Search results

documentation, but Articles 5(2) or 30(1)(a) GDPR require documentation and Articles 6(1)(a), 13(1)(c) and 14(1)(c) GDPR require the disclosure of the specific

in Articles 9(1)(a), 22(2)(c) and 49(1)(a) GDPR. See the commentary on Article 9(1)(a) GDPR for explicit consent. Generally, consent must be given directly

further details see Article 14(1)(d) GDPR. Similar to the ex-ante information in Article 13(1)(e) and 14(1)(e) GDPR, Article 15(1)(c) GDPR requires the controller

Article 13 should not be too long. Article 12 GDPR may be limited by Union or national Law in accordance with Article 23 GDPR. Article 12(1) GDPR requires controllers

(Nomos 2018). Recital 70 GDPR. Recital 71 sentence 1 GDPR. Recital 71 sentence 1 GDPR. Recital 28 sentence 1 GDPR, such as Hansen, in Simitis, Hornung, Spieker

it can be assumed that the SAs may be given additional powers, but that the existing powers may not be restricted. A contrary view cannot be derived from

See the commentary on Article 5(1)(b) GDPR for more details. The legal basis must necessarily be found either in Article 6(1) GDPR or, where special categories

non-material damage. Article 32(1) GDPR reflects the principle of integrity and confidentiality enshrined in Article 5(1)(f) GDPR. The controller and the

of Article 21(1) GDPR. Therefore, for a claim for deletion to be admissible, all and only the conditions listed in Article 21(1) must be met. In particular

83(5) Var. 1 or (6) GDPR, as otherwise there could be a violation of ne bis in idem. First, it follows from this criterion that a fine may also be imposed

subsume the corresponding legal basis contained in Article 6(1)(a) GDPR, 6(1)(d) GDPR and 6(1)(e) GDPR respectively, and would require no additional correlation

Article 6(1)(e) or (f) GDPR are clearly covered by Article 21(1) GDPR, mentioning profiling specifically is somewhat legally redundant. However, it can be seen

additional benefit of Article 14(1)(d) GDPR may be questionable, if one agrees that Article 14(1)(c) (see commentary on Article 13(1)(c) GDPR) already requires

paragraph (1). Although the measures should be implemented to ensure compliance with every data protection principle, and are therefore to be understood

Article 25 (1) and (2), Article 28(1), Article 32(1) GDPR, Article 89(1) GDPR). These measures can also be regarded as measures under Article 24(1) since they

May 2020 (Version 1.1), pp. 7-8 (available here). EDPB, ‘Guidelines 05/2020 on consent under Regulation 2016/679’, 4 May 2020 (Version 1.1), pp. 8-9 (available

their agreement must be the same as those of the SCCs. The SCCs will often leave some blank spaces to be filled in or options to be selected by the parties

agreement on joint responsibility as required under Article 26(1) of the GDPR. Article 33(1) GDPR outlines that controllers (as defined above) have an obligation

result of an infringement of the GDPR. Article 82(1) contains the conditions for such a claim, which are to be interpreted in accordance with EU law. Such conditions

(DPO) must also be involved in the drafting of the DPIA under Article 35(2) GDPR and Article 39(1)(c) GDPR, and their advice should be recorded by the

Article 57(1)(h) GDPR can also be initiated based on information that the SA obtained from another SA (e.g. in accordance with Article 60(1) GDPR and Article

clarified in C-132/21 that "Article 77(1), Article 78(1) and Article 79(1) of Regulation (EU) 2016/679 [...] must be interpreted as permitting the remedies

the supervisory authorities concerned shall be deemed to be in agreement with that draft decision and shall be bound by it. 7. The lead supervisory authority

version=1.0 https://www.garanteprivacy.it/documents/10160/0/Bilancio+di+previsione+2019+-+Sintetico.xlsx/700e5df5-f7c3-6510-1bd5-ef90e9824f17?version=1.0

(Article 65(1)(b) GDPR). It seems that the decision on a conflicting view can only be taken within a specific procedure under Article 65(1)(b) GDPR and

scope requires the data in question to be 'personal data'. This term is defined, and further discussed, in Article 4(1) GDPR. Any information that relates

Article 34(1) is not triggered, as the authorised party will not be able to make use of the data obtained. “Subsequent” measures should be interpreted

requirements of data minimization (Article 5(1)(c) GDPR) and storage limitation (Article 5(1)(e) GDPR). Under Article 30(1)(f) GDPR, where possible, the controller

make contact with him' (BVerwG, NJW 2006, 3367ff.)”. Article 1(1) in conjunction with Article 2(1) Directive (EU) 2016/680 of the European Parliament and of

categories of data listed under Article 9(1) GDPR. There have been conflicting arguments as to whether Article 22(1) GDPR lays down a right or a general prohibition

surveillance cameras, it was therefore in breach of Article 37(1)(b) GDPR by not having a DPO. Article 37(1) GDPR specifies three conditions in which the designation

that they will be considered to be ad hoc clauses that require the authorisation of the competent DPA" under Article 46(3)(a) GDPR.Article 46(1) allows the

