Search results

Article 83 of the RGPD that an administrative fine of EUR 500 000, an injunction accompanied by a periodic penalty payment and an additional publication penalty

com/abstract=3319284. 10, i. An end user requests a web page; ii. The publisher's ad server on the web page selects an SSP; iii. The SSP then selects an Ad exchange; iv

Chamber emphasises that the purpose of imposing an administrative fine is not to only to put an end to an offence committed but, above all, to ensure effective

are monitored by an independent body. Art. 47 Charter of Fundamental Rights of the European Union – Right to an effective remedy and an impartial court

therein do not allow an individual to challenge in court the election procedure of the head of a DPA. This judgement stemmed from an appeal against a decision

storage of the ID. Consent is also not valid if data subjects must complete an additional form setting out that refusal. Orange  România SA is a  provider 

necessarily understand that they are seeing an ad or how an ad has been targeted towards them. • There is also an assessment of the impact on human rights

its usual meaning, indicates a “faithful reproduction or transcription of an original” in opposition to a “purely general description” of data. The true

2021, it appears that «[…]». The company is now planning an IPO in 2022. The audit points out that an IPO of a company means that the public has a clear interest

its holder. When an advantage or service is offered to a citizen by means of his identity card as part of a computer application, an alternative that does

luz Energía (SIE) to via an SMS. 2nd. There is certification of the digital signature of the supply contract by sending of an SMS with SIE, on July 14

The HDPA of Greece examined the complaint of an employee of the Hellenic Electricity Distribution Network Operator S.A. against the latter regarding a

Regulation as follows: "Any information about an identified or identifiable natural person (" the data subject "); an identifiable natural person is a person

Article 22(1) GDPR. In particular, it asked whether an automated creation of a credit score value constitutes an automated decision within the meaning of this

about the health of an employee of such service, when those data are required for determining that employee's working capacity. Allowing an exception to the

Article 83(5) GDPR provides that an infringer may be subject to an “administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of

a delivery address is an absolute necessity for the delivery of goods to the customers. Thus, Intervare does not detect whether an address is secret, as

An employee had submitted a complaint to the Greek Data Protection Authority about the video surveillance in the store in which she had worked. The Greek

personal data passed on to an uninvolved and unauthorized third party. This will make the Plaintiff exposed and there is also an indirect threat of potential

to process sensitive personal data When you leave an assessment on Legelisten.no, you must provide an e-mail address. For many, the email address contains

The Rotterdam Court of First Instance rejected an access request to procedural files before the State of the Netherlands as inadmissible. The Court ruled

property is Ms. A.A.A. with an e-mail address for notification purposes ***EMAIL.1 and the tenants are Mr. B.B.B. and Ms. C.C.C., with an e-mail address for notification

section 25 of the Data Protection Act (1050/2018), an appeal against this decision may be lodged with an administrative court in accordance with the provisions

resolution may be considered as an infraction. administrative action in accordance with the provisions of the RGPD, classified as an infraction in its article

Authority first.C/ES/3409/13-05-2019 complaint by A concerning receipt of an unclaimed communication policy (e-mail message) to promote the candidacy of

breach is an objective fact that does not coincide with the controller’s lack of appropriate security measures – i.e. the mere GDPR infringement. An annoyance

Supervisory Authority, “an agreement whereby a minor user consents to the processing of his or her personal data in connection with the use of an information society

ordered CARREFOUR BANQUE to pay an administrative fine of €800000. Insofar as the company took the necessary measures to put an end to the breaches of which

complaint under Article 77 GDPR. A data subject made an access request with an address publisher and direct marketing company, the controller, asking it specifically

restricted committee of the Commission impose an administrative fine on the two companies, as well as an injunction to bring into compliance the processing

recipient, and revoked), by the exporter or by an entity trusted by the exporter under a jurisdiction offering an essentially equivalent level of protection

