Search results

Protection Agency must note that this is stated in Article 14 (2) of the Data Protection Regulation. Article 5 (5) (c) does not apply to the extent that the collection

Violation of Article 6(1)(f) GDPR The LfDI found a violation of Article 6(1) GDPR. When weighing the interests in the context of Article 6(1)(f) GDPR, it must

but at the latest within one month, cf. article 14 no. 3, letter a. 5 According to article 14 no. 5, this article does not apply if: • The registered person

the terms of the French version of article 14.5.c) of the GDPR. 37. What is provided for in article 14.5. c) of the GDPR constitutes an exception to the right

out in Article 14(5)(a) and Article 14(5)(c) GDPR. The DPA rejected the controller's views as it argued that the exceptions in Article 14(5) GDPR should

possible "legitimate interest" under Article 6(1)(f) GDPR. Equally to Article 6(1)(c) GDPR, Article 6(2) and (3) GDPR require that Union or Member State

BDSG, Article 5 GDPR, margin number 56 (C.H. Beck 2020) Resta, in Riccio, Scorza, Belisario, GDPR e Normativa Privacy - Commentario, Article 5 GDPR (Wolters

access (Article 15 GDPR), rectification (Article 16 GDPR), erasure (Article 17 GDPR), restriction (Article 18 GDPR), notification (Article 19 GDPR) or data

required under the GDPR (e.g. from a security perspective under Article 32 GDPR or as a means of data minimisation under Article 5(1)(c) GDPR) can get confused

further details see Article 14(1)(d) GDPR. Similar to the ex-ante information in Article 13(1)(e) and 14(1)(e) GDPR, Article 15(1)(c) GDPR requires the controller

are dealt with in Article 12(6) GDPR. It is unclear why Article 12(2) GDPR refers to Articles 15 to 22 GDPR, while Article 11(2) GDPR only refers to Articles

rights under the GDPR, when relevant information is provided. Article 13 GDPR embodies the principle of transparency in Article 5(1)(a) GDPR, outlining the

additional benefit of Article 14(1)(d) GDPR may be questionable, if one agrees that Article 14(1)(c) (see commentary on Article 13(1)(c) GDPR) already requires

categories of data established in Article 9(2)(a) GDPR, Article 9(2)(c) GDPR, Article 9(2)(g) GDPR and Article 9(2)(i) GDPR directly correlate with a specific

Articles 13(2)(b) and 14(2)(c) GDPR. However, Article 21(4) GDPR specifies that the right to object under Article 21(1) and 21(2) GDPR (i.e. the right to

Datenschutzrecht, Article 32 GDPR, margin number 40 (C.H. Beck 2019). Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 32 GDPR, margin number 25 (C.H. Beck 2020

Category:Article 83 GDPR The wording “infringements of this Regulation” in Article 83(1) GDPR is slightly imprecise. In fact, Article 83(5)(d) GDPR also provides

affected since, under Article 28(1) GDPR, a controller shall only use processors providing the same standards under Article 25 GDPR. Manufacturers or producers

commentary to Article 60 GDPR, Article 61 GDPR, Article 62 GDPR, Article 63 GDPR, Article 64 GDPR, Article 65 GDPR, Article 66 GDPR and Article 56 GDPR. The SA

under Article 79 GDPR – or both. This flexibility allows for parallel proceedings under both Article 77 GDPR and under Article 79 GDPR. As the GDPR foresees

access (Article 15 GDPR), rectification (Article 16 GDPR), erasure (Article 17 GDPR), restriction of processing (Article 18 GDPR), notification obligation

purpose(s) (Article 5(1)(b)); lawfulness of processing (Article 6); adequate, relevant and limited to what is necessary data (Article 5(1)(c)); limited

requirements of data minimization (Article 5(1)(c) GDPR) and storage limitation (Article 5(1)(e) GDPR). Under Article 30(1)(f) GDPR, where possible, the controller

which would be competent under Article 55(1) GDPR, as provided in Article 56 GDPR in connection with Article 60 GDPR. For more information see commentary

processing), Article 57 GDPR (tasks of SAs), Article 58 GDPR (powers of SAs), as well as Article 65 GDPR (dispute resolution by the board), Article 63 GDPR (consistency

accountability in Article 5(2) GDPR, paragraph (2) specifies further requirements in the general principle of transparency under Article 5(1)(a) GDPR, paragraph

BDSG, Article 38 GDPR, margin number 14 (C.H. Beck 2020, 3rd Edition). WP29, ‘Guidelines on Data Protection Officers (‘DPOs’)’, 16/EN WP 243 rev.01, 5 April

the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 6 (available here). EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’

categories of data under Article 9 GDPR or data relating to criminal convictions and offences under Article 10 GDPR. Article 37(2) GDPR allows for the designation

Regulation (GDPR), Article 82 GDPR, p. 1175. (Oxford University Press 2020); Quaas, in BeckOK DatenschutzR, Article 82 GDPR, margin number 14 (C.H. Beck 2020

resolution mechanism under Article 65 GDPR in connection with Article 63 GDPR is triggered (Article 60 (4) GDPR). Article 60(2) GDPR clarifies that also in

mechanism referred to in Article 63 GDPR (Article 28(8) GDPR). The Commission has made use of its power under Article 28(7) GDPR and published standard contractual

exercise on their behalf all rights foreseen under Articles 77 and 78 GDPR and Article 20 of L. 4624/2019. The mandate shall be given with a specific written

