Search results

indirectly, in particular by reference to an identifier such as a name, an identity number, location data, an online identifier or to one or more factors

directly or indirectly, in particular by an identifier, such as a name, an identification number, data location, an online identifier or one or more elements

not able to provide such data following an access request. A complainant, a previous worker of Amazon Spain, made an access request to Amazon in order to

directly or indirectly, in particular by an identifier, such as a name, an identification number, location, an online identifier or one or more elements

guidelines) and not the acceptance of work under an agency agreement within the meaning of the Law of Obligations Act.An impact assessment/study is not, by its nature

directly or indirectly, in particular by an identifier such as a name, identi- fication number, location data, an online identifier or one or more elements

must be sufficiently precise to be invoked by an individual and by the national courts [and imposes] an unconditional obligation. ” 4 CJEU judgment of

downloads the application form via the website of the embassy or BZ. An appointment for an intake at the consulate can be made be on the embassy's website via

Furthermore, the evaluations are only displayed when an higher amount evaluations are collected. As an additional safeguard, all students are verified via

carried out by an optician or an optician or ophthalmologist. According to the answer, many customers do not seem to know that dealing with an optician is

that was available to the creditors came from the surrender of an insurance policy and (for an amount of € 10,757) from a son of [applicants] et al. would

the law if (i) there is an infringement of a subjective right, (ii) an act or omission is in breach of a statutory duty or (iii) an act or omission is in

claimed, from the email address: ***EMAIL.1 sent an email email to the SGT and General Directorates, in which an Excel sheet was attached where you could see

Adherence to an approved code of conduct within the meaning of Article 40 or to a certification mechanism approved under Article 42 may serve as an element

exclusively at its own expense. It therefore struck down SABAM's claim for such an injunction to be issued against Netlog. SABAM is a management company which

of an adopted child. An applicant applied to the Vilnius City Administration (hereinafter - the Administration) with regards to the education of an adopted

burden of proof. It is therefore clear that an expectation of privacy arising from contract (more specifically an employment contract) has to be expressly

recidivism to be an aggravating circumstance. Se / on el / e, / 'the absence of an aggravating circumstance does not mean the existence of an aggravating circumstance

travel services to Russia offered on the website, and an offer for a group trip is requested by sending an e-mail to the registrar. Visa types other than group

of […] euros in 2015. 5. During the summer of 2015, during an internal research project on an anti-fraud mechanism, the company reused personal data contained

indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors

although Member States are in principle free to fix an appropriate fee for bringing an appeal before an administrative authority, that fee may not be set

October 2019, - an internal audit subcontracted to an audit firm covering organizational aspects, - an external audit carried out by an audit firm, in order

carried out an online control mission on the "discord.com" website and on the DISCORD mobile application on 17 November 2020. 8. On 29 December 2020, an off-site

personal information could reach an unlimited number of viewers. Dragefossen had operating revenues of around NOK 113 million and an annual profit of approx. NOK

legislator as an alternative to the judicial procedure (see articles 77 to 79 of the GDMP). The lodging of a complaint should remain an easy step for data

PT and SK (Kancelaria [...]), an administrative fine, the President of the Office for Personal Data Protection, declaring an infringement by the Chief National

indirectly, in particular by means of an identifier, such as a name, an identification number, data from location, an online identifier or one or more elements

national legislation. The DPA conducted an audit of the IT University of Copenhagen (ITU) and their use of an online proctoring service for one of their

number of persons so that the information was accessed by sending an e-mail (i.e. an automated process). 19. In this sense, it is clear that within the

there was an error in the delivery and that several letters to a couple of clients were confused. With the same date "Client indicates that an unknown person

as "personal data": any information about an identified or identifiable natural person ("data subject"); An identifiable natural person shall be considered

DPA (AEPD) against a university where they had had different roles, ("an employee, an employee with disciplinary proceedings, undergraduate student, master's

Administration Act states: When it is stipulated by law that an administrative sanction may be imposed on an enterprise, the sanction can be imposed even if no individual

proportionality assessment or an adequate weighing of interests. Therefore, the Greek DPA held that the processor acted as an independent controller within