Oy, a company that keeps a credit information register. This register gives an overview of the creditworthiness of debtors, whose debts are shown in the

person, to an indeterminate number of individuals sicas 3. An approved certification mechanism may be used in accordance with article 42 as an element that

not support as an interpretation that the legislator intended to extend the concept of "insured party" to apply also to the applicant an insurance before

construction of an office building. During the project, workers who carried out activities at the construction site registered their presence through an electronic

the claimant). The claimant states that, on January 3, 2019, he submitted an e-mail requesting the cancellation of the inclusion of his data in the Asnef

by default (Article 25(2) GDPR). The DPA suggested that if an insurance company requests an individual's health information from healthcare services, the

indirectly, in particular by means of an identifier, such as example a name, an identification number, location data, an online identifier or one or more elements

validation for an email that did not belong to the data subject. The AEPD pointed out a violation of Article 6(1) GDPR by processing data without an adequate

Letter b) GDPR to. The provision only lists the frequent repetition as an example of an "excessive" application on. However, the use of the word "in particular"

fixed phone of his office so that, in the event of an inconvenience, the recipient could request an exemption from a possible subsequent shipment. 5) Some

context, the one in which an interested party can issue the required declaration by filling in an electronic form, sending an email, uploading a scanned

data as follows: «Any information about an identified or identifiable natural person (« the registered »); An identifiable natural person is a person who

on final convictions in the credit information register Thing Correction of an error in the credit information register and entry of default information

data with AFS. The DPA opened an investigation regarding the controller. In the procedure, the controller stated that it had an agreement with AFS for the

that it had submitted an request for erasure (Article 17 GDPR), but had never received an answer form the controller. The DPA started an investigation following

to which the vacancy notice for a vacancy for an official position, including a managerial position for an official, and for the recruitment of candidates

​​constitutional protection of telecommunications includes, alongside an objective dimension, an indispensable subjective dimension, Thus, it is important to consider

electoral census for delivery to political parties (date 06/03/2019).On 17/05/2019 an envelope with a miniature name and address, with the letterhead of the PSC

health data. Following the report made by a website, the CNIL carried out an online check in September 2019. On this occasion, the Commission found that

a copy of the image of an email as an example. They also declare that the employees have a consultation portal, providing as an example impression of a

and 418 ZPO. A is neither an official document on declarations within the meaning of § 415 ZPO nor an official document on an official order, disposition

identifier was strictly necessary for the provision of an online communication service at the user's request. If an identifier had multiple purposes, the provider

which had to be taken into account as an aggravating factor. The intensity of the intervention, which had also covered an unlimited number of passers-by and

sentiment. b. Existence of an effective objection 35. Finally, it must be checked whether the respondent had to take into account an objection by the complainant

The events described above imply an impact on the content of the article 13 RGPD, lacking informative sign(s) with an effective address to the that, where

(article 100.1, 5 ° LCA) and an order of compliance detailed below (article 100.1, 9 ° LCA) accompanied by an administrative fine in an amount of 15,000 euros

for months, especially considering that he was the subject of an Interpol Red Notice and an intensified search. The main reason for the principle of the

The CJEU held that the mandatory disclosure, in the context of an online transparency publication, of personal information concerning a public officer

€150,000 for sending unsolicited advertising messages, for not responding to an access request and for not facilitating the objection to processing of personal

58(2)(f) GDPR, the Italian DPA imposed a temporary limitation on processing of an AI-powered ChatBot. The privacy policy did not clarify which legal basis had

this body may be considered as an administrative offense in accordance with the provisions of the GDPR, classified as an infraction in its article 83.5

July 29, 2022, an explanation of what measures the data protection officer has taken as a result of the decision, unless it applies for an amendment to this

of an illegal act will require the prior duty of information, which may be understood to have been fulfilled when the placed in a visible place an informative

An association that disclosed personal data of one of its members in a Whatsapp group was fined €3,000 for violating Articles 5(1)(f) and 32 GDPR. The

result information that is accompanied by an objectively perceptible factual error and which therefore gives an incorrect, incomplete or misleading picture

and that the term remains an autonomous concept of EU law. That means that it is not decisive if an offence is classified as an administrative offence in

they are the owner of the property being, therefore, an area of public access, which constitutes an access not authorized to said data. This document was

process, provided in particular as an ordinary way of dealing with the oral hearing of cases from May 30 to July 31, as an alternative to the purely paper-based

controller to reply to a data subject's request to delete personal data, to an objection of processing of data for marketing purposes, transfer to third

golf company AE’ (hereinafter ‘Glyfada GAAR’) which includes an event with the complainant and an employee of the company.This request was repeated on...,

