{
    "componentChunkName": "component---src-templates-post-js",
    "path": "/blog/gdpr-enforcement-heat-map-q2-2026",
    "result": {"data":{"allPrismicBlogpostpage":{"edges":[{"node":{"uid":"gdpr-enforcement-heat-map-q2-2026","type":"blogpostpage","lang":"en-gb","id":"fe3dc7f8-0897-54f1-9ec4-3b760e7f798d","alternate_languages":[],"data":{"activate_public_scanner_cta_header":false,"metadescription":{"text":"Proprietary analysis of 2,685 GDPR fines from the CMS Enforcement Tracker. Q2 2026 DPA heat map, sector risk ranking for H2 2026, the EDPB's CEF 2026 transparency action, and the four violation categories — transparency, AI processing, erasure rights, third-country transfers — defining the next six months of enforcement."},"metatitle":{"text":"GDPR Enforcement Heat Map Q2 2026: Which DPAs Are Fining and Who's Next"},"categories":[{"is_pilar_page_":false,"table_of_content_title":{"richText":[]}}],"backgroundpreview":{"alt":null,"url":null},"title":{"text":"GDPR Enforcement Heat Map Q2 2026: Which DPAs Are Fining, What For, and Who's Next"},"preview":{"alt":null,"url":"https://images.prismic.io/secure-privacy/ajKt_o1P9HI4UoJB_heatmap.png?ixlib=gatsbyFP&auto=format%2Ccompress&fit=max&q=45"},"date":"2026-06-18","canonical":{"text":"https://secureprivacy.ai/blog/gdpr-enforcement-heat-map-q2-2026"},"body":[{"id":"c0abd74c-7d1f-5710-9c16-8ceccebfab79","slice_type":"text","primary":{"text":{"richText":[{"type":"paragraph","text":"Sources: CMS GDPR Enforcement Tracker Report (March 2026 edition, 2,685 verified fines); EDPB press releases; DPA press offices; DLA Piper GDPR Fines and Data Breach Survey January 2026; enforcementtracker.com live statistics","spans":[{"start":0,"end":225,"type":"em"},{"start":9,"end":44,"type":"hyperlink","data":{"link_type":"Web","url":"https://cms.law/en/int/publication/GDPR-Enforcement-Tracker-Report/numbers-and-figures","target":"_blank"}},{"start":89,"end":108,"type":"hyperlink","data":{"link_type":"Web","url":"https://www.edpb.europa.eu/news/news/2026/cef-2026-edpb-launches-coordinated-enforcement-action-transparency-and-information_en","target":"_blank"}},{"start":187,"end":225,"type":"hyperlink","data":{"link_type":"Web","url":"https://www.enforcementtracker.com/statistics","target":"_blank"}}],"direction":"ltr"},{"type":"heading2","text":"What This Analysis Is and Why It Exists","spans":[],"direction":"ltr"},{"type":"paragraph","text":"Every major GDPR enforcement summary tells you what already happened. This one tells you what is about to happen.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"Using DPA activity data from January 1 to June 15, 2026, the EDPB's published enforcement priorities, and sector-level fine frequency patterns from the CMS GDPR Enforcement Tracker database — 2,685 verified fines recorded between May 25, 2018 and March 1, 2026 — Secure Privacy's enforcement intelligence team has built the first sector-level risk ranking for H2 2026: which DPAs are accelerating, which sectors are in the crosshairs, and which specific violation categories are generating the pipeline of investigations that will produce fines between now and December 31, 2026.","spans":[{"start":152,"end":180,"type":"hyperlink","data":{"link_type":"Web","url":"https://cms.law/en/int/publication/GDPR-Enforcement-Tracker-Report/numbers-and-figures","target":"_blank"}}],"direction":"ltr"},{"type":"paragraph","text":"This is not a historical review, but a forward risk map.","spans":[],"direction":"ltr"},{"type":"heading2","text":"The Enforcement Baseline: Where We Are as of Q2 2026","spans":[],"direction":"ltr"},{"type":"paragraph","text":"Before mapping forward risk, the current picture:","spans":[],"direction":"ltr"}]}}},{"id":"dc95bf25-c153-567e-84ef-2055961ce66b","slice_type":"new_table","items":[{"header_col":{"richText":[{"type":"paragraph","text":"Metric","spans":[]}]}},{"header_col":{"richText":[{"type":"paragraph","text":"Figure","spans":[]}]}},{"header_col":{"richText":[{"type":"paragraph","text":"Source","spans":[]}]}}]},{"id":"5f52f3e9-65f5-5832-9ce1-8fc90301dc9d","slice_type":"new_table_body","items":[{"col1_image":{"alt":null,"url":null},"col1":{"richText":[{"type":"paragraph","text":"Cumulative GDPR fines since May 2018","spans":[]}]},"col2_image":{"alt":null,"url":null},"col2":{"richText":[{"type":"paragraph","text":"€7.1 billion","spans":[]}]},"col3_image":{"alt":null,"url":null},"col3":{"richText":[{"type":"paragraph","text":"DLA Piper / CMS Tracker, 2026","spans":[]}]},"col4_image":{"alt":null,"url":null},"col4":{"richText":[]},"col5_image":{"alt":null,"url":null},"col5":{"richText":[]},"col6_image":{"alt":null,"url":null},"col6":{"richText":[]},"col7_image":{"alt":null,"url":null},"col7":{"richText":[]}},{"col1_image":{"alt":null,"url":null},"col1":{"richText":[{"type":"paragraph","text":"Verified fines in CMS database","spans":[]}]},"col2_image":{"alt":null,"url":null},"col2":{"richText":[{"type":"paragraph","text":"2,685 (3,062 including partial data)","spans":[]}]},"col3_image":{"alt":null,"url":null},"col3":{"richText":[{"type":"paragraph","text":"CMS Enforcement Tracker Report, March 2026","spans":[]}]},"col4_image":{"alt":null,"url":null},"col4":{"richText":[]},"col5_image":{"alt":null,"url":null},"col5":{"richText":[]},"col6_image":{"alt":null,"url":null},"col6":{"richText":[]},"col7_image":{"alt":null,"url":null},"col7":{"richText":[]}},{"col1_image":{"alt":null,"url":null},"col1":{"richText":[{"type":"paragraph","text":"Total fines issued in 2025","spans":[]}]},"col2_image":{"alt":null,"url":null},"col2":{"richText":[{"type":"paragraph","text":"€1.2 billion","spans":[]}]},"col3_image":{"alt":null,"url":null},"col3":{"richText":[{"type":"paragraph","text":"DLA Piper GDPR Survey, January 2026","spans":[]}]},"col4_image":{"alt":null,"url":null},"col4":{"richText":[]},"col5_image":{"alt":null,"url":null},"col5":{"richText":[]},"col6_image":{"alt":null,"url":null},"col6":{"richText":[]},"col7_image":{"alt":null,"url":null},"col7":{"richText":[]}},{"col1_image":{"alt":null,"url":null},"col1":{"richText":[{"type":"paragraph","text":"Average fine (all time)","spans":[]}]},"col2_image":{"alt":null,"url":null},"col2":{"richText":[{"type":"paragraph","text":"€2.36 million","spans":[]}]},"col3_image":{"alt":null,"url":null},"col3":{"richText":[{"type":"paragraph","text":"CMS Enforcement Tracker, 2026","spans":[]}]},"col4_image":{"alt":null,"url":null},"col4":{"richText":[]},"col5_image":{"alt":null,"url":null},"col5":{"richText":[]},"col6_image":{"alt":null,"url":null},"col6":{"richText":[]},"col7_image":{"alt":null,"url":null},"col7":{"richText":[]}},{"col1_image":{"alt":null,"url":null},"col1":{"richText":[{"type":"paragraph","text":"Daily breach notifications to DPAs","spans":[]}]},"col2_image":{"alt":null,"url":null},"col2":{"richText":[{"type":"paragraph","text":"443 per day (22% YoY increase)","spans":[]}]},"col3_image":{"alt":null,"url":null},"col3":{"richText":[{"type":"paragraph","text":"DLA Piper, 2026","spans":[]}]},"col4_image":{"alt":null,"url":null},"col4":{"richText":[]},"col5_image":{"alt":null,"url":null},"col5":{"richText":[]},"col6_image":{"alt":null,"url":null},"col6":{"richText":[]},"col7_image":{"alt":null,"url":null},"col7":{"richText":[]}},{"col1_image":{"alt":null,"url":null},"col1":{"richText":[{"type":"paragraph","text":"Country with most fines by count","spans":[]}]},"col2_image":{"alt":null,"url":null},"col2":{"richText":[{"type":"paragraph","text":"Spain (AEPD, ~1,000+ fines)","spans":[]}]},"col3_image":{"alt":null,"url":null},"col3":{"richText":[{"type":"paragraph","text":"CMS Tracker","spans":[]}]},"col4_image":{"alt":null,"url":null},"col4":{"richText":[]},"col5_image":{"alt":null,"url":null},"col5":{"richText":[]},"col6_image":{"alt":null,"url":null},"col6":{"richText":[]},"col7_image":{"alt":null,"url":null},"col7":{"richText":[]}},{"col1_image":{"alt":null,"url":null},"col1":{"richText":[{"type":"paragraph","text":"Country with most fines by value","spans":[]}]},"col2_image":{"alt":null,"url":null},"col2":{"richText":[{"type":"paragraph","text":"Ireland (DPC, €4.04 billion cumulative)","spans":[]}]},"col3_image":{"alt":null,"url":null},"col3":{"richText":[{"type":"paragraph","text":"Improvado / CMS, 2026","spans":[]}]},"col4_image":{"alt":null,"url":null},"col4":{"richText":[]},"col5_image":{"alt":null,"url":null},"col5":{"richText":[]},"col6_image":{"alt":null,"url":null},"col6":{"richText":[]},"col7_image":{"alt":null,"url":null},"col7":{"richText":[]}},{"col1_image":{"alt":null,"url":null},"col1":{"richText":[{"type":"paragraph","text":"Most-fined sector by cumulative value","spans":[]}]},"col2_image":{"alt":null,"url":null},"col2":{"richText":[{"type":"paragraph","text":"Media, Telecoms and Broadcasting (~70% of all corporate fine value)","spans":[]}]},"col3_image":{"alt":null,"url":null},"col3":{"richText":[{"type":"paragraph","text":"CMS Enforcement Tracker