11 (C.H. Beck 2020, 38th edition). Paal, in Paal, Pauly, DS-GVO BDSG, Article 2 GDPR, margin number 14 (C.H. Beck 2021, 3rd edition). CJEU, Case C-25/17

DS-GVO BDSG, Article 72 GDPR, margin number 5 (C.H. Beck 2020, 3rd edition). Nguyen in Gola, DS-GVO, Article 72 GDPR, margin numbers 1-2 (C.H. Beck 2018

(e.g. Article 25 (1) and (2), Article 28(1), Article 32(1) GDPR, Article 89(1) GDPR). These measures can also be regarded as measures under Article 24(1)

adequacy decision pursuant to Article 45 GDPR shall be used, when it exists; second, appropriate safeguards under Article 46 GDPR, such as binding corporate

Regulation (GDPR): A Commentary, Article 33 GDPR, p. 642-643 (Oxford University Press 2020). According to Bensoussan, the drafting of Article 33 GDPR drew inspiration

falls outside the scope of Article 57 GDPR should be deemed inadmissible for the purposes of Article 31 GDPR. Article 31 GDPR can be read as a supporting

with the support of the EDPB in accordance with Article 70(1)(b) GDPR. According to Article 45(5) GDPR, the continued monitoring referred to in paragraph

Articles 13 or 14 GDPR. This can be drawn from the final sentence of Article 11(1) GDPR. It must be assessed with the utmost attention whether GDPR provisions

decisions in Category:Article 26 GDPR Petri, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 26 GDPR, margin number 12 (C.H. Beck 2019).

subject (Article 12(2) GDPR), respond and communicate the measures taken (Article 12(3) and (4) GDPR), the principle of freedom from costs (Article 12(5) GDPR)

DS-GVO BDSG, Article 19 GDPR, margin number 12 (C.H. Beck 2020). Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 19 GDPR, margin

BDSG, Article 36 GDPR, margin number 5 (C.H. Beck 2020, 3rd Edition). Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 36 GDPR, margin number 5 (C.H. Beck

authority. The director did not have to inform the data subject under Article 14(5)(c) GDPR because the law clearly prescribed the acquisition or dissemination

important to note that Article 13(1)(f) GDPR, Article 14(1)(f) GDPR, Article 15(1)(c) GDPR and Article 15(2) GDPR, make specific reference to transfers of personal

64(2) GDPR). The remaining paragraphs of Article 64(3)-(8) GDPR lay down substantive rules and a detailed procedure for the EDPB’s opinions. Article 64(1) GDPR

Cases C-92/09 and C-93/09 Volker und Markus Schecke und Eifert. See for example CJEU in C-364/14 Schrems I and C-311/18 Schrems II. See Article 1(1) of

organisation), Article 45(5) GDPR (revocation, change of such determinations); Articles 46(2)(c) and (d) GDPR (standard protection clauses); Article 47(3) GDPR (formats

recitals for Article 97 GDPR. Article 97 GDPR imposes a "comprehensive reporting obligation" upon the Commission. The first paragraph of Article 97 GDPR sets out

Kommentar, Article 54 GDPR, margin number 12 and 13 (C.H. Beck 2017). Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 54 GDPR, margin number 14 (C.H. Beck

this purpose (Article 52(4)(5)(6) GDPR). Elements of SAs' complete independence are also addressed in Article 53 GDPR and Article 54 GDPR. The CJEU in the

DatenschutzR, Article 80 GDPR, margin number 10 (C.H. Beck 2021, 36th edition). Bergt in Kühling, Buchner, DS-GVO BDSG, Article 80 GDPR, margin number 5 (C.H. Beck

2016/679 [7] that: "Article 14, paragraph Article 14 (5) (c) allows for the abolition of the disclosure requirements in Article 14 (2). 1, 2 and 4, in

exchange of knowledge between them. This way, Article 50 GDPR expands the exhortation under Article 57(1)(g) GDPR that calls for cooperation between EU DPAs

into force of the GDPR. Spiecker et al., GDPR Article-by-Article Commentary (2023), p 1073. Spiecker et al., GDPR Article-by-Article Commentary (2023)

explicit wording of Article 81 GDPR does not limit its application to proceedings instigated either under Article 78 GDPR or Article 79 GDPR. Secondly, the

Category:Article 47 GDPR Kuner, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR) Update of Selected Articles, Article 68 GDPR, p

controller is subject, under Article 6(1)(c) GDPR. In line with the general objectives of the GDPR, as outlined in Article 1 GDPR Article 16 TFEU, SAs are also

DS-GVO BDSG, Article 53 GDPR, margin number 5 (C.H. Beck 2020, 3rd Edition). Polenz, in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 53 GDPR, margin

consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and (b) the processing is

from Article 6(1) GDPR and comply with the principles enshrined in Article 5 GDPR. Additionally, the processing will still be subject to other GDPR provisions

