GDPR Enforcement Highlights – Important findings from recent decisions by European supervisory authorities
In 2026, the General Data Protection Regulation will remain a key touchstone for companies in all sectors. The latest decisions by European data protection authorities clearly show that even large organizations continue to fail to meet basic requirements. Authorities are responding with increasing consistency, particularly when it comes to cookie consent, cybersecurity, marketing communications or video surveillance. This overview summarizes some of the most recent cases and shows why data protection compliance remains essential for every company.
Infringements in the area of cookies and tracking technologies are a recurring theme. The French data protection authority CNIL has published several decisions imposing fines, which illustrate one point in particular: the requirements for informed consent are interpreted very strictly. In one case from the financial sector, a company was fined 1,500,000 euros because cookies were set before consent was given and users' choices were ignored. The CNIL clarified that non-essential cookies may only be activated after active and voluntary consent has been given, and that the technical implementation must ensure a refusal is actually respected. This case underlines that it is not enough for companies to design a visually appealing cookie banner; the banner must also be wired correctly into the site, so that nothing non-essential is set until the user opts in, and its behaviour must be checked regularly.
Another case, also decided by the CNIL, concerned a media and publishing company. The company had continued to set cookies even after users had expressly refused them, and had labeled certain tracking technologies as essential when they were not. This led to a fine of 750,000 euros. The decision shows that dark patterns in the cookie area not only lead to a poor user experience, but also constitute clear compliance violations. The authorities now analyze cookie banners in detail and react in particular when refusals are deliberately circumvented. The decision also points out that violations can still be punished years later if the supervisory authorities follow up and re-examine.
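The two CNIL findings above come down to two technical defects: non-essential cookies set before any consent exists, and a refusal that is recorded but not enforced (including trackers hidden behind an "essential" label). The following is an added example, not code from the original article or from any of the companies mentioned, of a minimal consent gate plus an audit routine that flags cookies present without a matching consent. The cookie names, categories and tag names are constructed for illustration; the consent record is assumed to be a JSON object stored in a first-party cookie named `consent`, with anything missing or malformed treated as refusal.

```javascript
// Consent categories used by this example (constructed; not from the article).
const CATEGORIES = ['essential', 'analytics', 'advertising'];

// Cookie registry: every cookie the site sets is declared with its category.
// Names are hypothetical. An honest registry is the whole point: a tracker
// declared as "essential" here bypasses the gate, which is exactly what the
// CNIL penalised, so this table must be reviewed, not just trusted.
const COOKIE_REGISTRY = {
  session_id: 'essential',
  csrf_token: 'essential',
  _ga_demo: 'analytics',
  _ads_demo: 'advertising',
};

// Third-party tags, each tied to a consent category (hypothetical names).
const TAGS = [
  { name: 'analytics-loader', category: 'analytics' },
  { name: 'ads-pixel', category: 'advertising' },
];

// Parse the stored consent record. Default is refusal for every non-essential
// category: no record, a malformed record, or anything other than an explicit
// `true` means the user has NOT opted in. Essential is always allowed.
function parseConsent(raw) {
  const consent = { essential: true, analytics: false, advertising: false };
  if (!raw) return consent;
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch (e) {
    return consent;
  }
  for (const cat of CATEGORIES) {
    if (cat === 'essential') continue;
    consent[cat] = parsed && parsed[cat] === true; // only an explicit opt-in counts
  }
  return consent;
}

// A cookie is allowed only if it is declared and its category is consented.
// Undeclared cookies are never allowed; they indicate a tag nobody inventoried.
function isAllowed(consent, cookieName) {
  const category = COOKIE_REGISTRY[cookieName];
  if (!category) return false;
  return consent[category] === true;
}

// Gate: return the tags that may be loaded under the given consent.
// On first visit (no record) this is empty, so no tracker runs before opt-in.
function tagsToLoad(consent, tags) {
  return tags.filter((t) => consent[t.category] === true).map((t) => t.name);
}

// Split a Cookie header / document.cookie string into cookie names.
function cookieNames(cookieString) {
  return cookieString
    .split(';')
    .map((s) => s.trim())
    .filter(Boolean)
    .map((s) => s.split('=')[0]);
}

// Audit: compare what the browser actually holds against the consent record
// and report every cookie that should not be there. Run this on a fresh
// profile before interacting with the banner, and again after clicking
// "refuse all"; both runs should return an empty list.
function auditCookies(cookieString, rawConsent) {
  const consent = parseConsent(rawConsent);
  const violations = [];
  for (const name of cookieNames(cookieString)) {
    if (name === 'consent') continue; // the record itself is first-party and essential
    if (!isAllowed(consent, name)) {
      violations.push({ name, category: COOKIE_REGISTRY[name] || 'undeclared' });
    }
  }
  return violations;
}

// Constructed scenarios mirroring the two decisions:
// 1. First visit, no consent record, but an analytics cookie already set.
console.log(auditCookies('session_id=abc; _ga_demo=1', undefined));
// 2. User refused everything, but an advertising cookie was set anyway.
console.log(auditCookies('session_id=abc; _ads_demo=x', '{"analytics":false,"advertising":false}'));
// 3. Tags that may load with no consent record at all: none.
console.log(tagsToLoad(parseConsent(null), TAGS));
```

The audit is only as strong as the registry: if a tracker is declared as essential, the gate and the audit both wave it through, so the registry itself has to be reviewed against what each cookie actually does. The check is cheap enough to run in CI against a staging deployment on every release, which is the "check them regularly" part of the CNIL's reasoning.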
Cybersecurity also remains a focus of the European authorities. The Spanish data protection authority AEPD recently imposed a fine of 1,560,000 euros on a retail company that had fallen victim to a ransomware attack. The investigation revealed that the technical and organizational measures did not meet the required level of protection: among other things, multi-factor authentication was not in use and security patches for relevant systems were not being applied promptly. In addition, the breach was reported to the authority late (the GDPR requires notification within 72 hours of becoming aware of it, where feasible) and affected persons were not informed in good time. This case shows that companies often neglect basic security measures despite increasing cyber threats. Multi-factor authentication, up-to-date security patches and a tested incident response process are essential today, both to limit the damage of an attack and to minimize regulatory risk.
Another example comes from Italy, where the supervisory authority GPDP imposed a fine of 6,000 euros on a company from the hotel industry. The case concerned unsolicited SMS advertising sent without prior consent. In addition, the company had ignored objections to being contacted and was unable to name a clear legal basis for processing the data. The authority emphasized once again that direct marketing is only permitted with valid consent or in narrow exceptional cases. Companies must also ensure that, once an objection has been raised, it is permanently honored and the corresponding data is deleted.
Video surveillance also remains a critical issue, especially when its use goes beyond what is necessary. In Spain, the AEPD imposed another fine, this time amounting to 3,600 euros, on a company from the automotive and food industries. The infringement concerned surveillance cameras that not only recorded video images, but also audio recordings. In addition, the cameras were installed in work and break areas and the legally required signs were missing. The Spanish authorities made it clear that audio recordings are almost always inadmissible in the context of video surveillance. Companies must also ensure that surveillance does not take place in areas where employees or customers have a legitimate expectation of privacy.
These examples show that European supervisory authorities continue to take a strict approach and consistently punish even seemingly minor infringements. The key finding is that data protection compliance is not a one-off task, but a continuous process. Companies must regularly review their procedures, keep technical measures up to date and ensure that users, employees and customers are informed transparently.
Companies should continuously evaluate their processes, particularly in the areas of cookies, cybersecurity, direct marketing and video surveillance. The decisions make it clear that supervisory authorities also recognize and critically scrutinize long-running breaches. Technical failures, late reporting of data breaches and a lack of transparency can have considerable financial and reputational consequences.
Data protection-compliant operation is possible if clear responsibilities are defined, technical standards are adhered to and processes are regularly updated. With their decisions, the authorities show that compliance is not only legally necessary, but also an essential component of responsible corporate governance.