not support as an interpretation that the legislator intended to extend the concept of "insured party" to apply also to the applicant of an insurance before

a credit score is a decision for the purposes of Article 22(1) GDPR, where an action taken by a third party ‘draws strongly’ from it. A data subject was

on ...2019 at ...2019 and time ... an automated telephone call from the number ..., to which he answered and heard an audio message that he had won 850

circumstances. The Belgian DPA brought an action before Court of First Instance of Brussels, Belgium on 11 September 2015, seeking an injunction against Facebook

provide for an observation period of at least five years with regard to the estimation of risk parameters. In contrast, data subjects have an interest in

certificate issued for ISO 27001 Certification (reflecting the result of an audit by an external auditor)." C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd

controller's premises. The controller argued that the DPA should have requested an explanation from the other company as well, because the data subject was not

the case to the access to written answers of an exam already decided by previous judgements. Therefore an access to the driving test videos may have the

000. Share your comments here! Share blogs or news articles here! This is an available machine translated decision. Please refer to the Greek original

La Salud) hired Electromedical and Information Services (ASEI) to carry out an internal investigation to assess whether the access to the data subject's

security.In addition, you are told that 401 GSNA is an Organic Formation of the General Staff, subject to an administrative management relationship and as a

challenge” died. The “blackout challenge” is an internet phenomenon in which participants film themselves in an autoerotic asphyxiation. This practice is

violation of Article 5 GDPR to be restored, as well as of its authority to impose an administrative fine that amounted to 8,000 EUR. The complainants claimed that

mobile app on her phone, without informing employees or customers. Following an appeal, the Norwegian Privacy Appeals Board upheld the DPA's decision. A trade

Regulation as any form of information about an identified or identifiable natural person (“the data subject”). An identifiable natural person means a natural

processing activities. The board rejected the request. Eventually, the DPA brought an appeal before the Supreme Administrative Court, which referred the following

the principle of accountability. Moreover, the processing was conducted in an opaque way with regard to both its general policy and dealing with the data

organization may be considered as an administrative offense in accordance with the provisions of the RGPD, classified as an infraction in its articles 83.5

(Garante) imposed a fine of €12.25 million on Vodafone Italia S.p.A, following an inquiry into their telemarketing practices which revealed that Vodafone was

form of processing based on Article 4(2) GDPR. The DPA has the power to issue an ex officio interim order for immediate total or partial temporary restriction

HDPA ran an on site audit at the Ministry of Foreign Affairs as being the data controller according to VIS Regulation and VIS Decision. VIS is an information

organization may be considered as an administrative offense in accordance with the provisions of the RGPD, classified as an infraction in its articles 83.5

of the principle of accountability, had to examine whether there was an issue of an adverse effect on the rights and freedoms of the mother with a view

for review by the second contested decision. The data subject claimed for an annulment of the decision by European Data Protection Supervisor (EDPS) of

rules"; HAVING DETECTED the publication by the online newspaper La Cronaca24 of an article entitled: "XX" available at the link https://... in which, citing

participant in an electronic database, it is possible that among the numerous registered calls there is an error in the number, due to an incorrect entry

resolution may be considered as an infraction administrative in accordance with the provisions of the RGPD, classified as an infringement in its article 83

DEYA X violated GDPR's data minimization principle Article 5(1)(c) by sharing an employee's personal and health data with multiple recipients without proper

restriction, and objection. In its decision, the DPA held that, in principle, an employer could not consult private emails of his employees, even if the company

forgotten was not infringed and rejected the complaint. The data subject has filed an administrative appeal against this decision. The Austrian Federal Administrative

do not preclude national rules from laying down, without any limit in time, an obligation for Internet advertising service providers to communicate certain

controller, and about the fact that their personal data could have been used for an additional purpose. The Greek DPA also found that the objections of the customers

(in ahead, the claimed one). The claim indicates the following: “I received an email from pulpower to confirm my subscription, as I had not done no management

viewed that an activity cannot be regarded as purely personal or domestic where a) its purpose is to make the data collected accessible to an unrestricted

electricity supply corresponding to the claimant's supply point, providing an email address for the invoice to be sent. To be able to carry out the requested

