June 2025 marked a watershed moment in European data protection enforcement, with regulatory authorities across the continent imposing some of the most significant GDPR penalties to date. With total GDPR fines reaching approximately €5.88 billion since 2018, this month's enforcement actions demonstrate an increasingly assertive regulatory approach that spans multiple sectors and violation types.

The five major fines issued in June 2025 totaled over €48 million, affecting organizations from telecommunications giants to DNA testing companies, government departments, and educational institutions. These penalties reveal evolving enforcement priorities, particularly around third-party risk management, biometric data processing, and cybersecurity failures.


1. Germany: Vodafone GmbH - €45 Million Fine

The Violations That Cost €45 Million

The German data protection authority (BfDI) fined Vodafone GmbH €45 million ($51.4 million) for privacy and security violations, making this one of the largest GDPR enforcement actions in Germany to date. The penalty was strategically divided into two components, each addressing distinct but interconnected failures.

Third-Party Partner Misconduct (€15 Million)

BfDI imposed a €15 million fine on Vodafone GmbH for failing to monitor partner agencies whose employees made unauthorized contract changes or tricked customers into signing fictitious contracts. The investigation revealed that, within the partner agencies that broker contracts to customers on behalf of Vodafone, malicious employees had committed fraud through fictitious contracts or contract changes at the expense of customers.

This violation centered on Article 28 GDPR, which requires data controllers to ensure that processors provide adequate guarantees for GDPR-compliant data processing. The BfDI found that Vodafone had not sufficiently complied with its obligations under Art. 28 GDPR, as there were no effective processes for selecting, auditing and continuously monitoring the partners.

Authentication System Vulnerabilities (€30 Million)

The larger portion of the fine addressed critical security failures in Vodafone's customer authentication infrastructure. The British multinational telecommunications company was hit with a second €30 million fine for authentication vulnerabilities in its MeinVodafone ("My Vodafone") customer portal and the company's hotline, which allowed attackers to access customer eSIM profiles.

The case exemplifies the dangers of inadequate authentication mechanisms in an era of rampant cyber attacks and social engineering. In Vodafone's case, a weak identity verification process became an open door for data exposure and account takeover.

Corporate Response and Remediation

Notably, a Vodafone spokesperson was not immediately available for comment when contacted by BleepingComputer, but the regulator acknowledged the company's cooperation. It should be particularly emphasized that Vodafone cooperated fully throughout the proceedings and also disclosed self-incriminating circumstances. The fines were accepted and have already been paid in full to the federal treasury.

The company has implemented comprehensive reforms, including updated processes for partner selection and auditing, enhanced authentication systems, and donations to data protection and digital literacy organizations.


2. United Kingdom: 23andMe - £2.31 Million Fine

A "Profoundly Damaging" Genetic Data Breach

The ICO fined genetic testing company 23andMe £2.31 million for failing to implement appropriate security measures to protect the personal information of UK users, following a large-scale cyber attack in 2023. This penalty followed a joint investigation with Canadian authorities and addressed one of the most sensitive types of personal data breaches: genetic information.

The Credential Stuffing Attack

Between April and September 2023, a hacker carried out a credential stuffing attack on 23andMe's platform, exploiting reused login credentials that were stolen from previous unrelated data breaches. This resulted in the unauthorised access to personal information belonging to 155,592 UK residents.

The breach exposed names, birth years, self-reported city or postcode-level location, profile images, race, ethnicity, family trees and health reports, affecting individuals whose genetic data represents some of the most intimate personal information possible.

Systemic Security Failures

The ICO identified multiple critical security deficiencies:

  • Unsatisfactory authentication measures, including lack of mandatory MFA and insecure password requirements
  • No measures taken to prevent accessing and downloading raw genetic data
  • No measures to adequately monitor, detect, or respond to security threats to user data

Delayed Recognition and Response

Perhaps most concerning was 23andMe's inadequate incident response. The breach took place between April and September 2023, during which time the attackers used credential-stuffing techniques to access a small portion of the total user accounts; yet it was only in October 2023, following a post on Reddit that explicitly offered 23andMe data for sale, that 23andMe launched a full internal investigation.