I. Facts [2] The defendant holds a business licence as an address publisher and was active as an address trader for ten years with the aim of enabling its

Televisive Italian S.p.A. (RTI) and prohibited the broadcasting of an interview made by “Le Iene” (an Italian TV program) reporters, which infringed the Italian

imposition of an administrative fine and an injunction to appoint a data protection officer against the municipality. A. On the imposition of an administrative

Article 15(1) GDPR, but instead introduces an independent provision. The wording of Article 15(3) creates an obligation on the controller to provide the

and organisational measures to ensure an adequate level of security. A company called Gureak Lanean suffered an attempt of hacking of their servers. The

Italy held that when an individuals is asked to consent to the processing of their personal data by an algorithm in order to reach an automated decision

by Article 6(1) GDPR, after hiring a handwriting expert to determine that an alleged signature was fake. The Bulgarian DPA examined a complaint lodged

The data protection commissioner's office requested an explanation from the data controller with an explanation request dated July 4, 2023. On 10 August

rule incorrectly or makes an incorrect assessment of the facts, this could result in an incorrect decision. If NAV has used an incorrect understanding of

Nordic has stated that an order confirmation by mail is not as good documentation of a contract as an audio recording, since an order confirmation, for

punishable by a fine of 20,000,000 euros as maximum or, in the case of an enterprise, an amount equivalent to 4% as maximum of the total annual overall turnover

July 2019. Again, on 17 July 2019, NRA requested an all-round audit of its information systems by an independent external organization. NRA also developed

wanted to book accommodation in an hotel, the controller, which offered three options to do so on its website: through an external service provider, through

Protection Authority (Datatilsynet) issued a reprimand concerning the use of an acquired development and testing environment without implementing the appropriate

management platform’ (CMP), which is an interface that appears when a data subject first navigates to a websites or uses an application for the first time.

German Supreme Court (BGH - VI ZR 60/21), the court came to an opposite conclusion that an online platform collecting and publishing personal data of doctors

a company had obtained access to an employee's emails. In the first case, the company had accessed her inbox due to an acute situation where they needed

fines Vodafone €10,000 for transferring personal data from their customers to an advertising company without prior consent. After requesting the provision

The Portuguese DPA considered that an organisation is the controller of personal data when employing the services of a direct marketing company to promote

addresses in the "To" section instead of the "BBC" section while sending an email. At an unspecified time, the controller, a Romanian water supplier, incurred

In October 2020, the Polish DPA received an anonymous tip informing about this incident. The DPA started an investigation and requested information from

that CP&A maintained an online register, containing data on the cause of absenteeism in its employees. In response, it launched an own volition investigation

data as follows: 2 «any information about an identified or identifiable natural person (« the registered »); An identifiable natural person is a person who

associated an email address and/or phone number with a business account (whether as a mandatory requirement of switching prior to September 2019, or on an optional

In 2019, after conducting an internal risk analysis and a Data Protection Impact Assessment (DPIA) the hospital introduced an encryption solution for secure

CI Plus module as an alternative to a loan receiver (quasi an adapter that replaces the zapping receiver and can be inserted into an existing receiver

controller applies for an amendment to this decision. The Deputy Data Protection Commissioner also gives the data controller an order in accordance with

information. That is not an improper purpose. Court can deal with abuse of process if shown If there is an abuse in seeking a remedy for an ulterior purpose,

the same results. An automated message informing clients that the account was no longer functioning, for instance, would have been an adequate solution

AP has started an official investigation. This decision covers the period from 2012 to enwith2018. 1.2Process flow On 4 September 2018, an AP supervisor

cf. Article 24. An employee in a municipal health care center had access to highly sensitive personal data (image files) through an incorrectly configured

this is whether it is an individual case or a system-wide problem weave. If, in the case of an individual application, there is an indication that it is

"personal data": any information about an identified or identifiable natural person ("the interested party"); an identifiable natural person shall be considered