Report","spans":[]}]},"col4_image":{"alt":null,"url":null},"col4":{"richText":[]},"col5_image":{"alt":null,"url":null},"col5":{"richText":[]},"col6_image":{"alt":null,"url":null},"col6":{"richText":[]},"col7_image":{"alt":null,"url":null},"col7":{"richText":[]}},{"col1_image":{"alt":null,"url":null},"col1":{"richText":[{"type":"paragraph","text":"Most common violation category","spans":[]}]},"col2_image":{"alt":null,"url":null},"col2":{"richText":[{"type":"paragraph","text":"Insufficient legal basis for processing (Art. 6)","spans":[]}]},"col3_image":{"alt":null,"url":null},"col3":{"richText":[{"type":"paragraph","text":"CMS Enforcement Tracker Report","spans":[]}]},"col4_image":{"alt":null,"url":null},"col4":{"richText":[]},"col5_image":{"alt":null,"url":null},"col5":{"richText":[]},"col6_image":{"alt":null,"url":null},"col6":{"richText":[]},"col7_image":{"alt":null,"url":null},"col7":{"richText":[]}}]},{"id":"f862ab0a-1476-536b-bc7e-0fbb13d62824","slice_type":"text","primary":{"text":{"richText":[{"type":"paragraph","text":"The headline trend: enforcement is not plateauing. The 22% year-over-year increase in daily breach notifications, combined with EDPB coordination that is broadening fine values across smaller national DPAs, means the H2 2026 fine pipeline is already larger than it was at the same point in 2025.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"What the €7.1 billion headline figure actually means — and why it misleads if read flat:","spans":[{"start":0,"end":88,"type":"strong"}],"direction":"ltr"},{"type":"paragraph","text":"The aggregate is dominated by a small number of mega-fines. Meta's €1.2 billion transfer-violation penalty alone accounts for roughly 17% of all GDPR fine value ever issued. Strip out the five largest decisions on record — Meta (€1.2B), Amazon (€746M, since procedurally annulled), TikTok (€530M), Uber (€290M), and Criteo's predecessor case — and the remaining 2,680 cases average approximately €1.8 million per fine. This distinction matters operationally: a mid-sized organization is statistically far more likely to face a six- or seven-figure enforcement action than a billion-euro one, and compliance planning calibrated only to headline mega-fines will systematically underweight the actual, far more common risk profile.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"Key GDPR Enforcement Statistics — Q2 2026 Snapshot:","spans":[{"start":0,"end":51,"type":"strong"}],"direction":"ltr"},{"type":"list-item","text":"Cumulative GDPR fines since May 25, 2018: €7.1 billion","spans":[],"direction":"ltr"},{"type":"list-item","text":"GDPR fines issued in 2025 alone: €1.2 billion","spans":[],"direction":"ltr"},{"type":"list-item","text":"Average fine across all 2,685 verified cases: €2.36 million","spans":[],"direction":"ltr"},{"type":"list-item","text":"Average fine excluding the five largest mega-fines: approximately €1.8 million","spans":[],"direction":"ltr"},{"type":"list-item","text":"Daily breach notifications received by EU DPAs in 2026: 443 (up 22% year-over-year)","spans":[],"direction":"ltr"},{"type":"list-item","text":"DPAs participating in the EDPB's 2026 Coordinated Enforcement Framework: 25","spans":[],"direction":"ltr"},{"type":"list-item","text":"Spain's AEPD 2025 fine total: €40 million across 299 fines (up 14% from 2024)","spans":[],"direction":"ltr"},{"type":"list-item","text":"Ireland's DPC cumulative fine value: €4.04 billion (the dominant figure cited across nearly every enforcement tracker; one outlier source has reported €2.8 billion without a disclosed methodology, which we treat as unverified pending a published source)","spans":[],"direction":"ltr"},{"type":"heading2","text":"The DPA Heat Map: Scoring Each Authority Q2 2026","spans":[],"direction":"ltr"},{"type":"paragraph","text":"Secure Privacy's DPA Heat Map scores each major supervisory authority on three dimensions: Fine Frequency (volume of enforcement actions Q1–Q2 2026), Escalation Signal (whether fine values are increasing, decreasing, or stable), and Forward Focus (whether the DPA has published or signaled a specific enforcement priority for H2 2026).","spans":[{"start":91,"end":105,"type":"strong"},{"start":150,"end":167,"type":"strong"},{"start":233,"end":246,"type":"strong"}],"direction":"ltr"}]}}},{"id":"8333a170-1647-5fa2-8ba9-67923d789b2d","slice_type":"new_table","items":[{"header_col":{"richText":[{"type":"paragraph","text":"DPA","spans":[]}]}},{"header_col":{"richText":[{"type":"paragraph","text":"Country","spans":[]}]}},{"header_col":{"richText":[{"type":"paragraph","text":"Fine Frequency Q2 2026","spans":[]}]}},{"header_col":{"richText":[{"type":"paragraph","text":"Escalation Signal","spans":[]}]}},{"header_col":{"richText":[{"type":"paragraph","text":"Forward Focus H2 2026","spans":[]}]}},{"header_col":{"richText":[{"type":"paragraph","text":"Heat Map Rating","spans":[]}]}}]},{"id":"54316c2d-e3d3-5b23-9f48-c74593025ca3","slice_type":"new_table_body","items":[{"col1_image":{"alt":null,"url":null},"col1":{"richText":[{"type":"paragraph","text":"AEPD","spans":[]}]},"col2_image":{"alt":null,"url":null},"col2":{"richText":[{"type":"paragraph","text":"Spain","spans":[]}]},"col3_image":{"alt":null,"url":null},"col3":{"richText":[{"type":"paragraph","text":"🔴 Very High (highest volume in EU)","spans":[]}]},"col4_image":{"alt":null,"url":null},"col4":{"richText":[{"type":"paragraph","text":"🔴 Escalating (€40M+ in 2025, up 14% YoY)","spans":[]}]},"col5_image":{"alt":null,"url":null},"col5":{"richText":[{"type":"paragraph","text":"Biometric data, DPIA failures, AI systems","spans":[]}]},"col6_image":{"alt":null,"url":null},"col6":{"richText":[{"type":"paragraph","text":"🔴🔴 Extreme","spans":[]}]},"col7_image":{"alt":null,"url":null},"col7":{"richText":[]}},{"col1_image":{"alt":null,"url":null},"col1":{"richText":[{"type":"paragraph","text":"Garante","spans":[]}]},"col2_image":{"alt":null,"url":null},"col2":{"richText":[{"type":"paragraph","text":"Italy","spans":[]}]},"col3_image":{"alt":null,"url":null},"col3":{"richText":[{"type":"paragraph","text":"🔴 High (AI fines emerging)","spans":[]}]},"col4_image":{"alt":null,"url":null},"col4":{"richText":[{"type":"paragraph","text":"🔴 Escalating (aligning to Irish/French levels)","spans":[]}]},"col5_image":{"alt":null,"url":null},"col5":{"richText":[{"type":"paragraph","text":"AI data processing, telecom, employment","spans":[]}]},"col6_image":{"alt":null,"url":null},"col6":{"richText":[{"type":"paragraph","text":"🔴🔴 Extreme","spans":[]}]},"col7_image":{"alt":null,"url":null},"col7":{"richText":[]}},{"col1_image":{"alt":null,"url":null},"col1":{"richText":[{"type":"paragraph","text":"CNIL","spans":[]}]},"col2_image":{"alt":null,"url":null},"col2":{"richText":[{"type":"paragraph","text":"France","spans":[]}]},"col3_image":{"alt":null,"url":null},"col3":{"richText":[{"type":"paragraph","text":"🟠 High (major cases in Sept 2025)","spans":[]}]},"col4_image":{"alt":null,"url":null},"col4":{"richText":[{"type":"paragraph","text":"🟠 Stable-high","spans":[]}]},"col5_image":{"alt":null,"url":null},"col5":{"richText":[{"type":"paragraph","text":"Cookie consent, ad tech, transparency","spans":[]}]},"col6_image":{"alt":null,"url":null},"col6":{"richText":[{"type":"paragraph","text":"🔴 Very High","spans":[]}]},"col7_image":{"alt":null,"url":null},"col7":{"richText":[]}},{"col1_image":{"alt":null,"url":null},"col1":{"richText":[{"type":"paragraph","text":"DPC","spans":[]}]},"col2_image":{"alt":null,"url":null},"col2":{"richText":[{"type":"paragraph","text":"Ireland","spans":[]}]},"col3_image":{"alt":null,"url":null},"col3":{"richText":[{"type":"paragraph","text":"🟠 Moderate volume, very high value","spans":[]}]},"col4_image":{"alt":null,"url":null},"col4":{"richText":[{"type":"paragraph","text":"🟠 Stable (pipeline of Big Tech cases)","spans":[]}]},"col5_image":{"alt":null,"url":null},"col5":{"richText":[{"type":"paragraph","text":"Cross-border transfers, GPAI transparency","spans":[]}]},"col6_image":{"alt":null,"url":null},"col6":{"richText":[{"type":"paragraph","text":"🔴 Very High","spans":[]}]},"col7_image":{"alt":null,"url":null},"col7":{"richText":[]}},{"col1_image":{"alt":null,"url":null},"col1":{"richText":[{"type":"paragraph","text":"BfDI / State DPAs","spans":[]}]},"col2_image":{"alt":null,"url":null},"col2":{"richText":[{"type":"paragraph","text":"Germany","spans":[]}]},"col3_image":{"alt":null,"url":null},"col3":{"richText":[{"type":"paragraph","text":"🟠 Moderate (federated structure)","spans":[]}]},"col4_image":{"alt":null,"url":null},"col4":{"richText":[{"type":"paragraph","text":"🟠 Stable-increasing","spans":[]}]},"col5_image":{"alt":null,"url":null},"col5":{"richText":[{"type":"paragraph","text":"Children's data, biometrics, employer processing","spans":[]}]},"col6_image":{"alt":null,"url":null},"col6":{"richText":[{"type":"paragraph","text":"🟠 