Energéticas, the controler, filed a lawsuit against the data subject due to an alleged debt. In the judgment , a Spanish Court of First Instance dismissed

subject could exercise their right to object and erasure. This case concerns an interlocutory judgment in the case C/13/694440/KG ZA-20-1118 MvW/JE dated

willingness to be known, as well as regarding the conditions under which such an access should be provided. This question, as the HDPA found, was never answered

failing to implement appropriate technical and organisational measures to ensure an appropriate level of security. The failure resulted in a data breach and unauthorised

the Constitution also establishes that it is prohibited the attribution to an unique national number to the citizens. In Portugal the GDPR is implemented

bureaucratic steps that severely limit individual rights. Proceedings before an administrative tribunal can take up to 2 years. You can help us fill this

provide the members of the Supreme Court with independent advice – known as an ‘advisory opinion’ (conclusion)- on how to rule in the cassation proceedings

administrative fines of maximum EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the C/ Jorge Juan, 6 www.aepd.es 28001

and records relating to her, including any decision of the Supreme Court on an appeal. A relevant case: HDPA 12/2024 Please find relevant provisions of laws

fundamental rights of the data subject is not overridden, following § 12 (2). In an employment context, processing of personal data may take place on the basis

was fined 9898 RON (equivalent to €2000) for sending unsolicited message to an e-mail address collected indirectly from public sources for the purpose of

A car rental company filed an appeal with the Spanish National High Court against a Spanish DPA decision in which a fine of €25,000 was imposed for breaching

proceed and is not willing to open an investigation against a company established abroad that has not designated an EU Represenative. Rocketreach sells

breach from a person who became an unauthorized recipient of personal data. The breach involved sending an email with an unencrypted, non-password protected

by e-mail, by an insurance agent, who is an entity processing for an insurance company, an insurance policy containing personal data to an unauthorised

Article 32 (1) (d) • An assessment of privacy consequences has not been carried out, cf. Article 35 • Using an application with an insufficient level of

e-mail through encryption. Enforced TLS is an example of an encryption solution that can be used to protect an e-mail. In the present case, enforced TLS

had processed the complainant's data without an appropriate legal basis. The DVI received a complaint about an employer who had allegedly informed other employees

corporate email if having an email address is necessary for the workers. The Labour Chamber of the Spanish National High Court dealt with an appeal from a case

was not adequately secured, as it was transmitted in an unencrypted format. The DPA initiated an investigation in response to the complaint, in which it

explains its authority to impose an infringement fee, before explaining its assessment related to the infringement fee and whether an order should be issued. In

subjects who did not have an account with DPG Media, and had to provide a copy of their ID, as verification, before they could submit an access request pursuant

decision made at an individual presentation and the appeal instructions have not been attached. The notice must nevertheless be regarded as an appealable decision

Accounting Oversight Board following an application for approval by the Federal Minister of Finance. The transfer was based on an administive arrangement per Article

further proof of identity before fulfilling an access request. The Council of State reaffirmed that such an additional request must not be so demanding

of third parties that must be submitted so that an undertaking can qualify for the customs status of an authorised economic operator (AEO). According to

imposed a €35,000 fine on an energy company for the violation of Article 5(1)(f) GDPR and 32 GDPR because an employee accidentally sent an email to the data subject

indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or more elements

Company. The President of the UODO initiated an administrative proceeding against the Company to impose an administrative fine on the Company. The DPA found

imposed a €35,000 fine on an energy company for the violation of Articles 5(1)(f) and 32 GDPR because an employee accidentally sent an email to the data subject

for private life on the one hand and rights to protection of property and an effective remedy on the other hand. Directive 2002/58 provides rules determining

Persoonsgegevens (AP) launched an investigation into a possible breach of the GDPR against the provincial political party PVV Overijsssel after an individual filed a

automatically and in all cases of such an obligation on the employee. However, such an obligation of the employee may be ordered by an individual company or organization

appointing an EU representative. It further required Locatefamily.com to pay an exrta €20,000 for each two-week period it failed to appoint an EU representative

a controller €3,000 for not ensuring an adequate protection of personal data against the misuse of a processor. An employee had recorded and shared footage