Regulatory Commentary

UK Information Commissioner John Edwards said: "This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK". He emphasized that "once this information is out there, it cannot be changed or reissued like a password or credit card number".


3. Ireland: Department of Social Protection - €550,000 Fine

The Data Protection Commission (DPC) has fined the Department of Social Protection (DSP) €550,000 for breaches of privacy rules relating to the use of facial recognition technology in the registration process for the Public Services Card. This case represents a significant enforcement action against a government entity for biometric data processing violations.

The SAFE 2 Registration System

The Department of Social Protection (DSP) processes biometric facial templates and uses facial matching technologies as part of the registration process for the Public Services Card. This process is known as "SAFE 2 registration" and is mandatory for anyone who wishes to apply for a Public Services Card.

The scale of this processing is staggering: in 2021, DSP was in possession of face biometric data for approximately 70 percent of Ireland's population, a scale the DPC said necessitated strict legal safeguards.

Multiple GDPR Violations

The DPC found several serious violations:

  • Infringed Articles 5(1)(a), 6(1), and 9(1) GDPR by failing to identify a valid lawful basis for the collection of biometric data in connection with SAFE 2 registration
  • Infringed Article 5(1)(e) GDPR by retaining biometric data collected as part of SAFE 2 registration
  • Infringed Article 35(7)(b) and Article 35(7)(c) GDPR by failing to include certain details in the Data Protection Impact Assessment

Government Response and Civil Rights Concerns

The Department of Social Protection said it believes that it has a valid legal basis and that it satisfies the transparency requirements for operating the SAFE process. However, the Irish Council for Civil Liberties (ICCL), which has campaigned against the use of facial recognition in the Public Services Card for more than 15 years, welcomed the decision but described it as "more than a decade late and inadequate".

The ICCL argued that "The Department effectively created a de facto national biometric ID system by stealth over 15-plus years without a proper legal foundation. This illegal database of millions of Irish people's biometric data must be deleted".


4. Ireland: City of Dublin Education and Training Board - €125,000 Fine

Security Failures in Public Education

The DPC reprimanded CDETB, imposed administrative fines totalling €125,000 and ordered CDETB to bring its processing into compliance with the security requirements of the GDPR. This case demonstrates that even smaller public sector organizations face significant enforcement for basic security failures.

Multiple Security and Notification Violations

The City of Dublin Education and Training Board (CDETB) violated several key GDPR provisions:

  • Infringed Articles 5(1)(f), 32(1) and 32(2) GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk
  • Infringed Article 33(1) GDPR by failing to notify the DPC of the breach without undue delay
  • Infringed Article 34(1) GDPR by failing to notify the affected data subjects of the breach without undue delay

Regulatory Pattern Recognition

This Decision represents the second time in approximately six months that the DPC has sanctioned a public sector body for infringements related to a failure to ensure risk-appropriate security measures are implemented, as well as a failure to notify the DPC of a data breach without undue delay.

The regulator emphasized that the fines set out above, totalling €125,000, are substantially lower than the fining range proposed in the draft Decision, the maximum of which was €210,000, suggesting that mitigating factors were taken into account.


5. Italy: Noi Compriamo Auto.it S.r.l. - €45,000 Fine

Direct Marketing Violations and Data Subject Rights

The Italian DPA fined a car dealership €45,000 for unlawfully processing personal data for direct marketing and for other GDPR violations related to direct marketing. While the smallest fine on this list, this case illustrates important principles around marketing consent and data subject rights.

The Violation Pattern

Noi Compriamo Auto.it S.r.l. (the controller) is a company that controls many car retailers across Italy. A data subject received numerous unwanted marketing communications from different email addresses. All emails promoted the controller's website (www.noicompriamoauto.it).

The companyโ€™s violations included:

  • Inadequate proof of consent for direct marketing
  • Failure to respond promptly to data subject rights requests
  • Lack of proper oversight of data processors
  • Insufficient "double opt-in" documentation

Processor Liability Issues

Significantly, after exercising his rights, the data subject still received marketing communications from third parties (the processors) on behalf of the controller. On this basis, the controller claimed that it was not responsible for any GDPR violations committed by the processor. The DPA rejected the argument.