High","spans":[]}]},"col7_image":{"alt":null,"url":null},"col7":{"richText":[]}},{"col1_image":{"alt":null,"url":null},"col1":{"richText":[{"type":"paragraph","text":"ICO","spans":[]}]},"col2_image":{"alt":null,"url":null},"col2":{"richText":[{"type":"paragraph","text":"UK","spans":[]}]},"col3_image":{"alt":null,"url":null},"col3":{"richText":[{"type":"paragraph","text":"🟡 Moderate","spans":[]}]},"col4_image":{"alt":null,"url":null},"col4":{"richText":[{"type":"paragraph","text":"🟠 Escalating (DUA Act raises PECR fines)","spans":[]}]},"col5_image":{"alt":null,"url":null},"col5":{"richText":[{"type":"paragraph","text":"Children's data, age verification, cookie consent","spans":[]}]},"col6_image":{"alt":null,"url":null},"col6":{"richText":[{"type":"paragraph","text":"🟠 High","spans":[]}]},"col7_image":{"alt":null,"url":null},"col7":{"richText":[]}},{"col1_image":{"alt":null,"url":null},"col1":{"richText":[{"type":"paragraph","text":"AP","spans":[]}]},"col2_image":{"alt":null,"url":null},"col2":{"richText":[{"type":"paragraph","text":"Netherlands","spans":[]}]},"col3_image":{"alt":null,"url":null},"col3":{"richText":[{"type":"paragraph","text":"🟠 Low-moderate volume, very high value","spans":[]}]},"col4_image":{"alt":null,"url":null},"col4":{"richText":[{"type":"paragraph","text":"🔴 Escalating (€100M Yango fine, May 2026)","spans":[]}]},"col5_image":{"alt":null,"url":null},"col5":{"richText":[{"type":"paragraph","text":"Third-country transfers (Russia, China), parent-company turnover-based fines","spans":[]}]},"col6_image":{"alt":null,"url":null},"col6":{"richText":[{"type":"paragraph","text":"🔴 Very High","spans":[]}]},"col7_image":{"alt":null,"url":null},"col7":{"richText":[]}},{"col1_image":{"alt":null,"url":null},"col1":{"richText":[{"type":"paragraph","text":"UODO","spans":[]}]},"col2_image":{"alt":null,"url":null},"col2":{"richText":[{"type":"paragraph","text":"Poland","spans":[]}]},"col3_image":{"alt":null,"url":null},"col3":{"richText":[{"type":"paragraph","text":"🟡 Low-moderate","spans":[]}]},"col4_image":{"alt":null,"url":null},"col4":{"richText":[{"type":"paragraph","text":"🟡 Stable","spans":[]}]},"col5_image":{"alt":null,"url":null},"col5":{"richText":[{"type":"paragraph","text":"Breach notification failures, financial sector","spans":[]}]},"col6_image":{"alt":null,"url":null},"col6":{"richText":[{"type":"paragraph","text":"🟡 Medium","spans":[]}]},"col7_image":{"alt":null,"url":null},"col7":{"richText":[]}},{"col1_image":{"alt":null,"url":null},"col1":{"richText":[{"type":"paragraph","text":"DPA","spans":[]}]},"col2_image":{"alt":null,"url":null},"col2":{"richText":[{"type":"paragraph","text":"Romania","spans":[]}]},"col3_image":{"alt":null,"url":null},"col3":{"richText":[{"type":"paragraph","text":"🟡 Moderate volume, low value","spans":[]}]},"col4_image":{"alt":null,"url":null},"col4":{"richText":[{"type":"paragraph","text":"🟡 Stable","spans":[]}]},"col5_image":{"alt":null,"url":null},"col5":{"richText":[{"type":"paragraph","text":"Consumer-facing processing, marketing","spans":[]}]},"col6_image":{"alt":null,"url":null},"col6":{"richText":[{"type":"paragraph","text":"🟡 Medium","spans":[]}]},"col7_image":{"alt":null,"url":null},"col7":{"richText":[]}},{"col1_image":{"alt":null,"url":null},"col1":{"richText":[{"type":"paragraph","text":"CNPD","spans":[]}]},"col2_image":{"alt":null,"url":null},"col2":{"richText":[{"type":"paragraph","text":"Luxembourg","spans":[]}]},"col3_image":{"alt":null,"url":null},"col3":{"richText":[{"type":"paragraph","text":"🟡 Low (post-Amazon annulment)","spans":[]}]},"col4_image":{"alt":null,"url":null},"col4":{"richText":[{"type":"paragraph","text":"🟡 Uncertain (Amazon case returned to CNPD)","spans":[]}]},"col5_image":{"alt":null,"url":null},"col5":{"richText":[{"type":"paragraph","text":"Data transfers, financial services","spans":[]}]},"col6_image":{"alt":null,"url":null},"col6":{"richText":[{"type":"paragraph","text":"🟡 Medium","spans":[]}]},"col7_image":{"alt":null,"url":null},"col7":{"richText":[]}}]},{"id":"04dbffe0-4ef2-521f-bd4a-b4c012fc332a","slice_type":"text","primary":{"text":{"richText":[{"type":"paragraph","text":"Reading the heat map: \n🔴🔴 Extreme = highest probability of significant enforcement action in H2 2026 based on current trajectory. \n🔴 Very High = active enforcement with documented pipeline. \n🟠 High = elevated activity with specific sector signals. \n🟡 Medium = baseline enforcement, no specific escalation signals identified.","spans":[{"start":0,"end":21,"type":"strong"},{"start":23,"end":329,"type":"em"}],"direction":"ltr"},{"type":"heading2","text":"The Q2 2026 Case Register: What Actually Happened","spans":[],"direction":"ltr"},{"type":"paragraph","text":"The following Q2 2026 enforcement actions are sourced from verified DPA press releases and the CMS Enforcement Tracker database.","spans":[],"direction":"ltr"},{"type":"heading3","text":"Spain (AEPD) — Q2 2026 Pattern","spans":[],"direction":"ltr"},{"type":"paragraph","text":"Spain's AEPD ended Q1 2026 in full acceleration mode and has carried that posture into Q2. The defining enforcement shift: the AEPD has moved beyond its historical pattern of high-volume, low-value consumer complaints into deliberate, high-value strategic enforcement.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"Key Q1–Q2 2026 AEPD actions establishing the Q2 pattern:","spans":[],"direction":"ltr"},{"type":"list-item","text":"FC Barcelona — €500,000 (March 4, 2026): Deficient biometric data DPIA. Significant because it is a sports/entertainment sector case, not telecom or finance — signalling AEPD sector expansion.","spans":[{"start":0,"end":23,"type":"strong"}],"direction":"ltr"},{"type":"list-item","text":"Yoti Ltd — €950,000 (March 10, 2026): UK-based digital identity company fined for three distinct GDPR violations including biometric processing without legal basis and inadequate transparency. Landmark ruling for age verification providers across all sectors.","spans":[{"start":0,"end":19,"type":"strong"}],"direction":"ltr"},{"type":"list-item","text":"AENA — €1.8 million (November 2025, establishing Q2 pattern): Airport operator fined for facial recognition failures — Article 35 DPIA violation, mirroring the pattern that produced Spain's largest-ever fine (€10 million against AENA for insufficient DPIA under Art. 35).","spans":[{"start":0,"end":19,"type":"strong"}],"direction":"ltr"},{"type":"paragraph","text":"AEPD Q2 2026 signature: Biometric data (Art. 9), DPIA failures (Art. 35), and AI system processing (the AEPD has confirmed it can act under GDPR against prohibited AI systems before Spain's national AI legislation is finalized). In 2025 the AEPD issued 299 fines totaling €40 million — a 14% increase from 2024's record. Q2 2026 is tracking at or above that pace.","spans":[{"start":0,"end":23,"type":"strong"}],"direction":"ltr"},{"type":"paragraph","text":"The AEPD's largest Q2 2026 action to date reinforces a pattern distinct from biometrics: B2B data reuse without transparency. Amadeus IT Group was fined €18 million (reduced to €14.4 million following voluntary payment) on May 26, 2026, for using airline and travel agency booking data to profile travelers without a valid Art. 6 legal basis and without informing data subjects under Art. 14 — a violation pattern specifically relevant to any B2B platform that receives personal data through intermediaries rather than directly from individuals. Amadeus has stated it will appeal.","spans":[{"start":126,"end":164,"type":"strong"}],"direction":"ltr"},{"type":"heading3","text":"Netherlands (AP) — Q2 2026 Pattern","spans":[],"direction":"ltr"},{"type":"paragraph","text":"The Dutch AP delivered Q2 2026's most geopolitically significant fine: €100 million against MLU B.V., the European parent of ride-hailing app Yango, announced May 8, 2026, for transferring Finnish and Norwegian users' personal data — including driver's license scans, bank account numbers, and precise location data — to Russia without GDPR-adequate safeguards. The case was investigated jointly with Finnish and Norwegian regulators and represents the first coordinated European GDPR ruling specifically targeting data transfers to Russia.","spans":[{"start":71,"end":147,"type":"strong"}],"direction":"ltr"},{"type":"paragraph","text":"AP Chair Aleid Wolfsen's public statement on the decision is among the most directly quotable regulatory statements of Q2 2026: \"In Russia, personal data is not as well protected as in Europe. This may allow the Russian government to gain access to this data.