Administration Act states: When it is stipulated in law that an administrative sanction may be imposed on an enterprise, the sanction is imposed even if no individual

ordinary letters by Mr M. K." bearing an illegible signature and stamp reading "W. [...] *AN*" and a copy of an unaddressed sample notification. In response

a fair trial under Article 6 ECHR. The data subject, an asset management professional, undertook an agreement with PME Investment Services. The agreement

to: • when an Assistant Director should decide to issue an electronic monitoring condition despite one of the exceptions applying; • when an electronic

after an assessment of the criteria in the Personal Data Act 2000 § 46 first paragraph, the Norwegian Public Roads Administration is ordered to pay an infringement

will that inform the data subject by means of a statement or an unambiguous active accepts an act concerning him/her concerning the processing of personal

sent an e-mail to the defendant's data protection officer. He writes the following: "Dear,I am not a customer of [defendant], yet today I received an email

confirmed an online pharmacy's (Promofarma ecom S.L) compliance with the GDPR after having used its investigation powers. The AEPD carried out an ex officio

can be assigned to an employee with the required roles (which an employee with this company role name must have), allowed roles (which an employee with this

but one an exception to a general rule from the GDPR, namely that breaches of the GDPR are possible are curbed with an administrative fine. As an exception

that it accepts of t these considerations would be based on an illegality, an irregularity or an error manifest. The fact that the person concerned by the

number [number] ; On 7 March 2016 ABN AMRO an A coding for contract number [number] ; On 7 March 2016 ABN AMRO an A coding for contract number [number] ;

Administration Act on administrative sanctions. An administrative sanction means a negative reaction that can be imposed by an administrative body, which is directed

83(5)(e) in fine of Regulation 2016/679, to an administrative fine of up to EUR 20,000,000, and in the case of an enterprise - up to 4% of its total annual

service provider provided an IP address, insofar as that legislation enables the national court seised of an application for an order for disclosure of personal

assess an application for compensation for material or immaterial damage resulting from an act in violation of the General Administrative Law Act by an administrative

personal data processing) [16] : Form no. 1: By submitting an application, an individual expresses an interest in vaccination with a vaccine against COVID-19

of his ex-wife as an individual. In response to the complaint, the defendant stated that it was the claimant herself who firstly sent an e-mail to the school’s

context of an Article 60 GDPR procedure, the Cypriot DPA reprimanded a controller for unlawfully asking a data subject’s ID when addressing an access request

companies. Employee policy breach Booking argued the fact that an employee had breached an internal protocol by not reporting the suspected incident to the

conditions that must be met for an applicant (other than the ‘privileged’ applicants pursuant to Article 263(2) TFEU) to challenge an act, where it is not the

following information: "www.***frauen.com is an offer of: N***Netzwerk GmbH & Co KG" and "www.dates***.com is an offer by: N***Netzwerk GmbH & Co KG". In order

administrative proceedings to impose an administrative fine in connection with the impossibility of carrying out an inspection in the scope of the Company's

Commissioner’s Office (ICO) has issued fines totalling £120,000 to an EU referendum campaign and an insurance company for serious breaches of electronic marketing

The Danish DPA (Datatilsynet) held that an insurance company acted in accordance with Article 15 GDPR by not disclosing to a data subject the name of the

process personal data with an appropriate level of security, as required by Article 32 GDPR. The company accepted applications via an applicant portal integrated

Prior to contact with the respondent, an announcement letter accompanied by an information leaflet as well as an email or SMS (which will refer to the

States shall issue an alert for refusal of entry and stay if the Member State, on the basis of an individual assessment, which includes an assessment of the

infringement. Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and

proposed to the Commission's restricted session to impose an administrative fine on AEC and an injunction, together with a penalty payment, to bring the

and the greater the personal cost of an action, the less likely it is that an action will be committed. Thus, an attempt is made to increase the costs

authorized to initiate an investigation, including an on-site investigation, if it does so useful. Operative part The AP submits an order to the UWV for

indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors

creating an account, accounts were not locked after a certain number of failed access attempts, and part of a reference code used instead of an account

guiding principles: 1 If an intended application for legal protection is settled before lis pendens and the possible filing of an action for a declaration

Arnhem-Leeuwarden confirmed an interlocutory injunction from the Court of First Instance, stating that a copyright watchdog could not force an Internet Service Provider