The EDPS found, after the CJEU requested for an authorisation of contractual clauses under Article 48(3)(a) of the EU GDPR, that no data transfers took

followed such an approach in the assessment of fines based on the fine concept of the Data Protection Conference of 19.10.2019. Such an assessment method

ordered an employer to delete the HR evaluation data on its employees. The decision comes after a complaint filed by an employee concerning an access request

courtyards or the vicinity of commercial buildings and the area in front of an ATM, where an individual could not expect privacy in the absolute sense. Thus, the

submitted a complaint to the AEPD stating that the defendant had sent an email containing an accusation of attempted fraud, letter of dismissal, and severance

and to make an alternative available if a student is unable or unwilling to work with proctoring, without this leading to study delay. 2.8 An internal memo

also seeks an amendment of the contested judgment, but in the sense of a complete dismissal of the action. In the alternative, it is seeking an application

committed an infringement and the Authority considers that a fine is justified, the Authority should note that the Applicant has committed an infringement

GDPR. The Bank launched an internal investigation and confirmed the committal of the violation, which it attributed to an error of an employee of its local

Following an audit, the Luxembourg DPA (CNPD) imposed a fine of €18,700 on a company because of four breaches relating to the role and position of its

with INDECEMI and received an email with the details of another person who was also in the claim process, who, in turn, received an email with the data of

the complainant's personal data in an online article) was carried out for journalistic purposes. As the complainant is an former politician and the article

indirectly, in particular by reference to an identifier, such as a name, an identification number, localisation data, an online identifier or one or more factors

grows day by day — subscribe to GDPRtoday to get a weekly update! GDPRhub is an initiative by noyb.eu, and made possible by the contributions of hundreds

indirectly, in particular by means of an identifier, such as a name an identification number, location data, an online identifier or one or more elements

that a delivery address is an absolute necessity for the delivery of goods to the customers. Nemlig, does not detect if an address is secret, as it is

the correct manner, with an attorney at law. The fact that an IND employee was also present at the hearing, who also spoke - as an informant - does not, contrary

combination with standardized icons that allow provide an easily visible, intelligible and clearly readable form an adequate overview of the planned treatment. The

thus an intentional infringement and both subjective and objective conditions for impose an infringement fee is fulfilled. Assessment of whether an infringement

assertion that the application of the legal basis justified an interest in in the present case, an assessment in concreto of all the relevant factual elements

had been opened based on an administrative act that did not comply with the legal requirements. This ruling is the result by an appeal of Rossel & Cie,

measures which effectively prevent or at the very least seriously discourage an internet user, when conducting a search from within the EU on the basis of

March to [...] April 2020, with varying frequency, to an individual address e-mail address of an employee of the Company These lists included only administrative

decision that there is: - an infringement of Article 5 (1) a), b) and c) and (2) of the GDPR and Article 24 (1) of the GDPR; and - an infringement of article

decision on an administrative remedy may be suspended as a precautionary measure if the person concerned indicates his intention to bring an action. If

seems appropriate to assume an obligation to provide information about recipients in any case, but only to accept such an obligation with regard to the

implemented such an arrangement. To begin with, the DPA pointed out that only requesting a name and personal identity code when booking an appointment online

between banks, an advisory was provided containing information about the payer, including information on his address. The system did not make an assessment

indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or one or more factors

credit registration. With an A3 coding, it is registered whether it concerns a write-off or a remission. After all, an A3 coding with an end date shows that

identified, the GP proposed to the patients, at the first contact, or with an active recall, an individual assistance plan (PAI); - until 2018, the GP only communicated

Metropolitan Court in an administrative lawsuit can be challenged. The emergency does not affect the time limit for bringing an action. The application

by an employee of the Warsaw University of Life Sciences with the rules of data processing in force at the University is evidenced by the use by an employee

court action that would only be possible later (RS0039215 [T8]). [28] An interest in an action for a declaratory judgement is to be affirmed if the request

of an unwanted text message was justified on the grounds that it was sent directly by XX Srl, without using lists from Wind Tre, on the basis of an independently

act, cannot give rise to an infringement of the GDPR. 30. The Disputes Chamber draws attention to the presence or absence of an intention does not constitute