\" The fine was calculated against Yandex Group's global turnover of more than €12 billion, illustrating how parent-company revenue — not just the EU subsidiary's revenue — increasingly drives GDPR penalty calculations.","spans":[{"start":128,"end":260,"type":"em"}],"direction":"ltr"},{"type":"paragraph","text":"AP Q2 2026 signature: Third-country data transfer adequacy, parent-company turnover-based fine calculation, coordinated multi-DPA investigations. The Yango decision sits alongside the DPC's €530 million TikTok transfer fine as the clearest evidence that cross-border transfer enforcement has shifted from a paperwork exercise to a primary enforcement vector.","spans":[{"start":0,"end":21,"type":"strong"}],"direction":"ltr"},{"type":"heading3","text":"Italy (Garante) — Q2 2026 Pattern","spans":[],"direction":"ltr"},{"type":"paragraph","text":"The Garante is undergoing a structural enforcement shift. Historically focused on telecommunications, marketing consent, and employment data, it has in Q2 2026 become the most active European DPA on AI-related GDPR enforcement.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"Key case establishing the pattern:","spans":[],"direction":"ltr"},{"type":"list-item","text":"AI provider — €5 million (ETid-2611, 2026): The CMS Enforcement Tracker Report 2026 specifically cites this as the first significant European fine for AI-related GDPR violations. The Garante found unlawful personal data processing in the context of an AI system's training data. This is the opening case of what will likely be a series.","spans":[{"start":0,"end":24,"type":"strong"}],"direction":"ltr"},{"type":"paragraph","text":"The EDPB's harmonization guidelines — encouraging smaller DPAs to align penalty calculations with Irish and French levels — have been adopted by the Garante faster than any other EU authority. The practical effect: Garante fines that previously maxed out in the low millions are now calibrated to the same frameworks that produced the DPC's €530 million TikTok decision.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"Garante Q2 2026 signature: AI training data (GDPR + EU AI Act intersection), telecom marketing consent, employment data processing. The Garante has explicitly signalled that AI governance and GDPR compliance are no longer separable in its enforcement approach.","spans":[{"start":0,"end":26,"type":"strong"}],"direction":"ltr"},{"type":"heading3","text":"France (CNIL) — Q2 2026 Pattern","spans":[],"direction":"ltr"},{"type":"paragraph","text":"CNIL ended 2025 with two landmark decisions in September — Google €325 million and SHEIN €150 million — both for cookie consent failures and dark patterns. Q2 2026 has been comparatively quieter on major individual decisions, but CNIL's structural enforcement focus has sharpened.","spans":[{"start":59,"end":78,"type":"strong"},{"start":83,"end":101,"type":"strong"}],"direction":"ltr"},{"type":"paragraph","text":"CNIL is the lead European authority on the EDPB's 2026 Coordinated Enforcement Framework (CEF) action on transparency obligations under Articles 12–14 GDPR. This gives CNIL disproportionate influence over how the CEF investigation results translate into enforcement actions across 25 DPAs in H2 2026.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"CNIL Q2 2026 signature: Privacy notice adequacy, consent flow transparency, cookie dark patterns. Any organisation receiving a CEF questionnaire from any DPA is effectively participating in a coordinated investigation coordinated by CNIL's approach.","spans":[{"start":0,"end":23,"type":"strong"}],"direction":"ltr"},{"type":"heading3","text":"Ireland (DPC) — Q2 2026 Pattern","spans":[],"direction":"ltr"},{"type":"paragraph","text":"The DPC's headline enforcement position has not changed: it remains the highest-value enforcer globally, with €4.04 billion in cumulative fines reflecting its One-Stop-Shop role for most major US tech platforms. The Amazon fine annulment in Luxembourg (March 2026) has no bearing on DPC cases — the annulment was on procedural grounds specific to Luxembourg's administrative process.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"What has changed in Q2 2026: the DPC has opened investigations specifically targeted at GPAI (General-Purpose AI) transparency obligations under the EU AI Act, which became mandatory in August 2025. These are new enforcement territory — the first GDPR-adjacent AI Act investigations by any EU DPA — and will produce decisions in H2 2026 or early 2027.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"DPC Q2 2026 signature: GPAI transparency, cross-border data transfer adequacy, children's data (building on 2023 TikTok precedent). The DPC's pipeline is slower than Spain or Italy but each case is larger.","spans":[{"start":0,"end":22,"type":"strong"}],"direction":"ltr"},{"type":"heading3","text":"UK (ICO) — Q2 2026 Pattern","spans":[],"direction":"ltr"},{"type":"paragraph","text":"The ICO's Q2 2026 enforcement is defined by two structural changes: the Data (Use and Access) Act 2025, which raised maximum PECR fines from £500,000 to £17.5 million or 4% of global turnover — bringing cookie consent enforcement into the same penalty range as GDPR — and the Reddit £14.47 million fine (February 24, 2026) for children's data failures and absence of age assurance.","spans":[{"start":276,"end":302,"type":"strong"}],"direction":"ltr"},{"type":"paragraph","text":"The Reddit case has established children's data and age verification as the ICO's primary H2 2026 enforcement theme. Any platform with users under 18 and inadequate age assurance controls is in scope.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"ICO Q2 2026 signature: Children's data, age verification, cookie consent (now at GDPR-equivalent fine levels under DUA Act).","spans":[{"start":0,"end":22,"type":"strong"}],"direction":"ltr"},{"type":"heading2","text":"The EDPB CEF 2026: The Forward Risk Signal Every Organization Must Act On","spans":[],"direction":"ltr"},{"type":"paragraph","text":"This is the single most important forward enforcement signal of H2 2026, and it is being under-reported.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"On March 19, 2026, the EDPB formally launched its 2026 Coordinated Enforcement Framework (CEF) action. The topic: compliance with transparency and information obligations under GDPR Articles 12, 13, and 14. Twenty-five DPAs across the EEA are participating. The DPAs are contacting controllers from multiple sectors via enforcement actions and fact-finding questionnaires throughout 2026. Findings will be aggregated and exchanged between DPAs in H2 2026, with follow-up enforcement actions to follow.","spans":[{"start":19,"end":101,"type":"hyperlink","data":{"link_type":"Web","url":"https://www.edpb.europa.eu/news/news/2026/cef-2026-edpb-launches-coordinated-enforcement-action-transparency-and-information_en","target":"_blank"}},{"start":114,"end":206,"type":"strong"}],"direction":"ltr"},{"type":"paragraph","text":"What this means in practice:","spans":[{"start":0,"end":28,"type":"strong"}],"direction":"ltr"},{"type":"paragraph","text":"Articles 12, 13, and 14 cover:","spans":[],"direction":"ltr"},{"type":"list-item","text":"Art. 12: How information about data processing is presented — in a concise, transparent, intelligible, and easily accessible form, using clear and plain language","spans":[{"start":0,"end":8,"type":"strong"}],"direction":"ltr"},{"type":"list-item","text":"Art. 13: What information must be provided at the point of data collection (purpose, legal basis, retention, rights, international transfers)","spans":[{"start":0,"end":8,"type":"strong"}],"direction":"ltr"},{"type":"list-item","text":"Art. 14: What information must be provided when data is obtained from a source other than the data subject","spans":[{"start":0,"end":8,"type":"strong"}],"direction":"ltr"},{"type":"paragraph","text":"The CEF investigation is specifically examining whether controllers' privacy notices, consent disclosures, cookie banners, and in-app disclosure flows meet these requirements — in clear and plain language, for real users, not just legal compliance teams.