Regulation (GDPR), Article 75 GDPR, p. 1105 (Oxford University Press 2020). Dix, in Kühling, Buchner, DS-GVO BDSG, Article 75 GDPR, margin number 6 (C.H. Beck

However, Article 5(1)(d) GDPR gives the controller some leeway to continue processing inaccurate data - see more details under Article 5(1)(d) GDPR. Article

from any of the GDPR’s protections. → You can find all related decisions in Category:Article 39 GDPR Just as Article 38 GDPR, Article 39 GDPR also shows similarities

g, Article 95 GDPR, margin number 5 (C. H. Beck 2018, 2nd edition). Piltz, in Gola, Datenschutz-Grund-verordnung, Article 95 GDPR, margin number 5 (C.

protection law as enshrined in Article 5 GDPR must be complied with, and that the rights of the data subjects as found in the GDPR must also be available under

DatenschutzR, Article 73 GDPR, margin number 2 (C.H. Beck 2020, 36th edition). Brink, Wilhelm, in BeckOK DatenschutzR, Article 73 GDPR, margin number 4 (C.H. Beck

access (Article 15 GDPR), rectification (Article 16 GDPR), deletion (Article 17 GDPR), restriction of processing (Article 18 GDPR), objection (Article 21 GDPR)

BDSG, Article 69 GDPR, margin number 4 (C.H. Beck 2020, 3rd edition). Dix in Kühling, Buchner, DS-GVO BDSG, Article 69 GDPR, margin number 5 (C.H. Beck

(Articles 42(7) GDPR, 43(5), and 58(2)(h) GDPR). According to the EDPB, where a DPA is to conduct certification pursuant to Article 42(5) GDPR, it will have

decisions pursuant to Article 65 GDPR (Article 70(1)(t) GDPR). Article 68 GDPR is the first of nine Articles (Articles 68-76 GDPR) governing the EDPB set

DS-GVO BDSG, Article 59 GDPR, margin number 4 (C.H. Beck 2020). Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 59 GDPR, margin number 7 (C.H. Beck 2020

compliance with the GDPR under Article 58(2)(d) GDPR or even ban it under Article 58(2)(f) GDPR. Therefore, complaints under Article 77 GDPR should extend to

Regulation (GDPR), Article 89 GDPR, p. 1250 (Oxford University Press 2020). Eichler, in BeckOK DatenschutzR, Article 89 GDPR, margin number 12-13 (C.H. Beck

with the GDPR (Article 31 GDPR). Direct liability of the representative is limited to the obligations set out in Article 30 and Article 58(1)(a) GDPR. Article

DS-GVO BDSG, Article 71 GDPR, margin number 2 (C.H. Beck 2021, 3rd edition). Dix in Kühling, Buchner, GDPR BDSG, Article 71 GDPR, margin number 6 (C.H. Beck

(3) GDPR), inform him or her about the measures taken (Article 12(3) and (4) GDPR), the right to receive this service free of charge (Article 12(5) GDPR)

objections pursuant to Article 92(5) GDPR. Article 92(5) GDPR imposes a further condition for the delegation of power, in line with Article 290(2)(b) TFEU. A

meaning Recital 86 GDPR). However, Article 34 GDPR does not provide a specific deadline of 72 hours as is the case in Article 33 GDPR. Instead, timelines

leeway exists only in cases of Article 64(2) GDPR but not the context of Article 70(2) GDPR. According to Article 70(3) GDPR, the EDPB is obligated to “forward

conduct under Article 83 GDPR should be excluded from penalties issued under Article 84 GDPR is debated. Whilst the wording of the GDPR is simply unclear

Category:Article 74 GDPR For more on this point, see Article 72 GDPR. Dix in Kühling, Buchner, DS-GVO BDSG, Article 74 GDPR, margin number 7 (C.H. Beck

related decisions in Category:Article 76 GDPR Dix, in Kühling, Buchner, DS-GVO BDSG, Article 76 GDPR, margin number 1 (C.H. Beck 2020, 3rd edition). Docksey

clear from the wording of Article 41(1) GDPR. Article 41(1) GDPR does not define accreditation. Nonetheless, Article 41(2) GDPR provides a criterion against

lead SA (“LSA”) (Article 65(1)(b) GDPR), and where a SA is not following an opinion of the EDPB (Article 6(1)(c) GDPR). Article 65(1)(a) GDPR addresses the

requirements. Although Article 40(5) GDPR mentions that the competent DPA will be determined through the application of Article 55 GDPR, the GDPR does not provide

DatenschutzR, Article 78 GDPR, margin number 8 (C.H. Beck 2020, 36th edition); Körffer in Paal, Pauly, DS-GVO BDSG, Article 78 GDPR, margin number 2, C.H. (C.H. Beck

opening clause under Article 88(1) GDPR, any rules introduced must meet the criteria imposed by Article 88(2) GDPR. Lastly, Article 88(3) GDPR imposes an obligation

possibility offered to them under Article 66 GDPR. → You can find all related decisions in Category:Article 66 GDPR CJEU, C-645/19, 15 June 2021, Facebook

