The GDPR Enforcement Surge: Analyzing June 2025's Top 5 Record-Breaking Fines
June 2025 marked a watershed moment in European data protection enforcement, with regulatory authorities across the continent imposing some of the most significant GDPR penalties to date. With total GDPR fines reaching approximately €5.88 billion since 2018, this month's enforcement actions demonstrate an increasingly assertive regulatory approach that spans multiple sectors and violation types.
The five major fines issued in June 2025 totaled over €48 million, affecting organizations from telecommunications giants to DNA testing companies, government departments, and educational institutions. These penalties reveal evolving enforcement priorities, particularly around third-party risk management, biometric data processing, and cybersecurity failures.

1. Germany: Vodafone GmbH - €45 Million Fine
The Violations That Cost €45 Million
The German data protection authority (BfDI) fined Vodafone GmbH €45 million ($51.4 million) for privacy and security violations, making this one of the largest GDPR enforcement actions in Germany to date. The penalty was strategically divided into two components, each addressing distinct but interconnected failures.
Third-Party Partner Misconduct (€15 Million)
BfDI imposed a €15 million fine on Vodafone GmbH for failing to monitor partner agencies whose employees made unauthorized contract changes or tricked customers into signing fictitious contracts. The investigation revealed that malicious employees in partner agencies, which broker contracts to customers on behalf of Vodafone, had committed fraud through fictitious contracts or contract changes at the expense of customers.
This violation centered on Article 28 GDPR, which requires data controllers to ensure that processors provide adequate guarantees for GDPR-compliant data processing. The BfDI found that Vodafone had not sufficiently complied with its obligations under Art. 28 GDPR, as there were no effective processes for selecting, auditing and continuously monitoring the partners.
Authentication System Vulnerabilities (€30 Million)
The larger portion of the fine addressed critical security failures in Vodafone's customer authentication infrastructure. The British multinational telecommunications company received a second fine of €30 million for authentication vulnerabilities in its MeinVodafone ("My Vodafone") portal and its customer hotline, which allowed attackers to access customer eSIM profiles.
The case exemplifies the dangers of inadequate authentication mechanisms in an era of rampant cyber attacks and social engineering. In Vodafone's case, a weak identity verification process became an open door for data exposure and account takeover.
Corporate Response and Remediation
Notably, a Vodafone spokesperson was not immediately available for comment when contacted by BleepingComputer, but the regulator acknowledged the company's cooperation, emphasizing that Vodafone cooperated fully throughout the proceedings and also disclosed self-incriminating circumstances. The fines were accepted and have already been paid in full to the federal treasury.
The company has implemented comprehensive reforms, including updated processes for partner selection and auditing, enhanced authentication systems, and donations to data protection and digital literacy organizations.
2. United Kingdom: 23andMe - £2.31 Million Fine
A "Profoundly Damaging" Genetic Data Breach
The ICO fined genetic testing company 23andMe £2.31 million for failing to implement appropriate security measures to protect the personal information of UK users, following a large-scale cyber attack in 2023. This penalty followed a joint investigation with Canadian authorities and addressed one of the most sensitive types of personal data breaches: genetic information.
The Credential Stuffing Attack
Between April and September 2023, a hacker carried out a credential stuffing attack on 23andMe's platform, exploiting reused login credentials that were stolen from previous unrelated data breaches. This resulted in the unauthorised access to personal information belonging to 155,592 UK residents.
The breach exposed names, birth years, self-reported city or postcode-level location, profile images, race, ethnicity, family trees and health reports, affecting individuals whose genetic data represents some of the most intimate personal information possible.
Systemic Security Failures
The ICO identified multiple critical security deficiencies:
- Unsatisfactory authentication measures, including lack of mandatory MFA and unsecure password requirements
- No measures taken to prevent accessing and downloading raw genetic data
- No measures to adequately monitor, detect, or respond to security threats to user data
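The deficiencies above are what a credential-stuffing campaign exploits: one source tries many different accounts, each usually once, with a low success rate, a pattern that per-account lockout alone does not catch. The following is an added example, not code from the article or from 23andMe, showing a minimal detector over constructed authentication log lines; the log format and the thresholds are assumptions.

```python
# Added example: flag credential stuffing in authentication logs.
# Heuristic: one source IP attempts >= min_users distinct accounts inside a
# time window with a low success rate. Log format and thresholds are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): "timestamp ip user result"
SAMPLE_LOG = """\
2023-05-01T10:00:01 203.0.113.7 alice FAIL
2023-05-01T10:00:02 203.0.113.7 bob FAIL
2023-05-01T10:00:03 203.0.113.7 carol FAIL
2023-05-01T10:00:04 203.0.113.7 dave SUCCESS
2023-05-01T10:00:05 203.0.113.7 erin FAIL
2023-05-01T10:00:06 203.0.113.7 frank FAIL
2023-05-01T10:30:00 198.51.100.9 alice FAIL
2023-05-01T10:30:05 198.51.100.9 alice FAIL
2023-05-01T10:30:09 198.51.100.9 alice SUCCESS
"""

def parse(log_text):
    """Yield (timestamp, ip, user, result) tuples from the assumed log format."""
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result

def detect_stuffing(log_text, window=timedelta(minutes=10),
                    min_users=5, max_success_rate=0.5):
    """Return {ip: (distinct_users, successes)} for source IPs whose attempts
    within `window` hit >= min_users distinct accounts with a success rate at
    or below max_success_rate. Successful logins from a flagged IP are the
    accounts to step up (MFA, forced password reset) and to notify."""
    per_ip = defaultdict(list)
    for ts, ip, user, result in sorted(parse(log_text)):
        per_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, events in per_ip.items():
        start = 0
        for end in range(len(events)):
            # Slide the window so it spans at most `window` of wall-clock time.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            successes = sum(1 for _, _, r in span if r == "SUCCESS")
            if len(users) >= min_users and successes / len(span) <= max_success_rate:
                flagged[ip] = (len(users), successes)
    return flagged

if __name__ == "__main__":
    # The spraying IP is flagged; the single-account retry from 198.51.100.9 is not.
    print(detect_stuffing(SAMPLE_LOG))
```

The second source, retrying one account, is deliberately not flagged: that is a brute-force or legitimate-retry pattern that lockout policies already address, whereas the low-and-slow spread across accounts is the signal a lockout threshold misses.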
Delayed Recognition and Response
Perhaps most concerning was 23andMe's inadequate incident response. The breach took place between April and September 2023, during which time the attackers used credential-stuffing techniques to access a small portion of the total user accounts. It was only in October 2023, following a post on Reddit that explicitly offered 23andMe data for sale, that 23andMe launched a full internal investigation.
Regulatory Commentary
UK Information Commissioner John Edwards said: "This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK". He emphasized that "once this information is out there, it cannot be changed or reissued like a password or credit card number".

3. Ireland: Department of Social Protection - €550,000 Fine
Biometric Data Without Legal Foundation
The Data Protection Commission (DPC) has fined the Department of Social Protection (DSP) €550,000 for breaches of privacy rules relating to the use of facial recognition technology in the registration process for the Public Services Card. This case represents a significant enforcement action against a government entity for biometric data processing violations.
The SAFE 2 Registration System
The Department of Social Protection (DSP) processes biometric facial templates and uses facial matching technologies as part of the registration process for the Public Services Card. This process is known as "SAFE 2 registration" and is mandatory for anyone who wishes to apply for a Public Services Card.
The scale of this processing is staggering: in 2021, DSP was in possession of face biometric data for approximately 70 percent of Ireland's population, a scale the DPC said necessitated strict legal safeguards.
Multiple GDPR Violations
The DPC found several serious violations:
- Infringed Articles 5(1)(a), 6(1), and 9(1) GDPR by failing to identify a valid lawful basis for the collection of biometric data in connection with SAFE 2 registration
- Infringed Article 5(1)(e) GDPR by retaining biometric data collected as part of SAFE 2 registration
- Infringed Article 35(7)(b) and Article 35(7)(c) GDPR by failing to include certain details in the Data Protection Impact Assessment
Government Response and Civil Rights Concerns
The Department of Social Protection said it believes that it has a valid legal basis and that it does satisfy the requirements of transparency required to operate the SAFE process. However, the Irish Council for Civil Liberties (ICCL), which has campaigned against the use of facial recognition in the Public Services Card for more than 15 years, welcomed the decision but described it as "more than a decade late and inadequate".
The ICCL argued that "The Department effectively created a de facto national biometric ID system by stealth over 15-plus years without a proper legal foundation. This illegal database of millions of Irish people's biometric data must be deleted".

4. Ireland: City of Dublin Education and Training Board - €125,000 Fine
Security Failures in Public Education
The DPC reprimanded CDETB, imposed administrative fines totalling €125,000 and ordered CDETB to bring its processing into compliance with the security requirements of the GDPR. This case demonstrates that even smaller public sector organizations face significant enforcement for basic security failures.
Multiple Security and Notification Violations
The City of Dublin Education and Training Board (CDETB) violated several key GDPR provisions:
- Infringed Articles 5(1)(f), 32(1) and 32(2) GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk
- Infringed Article 33(1) GDPR by failing to notify the DPC of the breach without undue delay
- Infringed Article 34(1) GDPR by failing to notify the affected data subjects of the breach without undue delay
Regulatory Pattern Recognition
This decision represents the second time in approximately six months that the DPC has sanctioned a public sector body for infringements related to a failure to ensure risk-appropriate security measures are implemented, as well as a failure to notify the DPC of a data breach without undue delay.
The regulator emphasized that the fines set out above, totalling €125,000, are substantially lower than the fining range proposed in the draft Decision, the maximum of which was €210,000, suggesting some mitigation factors were considered.
5. Italy: Noi Compriamo Auto.it S.r.l. - €45,000 Fine
Direct Marketing Violations and Data Subject Rights
The Italian DPA fined a car dealership €45,000 for unlawfully processing personal data for direct marketing and for related GDPR violations. While the smallest fine on this list, this case illustrates important principles around marketing consent and data subject rights.
The Violation Pattern
Noi Compriamo Auto.it S.r.l. (the controller) is a company that controls many car retailers across Italy. A data subject received numerous unwanted marketing communications from different email addresses. All emails promoted the controller's website (www.noicompriamoauto.it).
The company's violations included:
- Inadequate proof of consent for direct marketing
- Failure to respond promptly to data subject rights requests
- Lack of proper oversight of data processors
- Insufficient "double opt-in" documentation
Processor Liability Issues
Significantly, after exercising his rights, the data subject still received marketing communications from third parties (the processors) on behalf of the controller. On this basis, the controller claimed that it was not responsible for any GDPR violations committed by the processor. The DPA rejected the argument.
The Italian authority clarified that liability waivers and similar clauses only regulate the legal relationship between the parties. Such clauses do not exempt data controllers from complying with their duties under the GDPR.
Key Trends and Implications
1. Expansion Beyond Big Tech
While big tech continues to be the primary target, the regulatory landscape has expanded. Authorities are now increasingly focusing on other industries, including finance, healthcare, and energy, underscoring the broadening scope of GDPR enforcement. June 2025's fines demonstrate this trend, affecting the telecommunications, healthcare/genetics, government services, education, and automotive sectors.
2. Third-Party Risk Management
The Vodafone case highlights two critical compliance areas: inadequate authentication mechanisms in an era of rampant cyber attacks and social engineering, and poor vendor oversight. Organizations increasingly face liability for their partners' and processors' actions, making vendor due diligence essential.
3. Biometric Data Scrutiny
Both the German Vodafone authentication failures and the Irish Social Protection biometric processing case demonstrate heightened regulatory focus on biometric data and authentication systems. Biometric data is classified as "special category data" under the GDPR, warranting enhanced security controls due to the potential for misuse.
4. Government Accountability
The enforcement actions against Irish government entities demonstrate that public sector organizations face the same GDPR standards as private companies. The DPC therefore again emphasises that it is vitally important that organisations ensure that the risks related to processing personal data are assessed and that processing is carried out in a manner that ensures appropriate security.
5. Incident Response Requirements
Multiple cases emphasized the importance of timely breach notification and response. The average number of breach notifications per day increased slightly to 363 from 335 last year, but inadequate response remains a significant factor in penalty calculations.
Strategic Compliance Recommendations
Immediate Actions
- Third-Party Risk Assessment: Conduct comprehensive audits of all data processors and partners, ensuring Article 28 GDPR compliance
- Authentication Security Review: Implement multi-factor authentication and robust identity verification systems
- Biometric Data Audit: Review all biometric data processing for appropriate legal bases and security measures
- Incident Response Testing: Ensure breach notification procedures can meet 72-hour requirements
Long-term Strategic Considerations
- Privacy by Design: Embed data protection requirements into system architecture from the outset
- Vendor Management Programs: Establish ongoing monitoring and assessment of third-party data processing
- Cross-Border Coordination: Prepare for joint investigations as regulators increasingly collaborate internationally
- Sector-Specific Compliance: Recognize that traditional "low-risk" sectors now face intense scrutiny
Looking Forward: The Enforcement Evolution
2025 may well be the year that regulators pivot more to naming and shaming and personal accountability, as evidenced by the Dutch Data Protection Commission announcing that it is investigating whether it can hold the directors of Clearview AI personally liable for numerous breaches of the GDPR.
The June 2025 fines represent more than isolated enforcement actions; they signal a maturing regulatory environment where:
- No sector is immune from significant enforcement
- Technical security failures carry severe financial consequences
- Biometric and sensitive data processing faces heightened scrutiny
- Third-party relationships create direct liability for controllers
- Government entities must meet the same standards as private organizations
Conclusion
June 2025's GDPR enforcement activity totaling over €48 million demonstrates the continued evolution and intensification of European data protection enforcement. From Vodafone's massive third-party risk management failures to 23andMe's genetic data security breaches, these cases provide crucial lessons for organizations worldwide.
The clear year-on-year trend in GDPR enforcement remains upwards, with the average fine being EUR 2,360,409 across all countries. Organizations that fail to learn from these enforcement patterns do so at their peril, as regulatory authorities demonstrate increasing sophistication in identifying violations and calculating proportionate penalties.
The message is clear: robust data protection compliance is no longer optional but essential for business continuity in the modern regulatory environment. As we expect this trend to continue during 2025 as US AI technology comes up against European data protection laws, proactive compliance investment represents not just a regulatory necessity but a competitive advantage in an increasingly privacy-conscious marketplace.