Spanish DPA held that where an employee had signed an image rights transfer agreement with their employer, prior to the display of an advertisement banner using

the controller relies on an overall bundled consent to anything contained in the terms and the privacy policy. This represents an “all-or nothing” approach

Under the old Personal Data Act of 2000, there was an additional requirement that the business may have an "objective need" to obtain credit information. This

Regulation as any form of information about an identified or identifiable natural person ('the data subject'). An identifiable natural person means a natural

provisions, provided that these serve to safeguard an important public interest. The complainant has an obligation to provide information and evidence to

personal data caused by an "underlying bug" is due to an infringement of the requirements of Article 32 GDPR. 88. The FR SA expressed an objection concerning

Norwegian DPA (Datatilsynet) stating that they had been subject to an unauthorized credit rating. An employee of the credit rating agency has indeed triggered a

club (UAB VS FITNESS), fingerprint scanning is required. It then initiated an own volition investigation of a possible breach of the GDPR. The VDAI found

constitute an economic activity for the service provider. ... c) "Service provider" or "provider": natural or legal person that provides an information

protection by an organ that exercises judicial activity, which is not the case here as there is no connection with court or legal proceedings, it was an issue

reachyou later than usual.” (It might be an automatic response). 8.4. On 19 May 2019, the data subject sent an email to , saying the following: I’m sorry

viewing of an apartment that was advertised for sale, without their consent and knowledge. The photo was available on a public website via an URL link.

employees' fingerprints. Security An employer may ask an employee to give a fingerprint for, for example, access control. Sometimes an employee is obliged to give

to established case law, Internet advertising is usually only an invitation to submit an offer. The Senate sees no reason to deviate from this basic rule

subject, and not on whether identification is possible for an 'average reader'. This is an appeal of the earlier case T‑384/20 - OC v European Commission

imposed a warning on an association for the protection of prison workers for publishing personal data without consent on Twitter. An association for the

Norwegian Data Protection Authority's assessment of an infringement fee of NOK 100,000 for having monitored an employee's e-mail box without a legal basis, cf

83(5)(e) in fine of Regulation 2016/679, to an administrative fine of up to EUR 20,000,000, and in the case of an undertaking, up to 4% of its total annual

photographed and / or photographed by the selfie box during an active action. In connection with the start of an event, it is announced over loudspeakers that there

rights or special dangers or (3) in the interest of private documentation if an identification of persons is not intended. It is unclear if this national

liability of each in the event of breach of data protection laws. Fashion ID, an online retailer clothing company, embedded the ‘Like’ social plug-in from

within 30 days by either: - an appeal to the Data Protection Inspectorate pursuant to the Administrative Procedure Act; or - an appeal to Tallinn Administrative

Act , an administrative sanction may be imposed on an enterprise itselfif no individual has shown guilt. This means that Oslo Municipality has an objectiveliability

conducting an inspection before starting an administrative offense case is also in the manager's interest, because not every inspection results in an administrative

educational magazines, received an e-mail from the individual in charge of its web-portal. This individual stated that an external alleged researcher had

not therefore mean that an administrative body is obliged to provide a copy of the documents containing those personal data. An administrative body may

data subjects were harmed in any way. After an overall assessment, the PVN concluded (under doubt) that an administrative fine for such a violation should

remembered that the complainant was an employee of a higher federal authority and repeated the request to present an ID card in order to obtain a PeP (politically

question per. email, even if they had an email address registered with the Zoo. Against this background, Zoo stated that an extract of e-mail addresses had been

in these proceedings, has made an attempt to justify such proceedings. Considering that the Company is an entrepreneur, an entity professionally participating

performance of an agreement involving the data subject or, at the request of the person concerned, to take measures before concluding an agreement take;

in particular by means of assignment to an identifier such as a name; an identification number, location data, an online identifier or one or more factors

basis. The Slovenian DPA (IP) was asked for an opinion concerning the scope of GDPR Article 15. Within the GDPR, an individual can only request their own personal

Secure @ Mail. In the case of an advisory email about new e-mail in Secure @ Mail, the advisory email will include: include an ID number on the email, a link

with an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element

Court has ruled on the merits of the case. According to the Court, an appeal against an administrative decision can only be effective if the applicant is