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"\"The right to be informed is a core element of transparency and data subjects' control over their personal data,\" the EDPB stated at the March 2026 launch.","spans":[{"start":0,"end":113,"type":"em"}],"direction":"ltr"},{"type":"paragraph","text":"The CEF's enforcement trajectory has been consistent across its five years:","spans":[],"direction":"ltr"}]}}},{"id":"afc27995-dffb-5b7e-87fd-f221966750f5","slice_type":"new_table","items":[{"header_col":{"richText":[{"type":"paragraph","text":"Year","spans":[]}]}},{"header_col":{"richText":[{"type":"paragraph","text":"CEF Topic","spans":[]}]}},{"header_col":{"richText":[{"type":"paragraph","text":"Outcome","spans":[]}]}}]},{"id":"9192fc46-46ca-5b0b-afa5-bf533c661b2d","slice_type":"new_table_body","items":[{"col1_image":{"alt":null,"url":null},"col1":{"richText":[{"type":"paragraph","text":"2022","spans":[]}]},"col2_image":{"alt":null,"url":null},"col2":{"richText":[{"type":"paragraph","text":"Cloud services in public sector","spans":[]}]},"col3_image":{"alt":null,"url":null},"col3":{"richText":[{"type":"paragraph","text":"Published report; follow-up investigations in 6 countries","spans":[]}]},"col4_image":{"alt":null,"url":null},"col4":{"richText":[]},"col5_image":{"alt":null,"url":null},"col5":{"richText":[]},"col6_image":{"alt":null,"url":null},"col6":{"richText":[]},"col7_image":{"alt":null,"url":null},"col7":{"richText":[]}},{"col1_image":{"alt":null,"url":null},"col1":{"richText":[{"type":"paragraph","text":"2023","spans":[]}]},"col2_image":{"alt":null,"url":null},"col2":{"richText":[{"type":"paragraph","text":"DPO designation and position","spans":[]}]},"col3_image":{"alt":null,"url":null},"col3":{"richText":[{"type":"paragraph","text":"Published report; 17 follow-up enforcement actions","spans":[]}]},"col4_image":{"alt":null,"url":null},"col4":{"richText":[]},"col5_image":{"alt":null,"url":null},"col5":{"richText":[]},"col6_image":{"alt":null,"url":null},"col6":{"richText":[]},"col7_image":{"alt":null,"url":null},"col7":{"richText":[]}},{"col1_image":{"alt":null,"url":null},"col1":{"richText":[{"type":"paragraph","text":"2024","spans":[]}]},"col2_image":{"alt":null,"url":null},"col2":{"richText":[{"type":"paragraph","text":"Right of access (Art. 15)","spans":[]}]},"col3_image":{"alt":null,"url":null},"col3":{"richText":[{"type":"paragraph","text":"Published report; formal investigations opened","spans":[]}]},"col4_image":{"alt":null,"url":null},"col4":{"richText":[]},"col5_image":{"alt":null,"url":null},"col5":{"richText":[]},"col6_image":{"alt":null,"url":null},"col6":{"richText":[]},"col7_image":{"alt":null,"url":null},"col7":{"richText":[]}},{"col1_image":{"alt":null,"url":null},"col1":{"richText":[{"type":"paragraph","text":"2025","spans":[]}]},"col2_image":{"alt":null,"url":null},"col2":{"richText":[{"type":"paragraph","text":"Right to erasure (Art. 17)","spans":[]}]},"col3_image":{"alt":null,"url":null},"col3":{"richText":[{"type":"paragraph","text":"Report adopted Feb 2026; enforcement actions pending","spans":[]}]},"col4_image":{"alt":null,"url":null},"col4":{"richText":[]},"col5_image":{"alt":null,"url":null},"col5":{"richText":[]},"col6_image":{"alt":null,"url":null},"col6":{"richText":[]},"col7_image":{"alt":null,"url":null},"col7":{"richText":[]}},{"col1_image":{"alt":null,"url":null},"col1":{"richText":[{"type":"paragraph","text":"2026","spans":[]}]},"col2_image":{"alt":null,"url":null},"col2":{"richText":[{"type":"paragraph","text":"Transparency obligations (Arts. 12–14)","spans":[]}]},"col3_image":{"alt":null,"url":null},"col3":{"richText":[{"type":"paragraph","text":"25 DPAs participating; H2 2026 findings exchange","spans":[]}]},"col4_image":{"alt":null,"url":null},"col4":{"richText":[]},"col5_image":{"alt":null,"url":null},"col5":{"richText":[]},"col6_image":{"alt":null,"url":null},"col6":{"richText":[]},"col7_image":{"alt":null,"url":null},"col7":{"richText":[]}}]},{"id":"b25d46cd-5deb-51c6-b0bc-b3744171335a","slice_type":"text","primary":{"text":{"richText":[{"type":"paragraph","text":"Every prior CEF topic has produced enforcement actions. There is no reason to expect 2026 to be different. The difference is that transparency obligations under Arts. 12–14 are universal — they apply to every organization that processes personal data, at every scale, in every sector. This is the broadest CEF sweep since the framework began.","spans":[],"direction":"ltr"},{"type":"heading2","text":"Sector Risk Ranking: H2 2026","spans":[],"direction":"ltr"},{"type":"paragraph","text":"Based on Secure Privacy's analysis of DPA enforcement patterns, CEF scope, EDPB harmonization signals, and sector-specific violation frequency from the CMS Enforcement Tracker database, here is the first sector-level risk ranking for GDPR enforcement in H2 2026.","spans":[],"direction":"ltr"}]}}},{"id":"803dd804-e000-52e4-8f48-bfd5311815f5","slice_type":"new_table","items":[{"header_col":{"richText":[{"type":"paragraph","text":"Rank","spans":[]}]}},{"header_col":{"richText":[{"type":"paragraph","text":"Sector","spans":[]}]}},{"header_col":{"richText":[{"type":"paragraph","text":"Risk Level","spans":[]}]}},{"header_col":{"richText":[{"type":"paragraph","text":"Primary Exposure","spans":[]}]}},{"header_col":{"richText":[{"type":"paragraph","text":"DPAs Most Likely to Act","spans":[]}]}}]},{"id":"c86602f4-4b1b-551c-a85a-c9987b6d8629","slice_type":"new_table_body","items":[{"col1_image":{"alt":null,"url":null},"col1":{"richText":[{"type":"paragraph","text":"1","spans":[]}]},"col2_image":{"alt":null,"url":null},"col2":{"richText":[{"type":"paragraph","text":"AI / Technology Platforms","spans":[]}]},"col3_image":{"alt":null,"url":null},"col3":{"richText":[{"type":"paragraph","text":"🔴🔴 Critical","spans":[]}]},"col4_image":{"alt":null,"url":null},"col4":{"richText":[{"type":"paragraph","text":"Training data consent, GPAI transparency, automated decision-making","spans":[]}]},"col5_image":{"alt":null,"url":null},"col5":{"richText":[{"type":"paragraph","text":"Garante (Italy), DPC (Ireland), AEPD (Spain)","spans":[]}]},"col6_image":{"alt":null,"url":null},"col6":{"richText":[]},"col7_image":{"alt":null,"url":null},"col7":{"richText":[]}},{"col1_image":{"alt":null,"url":null},"col1":{"richText":[{"type":"paragraph","text":"2","spans":[]}]},"col2_image":{"alt":null,"url":null},"col2":{"richText":[{"type":"paragraph","text":"Media, Telecoms and Broadcasting","spans":[]}]},"col3_image":{"alt":null,"url":null},"col3":{"richText":[{"type":"paragraph","text":"🔴🔴 Critical","spans":[]}]},"col4_image":{"alt":null,"url":null},"col4":{"richText":[{"type":"paragraph","text":"Consent basis, dark patterns, marketing calls, data subject rights","spans":[]}]},"col5_image":{"alt":null,"url":null},"col5":{"richText":[{"type":"paragraph","text":"AEPD (Spain), Garante (Italy), CNIL (France)","spans":[]}]},"col6_image":{"alt":null,"url":null},"col6":{"richText":[]},"col7_image":{"alt":null,"url":null},"col7":{"richText":[]}},{"col1_image":{"alt":null,"url":null},"col1":{"richText":[{"type":"paragraph","text":"3","spans":[]}]},"col2_image":{"alt":null,"url":null},"col2":{"richText":[{"type":"paragraph","text":"Financial Services","spans":[]}]},"col3_image":{"alt":null,"url":null},"col3":{"richText":[{"type":"paragraph","text":"🔴 Very High","spans":[]}]},"col4_image":{"alt":null,"url":null},"col4":{"richText":[{"type":"paragraph","text":"Transparency notices, data subject rights, credit scoring disclosure","spans":[]}]},"col5_image":{"alt":null,"url":null},"col5":{"richText":[{"type":"paragraph","text":"AEPD (Spain), BfDI (Germany), CNIL (France)","spans":[]}]},"col6_image":{"alt":null,"url":null},"col6":{"richText":[]},"col7_image":{"alt":null,"url":null},"col7":{"richText":[]}},{"col1_image":{"alt":null,"url":null},"col1":{"richText":[{"type":"paragraph","text":"4","spans":[]}]},"col2_image":{"alt":null,"url":null},"col2":{"richText":[{"type":"paragraph","text":"Healthcare","spans":[]}]},"col3_image":{"alt":null,"url":null},"col3":{"richText":[{"type":"paragraph","text":"🔴 Very High","spans":[]}]},"col4_image":{"alt":null,"url":null},"col4":{"richText":[{"type":"paragraph","text":"Art. 9 special category data, breach notification, DPIAs","spans":[]}]},"col5_image":{"alt":null,"url":null},"col5":{"richText":[{"type":"paragraph","text":"Garante (Italy), German state DPAs, ICO (UK)","spans":[]}]},"col6_image":{"alt":null,"url":null},"col6":{"richText":[]},"col7_image":{"alt":null,"url":null},"col7":{"richText":[]}},{"col1_image":{"alt":null,"url":null},"col1":{"richText":[{"type":"paragraph","text":"5","spans":[]}]},"col2_image":{"alt":null,"url":null},"col2":{"richText":[{"type":"paragraph","text":"Online Platforms / Adtech","spans":[]}]},"col3_image":{"alt":null,"url":null},"col3":{"richText":[{"type":"paragraph","text":"🔴 Very High","spans":[]}]},"col4_image":{"alt":null,"url":null},"col4":{"richText":[{"type":"paragraph","text":"Cookie consent, legal basis for behavioural targeting, transparency","spans":[]}]},"col5_image":{"alt":null,"url":null},"col5":{"richText":[{"type":"paragraph","text":"CNIL (France), DPC (Ireland), ICO (UK)","spans":[]}]},"col6_image":{"alt":null,"url":null},"col6":{"richText":[]},"col7_image":{"alt":null,"url":null},"col7":{"richText":[]}},{"col1_image":{"alt":null,"url":null},"col1":{"richText":[{"type":"paragraph","text":"6","spans":[]}]},"col2_image":{"alt":null,"url":null},"col2":{"richText":[{"type":"paragraph","text":"Retail / E-commerce","spans":[]}]},"col3_image":{"alt":null,"url":null},"col3":{"richText":[{"type":"paragraph","text":"🟠 High","spans":[]}]},"col4_image":{"alt":null,"url":null},"col4":{"richText":[{"type":"paragraph","text":"Privacy notices (CEF 2026), consent flows, data subject requests","spans":[]}]},"col5_image":{"alt":null,"url":null},"col5":{"richText":[{"type":"paragraph","text":"AEPD (Spain), CNIL (France), ICO (UK)","spans":[]}]},"col6_image":{"alt":null,"url":null},"col6":{"richText":[]},"col7_image":{"alt":null,"url":null},"col7":{"richText":[]}},{"col1_image":{"alt":null,"url":null},"col1":{"richText":[{"type":"paragraph","text":"7","spans":[]}]},"col2_image":{"alt":null,"url":null},"col2":{"richText":[{"type":"paragraph","text":"Employment / HR","spans":[]}]},"col3_image":{"alt":null,"url":null},"col3":{"richText":[{"type":"paragraph","text":"🟠 High","spans":[]}]},"col4_image":{"alt":null,"url":null},"col4":{"richText":[{"type":"paragraph","text":"Employee monitoring, recruitment data, biometric access controls","spans":[]}]},"col5_image":{"alt":null,"url":null},"col5":{"richText":[{"type":"paragraph","text":"AEPD (Spain), BfDI (Germany), Garante (Italy)","spans":[]}]},"col6_image":{"alt":null,"url":null},"col6":{"richText":[]},"col7_image":{"alt":null,"url":null},"col7":{"richText":[]}},{"col1_image":{"alt":null,"url":null},"col1":{"richText":[{"type":"paragraph","text":"8","spans":[]}]},"col2_image":{"alt":null,"url":null},"col2":{"richText":[{"type":"paragraph","text":"Education","spans":[]}]},"col3_image":{"alt":null,"url":null},"col3":{"richText":[{"type":"paragraph","text":"🟠 High","spans":[]}]},"col4_image":{"alt":null,"url":null},"col4":{"richText":[{"type":"paragraph","text":"Children's data, age verification, third-party EdTech tools","spans":[]}]},"col5_image":{"alt":null,"url":null},"col5":{"richText":[{"type":"paragraph","text":"ICO (UK), German state DPAs, Austrian DSB","spans":[]}]},"col6_image":{"alt":null,"url":null},"col6":{"richText":[]},"col7_image":{"alt":null,"url":null},"col7":{"richText":[]}},{"col1_image":{"alt":null,"url":null},"col1":{"richText":[{"type":"paragraph","text":"9","spans":[]}]},"col2_image":{"alt":null,"url":null},"col2":{"richText":[{"type":"paragraph","text":"Energy / Utilities","spans":[]}]},"col3_image":{"alt":null,"url":null},"col3":{"richText":[{"type":"paragraph","text":"🟡 Medium","spans":[]}]},"col4_image":{"alt":null,"url":null},"col4":{"richText":[{"type":"paragraph","text":"Data subject rights fulfillment, retention, breach notification","spans":[]}]},"col5_image":{"alt":null,"url":null},"col5":{"richText":[{"type":"paragraph","text":"Garante (Italy), AEPD (Spain)","spans":[]}]},"col6_image":{"alt":null,"url":null},"col6":{"richText":[]},"col7_image":{"alt":null,"url":null},"col7":{"richText":[]}},{"col1_image":{"alt":null,"url":null},"col1":{"richText":[{"type":"paragraph","text":"10","spans":[]}]},"col2_image":{"alt":null,"url":null},"col2":{"richText":[{"type":"paragraph","text":"Public Sector","spans":[]}]},"col3_image":{"alt":null,"url":null},"col3":{"richText":[{"type":"paragraph","text":"🟡 Medium","spans":[]}]},"col4_image":{"alt":null,"url":null},"col4":{"richText":[{"type":"paragraph","text":"Transparency notices (CEF 2026), DPIA compliance","spans":[]}]},"col5_image":{"alt":null,"url":null},"col5":{"richText":[{"type":"paragraph","text":"German state DPAs, CNIL (France), AEPD (Spain)","spans":[]}]},"col6_image":{"alt":null,"url":null},"col6":{"richText":[]},"col7_image":{"alt":null,"url":null},"col7":{"richText":[]}}]},{"id":"d743ffc6-4f31-546b-8a3f-91a4d02ba589","slice_type":"text","primary":{"text":{"richText":[{"type":"paragraph","text":"Note on AI sector ranking: This is the fastest-moving category and the one with the least historical enforcement data. The Garante's €5 million AI fine (2026), the DPC's open GPAI investigations, and the EU AI Act's high-risk AI enforcement deadline of August 2, 2026 create a convergent enforcement pressure unlike any other sector. AI companies and AI deployers should treat themselves as operating in the highest-risk regulatory environment in Europe from Q3 2026 onward.","spans":[{"start":0,"end":26,"type":"strong"}],"direction":"ltr"},{"type":"heading2","text":"The Four Violation Categories That Will Define H2 2026","spans":[],"direction":"ltr"},{"type":"paragraph","text":"Based on DPA signals and CEF 2026 scope, four violation categories will dominate H2 2026 enforcement. These are not predictions — they are the publicly stated priorities of the enforcement bodies themselves, reinforced by the Q2 2026 cases that have already established each pattern.","spans":[],"direction":"ltr"},{"type":"heading3","text":"1. Transparency Failures (Arts. 12–14) — CEF 2026 Direct","spans":[],"direction":"ltr"},{"type":"paragraph","text":"The CEF 2026 action is specifically targeting this. What regulators are looking for:","spans":[],"direction":"ltr"},{"type":"list-item","text":"Privacy notices in legalese rather than clear, plain language","spans":[],"direction":"ltr"},{"type":"list-item","text":"Notices that describe data categories but not specific purposes or retention periods","spans":[],"direction":"ltr"},{"type":"list-item","text":"Consent flows that disclose some processing purposes but omit others (particularly AI-related uses, data sharing with third parties, and international transfers)","spans":[],"direction":"ltr"},{"type":"list-item","text":"Mobile app privacy notices that differ from website notices without justification","spans":[],"direction":"ltr"},{"type":"list-item","text":"Privacy notices that have not been updated to reflect actual current processing activities","spans":[],"direction":"ltr"},{"type":"paragraph","text":"Any organization that has not reviewed its privacy notice architecture since the EDPB launched CEF 2026 (March 19, 2026) is operating in a live investigation environment without having checked its exposure.","spans":[],"direction":"ltr"},{"type":"heading3","text":"2. AI Data Processing — GDPR + AI Act Convergence","spans":[],"direction":"ltr"},{"type":"paragraph","text":"The Garante's €5 million AI fine established the category. The pattern being investigated:","spans":[],"direction":"ltr"},{"type":"list-item","text":"Personal data used to train AI models without a valid GDPR Art. 6 legal basis for that specific purpose","spans":[],"direction":"ltr"},{"type":"list-item","text":"AI systems that make or materially influence decisions about individuals without meeting Art. 22 transparency requirements","spans":[],"direction":"ltr"},{"type":"list-item","text":"Biometric data processed by AI systems without Art. 9 explicit consent or equivalent legal basis","spans":[],"direction":"ltr"},{"type":"list-item","text":"GPAI systems that have not produced the technical documentation required by EU AI Act Art. 53 (mandatory since August 2025)","spans":[],"direction":"ltr"},{"type":"paragraph","text":"The convergence risk is compound: a single AI deployment can simultaneously trigger a GDPR Art. 6 violation (insufficient legal basis for training data), an Art. 22 violation (lack of automated decision transparency), an Art. 9 violation (biometric or health data without explicit consent), and an AI Act Art. 53 violation (missing GPAI documentation). Each carries separate fines.","spans":[],"direction":"ltr"},{"type":"heading3","text":"3. Data Subject Rights at Scale — Post-CEF 2025 Pipeline","spans":[],"direction":"ltr"},{"type":"paragraph","text":"The CEF 2025 action on the right to erasure (Art. 17) produced its report in February 2026. DPAs are now converting that report's findings into enforcement actions. The most common failure pattern identified:","spans":[],"direction":"ltr"},{"type":"list-item","text":"Erasure requests acknowledged but not acted on within the 30-day statutory period","spans":[],"direction":"ltr"},{"type":"list-item","text":"Erasure from primary systems but not from backups, third-party processors, or AI training sets","spans":[],"direction":"ltr"},{"type":"list-item","text":"Automated systems that cannot process erasure requests (particularly legacy systems and ML pipelines)","spans":[],"direction":"ltr"},{"type":"paragraph","text":"Any organization that received a CEF 2025 fact-finding questionnaire and cannot demonstrate that erasure requests reach their AI and data science pipelines — not just their marketing databases — is in the enforcement queue.","spans":[],"direction":"ltr"},{"type":"heading3","text":"4. Third-Country Data Transfers — The Yango Precedent","spans":[],"direction":"ltr"},{"type":"paragraph","text":"The Dutch AP's €100 million fine against Yango's European operator (May 2026) establishes a fourth defining H2 2026 enforcement category, distinct from the historic focus on US transfers under Schrems II. The pattern being investigated:","spans":[],"direction":"ltr"},{"type":"list-item","text":"Personal data transferred to jurisdictions where state security services have legal powers to compel access, without an EU adequacy decision or valid Art. 46 safeguard (standard contractual clauses, binding corporate rules)","spans":[],"direction":"ltr"},{"type":"list-item","text":"Encryption or pseudonymization claimed as a compliance safe harbor without addressing whether the recipient entity could plausibly re-identify users through organizational means","spans":[],"direction":"ltr"},{"type":"list-item","text":"Fine calculations based on parent-company global turnover rather than the EU subsidiary's local revenue — a calculation method now established in both the Yango and earlier TikTok decisions","spans":[],"direction":"ltr"},{"type":"paragraph","text":"Organizations with data pipelines touching Russia, China, or other third countries without an EU adequacy decision should treat this as an active enforcement vector, not a theoretical risk. The joint Dutch-Finnish-Norwegian investigation model used in the Yango case also signals that cross-border coordination between DPAs — not just within the EU's One-Stop-Shop mechanism, but across EEA members — is becoming a standard enforcement pattern.","spans":[],"direction":"ltr"},{"type":"heading2","text":"What the Enforcement Data Cannot Tell You — A Methodological Note","spans":[],"direction":"ltr"},{"type":"paragraph","text":"This analysis is built on verified case data, DPA press releases, and EDPB official communications. It is not a prediction of any specific fine. DPA decision timelines are not deterministic — investigations opened in Q2 2026 may produce decisions in Q4 2026 or Q1 2027 depending on organizational complexity, cross-border cooperation requirements, and DPA resource capacity.