In 2025, enforcement in the individuals and private associations sector continued to cover a wide range of cases, from minor private misconduct to high‑profile violations by organised associations. The sector touches both sensitive personal disputes and big professional football associations.
Enforcement here is relevant to every EU citizen in their everyday lives. Personal data plays a big role in small non-profit organisations, in conflicts between neighbours, in everyday video surveillance and in individual misuse of personal data by police officers.
In this way, the sector shapes public perceptions of data protection and of data protection authorities among EU citizens.
Key numbers
Let's take a closer look
- The two highest fines of EUR 1 million and EUR 600 thousand were issued against Spanish football associations for not carrying out a DPIA regarding their use of an identification system based on facial recognition and biometric tokens (ETid-2545 and ETid-2575).
- Fines against private individuals were generally much lower, most often below EUR 2,000.
- The lowest fine of EUR 48 was issued against an Estonian police officer (ETid-384) who accessed personal data in a police database for private research.
- Many cases against individuals and private associations involve video surveillance on private grounds or in traffic. DPAs regularly imposed fines for such violations, even on private individuals.
Main takeaways
Compliance hotspots
- The most common compliance risks for individuals and private associations mainly concern video surveillance, misuse of access rights, and the handling of biometric data. Nearly half of all fines in this sector were imposed due to illegal video surveillance, highlighting the particular attention that data protection authorities pay to this form of data processing. Video surveillance is considered especially risky, meaning that even private individuals must meet strict requirements.
- In addition, authorities regularly sanction unauthorised access to personal data in internal systems, such as the improper use of access rights. Another central risk is the processing of biometric data, especially when facial recognition or biometric access systems are used without a sufficient legal basis or transparency. These developments show that both technical and organisational measures in this sector are increasingly coming under the scrutiny of supervisory authorities.
Outlook
Enforcement against individuals and private associations is likely to become more standardised and increasingly technology‑focused rather than significantly more punitive overall. Visible and complaint‑prone processing activities, especially video surveillance, will remain a primary driver of enforcement. At the same time, recent enforcement signals suggest a shift toward more intrusive technologies, particularly where associations use facial recognition, biometric access systems or other novel tools without a proper legal basis, transparency, or a DPIA.
For larger non-profits, leagues and member organisations, regulators are likely to continue applying essentially the same standards as for commercial businesses, especially on TOMs, privacy notices, lawful basis and data subject rights. That fits the broader GDPR trend: across all sectors, the most common enforcement triggers remain insufficient legal basis, breaches of core processing principles, weak security, and failures to honour data subject rights.
Overall, the likely trajectory is a combination of many low-value domestic fines against individuals and occasional higher-profile cases against big associations using high-risk or large-scale member data processing, with active authorities such as Spain continuing to shape the enforcement landscape.