The Italian authority clarified that liability waivers and similar clauses only regulate the legal relationship between the parties. Such clauses do not exempt data controllers from complying with their duties under the GDPR.


1. Expansion Beyond Big Tech

While big tech continues to be the primary target, the regulatory landscape has expanded. Authorities are now increasingly focusing on other industries, including finance, healthcare, and energy, underscoring the broadening scope of GDPR enforcement. June 2025's fines demonstrate this trend, affecting the telecommunications, healthcare/genetics, government services, education, and automotive sectors.

2. Third-Party Risk Management

The Vodafone case highlights two critical compliance areas: inadequate authentication mechanisms in an era of rampant cyber attacks and social engineering, and poor vendor oversight. Organizations increasingly face liability for their partners' and processors' actions, making vendor due diligence essential.

3. Biometric Data Scrutiny

Both the German Vodafone authentication failures and the Irish Social Protection biometric processing cases demonstrate heightened regulatory focus on biometric data and authentication systems. Biometric data is classified as "special category data" under the GDPR, warranting enhanced security safeguards because of its potential for misuse.

4. Government Accountability

The enforcement actions against Irish government entities demonstrate that public sector organizations face the same GDPR standards as private companies. The DPC therefore again emphasises that it is vitally important that organisations ensure that the risks related to processing personal data are assessed and that processing is carried out in a manner that ensures appropriate security.

5. Incident Response Requirements

Multiple cases emphasized the importance of timely breach notification and response. The average number of breach notifications per day increased slightly to 363 from 335 last year, but inadequate response remains a significant factor in penalty calculations.

Strategic Compliance Recommendations

Immediate Actions

  1. Third-Party Risk Assessment: Conduct comprehensive audits of all data processors and partners, ensuring Article 28 GDPR compliance
  2. Authentication Security Review: Implement multi-factor authentication and robust identity verification systems
  3. Biometric Data Audit: Review all biometric data processing for appropriate legal bases and security measures
  4. Incident Response Testing: Ensure breach notification procedures can meet 72-hour requirements

Long-term Strategic Considerations

  1. Privacy by Design: Embed data protection requirements into system architecture from the outset
  2. Vendor Management Programs: Establish ongoing monitoring and assessment of third-party data processing
  3. Cross-Border Coordination: Prepare for joint investigations as regulators increasingly collaborate internationally
  4. Sector-Specific Compliance: Recognize that traditional "low-risk" sectors now face intense scrutiny

Looking Forward: The Enforcement Evolution

2025 may well be the year that regulators pivot more to naming and shaming and personal accountability, as evidenced by the Dutch Data Protection Commission's announcement that it is investigating whether it can hold the directors of Clearview AI personally liable for numerous breaches of the GDPR.

The June 2025 fines represent more than isolated enforcement actions; they signal a maturing regulatory environment where:

  • No sector is immune from significant enforcement
  • Technical security failures carry severe financial consequences
  • Biometric and sensitive data processing faces heightened scrutiny
  • Third-party relationships create direct liability for controllers
  • Government entities must meet the same standards as private organizations

Conclusion

June 2025's GDPR enforcement activity, totaling over €48 million, demonstrates the continued evolution and intensification of European data protection enforcement. From Vodafone's massive third-party risk management failures to 23andMe's genetic data security breaches, these cases provide crucial lessons for organizations worldwide.

The clear year-on-year trend in GDPR enforcement remains upwards, with the average fine being EUR 2,360,409 across all countries. Organizations that fail to learn from these enforcement patterns do so at their peril, as regulatory authorities demonstrate increasing sophistication in identifying violations and calculating proportionate penalties.

The message is clear: robust data protection compliance is no longer optional but essential for business continuity in the modern regulatory environment. As we expect this trend to continue during 2025, with US AI technology coming up against European data protection laws, proactive compliance investment represents not just a regulatory necessity but a competitive advantage in an increasingly privacy-conscious marketplace.