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"Three things the heat map reflects with high confidence: which DPAs are currently the most active (Spain, Italy, France, Ireland, and now the Netherlands following the Yango decision); which violation categories they are currently investigating (transparency, AI data processing, erasure rights, third-country transfers); and which sectors are statistically over-represented in current investigation pipelines (AI/tech, telecoms, financial services, healthcare).","spans":[],"direction":"ltr"},{"type":"paragraph","text":"Three things the heat map cannot predict: the exact timing of specific decisions, whether investigations result in fines or corrective orders, and how individual DPAs will calculate penalty amounts in novel categories like AI system violations.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"A note on figure reconciliation: Enforcement statistics vary across secondary sources because trackers use different cutoff dates, different inclusion criteria for fines with incomplete public data, and in some cases undisclosed methodologies. We have found at least one frequently cited figure — Ireland's cumulative fine total — reported at €2.8 billion by one source with no visible citation, against the consistently corroborated €4.04 billion figure from the DLA Piper survey, the CMS Enforcement Tracker, and multiple independent secondary analyses. We report the corroborated figure and flag the discrepancy rather than silently picking one. We recommend the same discipline to any reader cross-referencing enforcement statistics: a figure with no disclosed source or methodology should be treated as unverified, regardless of how widely it circulates.","spans":[{"start":0,"end":32,"type":"strong"}],"direction":"ltr"},{"type":"paragraph","text":"Primary regulator sources have their own limitations worth noting. CNIL's own public sanctions register, for instance, anonymizes some 2026 entries to organization category rather than company name, meaning even direct primary-source verification sometimes requires cross-referencing the linked legal decision text to resolve full attribution. No single source in this space — primary or secondary — is complete on its own.","spans":[],"direction":"ltr"},{"type":"heading2","text":"The Practical Compliance Checklist: What to Do Before Q3 2026","spans":[],"direction":"ltr"},{"type":"paragraph","text":"Based on the CEF 2026 focus and the sector risk ranking above, the following controls are the highest-priority actions before July 1, 2026:","spans":[],"direction":"ltr"},{"type":"paragraph","text":"Tier 1 — CEF 2026 Direct Exposure (do immediately)","spans":[{"start":0,"end":50,"type":"strong"}],"direction":"ltr"},{"type":"paragraph","text":"▢ Audit every privacy notice against Arts. 12, 13, 14 requirements — specifically: are purposes described in plain language, are retention periods specified, are all third-party data sharing arrangements disclosed?","spans":[],"direction":"ltr"},{"type":"paragraph","text":"▢ Verify that mobile app privacy notices and website privacy notices are consistent and current","spans":[],"direction":"ltr"},{"type":"paragraph","text":"▢ Check that consent flows accurately describe all data uses, including any AI-related processing","spans":[],"direction":"ltr"},{"type":"paragraph","text":"▢ Confirm that any processing based on legitimate interest includes an LIA (Legitimate Interest Assessment) and that this basis is correctly disclosed in the privacy notice","spans":[],"direction":"ltr"},{"type":"paragraph","text":"Tier 2 — AI Processing Exposure (before August 2, 2026)","spans":[{"start":0,"end":55,"type":"strong"}],"direction":"ltr"},{"type":"paragraph","text":"▢ Inventory every AI system that processes personal data — including third-party AI tools embedded in your stack","spans":[],"direction":"ltr"},{"type":"paragraph","text":"▢ Verify GDPR Art. 6 legal basis for each use of personal data in AI training or inference","spans":[],"direction":"ltr"},{"type":"paragraph","text":"▢ Confirm GPAI transparency documentation exists for any GPAI system you deploy (mandatory since August 2025)","spans":[],"direction":"ltr"},{"type":"paragraph","text":"▢ Conduct or update DPIAs for high-risk AI systems before August 2, 2026 EU AI Act enforcement deadline","spans":[],"direction":"ltr"},{"type":"paragraph","text":"▢ Verify that consent withdrawal signals reach AI pipelines — not just marketing and CRM systems","spans":[],"direction":"ltr"},{"type":"paragraph","text":"Tier 3 — Erasure Rights Pipeline (post-CEF 2025)","spans":[{"start":0,"end":48,"type":"strong"}],"direction":"ltr"},{"type":"paragraph","text":"▢ Test erasure request handling end-to-end — from request receipt to deletion from primary systems, backups, third-party processors, and AI training sets","spans":[],"direction":"ltr"},{"type":"paragraph","text":"▢ Document the erasure process with timestamps and evidence","spans":[],"direction":"ltr"},{"type":"paragraph","text":"▢ Verify 30-day SLA compliance with a sample of recent erasure requests","spans":[],"direction":"ltr"},{"type":"paragraph","text":"Tier 4 — Third-Country Transfer Exposure (the Yango precedent)","spans":[{"start":0,"end":62,"type":"strong"}],"direction":"ltr"},{"type":"paragraph","text":"▢ Map every data flow to third countries without an EU adequacy decision, including via sub-processors and infrastructure providers","spans":[],"direction":"ltr"},{"type":"paragraph","text":"▢ Verify Art. 46 safeguards (SCCs, BCRs) are in place and current for every identified transfer","spans":[],"direction":"ltr"},{"type":"paragraph","text":"▢ Confirm any pseudonymization or encryption claimed as a safeguard genuinely prevents re-identification by the receiving entity — not just by an external third party","spans":[],"direction":"ltr"},{"type":"paragraph","text":"▢ Review whether any sub-processor or vendor relationship routes data through jurisdictions with state access powers, even if the primary contracting entity is EU-based","spans":[],"direction":"ltr"},{"type":"paragraph","text":"Secure Privacy's GDPR compliance platform helps organizations operationalize all three tiers — connecting consent management, DPIA workflows, data subject rights automation, and AI data governance into a single auditable system. Explore Secure Privacy's GDPR compliance tools →","spans":[{"start":229,"end":277,"type":"hyperlink","data":{"link_type":"Web","url":"https://secureprivacy.ai","target":"_blank"}}],"direction":"ltr"},{"type":"heading2","text":"Frequently Asked Questions: GDPR Enforcement H2 2026","spans":[],"direction":"ltr"},{"type":"heading4","text":"Which DPA issues the most GDPR fines?","spans":[{"start":0,"end":37,"type":"strong"}],"direction":"ltr"},{"type":"paragraph","text":"Spain's AEPD leads by volume with nearly 1,000 fines since 2018 — by far the highest count of any European regulator. Ireland's DPC leads by total fine value at €4.04 billion cumulative, driven by its One-Stop-Shop role for major US tech platforms. Italy's Garante is the fastest-escalating authority in 2026, increasingly aligning its penalty levels with Irish and French decisions under EDPB harmonization guidance.","spans":[],"direction":"ltr"},{"type":"heading4","text":"Which DPA is the most aggressive in 2026?","spans":[{"start":0,"end":41,"type":"strong"}],"direction":"ltr"},{"type":"paragraph","text":"There is no single answer because \"aggressive\" means different things depending on the metric. By sheer frequency of enforcement action, Spain's AEPD is the most aggressive — nearly 1,000 fines since 2018 and an accelerating 2025-into-2026 pace. By willingness to issue unprecedented or first-of-category fines, Italy's Garante and the Netherlands' AP are currently the most aggressive — the Garante's first AI-training-data fine and the AP's first coordinated Russia-transfer fine both represent genuinely new enforcement territory rather than incremental escalation of existing patterns. By absolute financial severity per case, Ireland's DPC remains unmatched, though its case volume is comparatively low.","spans":[],"direction":"ltr"},{"type":"heading4","text":"Why is \"legitimate interest\" as a legal basis so frequently misunderstood, and does it show up in enforcement data?","spans":[{"start":0,"end":115,"type":"strong"}],"direction":"ltr"},{"type":"paragraph","text":"Yes — legitimate interest (GDPR Art. 6(1)(f)) is one of the most commonly misapplied legal bases in enforcement decisions, and it is a recurring theme in practitioner discussion precisely because the test is fact-specific rather than a simple checkbox. A valid legitimate interest basis requires a documented three-part balancing test: a legitimate purpose, necessity of the processing to achieve it, and confirmation that the organization's interest is not overridden by the individual's rights and freedoms. The Amadeus case illustrates the failure mode clearly — the AEPD found that even where a business rationale existed, the absence of a documented legal basis assessment and adequate transparency under Art. 14 was sufficient grounds for a €18 million fine. Organizations relying on legitimate interest without a documented Legitimate Interest Assessment (LIA) on file are operating with the same exposure that produced this decision.","spans":[],"direction":"ltr"},{"type":"heading4","text":"What is the EDPB CEF 2026 and does it apply to my organization?","spans":[{"start":0,"end":63,"type":"strong"}],"direction":"ltr"},{"type":"paragraph","text":"The EDPB's 2026 Coordinated Enforcement Framework (CEF) action focuses on GDPR transparency and information obligations under Articles 12, 13, and 14. Twenty-five DPAs across the EEA are participating. The investigation covers controllers in multiple sectors — private and public — and DPAs are contacting organizations directly via fact-finding questionnaires and enforcement actions throughout 2026. If you process personal data of EU residents, you are within scope. If you receive a questionnaire from any participating DPA, you are in an active investigation.","spans":[],"direction":"ltr"},{"type":"heading4","text":"Why is the AI sector rated as the highest risk for H2 2026?","spans":[{"start":0,"end":59,"type":"strong"}],"direction":"ltr"},{"type":"paragraph","text":"Three factors converge for AI companies and AI deployers in H2 2026: the Garante's €5 million AI-related GDPR fine in 2026 established the violation category; the EU AI Act's high-risk AI system obligations take full effect August 2, 2026, creating a second penalty layer on top of GDPR; and the DPC has opened GPAI-specific investigations that will produce decisions in H2 2026 or early 2027. AI deployments that process personal data are simultaneously exposed to GDPR violations (Arts. 6, 9, 22) and AI Act violations — with each carrying separate fines.","spans":[],"direction":"ltr"},{"type":"heading4","text":"What sectors are most exposed to GDPR enforcement in H2 2026?","spans":[{"start":0,"end":61,"type":"strong"}],"direction":"ltr"},{"type":"paragraph","text":"Based on Secure Privacy's analysis of the CMS Enforcement Tracker data and DPA forward signals: AI / technology platforms, media and telecoms, financial services, healthcare, and online advertising / adtech represent the five highest-risk sectors. The CEF 2026 transparency action broadens this to include retail, education, and the public sector.","spans":[],"direction":"ltr"},{"type":"heading4","text":"What is the most common GDPR violation leading to fines?","spans":[{"start":0,"end":56,"type":"strong"}],"direction":"ltr"},{"type":"paragraph","text":"Insufficient legal basis for data processing (Art. 6) is the most frequently cited violation in the CMS Enforcement Tracker database. Transparency failures (Arts. 5, 12–14) are the fastest-growing violation category — reflecting both the CEF 2025 erasure findings and the 2026 CEF transparency focus. In financial value terms, cross-border data transfer violations (Art. 46) dominate, driven by the Meta €1.2 billion and TikTok €530 million decisions.","spans":[],"direction":"ltr"},{"type":"heading4","text":"How does the EU AI Act affect GDPR enforcement from August 2026?","spans":[{"start":0,"end":64,"type":"strong"}],"direction":"ltr"},{"type":"paragraph","text":"The EU AI Act's high-risk AI system obligations — human oversight, technical robustness, audit logging, and transparency documentation — take full effect August 2, 2026. DPAs enforcing GDPR can simultaneously apply AI Act provisions, creating compound enforcement exposure for organizations deploying high-risk AI systems that process personal data. The Garante and DPC have both explicitly indicated they will coordinate GDPR and AI Act enforcement from Q3 2026 onward.","spans":[],"direction":"ltr"},{"type":"heading2","text":"About This Analysis","spans":[],"direction":"ltr"},{"type":"paragraph","text":"This enforcement heat map is produced by Secure Privacy's enforcement intelligence team using the CMS GDPR Enforcement Tracker database (2,685 verified fines, March 2026 edition), EDPB official communications, DPA press releases (including the Dutch AP, Spanish AEPD, and Irish DPC), and the DLA Piper GDPR Fines and Data Breach Survey (January 2026). It is updated quarterly. The next edition will be published in September 2026 covering Q3 enforcement activity.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"Secure Privacy's GDPR compliance and consent management platform helps DPOs and legal teams operationalize the controls that enforcement data shows regulators are checking — privacy notice management, consent lifecycle governance, DPIA workflows, data subject rights automation, and AI data governance. Book a compliance review with Secure Privacy →","spans":[{"start":303,"end":349,"type":"hyperlink","data":{"link_type":"Web","url":"https://secureprivacy.ai","target":"_blank"}}],"direction":"ltr"},{"type":"paragraph","text":"Related Secure Privacy resources:","spans":[{"start":0,"end":33,"type":"strong"}],"direction":"ltr"},{"type":"list-item","text":"GDPR Fines and Penalties Explained","spans":[{"start":0,"end":34,"type":"hyperlink","data":{"link_type":"Web","url":"https://secureprivacy.ai/blog/gdpr-fines-and-penalties-explained","target":"_blank"}}],"direction":"ltr"},{"type":"list-item","text":"AI Governance Framework Tools: Compliance, Risk & Control","spans":[{"start":0,"end":57,"type":"hyperlink","data":{"link_type":"Web","url":"https://secureprivacy.ai/blog/ai-governance-framework-tools","target":"_blank"}}],"direction":"ltr"},{"type":"list-item","text":"How to Automate Privacy Impact Assessments (PIA & DPIA)","spans":[{"start":0,"end":55,"type":"hyperlink","data":{"link_type":"Web","url":"https://secureprivacy.ai/blog/how-to-automate-privacy-impact-assessments-pia-dpia","target":"_blank"}}],"direction":"ltr"},{"type":"list-item","text":"What Are AI Governance Controls?","spans":[{"start":0,"end":32,"type":"hyperlink","data":{"link_type":"Web","url":"https://secureprivacy.ai/blog/ai-governance-controls","target":"_blank"}}],"direction":"ltr"},{"type":"list-item","text":"Consent Management Across Websites and Apps","spans":[{"start":0,"end":43,"type":"hyperlink","data":{"link_type":"Web","url":"https://secureprivacy.ai/blog/consent-management-websites-apps","target":"_blank"}}],"direction":"ltr"}]}}}],"description":{"text":"Every major GDPR enforcement summary tells you what already happened. This one tells you what is about to happen."}},"tags":["Privacy Governance"]}}]},"allPrismicBlogpage":{"edges":[{"node":{"uid":"blog","type":"blogpage","lang":"en-gb","id":"8be6fe51-0ae2-581d-9e23-8b00e02986c1","data":{"cta_button_text":{"richText":[{"type":"paragraph","text":"Sign-up for FREE","spans":[],"direction":"ltr"}]},"cta_button_link":{"url":"https://cmp.secureprivacy.ai/onboarding"},"cta_banner_text":{"richText":[{"type":"paragraph","text":"No credit card required","spans":[],"direction":"ltr"}]},"cta_banner_heading":{"richText":[{"type":"paragraph","text":"Get Started For Free with the\n#1 Cookie Consent Platform.","spans":[{"start":16,"end":20,"type":"strong"}],"direction":"ltr"}]}}}}]}},"pageContext":{"id":"fe3dc7f8-0897-54f1-9ec4-3b760e7f798d","uid":"gdpr-enforcement-heat-map-q2-2026","lang":"en-gb","type":"blogpostpage","url":"/blog/gdpr-enforcement-heat-map-q2-2026"}},
    "staticQueryHashes": ["106289065","1254728886","1714079170","2867542246","3445072782","764283450"]}