BULLETIN №075Last updated · 10 Jun 2026
Fine Tracker.
A public register of regulatory fines issued under EU compliance directives. Updated as decisions are published by national supervisory authorities.
35 entries
| № | Imposed | Company | Country | Authority | Type | Amount | ↗ |
|---|---|---|---|---|---|---|---|
| 001 | — | Lensa.roLensa.ro, operated by Tensa Art Design, was fined EUR 20,000 by Romania’s data protection authority, ANSPDCP. The case involved cookie-based tracking and behavioral advertising without clear user consent, as well as failure to respond to the authority’s official information requests. | RO | Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal | GDPR consent and cooperation violation | €20,000 | ↗ |
| 002 | — | Enel Energia SpAEnel Energia SpA was fined EUR 79.1 million by the Italian data protection authority, Garante. The case concerned misuse of personal data and was a major GDPR enforcement action. | IT | Garante per la protezione dei dati personali | Misuse of personal data | €79,100,000 | ↗ |
| 003 | — | DPD PolskaThe President of the Personal Data Protection Office imposed an administrative fine of more than PLN 11 million on DPD Polska for GDPR violations. The authority cited the failure to conclude data processing agreements with external carriers and inadequate organizational measures to protect data security. | PL | Prezes Urzędu Ochrony Danych Osobowych | GDPR fine | zł 11,000,000 | ↗ |
| 004 | — | FC BarcelonaThe AEPD imposed a fine of EUR 500,000 on FC Barcelona for a GDPR breach. The case concerned personal data processing that did not comply with legal requirements. | ES | AEPD | — | €500,000 | ↗ |
| 005 | 05 Dec 2026 | XThe European Commission imposed a EUR 120 million fine on X for breaching transparency requirements under the Digital Services Act. The penalty covered deceptive verification design, an inadequate ad repository, and restricted access for researchers. | EU | European Commission | Digital Services Act transparency violation | €120,000,000 | ↗ |
| 006 | 24 Feb 2026 | Reddit, Inc.The ICO imposed a GBP 14.5 million UK GDPR fine on Reddit, Inc. for failures related to age-gating and the protection of children’s data. The matter was initially misfiled as an enforcement notice and later refiled as a monetary penalty notice. | GB | Information Commissioner's Office | Children's data protection | £14,500,000 | ↗ |
| 007 | 31 Jan 2026 | SC Tensa Art Design SAThe Romanian data protection authority fined SC Tensa Art Design SA, operator of the Lensa brand, EUR 20,000 under the GDPR. The sanction followed the company’s failure to respond to the authority’s investigative request concerning cookie tracking and behavioral advertising on its website. | RO | Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal | GDPR investigation non-cooperation | €20,000 | ↗ |
| 008 | 13 Jan 2026 | Free Mobile and FreeFrance’s CNIL fined Free Mobile and Free a combined EUR 42 million for GDPR breaches linked to a 2024 data breach affecting more than 24 million users. The regulator found inadequate security measures and said Free Mobile unlawfully retained former subscribers’ data. | FR | Commission nationale de l’informatique et des libertés | Data protection | €42,000,000 | ↗ |
| 009 | 01 Jan 2026 | CloudflareAGCOM issued an ordinanza ingiunzione against Cloudflare under the Digital Services Act. The fine is 100,000 EUR and relates to a breach of DSA obligations. | IT | AGCOM | DSA | €100,000 | ↗ |
| 010 | 19 Dec 2025 | HelsaMiNorway’s digital accessibility regulator found 119 accessibility errors at HelsaMi, with 64 issues still unresolved after the initial remediation deadline. The operator was ordered to fix the problems by 2025-12-19 or face a daily penalty of NOK 50,000 until compliance is achieved. | NO | Tilsynet for universell utforming av IKT | Accessibility fine | kr 50,000 | ↗ |