Spiecker et al., GDPR Article-by-Article Commentary (2023), p 1090. Spiecker et al., GDPR Article-by-Article Commentary (2023), p 1090. CJEU, Case C‑28/08, European

accordance with Article 58(1) GDPR. Article 90 GDPR was drafted with a view to regulate potential conflicts between the application of the GDPR on the one hand

163 GDPR). Tosoni in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 98 GDPR, p. 1315 (Oxford University Press 2020). Case C- 528/

and interpretation as in Article 22(3) GDPR. → You can find all related decisions in Category:Article 22 GDPR Article 20 of GDPR proposal, COM(2012) 11 final

under the GDPR. → You can find all related decisions in Category:Article 94 GDPR Kühling, Raab, in Kühling, Buchner, GVO BDSG, Article 94 GDPR, margin numbers

to in Article 42(5) and approved by the supervisory authority which is competent pursuant to Article 55 or 56 or by the Board pursuant to Article 63; (c)

directly to children. As such, Article 8 GDPR stipulates additional requirements for consent by children. Article 8 GDPR applies only if the processing

standards of clarity (Article 61(3) GDPR). Requests are imperative and, subject to specific exceptions (Article 61(4) and (5) GDPR), must be fulfilled and

principle of data minimization provided in article 5.c [read article 5.1 c)] of the GDPR. According to article [...] of the royalty by-law of the City of

Procedural Act (Zákon č. 71/1967 Zb. o správnom konaní – Správny poriadok) unless the GDPR or the Slovak Data Protection Act (Zákon č. 18/2018 o ochrane osobných

of such processing (see Article 5(1)(b) GDPR), the requirement to have a legitimate basis laid down by law (see Article 6(1) GDPR), the right to access and

question if Google LLC violated Articles 5 et seqq. GDPR in connection with Article 28(3)(a) and Article 29 GDPR. The DSB fully upheld the complaint with

had been elected by the Italian Parliament on the 14 July 2020. The Garante operates under the GDPR and the national Data Protection Act ("Codice per la

Nowak, C-434/16, EU:C:2017:994, paragraphs 34–35. 5 CJEU judgment Breyer, C-582/14, EU:C:2016:779, paragraph 41. 6 CJEU judgment Breyer, C-582/14, EU:C:2016:779

or excessive (Article 12(5)(b) GDPR). The CJEU agreed with the reffering court that it was unclear from the wording of Article 15(1)(c) GDPR whether there

regulation[1] article 5, subsection 2, cf. Article 5, subsection 1, letters c and f, and Article 5, subsection 1, letter a, cf. Article 6, subsection 1

given that Article 6(1), Article 5(1)(a), Article 5(1)(d), Article 5(1)(c), and Article 14 GDPR were infringed in connection to Article 5(1)(b), the AEPD

is guaranteed in Article 8 i 20 ECJ judgment M.I.C.M, C-597/19, EU:C:2021:492, paragraphs 102–104 and Breyer judgment, C-582/14 EU:C:2016:779, paragraph

minimisation obligation pursuant to Article 5 of the GDPR and the data protection obligations pursuant to Article 25 of the GDPR. The Federal Administrative Court

Breyer, C-582/14, EU:C:2016:779, paras 45–46. 10 ECJ judgment M.I.C.M, C-597/19, EU:C:2021:492, paragraphs 102–104 and Breyer judgment, C-582/14, EU:C:2016:779

Breyer, C-582/14, EU:C:2016:779, paragraphs 45–46. 7 CJEU judgment M.I.C.M, C-597/19, EU:C:2021:492, paragraphs 102–104 and judgment Breyer, C-582/14, EU:C:2016:779

addresses that the Medical List does today, cf. GDPR Article 4, No. 11, Article 6 No. 1 letter a, Article 7 and Article 9 No. 2 letter a If current practice is

protection regulation's article 5, subsection 2, cf. Article 5, subsection 1, letters c and f, and Article 5, subsection 1, letter a, cf. Article 6, subsection 1

83(1)(a) of the GDPR. 5 of the GDPR, and with Article 21(5) of the GDPR, and with Article 21(2)(a) of the GDPR. 1(b) of Law No. 2472/1997, in conjunction

basis under Article 6(1) GDPR. In light of this, the DPA issued a fine of €70,000 to másLUZ Energía (SIE) by virtue of Article 83(5) GDPR for unlawful

entitled to erasure under Article 17(1)(d) GDPR, as the data processing was not lawful. In any case, the requirements of Article 6 GDPR were no longer met 6

data in violation of the Privacy Ordinance, Article 5 (1) (a) and (c), Article 6, Article 12 (1) and Article 13. The Authority requested in the notification

pursuant to Article 82 GDPR. According to the Advocate General’s opinion, even if the notion of damages should be interpreted broadly, Article 82 GDPR implies

her designation in accordance with Union or national law Article 5(1)(a) and (c) GDPR: Article 5: Principles governing the processing of personal data 1)

as they relied on Standard Contractual Clauses (SCCs) pursuant to Article 46(2)(c) GDPR. It also claimed to have adopted a "risk-based approach" to the transfers

par le biais de la page de fans Facebook en question ; b. Article 21(1) j° c. Article 12(3) T&C, le deuxième défendeur n'ayant pas respecté le droit à un

information [...]". 5. Because according to the above article 17 of the GDPR, as it has been interpreted according to the content of the Guidelines 5/2019 of the

