GDPR fines in February 2026
Supervisory authorities in the EU and the UK are currently sending a clear message: data protection through technology design, cooperation with the authorities and effective security measures are mandatory – not optional. Those who ignore these requirements risk severe fines, even without a major data scandal.
The following is an overview of current cases and the most important lessons for companies.
UK (ICO): Heavy fine for failure to protect minors
The British supervisory authority ICO imposed a fine of 247,590 pounds on Imgur owner MediaLab. The accusation: there was neither age verification nor effective parental consent checks. In addition, there was no data protection impact assessment (DPIA), even though children were exposed to potentially harmful content.
The message: Anyone offering services that can be used by minors must implement special protective measures. These include age checks, clear processes for obtaining parental consent and a careful DPIA.
Romania (ANSPDCP): 20,000 euro fine for lack of cooperation
An online retailer in Romania was fined 20,000 euros for ignoring requests from the data protection authority. The fine was imposed solely because of the lack of cooperation – not because of a specific data protection breach in the background.
This shows that even refusing to provide information or ignoring letters from the authorities can be expensive. Companies are obliged to cooperate with the supervisory authorities and provide requested information in a timely manner.
Romania (ANSPDCP): 2,000 euros for a dental practice – not because of the incident, but because of the behavior afterwards
In another case, a dental practice reported a data breach. In the subsequent proceedings, however, it repeatedly ignored queries from the authority and a formal order. The consequence: a fine of 2,000 euros – triggered by the lack of cooperation, not by the original incident.
The lesson: Anyone who reports a data breach must actively cooperate with the authorities, answer questions and implement the measures ordered. Transparent communication and documented steps to limit the damage are crucial.
Netherlands (AP): 250,000 euros against ten municipalities for unauthorized data collection
The Dutch supervisory authority imposed a total fine of 250,000 euros on ten municipalities. These had collected sensitive data on Islamic communities – including information on religion and political views – without sufficient transparency and without a viable legal basis.
This makes it clear that particularly sensitive data (e.g. on religion, health or political opinion) is subject to strict requirements. Authorities and companies must check very carefully whether there is a legal basis, whether the data subjects are informed and whether the purpose justifies the data collection.
Spain (AEPD): 10,000 euros for insecure handling of passwords
In Spain, a telecommunications provider was fined 10,000 euros because access credentials were sent in plain text and no two-factor authentication (2FA) was in place. The supervisory authority clarified that a potential risk alone can be sufficient to establish a breach of Article 32 GDPR (security of processing); the authority did not need to show that the credentials had actually been misused.
This underlines that technical and organizational measures (TOMs) must reflect the state of the art, as Article 32 expressly requires. For credentials this means secure password handling (transmission only over encrypted channels, storage only as salted hashes produced by a password hashing function, never in plain text), encryption of data at rest and in transit, and, where appropriate, multi-factor authentication.
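To make the Spanish case concrete, the following is an added example (not code from the original article, the fined provider, or Syngenity) of what a minimal login path that addresses the two findings looks like in Python, using only the standard library: the password is never stored or compared in plain text, and a time-based one-time code (TOTP, RFC 6238 on top of HOTP, RFC 4226) is checked as a second factor. The scrypt parameters and the `user` record are assumptions for illustration; the TOTP secret in the demo is the RFC 6238 test secret, so the code for time 59 is the published test value 287082.

```python
"""Hardened credential handling: salted memory-hard password hashes plus a TOTP
second factor, beside the plain-text comparison the decision sanctioned.
Added example, standard library only; parameters below are assumptions."""
import hashlib
import hmac
import os
import struct

# --- Insecure pattern (what was sanctioned): the password is kept and compared
# as-is, so any leak of the record or the transport exposes the secret itself.
def insecure_check(stored_plaintext: str, supplied: str) -> bool:
    return stored_plaintext == supplied  # stores the secret; comparison is not constant-time

# --- Hardened storage: memory-hard KDF, random per-user salt, parameters kept
# with the hash so they can be raised later without breaking old records.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # assumption: tune for your hardware

def hash_password(password: str, salt=None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
        if algo != "scrypt":
            return False
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                   n=int(n), r=int(r), p=int(p), dklen=32)
    except ValueError:
        return False  # malformed record or bad parameters: fail closed
    return hmac.compare_digest(candidate, expected)  # constant-time comparison

# --- Second factor: HOTP (RFC 4226) with HMAC-SHA1, TOTP (RFC 6238) with 30 s steps.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, at // step, digits)

def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and `window` neighbours on each side to tolerate clock drift."""
    counter = at // step
    ok = False
    for c in range(counter - window, counter + window + 1):
        # evaluate every candidate so the loop's timing does not reveal which step matched
        ok |= hmac.compare_digest(hotp(secret, c), code)
    return ok

def login(record: dict, password: str, code: str, at: int) -> bool:
    """Both factors must pass; both are evaluated so a failure does not reveal which was wrong."""
    pw_ok = verify_password(password, record["password"])
    otp_ok = verify_totp(record["totp_secret"], code, at)
    return pw_ok and otp_ok

if __name__ == "__main__":
    # Constructed user record; the TOTP secret is the RFC 6238 test secret.
    user = {"password": hash_password("correct horse battery staple"),
            "totp_secret": b"12345678901234567890"}
    now = 59  # RFC 6238 test time; the expected code for this step is 287082
    good_code = totp(user["totp_secret"], now)
    print("stored record:", user["password"])
    print("login, correct password + TOTP:", login(user, "correct horse battery staple", good_code, now))
    print("login, wrong password:", login(user, "hunter2", good_code, now))
    print("login, wrong code:", login(user, "correct horse battery staple", "000000", now))
```

The stored record carries its own algorithm, cost parameters and salt, so the cost can be increased for new records while old ones still verify. A real deployment would additionally rate-limit login attempts and reject a TOTP code that has already been used within its step, neither of which the decision discussed and neither of which is shown here.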
Key findings for companies
Clear patterns can be recognized across all cases:
- Proactive compliance instead of waiting
  Data protection must be integrated into processes, products and systems from the outset. Privacy by design and by default are not theoretical concepts, but concrete requirements.
- Cooperation with supervisory authorities is essential
  Anyone who ignores requests or withholds information risks fines, even without a serious data protection incident. Quick, complete and documented responses are mandatory.
- Robust technical and organizational measures
  Insecure password handling, a lack of encryption or the absence of 2FA are increasingly being sanctioned. Companies should regularly review and adapt their TOMs.
- Special care with children and sensitive data
  Services with underage users and the processing of special categories of personal data require increased care, clear legal bases and additional protection mechanisms.
- Good intentions are not enough
  Even if no damage has occurred or the objectives are "well-intentioned": compliance with the legal requirements is what counts. Formal requirements such as DPIAs, information obligations and documentation are mandatory.
Conclusion
The latest decisions show: Supervisory authorities in Europe and the UK are consistently enforcing the GDPR. Those who postpone data protection requirements or ignore requests from authorities are taking a high financial and reputational risk.
Companies should now critically review their data protection organization, TOMs and DPIA processes and set them up professionally. If you need support in evaluating your GDPR compliance, revising your technical and organizational measures or carrying out data protection impact assessments, Syngenity® GmbH is your partner.