| 011 | 19 Nov 2025 | About YouThe Hungarian Competition Authority (GVH) found that About You used misleading discount pricing and pressured consumers with countdown timers and scarcity messages. The company was ordered to pay HUF 505 million to the Hungarian central budget and to provide compensation to affected Hungarian customers. | HU | Gazdasági Versenyhivatal | Misleading pricing | Ft 505,000,000 | ↗ |
| 012 | 01 Nov 2025 | LastPass UK LtdIn November 2025, the Information Commissioner’s Office imposed a monetary penalty of about £1.2 million on LastPass UK Ltd. The sanction concerned security and governance failures that led to a breach affecting around 1.6 million UK users, despite the use of strong encryption. | GB | Information Commissioner's Office | Inadequate security measures | £1,200,000 | ↗ |
| 013 | 22 Oct 2025 | εκδοτικός οίκοςThe Greek Data Protection Authority fined a publishing house EUR 9,000 for disclosing an author's personal and special-category data in an email sent to 55 recipients. It also found failures to implement data protection by design and to notify both the authority and the data subject of the breach. | GR | Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα | GDPR data breach | €9,000 | ↗ |
| 014 | 10 Oct 2025 | Capita plc and Capita Pension Solutions LimitedThe Information Commissioner's Office imposed a £14 million fine on Capita plc and Capita Pension Solutions Limited for UK GDPR infringements linked to a March 2023 cyber security breach. The case concerned inadequate technical and organisational measures and a delayed response to security alerts. | GB | Information Commissioner's Office | Data protection breach | £14,000,000 | ↗ |
| 015 | 01 Sept 2025 | Osnovna škola XAZOP imposed a fine of EUR 2,000 on Osnovna škola X for breaching GDPR rules on personal data processing. The case involved unlawful processing of personal data, indicating a compliance failure under data protection requirements. | HR | AZOP | GDPR fine | €2,000 | ↗ |
| 016 | 02 Jul 2025 | Hrvatski ured za osiguranjeAZOP imposed a 101,000 euro fine on Hrvatski ured za osiguranje (HUO) after finding that it had not implemented adequate technical and organizational measures to protect personal data. The decision followed an investigation into a major data leak affecting about 1.2 million vehicle owners in Croatia. | HR | AZOP | Personal data protection | €101,000 | ↗ |
| 017 | 23 Jun 2025 | McDonald's Polska sp. z o.o.The President of the Personal Data Protection Office imposed an administrative fine of PLN 16,932,657 on McDonald's Polska sp. z o.o. and a separate fine on its processor. The decision of 2025-06-23 concerned inadequate processor verification, insufficient risk analysis, and failure to implement appropriate GDPR security measures. | PL | President of the Personal Data Protection Office | Data protection violation | zł 16,932,657 | ↗ |
| 018 | 03 Jun 2025 | Spotify ABOn 2025-06-03, Kammarrätten ruled that Spotify AB must pay an administrative fine of 58 million SEK. The case concerned insufficient transparency and inadequate information to data subjects under the GDPR, following an investigation by Integritetsskyddsmyndigheten. | SE | Integritetsskyddsmyndigheten (IMY) | GDPR transparency violation | kr 58,000,000 | ↗ |
| 019 | 03 Jun 2025 | Regione LombardiaThe Italian Data Protection Authority, Garante per la protezione dei dati personali, imposed a EUR 50,000 fine on Regione Lombardia. The case concerned unlawful retention of employees' email metadata, excessive retention of web browsing logs, and prolonged storage of helpdesk ticket data. | IT | Garante per la protezione dei dati personali | GDPR data retention violation | €50,000 | ↗ |
| 020 | 01 Jun 2025 | CarrefourThe Agencia Española de Protección de Datos imposed a EUR 3.2 million fine on Carrefour. The penalty followed five security breaches between January and April 2023 that affected the personal data of thousands of customers. | ES | Agencia Española de Protección de Datos | Data security breach | €3,200,000 | ↗ |