In an Article 60 GDPR procedure, the Norwegian DPA ordered an HR-services provider, pursuant to Article 58(2)(d) GDPR, to provide the data subject with

allegations. Is sending advertising emails without the consent of the recipient an infringement of Article 21 of the Spanish Information Society Services Act

directly or indirectly, in particular by an identifier, such as a name, an identification number, location data, an online identifier or one or various elements

Following an anonymous complaint against a debt collection agency the Croatian DPA issued a €2,265,000 fine for lack of security measures, lack of a processing

Those applications were used by an unknown party (allegedly an educational institution) and developed by Respondus Inc., an American company. Respondus and

indirectly, in particular by reference to an identifier, such as a name, an identification number, localisation data, an online identifier or one or more factors

The DSB held that the processing of teacher data of an App called "Lernsieg" to evaluate teachers is lawful on the basis of Art. 6 para. 1 lit. f GDPR

NIF S7800001E, -Due to an infringement of Article 5.1.f) of the RGPD, typified in article 83.5 of the GDPR, with a warning. -For an infringement of Article

amendment; if so, it may refrain from striking out and give an opportunity to make such an amendment.” The claimant’s case 14. The claimant says that the

from The Directorate of Customs, but can not see that they have an impact on whether an infringement fine should be imposed, or the size of this. 2 The

the controller relies on an overall bundled consent to anything contained in the terms and the privacy policy. This represents an “all-or nothing” approach

law firm, sent an email to multiple recipients without putting them in bcc. The complainant was one of the recipients. Does sending an email without putting

claimed party is considered responsible for an infringement typified in article 83.5.a) of the RGPD, in an initial assessment, they are considered concurrent

ban, including the preparation and sending of an updated impact analysis for the use of the Services with an expected completion time of 2-3 months from

homosexuality, political parties or diseases. The plaintiff was shown an advertisement for an Austrian politician based on the analysis that he resembled other

Inspectorate with the request to conduct an investigation into the extent to which the request to conduct an investigation into the extent to which the

accounting firm U BVBA, Z BVBA sent an e-mail to the applicant, Ms U1 and Mr U2 on 15 July 2019. On 15 July 2019, Z BVBA sent an e-mail to the applicant, Ms U1

report stated that NIF received an inquiry from the National Cyber Security Center (NCSC-NO) on 18.12.19 regarding an extract from the sport's member database

Article 83 of the GDPR that an administrative fine of up to 250,000 euros, an injunction accompanied by a fine as well as an additional penalty publication

have not committed an offence pass in front of the exit terminal and noted that the data relating to vehicles that have not committed an offence are not transmitted

indirectly, in particular by reference to an identifier such as a name, an identity number, location data, an online identifier or one or more factors specific

premises justifying the imposition of an administrative fine on the Company.           When deciding to impose an administrative fine on the Company, as

competent to adjudicate an application for compensation for material or immaterial damage resulting from an act in violation of the AVG by an administrative body

defines personal data as those belonging to “not only an ‘identified natural person’, but also an ‘identifiable natural person’”. Moreover, a representative

The Hellenic DPA fined a processor €30,000 for failing to grant an appropriate level of security of personal data under Article 32(2), Article 32(4) GDPR

rather because the ex-spouse had mistakenly introduced the email with an “i” instead of an “e” in the data subject’s name. Additionally, the HDPA noted that

DPA held that the controller had to provide an answer to the request within 14 days. The data subject made an access request for a full diagnosis report

inadmissibility, files an appeal of replacement that is resolved in an estimatory manner and gives rise to the current claim: Namely: “…Consequently, when an interested

happened, Transavia engaged an external service provider to conduct a root-cause-analysis. Circumstances of the breach: By using (i) an automated method in which