However, Article 5(1)(d) GDPR gives the controller some leeway to continue processing inaccurate data - see more details under Article 5(1)(d) GDPR. Article

prior authorization, irrespective of the requirements of paragraph 1. Article 36(1) GDPR  establishes an obligation for the controller to consult the DPA

the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 16 (available here) referring to Article 1(1)(b) Directive (EU) 2015/1535 of the European Parliament

processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject's consent

proceedings under Article 79(1) GDPR in limited circumstances of substantive violations. Instead, Article 79(1) GDPR should be read as excluding proceedings

Article 55 - Competence 1. Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred

concerning potential conflicts of interest. According to Article 38(1) GDPR, the DPO must be involved in a timely manner in all issues which relate to the protection

an opinion of the EDPB (Article 6(1)(c) GDPR). Article 65(1)(a) GDPR addresses the cases where a consensus could not be reached within the consistency mechanism

(Version 2.1), p. 19 (available here). EDPB, ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, 07 July 2021 (Version 2.1), p. 19

under Articles 58(1)(d) or 58(3)(a) and 58(3)(b) GDPR do not qualify as decisions and cannot be subject to legal actions under Article 78(1) GDPR. A data subject

derogation shall not be applied, and the derogation from Article 49(1)(a) GDPR will be applicable instead. The incapacity may be physical, mental or legal

implementation requirements for 85(1) to be fulfilled. While not outlined, the academic commentary agrees that Article 85(1) should not be read as requiring member

of Article 40(1) establishes that they “shall encourage” this (emphasis added). Article 40(1) GDPR clarifies that codes of conduct must be tailored to “specific

public hearing. Under specific conditions the hearing may be secret. For an administrative fine to be issued, a prior invitation of the defendant (or his representative

processing. Paragraph 1 provides a comprehensive list of tasks that the DPO must perform according to the GDPR, and these tasks cannot be restricted by national

May 2020 (Version 1.1), p. 28 (available here). EDPB, ‘Guidelines 05/2020 on consent under Regulation 2016/679’, 4 May 2020 (Version 1.1), p. 27 (available

in Articles 70(1)(e) and 70(1)(f) GDPR was an editorial error. This obligation applies to all guidance issued by the Board. Articles 70(1)(n) to (q) GDPR

not' (cf. Art. 3(1)). Hornung and Spiecker in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 1 (Beck 2019) (accessed

designation must be done in written form. The GDPR does not specify any particular requirements for the representative. However, under Article 1(17) GDPR, the

to Article 55 or 56. 2. Certification bodies referred to in paragraph 1 shall be accredited in accordance with that paragraph only where they have: (a)

pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and (b) the processing is carried

responsible in writing and wait a period of 1 month (if you have no response) before filling a complaint. There seems to be no legal basis for this requirement

conditions for entities to qualify as NPOs. For the purposes of Article 80(1) GDPR must be (i) a not-for-profit body, organisation or association, (ii) properly

referred to in paragraph 1 within the period referred to in paragraph 3. 7. The supervisory authority referred to in paragraph 1 shall take utmost account

anonymisation would therefore neither be possible, nor required under Article 89(1) GDPR. All in all, it can be concluded that anonymisation only becomes

State in accordance with Article 55(1). In that case, the urgent need to act under Article 66(1) shall be presumed to be met and require an urgent binding

operation. These three requirements must be satisfied before a monitoring body can be accredited according to Article 41(1)(b) GDPR. Although this provision only

the purposes of Article 5(1)(e) GDPR when determining the duration for which data must be stored. Any such laws would also be relevant for determining whether

authority has taken a measure pursuant to paragraph 1 and considers that final measures need urgently be adopted, it may request an urgent opinion or an urgent

draft” to the BCR Lead , which may be commented by other DPAs concerned. The BCR Lead the submits, following Article 64(1) GDPR and Article 64(4) GDPR, a

that point, it is important to note that Article 13(1)(f) GDPR, Article 14(1)(f) GDPR, Article 15(1)(c) GDPR and Article 15(2) GDPR, make specific reference

establishment of SAs are set out in Article 51(1) and 52 GDPR, Article 54(1)(a) GDPR repeats that these should be legislated for through a Member State's domestic

will be subject to continuous change, since an EU-wide mechanism will need to be adaptable to take into account national regulations that may be sector-specific

of Article 88(1) GDPR. Therefore, for a comprehensive overview of the term ‘more specific’, please refer to section 2.1 below. Article 88(1) GDPR establishes

processing under Articles 13 or 14 GDPR. This can be drawn from the final sentence of Article 11(1) GDPR. It must be assessed with the utmost attention whether