Articles 5(1)(b) and 5(1)(c) of the GDPR, as well as its duty of responsibility as the data controller, laid down in Article 5(2) of the GDPR. Furthermore

infringement of Article 5(1)(c) GDPR. After recalling that each concerned DPA could submit a request for mutual assistance under Article 61 GDPR and thereby

referred to Article 5(1)(a) (principle of lawfulness, fairness and transparency), Article 12(1), Article 7, Article 13 and Article 14 GDPR, the corresponding

under Article 77 GDPR was very clear and limited in scope. However, the DSB went on to assert a violation of Article 12 GDPR and Article 15(1)(h) GDPR, acting

called); -         Violation of the principle of data minimization, Article 5(1)(c) GDPR: inadequate and offensive comments or irrelevant comments related

obligation of the controller (Article 6 (1) (c)) or to perform a public interest task or exercise public authority paragraph (e)). Article 6 (3) of the Data Protection

and 14 of Regulation (EU) 2016/679 and article 11toun.3471 / 2006, according to article 58par.2 of the GCP in in combination with article 83 par. 5 of the

force: "According to Article 16 sentence 1 GDPR, every data subject has the right to request the controller (see Article 4(7) GDPR) to correct incorrect

other two conditions of Article 6 (1) (f) of the GDPR are not met. (26) The second condition of Article 6 (1) (f) of the GDPR is that the processing of

by article 32.1 of the Regulation (EU) 2016/679. (…) V Without prejudice to the provisions of article 83.5 of the RGPD, the aforementioned article provides

protection within the meaning of Article 45 of the GDPR and without appropriate safeguards within the meaning of Article 46 of the GDPR. Furthermore, the plaintiff

the controller had violated Article 5(1)(a) GDPR, Article 12 GDPR, Article 13 GDPR, Article 15 GDPR and Article 25(1) GDPR. As a result, the DPA issued

that the data is not obtained from the interested party (article 14). Article 13 of the GDPR states: "1. When personal data relating to him or her is obtained

the fine, the criteria specified in the same article 83. 111. Article 83 of the GDPR, as referred to in Article 20, paragraph III, of the Data Protection

under Article 15 GDPR." The DPA rejected the request for review. Genealogical research on a family surname did not fall within the scope of Article 15 GDPR

right to access under Article 15 GDPR because the controller was entitled to reject the request pursuant to Article 12(5)(b) GDPR. The court reasoned that

number C/10/576071 / HA RK 19-693 C/10/576074 / HA RK 19-694, C/10/576079 / HA RK 19-696, C/10/576083 / HA RK 19-697, C/10/576085 / HA RK 19-698, C/10/576094

very serious in article 72.1. e) from the LOPDGDD, with 10,000 euros. -article 13 of the GDPR, in accordance with article 83.5 b) of the GDPR, and for the

Wohnen SE €14,500,000 for violating Article 5(1)(c) and Article 5(1)(e) GDPR. The DPA of Berlin fined Deutsche Wohnen SE for violating Article 5(1)(c) and Article

provisions of Article 5(1)(a) and Articles 13 and 14 GDPR. Furthermore, the defendant violated the principle of integrity and confidentiality from Art. 5 Para.

fine, the criteria specified in the same Article 83." 112. Under Article 83 of the GDPR, as referred to in Article 20(III) of the Data Protection Act: "1

processor's accountability under Article 5(2) GDPR? Did the data processor under question violate Article 5(1) and 5(2) GDPR? Does the existence of a basis

to in Article 5(1) LRN, under which the controller did not fall in. Therefore, the controller breached Article 5(1)(a) GDPR and Article 6(1) GDPR, in conjunction

conjunction with Article 56(5), read in conjunction with Article 56(6), read in conjunction with Article 56(7), read in conjunction with Article 56(8). in conjunction

lawfulness, the Litigation Chamber concludes that Article 5.1.a. of the GDPR in conjunction with Article 6 of the GDPR have not been complied with with regard to

for the violation of Article 5(1)(f) GDPR and Article 5(2) GDPR. The AEPD considered that the fine was proportional, since the GDPR establishes that fines

that the controller had not violated Article 45 GDPR nor any of the subsequent Articles from Chapter V of the GDPR. The AEPD took into account that the

Markkinapörssi and Satamedia, C-73/07, EU:C:2008:727, para. 52 et seq.; also judgment of 14 February 2019, Buivids, C-345/17, EU:C:2019:122, para. 48 et seq

LPACAP), for the alleged violation of Article 6.1 and 13 of the RGPD, typified in the Article 83.5 of the GDPR. FIFTH: The database of this organization

specialized website. AG Bobek is also of the opinion that Article 6(1)(c) GDPR and Article 6(3) GDPR do not preclude national rules from laying down, without

it should have under Article 60 GDPR - Article 61(8) GDPR applied, which meant that the urgent need to act under Article 66(1) GDPR was presumed to be met

