GDPR Enforcement in Public Sector & Education

Deep dive into relevant data protection enforcement cases and insights for public sector & education

21 May 2026

In the public and education sector, DPAs from 27 different countries have imposed a total of 327 fines (+68 in comparison to the 2025 ETR) on representatives of local governments (such as mayors), police officers, schools, universities and other public bodies or educational institutions amounting to a total of more than EUR 37 million (+7.26 million in comparison to the 2025 ETR).

In a pattern that is mainly consistent with the overall distribution of GDPR fines in the Enforcement Tracker, fines related to an insufficient legal basis for data processing (123 fines in total) and insufficient technical and organisational measures (90 fines in total) cover the majority of fines in the public and education sector. The next most common type of GDPR violation overall (non-compliance with general data processing principles) is less relevant in the public sector and in education but has increased significantly in the recent past (67 fines in total).

Key numbers

  • Total number of fines: 327
  • Total amount: EUR 37,000,000
  • Average amount: EUR 113,302
  • Biggest fine: EUR 5,000,000

Let's take a closer look

  • The highest fine in the public and education sector to date was issued by the French DPA (CNIL), which fined the public employment agency France Travail EUR 5 million for violations of Art. 32 GDPR following a large-scale data breach (ETid-3026). Attackers used social engineering to compromise accounts of authorised external advisers and gained access to personal data of individuals registered with the agency over the past twenty years, affecting 38,820,828 persons. The DPA found that overly broad access rights, weak authentication and insufficient logging and monitoring constituted a failure to implement appropriate security measures under Art. 32 GDPR.
     
  • The second-highest fine was issued by the Portuguese DPA, which fined the Portuguese National Statistical Institute EUR 4.3 million for multiple violations of several general data processing principles of the GDPR in connection with the 2021 census in Portugal (ETid-1524). The authority failed to inform individuals that providing religious and health data was voluntary, did not properly vet its processor and allowed data transfers outside the EEA without sufficient safeguards. Additionally, no data protection impact assessment was carried out for the census.
     
  • Since the COVID-19 pandemic, universities and schools have increasingly used digital tools for online classes and exams. In this context, several GDPR fines were issued. For example, the Italian DPA (Garante) fined Bocconi University EUR 200,000 for using remote monitoring software during online exams, as students were video-monitored and snapshots taken without proper information on data processing (ETid-876).
     
  • The number of fines for insufficient data security measures has also increased. The UK DPA (ICO) fined the Police Service of Northern Ireland £750,000 (EUR 907,000) after a spreadsheet released in response to a Freedom of Information request accidentally exposed the personal details of all 9,483 officers and staff, including surnames, initials, ranks, roles and other sensitive information. The breach caused significant risk and distress and could have been prevented through simple procedures (ETid-2555). The Latvian DPA (DVI) fined IT service provider ZZ Dats EUR 300,000 after a large-scale breach affected 42 municipalities, exposing residents’ names, personal identification numbers, addresses and municipal employee data (ETid-2930).
     
  • DPAs are increasingly focusing on transparency obligations, emphasising that individuals must be clearly informed about how their data are processed. The Irish DPA (DPC) imposed a fine of EUR 550,000 on the Department of Social Protection for unlawfully using facial matching technology in the SAFE 2 registration process for the Public Services Card, collecting and retaining biometric facial templates on a large scale without a legal basis and failing to provide clear information to individuals (ETid-2657). Further, the Spanish DPA (AEPD) fined the Spanish Chamber of Commerce EUR 500,000 for unlawfully transferring the personal data of over 1.4 million self-employed individuals (including names, addresses and tax IDs) to Camerdata, a private data processor that shared the received data with commercial data brokers (ETid-2874). The AEPD rejected the Chamber’s claim that informing all affected individuals would constitute a “disproportionate effort” and held that Art. 14 GDPR still required that data subjects be properly informed.

Main takeaways

Public authorities hold a special position of trust that requires particularly strict compliance with data protection laws and an outstandingly high level of data security: they often process highly sensitive data and are therefore attractive targets for cyberattacks as well as vulnerable to accidental disclosure. The same applies to schools and other educational establishments, in particular those that process personal data of minors. DPAs appear to have increased scrutiny of the public and education sector, in particular in connection with the use of technology (e.g. online education tools used in schools and universities).

Further, the number of fines in the public sector for violations of data protection laws with regard to the processing of sensitive data in general, as well as profiling and tracking or surveillance of individuals, continues to grow. In this context, it is notable that the highest and the second-highest fines in the public and education sector result from an extensive and systematic collection and processing of personal data (including sensitive data) of citizens, mainly for statistical and profiling purposes.

Compliance hotspots

  • Hotspot 1: Insufficient legal basis for data processing
    In the public and education sector, fines related to an insufficient legal basis for data processing make up the majority of cases, often linked to inadequate transparency and a failure to properly inform citizens about how their personal data is collected and used, particularly in the context of monitoring or profiling activities.
     
  • Hotspot 2: Insufficient technical and organisational measures to ensure information security
    Inadequate security controls remain a major compliance risk in the public sector, with several large-scale breaches resulting from preventable weaknesses such as poor access management, unsecured data exports and outdated system configurations. Supervisory authorities are increasingly penalising incidents where basic safeguards could have prevented significant exposures of sensitive personal information.
     
  • Hotspot 3: Non-compliance with general data processing principles
    As demonstrated by the Portuguese DPA's EUR 4.3 million fine for widespread lapses during the 2021 census, DPAs impose substantial fines for non-compliance with general data processing principles, including the principles of lawfulness, fairness and transparency, purpose limitation and data minimisation.

Outlook

It is rather likely that DPAs will continue to maintain close scrutiny of the public and education sector, particularly as schools, universities and public bodies continue to expand their use of digital tools and technology-driven processes. This growing digital reliance raises the stakes for compliance, especially where sensitive data or minors are concerned.

At the same time, transparency and information duties are likely to gain even more regulatory attention. The EDPB selected compliance with the obligations of transparency and information as its enforcement priority for 2026. Against this background, public authorities should ensure that individuals are properly informed about the processing of their personal data.