Article 55. In that case, the urgent need to act under Article 66(1) shall be presumed to be met and require an opinion or an urgent binding decision from

under Articles 16, 17(1), and 18 vis-à-vis other recipients of the data, the notification should be done immediately. Recipients shall be notified either “in

Article 83 GDPR, Article 84(1) GDPR dispenses with complete harmonisation. It does, however, provide that any sanctions chosen must be ‘effective, proportionate

convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing

pursued need to be demonstrated; (iii) the processing has to be subject to independent oversight; and (iv) effective remedies need to be available to the

92 GDPR's wording seems to be in conflict with Article 290(1) TFEU, but in actuality it is not. Article 92(2) GDPR must be read in line with Article 92(3)

Whether Article 75(1) GDPR can truly ensure the secretariat's freedom from the EDPS' influence, remains to be seen. However, it must be acknowledged that

not apparent why the principle laid down in Article 72(1) GDPR should be deviated from. Article 72(1) GDPR stipulates that the Board shall take decisions

version can be found here. The current RoP are divided into eight sections: 1.      Legal nature, tasks and guiding principles of the EDPB (Articles 1 to 3 RoP)

national administration, can be prescribed for members. Competence requirements must be provided by law pursuant to Article 54(1)(b) GDPR. These competence

concerning the interpretation of Article 28(1) of Directive 95/46/EC ("DPD"), the Regulation's predecessor. Article 28(1) DPD established the existence of supervisory

Buchner, DS-GVO BDSG, Article 31 GDPR, margin numbers 1-4 (Beck 2020, 3rd edition). For instance, Article 58(1)(f) GDPR, which grants a supervisory authority

"Informatique et Libertés". Under Article R311-1(4) of the French code of administrative justice, acts taken by the CNIL can be appealed directly before the highest

nnees.be/introduire-une-requete-une-plainte In Dutch: https://www.gegevensbeschermingsautoriteit.be/verzoek-klacht-indienen The complaint can be sent by

shall have legal personality. 2. The Board shall be represented by its Chair. 3. The Board shall be composed of the head of one supervisory authority of each

(“RoP”). Article 33(1) RoP stipulates that in “accordance with Art 76 (1) GDPR”, discussions of the Board and of expert subgroups shall be confidential when:

accordance with paragraph 1 of this Article shall be subject to the supervision of an independent supervisory authority, which may be specific, provided that

relationship between the GDPR and the EPD is to be found in Recital 10 and Article 1(2) EPD. Article 1(2) EPD provides that the EPD's provisions serve

third countries and international organisations. The report shall be made public and be transmitted to the European Parliament, to the Council and to the

but not that the same data subject(s) must be party to the proceedings. If the requirements of Article 81(1) GDPR are fulfilled (meaning, “same subject

Article 93 - Committee procedure 1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation

the Council. The reports shall be made public. 2. In the context of the evaluations and reviews referred to in paragraph 1, the Commission shall examine

official documents to be taken into account when applying this Regulation. Public access to official documents may be considered to be in the public interest

processing of personal data (see Article 5(1)(a) GDPR), the need to limit the purpose of such processing (see Article 5(1)(b) GDPR), the requirement to have a

Board should be set up as an independent body of the Union. To fulfil its objectives, the Board should have legal personality. The Board should be represented

secrecy 1. Member States may adopt specific rules to set out the powers of the supervisory authorities laid down in points (e) and (f) of Article 58(1) in

this section! You can help us filling this section! There are two options: 1) a "recurso de reposicion" to ask the AEPD to reconsider its decision or 2)

Directive 95/46/EC 1. Directive 95/46/EC is repealed with effect from 25 May 2018. 2. References to the repealed Directive shall be construed as references

records according to Article 57(1)(u) GDPR. The report may include that information but if it does not, it is unlikely to be invalid. However, the report

Article 74 - Tasks of the Chair 1. The Chair shall have the following tasks: (a) to convene the meetings of the Board and prepare its agenda; (b) to notify

Regulation, implementing powers should be conferred on the Commission when provided for by this Regulation. Those powers should be exercised in accordance with Regulation

of those articles of ZVOP-1 that are still valid or for controllers to whom ZVOP-1 fully applies. 2019 Annual Report can be found on ip-rs.si.

(like the correspondence with the controller) need to be attached. Under § 24(4) DSG complaints need to be filed one year from the time the complainant has