(Datatilsynet) held that the controller had breached Articles 5(1)(a) and (c), 6, 12(1) and 13 GDPR and for this fined the controller NOK 100,000 (approximately

recent letter (ref.C/ΕΞ/3668-1/08-08-2018) informed the company complained of the implementation of Regulation (EU) 2016/679 (hereafter GDPR) and the way in

within the meaning of Article 4 no. 2 of the GDPR and the term "transfer" within the meaning of Article 44 et seq. of the GDPR. GDPR had to be differentiated

assessing the scope of Article 96 of the Latvian Constitution, an account must be taken of the GDPR as well as of Article 16 TFEU and Article 8 of the Charter

regarding Articles 5(1)(b) GDPR and 5(1)(e) GDPR and held that national courts had to determine, using the factors of Article 6(4) GDPR, whether further

governed by the basic principle of GDPR, the principle of transparency (relevant Articles 12-14 of the GDPR). 4. The GDPR introduces the principle of accountability

violation of article 5.1.f) of the GDPR SAW The violation of article 5.1.f) of the RGPD implies the commission of the violations typified in article 83.5 of the

claimed party, for the alleged infringement of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR. FIFTH: Notification of the Commencement Agreement

breaching Articles 12(1), 14(1)(c), 14(2) and 14(3) GDPR. In addition, Datatilsynet also issued criticism in relation to Article 5(1)(a) GDPR for the controller’s

hereinafter, LPACAP), for the alleged infringement of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR. SEVENTH: Notification of the aforementioned

constitute personal data under Article 4(1) GDPR? If so, do they qualify as special categories of personal data under Article 9 GDPR? Is the defendant obliged

fail to adhere to the data transparency (Article 5(1)(a) GDPR) and the data minimisation (Article 5(1)(c) GDPR) principles? Was the defendant required to

issue. C. On the failure to comply with the obligations relating to cookies 53. According to Article 82 of the Data Protection Act, transposing Article 5(3)

judgment of 16 December 2008 - C-73/07, EuZW 2009, 108 para. 59). 16.12.2008 - C-73/07, EuZW 2009, 108 para. 61 f.; v. 14.2.2019 - C-345/17, NVwZ 2019, 465 para

LPACAP), for the alleged violation of Article 5.1.c) of the RGPD, typified in the Article 83.5 of the GDPR. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid

Moreover, the information provided as per Article 13 GDPR were not compliant with the requirements of Article 12 GDPR in light of the fact that TikTok services

provisions of article 5.1.c of the GDPR. On information and people’s rights: Under Article 69 of the “Informatique et Libertés” law and Article 14.5.b of the

a breach of Article L. 34-5 of the French Post and Electronic Communications Code. The CNIL recalls the provisions of Article 5(1)(c) GDPR, according to

vehicles. Article 5(1)(c) GDPR - “minimum data processing” principle 37. The principle of data minimum processing as set out in Article 5(1)(c) GDPR states

for an infringement of article 14 of the RGPD, typified in article 83.5 of the RGPD, a warning sanction, in in relation to article 74.a) of the LOPDGDD.

number C/10/576071 / HA RK 19-693, C/10/576079 / HA RK 19-696, C/10/576083 / HA RK 19-697, C/10/576085 / HA RK 19-698, C/10/576091 / HA RK 19-701, C/10/576094

towards employees, cf. Articles 13 and 14 GDPR complied with the principle of transparency in Article 5 (2) (1) (a) GDPR, which according to the Authority's

under Article 15(4)(c) and 15(8) of Law No. 4624/19, the national data protection law, in conjunction with Article 58(2) GDPR. According to Article 6 of

disclosing personal data from a surveillance footage, thus breaching Article 5(1)(a) GDPR and Article 6. The company appealed to the Norwegian Privacy Appeals Board

Protection RESOLVES: FIRST: IMPOSE C.C.C., with NIF *** NIF.1, for a violation of article 5.1.c), typified in article 83.5 of the aforementioned rule, a sanction

principles are found under Article 5(1)(a) and Article 5(2) GDPR respectively]. The Spanish DPA even made reference to Recital 40 GDPR on the legality of processing

violated Article 6(1)GDPR, for processing personal data without a legal basis. Hence, the AEPD decided to fine Telefónica for the violation of Article 6(1)GDPR

his/her consent. The DPA first outlined Article 6(1)(a) and (b) GDPR, Articles 4(11) GDPR on consent, as well as Article 6 of the Spanish Data Protection Law

www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 5 5/14 particular (…) ” III The RGPD deals in its article 5 with the principles that must govern the treatment

the DSGVO (ECJ, Judgment of 16.12.2008 - C-73/07, EuZW 2009, 108 marginal 56- C/D and others; v. 14.02.2019 - C-345/17, NVwZ 2019, 465 marginal 49/51 -

1, for a violation of Article 13 of the GDPR, typified in Article 83.5 of the GDPR, a fine of 2000 euros (TWO THOUSAND euro). C/ Jorge Juan, 6 www.aepd

limitation (Article 5.1 b) GDPR) C.1. General 42. In accordance with Article 5.1 b) of the GDPR, personal data is used “ for specific, explicitly defined

from them, as required under Article 14(1)(a) AVG and Article 14(2)(c)(e) and point (f) AVG; c. article 12 j° article 14 AVG, in view of the defendant

