BULLETIN №075Last updated · 10 Jun 2026
Fine Tracker.
A public register of regulatory fines issued under EU compliance directives. Updated as decisions are published by national supervisory authorities.
35 entries
| № | Imposed | Company | Country | Authority | Type | Amount | ↗ |
|---|---|---|---|---|---|---|---|
| 021 | 21 May 2025 | NN ΕλληνικήThe Greek Data Protection Authority imposed a €22,000 fine on NN Ελληνική for refusing to provide recorded telephone calls in response to a data subject access request. The case concerns failure to comply with access rights obligations under data protection law. | GR | Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα | Data subject access request violation | €22,000 | ↗ |
| 022 | 29 Apr 2025 | Ordine professionale degli psicologi della LombardiaOn 2025-04-29, the Italian Data Protection Authority fined the Ordine professionale degli psicologi della Lombardia EUR 30,000. The sanction concerned breaches of Articles 5(1)(f) and 32 GDPR following a data breach and the failure to implement adequate security measures. | IT | Garante per la protezione dei dati personali | Failure to implement adequate security measures | €30,000 | ↗ |
| 023 | 23 Apr 2025 | MetaThe European Commission fined Meta EUR 200 million for breaching the Digital Markets Act. The sanction concerns Meta’s “consent or pay” model used for Facebook and Instagram users in Europe. | IE | European Commission | Digital Markets Act violation | €200,000,000 | ↗ |
| 024 | 01 Apr 2025 | BitdefenderBitdefender received a GDPR fine of EUR 10,000 from the Romanian data protection authority. The sanction followed an investigation completed in April 2025 after a data breach notification, with the authority citing inadequate technical and organizational security measures. | RO | Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal | GDPR data security breach | €10,000 | ↗ |
| 025 | 01 Jan 2025 | Sambla GroupThe Finnish Data Protection Authority fined Sambla Group EUR 950,000 after unauthorized parties accessed credit application data by manipulating web addresses. The authority found that the company had not implemented adequate safeguards to prevent the breach. | FI | Tietosuojavaltuutetun toimisto | Insufficient security measures | €950,000 | ↗ |
| 026 | 27 Sept 2024 | Meta Platforms Ireland LimitedThe Irish Data Protection Commission fined Meta Platforms Ireland Limited EUR 91,000,000 for inadequate protection of Facebook and Instagram user passwords. According to the decision, the company stored passwords in plain text without proper encryption, and the final decision was announced on 2024-09-27. | IE | Irish Data Protection Commission | Data security | €91,000,000 | ↗ |
| 027 | 05 Oct 2023 | DPP Law LtdThe Information Commissioner's Office issued a monetary penalty notice against DPP Law Ltd. The firm was fined GBP 60,000 for failing to implement appropriate technical and organisational measures to secure personal data. | GB | Information Commissioner's Office | Data security | £60,000 | ↗ |
| 028 | 04 Oct 2023 | Amazon EuropeThe CNPD imposed a fine of EUR 746,000,000 on Amazon Europe for breaches of data protection rules. The case concerned shortcomings in the processing of personal data and compliance with GDPR requirements. | LU | CNPD | GDPR | €746,000,000 | ↗ |
| 029 | 22 May 2023 | Meta PlatformsIreland's Data Protection Commission imposed a EUR 1.2 billion GDPR fine on Meta Platforms in May 2023. The case concerned unlawful transfer of EU user data to the US. | IE | Ireland Data Protection Commission | Unlawful data transfer | €1,200,000,000 | ↗ |
| 030 | 28 Mar 2023 | Sky Italia S.r.l.The Italian Data Protection Authority fined Sky Italia S.r.l. EUR 842,062 for violations related to telemarketing and commercial communications. The company failed to properly verify consent, relied on outdated consents, and did not check the Public Register of Oppositions before campaigns. | IT | Garante per la protezione dei dati personali | GDPR telemarketing | €842,062 | ↗ |
| 031 | 04 Jan 2023 | MetaMeta, the parent company of Facebook and Instagram, was fined 390 million euros by the Irish Data Protection Commission in 2023. The authority cited GDPR violations related to consent for personalized advertising. | IE | Irish Data Protection Commission | GDPR consent violation | €390,000,000 | ↗ |
| 032 | 02 Sept 2022 | Meta Platforms, Inc.Ireland's Data Protection Commission fined Meta Platforms, Inc. 405 million euros for the handling of minors' data on Instagram. The case involved public exposure of contact details and default public business accounts. | IE | Data Protection Commission | Personal data processing | €405,000,000 | ↗ |
| 033 | 02 Sept 2021 | WhatsAppWhatsApp was fined 225 million EUR by the Irish Data Protection Commission in 2021. The authority cited violations related to privacy policies and insufficient transparency about how user data was used. | IE | Irish Data Protection Commission | Transparency violation | €225,000,000 | ↗ |
| 034 | 01 Jan 2021 | Município de LisboaThe Portuguese data protection authority fined Município de Lisboa EUR 1,250,000 in 2021. The sanction concerned the unlawful transfer of protesters’ personal data to the Russian Embassy in breach of the GDPR. | PT | Comissão Nacional de Proteção de Dados | GDPR data transfer violation | €1,250,000 | ↗ |
| 035 | 25 Feb 2020 | Addiko Bank d.d.The High Administrative Court of the Republic of Croatia upheld AZOP’s decision of 25 February 2020 against Addiko Bank d.d. The confirmed administrative fine was 145,995.09 EUR for obstructing customers’ access to their personal data and credit documentation. | HR | AZOP | GDPR access rights violation | €145,995 | ↗ |