| -- | Unknown | Slovak Data Protection Office | -- | Non-compliance with lawful basis for data processing |
| -- | Gestion De Cobros Yo Cobro SL | Spanish Data Protection Authority (AEPD) | $64,800 | Non-compliance with lawful basis for data processing |
| -- | Unknown | Slovak Data Protection Office | -- | Art. 32 GDPR (https://www.privacy-regulation.eu/en/32.htm) |
| -- | Vodafone Espana | Spanish Data Protection Authority (AEPD) | $29,160 | Non-compliance with subjects' rights protection safeguards |
| -- | Unknown | Data Protection Authority of Hamburg | $540 | Non-compliance with lawful basis for data processing |
| -- | ENDESA | Spanish Data Protection Authority (AEPD) | $64,800 | Non-compliance with lawful basis for data processing |
| -- | Unknown | Data Protection Authority of Saarland | -- | Non-compliance with lawful basis for data processing |
| -- | Restaurant | Spanish Data Protection Authority (AEPD) | $12,960 | Non-compliance with lawful basis for data processing |
| -- | Unknown | Slovak Data Protection Office | -- | Non-compliance with subjects' rights protection safeguards |
| -- | Unknown | Slovak Data Protection Office | -- | Failure to implement sufficient measures to ensure information security |
| -- | UniCredit Bank | Czech Data Protection Authority (UOOU) | $3,391 | Non-compliance with lawful basis for data processing |
| -- | Alza.cz a.s. | Czech Data Protection Authority (UOOU) | $635 | Non-compliance with lawful basis for data processing |
| -- | Individual entrepreneur | Czech Data Protection Authority (UOOU) | $1,058 | Failure to implement sufficient measures to ensure information security |
| -- | Edison Energia S.p.A. | Italian Data Protection Authority (Garante) | $5,292,000 | Failure to comply with data processing principles |
| -- | Hamburger Volksbank eG | Data Protection Authority of Hamburg | -- | Non-compliance with lawful basis for data processing |
| -- | Unknown | Data Protection Authority of Brandenburg | $54,000 | Non-compliance with subjects' rights protection safeguards |
| -- | Unknown | Data Protection Authority of Liechtenstein | $4,428 | Unknown |
| -- | Ikea Romania SA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | $1,080 | Failure to implement sufficient measures to ensure information security |
| -- | Piraeus Bank | Hellenic Data Protection Authority (HDPA) | $10,800 | Failure to comply with data processing principles |
| -- | ALBERTO FORTE COMPSITE, S.L. | Spanish Data Protection Authority (AEPD) | $12,960 | Failure to implement sufficient measures to ensure information security |
| -- | Mercadona S.A. | Spanish Data Protection Authority (AEPD) | $18,360 | Non-compliance with lawful basis for data processing |
| 2026-02-01 | NL Municipalities (x10) | Netherlands AP | $270,000 | consent |
| 2025-09-01 | SHEIN | France CNIL | $162,000,000 | consent |

Showing 1 - 25 of 1,990 results