Pursuant to article 58, second paragraph, opening words and article 83, fifth paragraph, of the GDPR, read in in connection with article 14, third paragraph

with the principles of article 5 par. 1 GDPR. It is no coincidence that the GDPR includes accountability (see Article 5 para. 2 GDPR) in the regulation of

analyzes the criteria by Article 83.2 of the GDPR: - As to the nature and seriousness of the violation [article 83.2 a) of the GDPR], with regard to breaches

P3120800B, for the alleged violation of article 5.1.b) in relation to article 6.4 of the RGPD, in accordance with article 83.5.a) of the RGPD. SECOND: INITIATE

appear in the name of C.C.C. C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/14 2. That, thanks to friendly talks with C.C.C., the complainant

infraction of the Article 5.1.f) of the GDPR, typified in Article 83.5 of the GDPR. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/14 SECOND: SANCTION

a violation of article 5.1.a) of the RGPD, in accordance with article 83.5 a) of the RGPD. " No allegations are received against it. C / Jorge Juan, 6

with the provisions of article 58.2.b) of the RGPD, for the alleged infringement of article 14 of the RGPD, typified in article 83.5.b) of the RGPD. In that

the lack of a privacy and cookie policy on a website infringe Article 13 GDPR and Article 22(2) LSSI? The AEPD decided to impose a fine to the clinic: €

required by article 6 of the RGPD. The data processing carried out violates article 6 of the RGPD conduct that is subsumed in article 83.5 of the RGPD

National Court, C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 14/14 in accordance with the provisions of article 25 and section 5 of the additional

applies on violations of Article 13 (and 14) GDPR. The DSB held that § 24(6) DSG also applies on violations of Article 13 and 14 GDPR. A controller may therefore

the alleged violation of Article 48.1.b) of Law 9/2014, of 9 C / Jorge Juan, 6 www.agpd.es 28001 - Madrid sedeagpd.gob.es 5/14 May, General Telecommunications

to Article 14 - and not the right to information pursuant to Article 15 of the GDPR as alleged by the respondent - was alleged. However, Article 14 (1)

(f), Article 5(2), Article 6(1), Article 7(1), Article 24(1), Article 25(1), Article 32(1)(b), Article 32(1)(c) and Article 32(1)(b), Article 32(1)(c) and

hereinafter, LPACAP), for the alleged infringement of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR. FIFTH: Notified of the aforementioned start-up

opening clause in Article 86 GDPR if the disclosure involves personal data? The court held that the VIG complies with Article 86 GDPR: The provisions of

that under Article 82 (1) and (2) GDPR, any person who has suffered material or non-material damage as a result of a violation of the GDPR is entitled

portability; (c) where the processing is based on Article 6(1)(a) or on Article 9, (c) where the processing is based on Article 6(1)(a) or Article 9(2)(a),

that a controller is allowed to reject a request to access under Article 12(5)(b) GDPR as "excessive" if the request's sole purpose is to verify the validity

as Article 57 (1) (a), Article 58 (2) (e) and (i), Article 83 (1) - (3) and Article 83 (4) (a) in connection with Article 33 (1) and Article 34 (1), (2)

as used in Article 5 of the GDPR and that Article 17(1)(d) of the GDPR also does not apply.c. Is the method of registration inadequate?4.14. [applicant]

subject, and their (c) where the processing is based on Article 6(1)(a) or Article 6(1)(b) or Article 6(1)(c) of the GDPR Article 9(2)(a), the existence

transparency, cf. Article 5(1)(a), and accuracy, cf. Article (5)(1)(d), they hadn't recorded the processing activity as required in Article 30, hadn't conducted

approved appeal of Article 5(1)(a), Article 12(1), Article 13(1) and Article 13(2). The appeal for Article 5(1)(c), Article 6(1) and Article 8 GDPR was not approved

4 and article 15 of the GDPR (right of access), for reasons set out below. Furthermore, in accordance with article 58.2.c) of the GDPR and article 95, §

Authority. II.5.2. Established infringement of Article 5(1)(a) j° Article 6(1)(f) and Article 12(2) GDPR in conjunction with Article 17 (1) GDPR. II.5.2.1. Administrative

provisions of the GDPR relating to the principles of data protection (article 5 of the GDPR) and the lawfulness of processing (article 6 of the GDPR). An infringement

provided for in Article 5(1)(a), (e) and (f), Article 5(2), Article 24(1) and (2), Article 28(3), Article 30(1)(d) and (f) and Article 32(1) of the General

that the article’s publication was in violation of Article 5(1)(c) GDPR, Article 6(1)(f) GDPR, when read in line with Article 85 GDPR. Article 5(1)(c) outlines

lawfulness and transparency (Article 5(1)(a), 6 and 9 GDPR) as well as its obligations under Article 12, 14, 15 and 27 GDPR. The DPA fined the controller

thereby violating Article 12 (1) and Article 14 (1) points a) and c), as well as Article 14 (2) b), c) and e) of the GDPR points. 3.5. Customer 1's data