Following an investigation, the Croatian DPA (AZOP) held that data processor, an IT company, did not take necessary measures to achieve an adequate level

personal data to Google LLC in the U.S. The respondent is an online retail company. The complainant is an individual represented by noyb - European Centre for

complex, the organization acting as a data controller can state that it needs an additional time of up to two months. In the case of one complainant, Alektum

by means of an invoice form signed by her, that an amount of € 32,368 be transferred to her by virtue of this money loan in order to pay an invoice from

There is no place for an independent appeal against the order under point 1, only on the merits of the case may be challenged in an appeal against a decision

appellant may challenge this decision within 30 days by submitting an appeal to an administrative court in accordance with the Code of Administrative Court

breach of Article 83(6) GDPR for failure to comply with an order of the DPA, the DPA imposed an administrative fine of €440,000 on the controller pursuant

The controller requested a copy of an identity document for identification purposes. Following the request of an official identity document, the data

systematically requesting an ID card for the exercise of right by a data subject a violation of Article 12 GDPR ? Are the following practices an infringement on

require a certain degree of seriousness to be taken into account. An employer dismissed an employee for having allegedly faked their sick leave. The employer

Benefits Department used the applicants' nationality (Dutch/not Dutch) as an indicator in an automated "risk-classification model", to assess which applications

The Spanish DPA held that sending an e-mail without using the BCC (Blind Carbon Copy) option is an infringement of Article 5(1)(b) and (f) GDPR. In particular

indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors

requests from an Airbnb customer (the data subject) to Airbnb Ireland UC (the controller); an access request under Article 15 GDPR and an erasure request

self-employed and liberal professionals to switch from a paper to an electronic invoice. Due to an error in the selection of e-mail addresses, a number of the

indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors

Does the tracking of a company vehicle (which an employee is also free to use in his leisure time) by an employer via a GPS positioning system require

the protection of personal information. Access to an employee's or former employee's e-mail box is an intrusive treatment of personal information, and constitutes

new call on 20/10/2020. The company reports that due to an obvious and unacceptable error by an employee, the implementation of the inclusion of the number

require a national court, called upon to give a ruling on an application for an injunction against an intermediary whose services are used by a third party

identified, in particular by means of an identifier such as a name, an identification number, location data, an online identifier or of one or more elements

held that according to § 59 (4) of the Federal Data Protection Act (BDSG), an authority obliged to provide information to a data subject may only request

reason, the processing of personal data from an electoral roll for an election in 2012 not possible for an election in 2018. As regards the lack of transparency

State adopted an almost identical decision concerning an appeal brought by the mother company Facebook Inc.. The only differences concern an argument raised

State adopted an almost identical decision concerning an appeal brought by the daughter company Facebook Ireland. The only differences concern an argument raised

until the expiry of the time limit for bringing an action to challenge the decision or, in the case of an administrative action, until the final decision

may take place regardless of whether the person is convicted of an offence that entails an increased risk of relapse into “DNA relevant” crime. Thus, the

register and no longer has a legal representative. If an investigation in this case were to reveal an illegal processing of personal data, the right to impose

the fact that the entry / exit card is an excessive measure. 2. On 17/10/2019, an Officer of my Office sent an email to his XXXXXXXX Defendant's staff's

send an email to ciao@ecooltra.com for there is evidence that you no longer want to use the account. ELEVENTH: On October 30, 2018 at 4:26 p.m. an email

GDPR by requiring a legitimate interest for granting an access request, and by not responding to an access request, thus denying the data subject its rights

were not kept in connection with an obligation under pharmaceutical law and (b) had not been taken along in the context of an audit of the operation of a Section

violation was found since the data breach was an isolated incident and the controller complied with Article 33 GDPR. An investigation was started on 20 December

authorized by the government (the Disputes Chamber of the GBA acts here as an organ of an administrative authority - which, although it depends on the legislature

indirectly, in particular by reference to an identifier such as a name, an identification number, a location data, an on-line identification or one or more

which includes an Israeli journalist, Raviv Drucker, an Israeli website, Seventh Eye, and one of its staff writers, Oren Persico, and an American journalist

indirectly, in particular by reference to an identifier such as a name, an identity number, location data, an online identifier or to one or more factors