OJ L 119, 4.5.2016 p. 1; Article 16 of the Treaty on the Functioning of the European Union (TFEU), OJ No C 202, 7.6.2016, p. 1; Article 8 of the Charter

The Spanish DPA (AEPD) fined Borjamotor, S.A. for infringing Article 7 GDPR and Article Article 21(1) of the Spanish Law on Information Society Services (LSSI)

fulfilled the duty of information in accordance with GDPR. The Spanish DPA considered that Article 35 GDPR applies in this case and thus a DPIA is necessary

2016, Star Storage and others, C 439/14 and C 488/14, EU:C:2016:688, paragraph 46, and of 26 July 2017, Sacko, C 348/16, EU:C:2017:591, paragraph 31) 60 Consequently

required by Article 13 of the GDPR GDPR. The form used violated Article 13 of the GDPR conduct that is subsumi- ble under Article 83(5) of the GDPR, which provides:

investigation.14 see, to this effect, CJEU, July 18, 2013, Commission and others / Kadi, C ‑ 584/10 P, C ‑ 593/10 P and C ‑ 595/10 P,ECLI: EU: C: 2013: 518

punish illegal behavior. 6 Even if article 14 of the GDPR had been applied, as referred to in article 14 par. 5 of the GDPR regarding the information provided

information obligation provided for a / 'article 14, §5, (c) of the GDPR. (...) Pursuant to article 14, §5, (c) of the GDPR, the responsibility for processing

right to erasure (“right to be forgotten”) of Article 17 GDPR and Article 19 of Regulation 2018/1725. Under GDPR, such prolonged and unrestricted data retention

principles of minimization and purpose limitation (Article 5(1)(c) and Article 5(1)(b) of the GDPR): The Belgian DPA considers that the indication of the

groups January 14, 2020. 4. Capture WhatsApp message from a contact relating the request for money. 5. Report to the Police of January 14, 2020 filed by

internal compliance and accountability according to Article 5(1) GDPR, Article 5(2) GDPR and Article 6(1) GDPR. Since the company had totally ignored the its

cites Articles 5(1)(b) and (e), 9(2)(j), 89(1) GDPR and Section 7(1)(1) and (2)(1) GDPR. In particular, it follows from Article 9(2)(j) GDPR that the processing

time tracking system, due to a lack of compatibility with Article 7(4) and Article 35(9) of GDPR. KEO PLC decided to upgrade its ERP system, whose upgrade

judgments of the European Court of Justice C-131/12 and C-136/17 In the judgments of the EU Court C-131/12 and C-136/17, it has been stated that the processing

400,000 pursuant of Article 83(5)(c) GDPR for the breach of the international personal data transfer regime (Articles 44 and 46(2) GDPR). The service that

relation to the requirements prescribed by Article 12.1 of the GDPR (transparency obligation) and by Article 13 of the GDPR (right to information). The Head of

violated Article 12 GDPR, as it did not facilitate the data subject´s exercise of their rights, especially the right to erasure under Article 17 GDPR. In view

ofcontroller (article 4.7 of the GDPR), the scope of the GDPR (article3.1 of the GDPR), the right to erasure (article 17 of the GDPR) and its powers (article 58.2of

connection with Article 5 paragraph 1 point c, Article 9 paragraph 1, Article 58 paragraph 2 point f, point g and point i and with Article 83 paragraph 2

basis (article 14.1 c) GDPR), but all information as stipulated in article 14.1 GDPR in order to comply with the transparency principle (article 5.1 a) GDPR)

the violation of the GDPR: violation of article 6.1, violation typified in its article 83.5.a). IV Secondly, article 32 of the GDPR “Security of processing”

incorporate the obligation established in Article 20.1 c) of the LOPDGD to block the information for thirty days. Article 20.1 c) of the LOPDGDD states "That the

April 2016 (General Data Protection Regulation - GDPR), in conjunction with Article 3, Article 4(2) and Article 6(1)(b), all of which are applicable to the

obligation (Article 4:32 § 1 Wft). Therefore, Article 6(1)(c) GDPR was relevant. However, the Court highlighted that the phrase "at least on" in Article 6(1)

((articles 5. 1, a) GDPR , 12.1 GDPR and 14.1 a) and c) GDPR) and how the accountability obligation was fulfilled (art 5.2 GDPR and 24 GDPR). The parties

the data subject to seek further remedies. Moreover, in line with Article 14(4) GDPR, the controller should have informed the data subject that personal

free circulation of these data (hereinafter, GDPR); and in article 47 of the Law Organic 3/2018, of December 5, Protection of Personal Data and guarantee

under Article 15 GDPR to the defendant and requested i.a. information on concrete recipients of their personal data under Article 15(1)(c) GDPR. The defendant

personal data in the context of telephone jokes. Article 6 GDPR (legality of processing) and Articles 13 and 14 GDPR (transparency) were infringed. The decision

measures aimed at strengthening the security of the processing. Under Article 36(5) GDPR, the Italian Ministry of Health has submitted the Data Protection