The request for a hearing must be indicated in the application. An action brought against an order is adjudicated by the court in a simplified trial out of

operates an online mail-order pharmacy under the brand "E.", which is available at "https: //www.E ..de ”. On October 6, 2018, a private person filed an online

updated for possible security vulnerabilities. It has an anti-injection system of SQL orders and an Intrusion Prevention System (IPS). Only TCP 80 (the port

results following an Article 17 erasure request. An online newspaper article from 2012 mentioned the complainant's resignation as the head of an educational

account of one of the applicants was a result of an investigation which included actions taken by an Uber employee such as carrying out a personal conversation

capacityindividual both administrative and criminal.An application file signed by me is attached ”.THIRD: There is an email sent by the VOX DPO of 05/16/2019responding

indirectly, in particular by means of an identifier, such as a name, an identification number, data from location, an online identifier or one or more elements

this discussion because of an incorrect delivery of the invitation. The respondent, another political party, then posted an entry on her public Facebook

The Spanish DPA (AEPD) fined an audit company €3,000 for a security breach occurred when they sent the claimant information of another client, instead

the controller relies on an overall bundled consent to anything contained in the terms and the privacy policy. This represents an “all-or nothing” approach

Internet for an infringement of the right to privacy and violation of the GDPR. The request is based on unlawful processing of personal data. An infringement

to comply with an application to exercise the rights set out in Articles 15 to 22 of Regulation (EU) 2016/679, it shall be initiated by an admission agreement

contract' is not simply an assessment of what is permitted by or written into the terms of a contract. [...]The concept of necessity has an independent meaning

provide access to the affected individual. The Complainant had an accident outside a store, and an Action has been filed subsequently. Access to the video footage

certainly not in light of the defendant's statement that an opinion from the VTC was not possible within an acceptable period of time. 29. Finally, inasmuch as

The Upper Tribunal dismissed an appeal against the FTT's decision to uphold three fines imposed on Leave.EU and Eldon Insurance Services by the UK DPA

The District Court of Pankow held that a controller can refuse to answer an access request under Article 15 GDPR if the effort required to comply with

they have been able to verify that due to an error in the answering process The complainant was sent a copy of an answer that was not related with the claim

"Category" of "Trainee". For the "BECA" concept, there is an accrued amount of 35 euros and an income tax deduction of 2%. The document devotes various

The Spanish DPA fined Mapfre, an insurance company, for a violation of Article 6 GDPR for processing personal data for an insurance policy without a legal

with an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element

subsequent period of 3 months. (2) The Tribunal may, on an application by the data subject, make an order requiring the Commissioner (a) to take appropriate

the perpetrators for an act that has already been sanctioned by a criminal court as a criminal offence? In this case, the AEPD found an infringement of Article

The NAIH fined €1.500 an employer in the public sector for unlawful search in archived e-mail account of former employee. An employer searched in the archived

personal data was unlawful may be reviewed by way of an action for a declaratory judgment if there is an interest in a declaratory judgment. (2) Where personal

indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an on-line identifier, or to one or more factors

5(1)(c) GDPR. The controller must however inform the data subject through an information sign. On 20 May 2021, a Spanish natural person (the data subject)

directly or indirectly, in particular by an identifier, such as a name, an identification number, location, an online identifier or one or more elements

unauthorized persons. c) .- The office is located in an industrial warehouse. To access it you must call an external bell, enter with authorization, cross the

that a controller, regardless of the burden of proof, has always an obligation to reply to an access request, even if the content of such a reply is merely

by e-mail to different persons outside and inside the company constitutes an infringement of Article 5(1)(f) GDPR. ATPSA's union representative at ITP

system with his phone and shared the video via WhatsApp, the AEPD carried out an investigation. The AEPD found a data breach due to the improper filming of

directly or indirectly, in particular by an identifier, such as a name, an identification number, location, an online identifier or one or more elements

police authorities at their request. It concerned an incident where the child was depicted picking up an object from the ground, which had been lost by a

controller didn’t provide an answer. On 8 August 2022, the data subject filed a complaint at the Belgium DPA for the lack of an answer to the request. The

indirectly, in particular by means of an identifier, such as aname, an identification number, location data, an online identifier or one or morevarious

where it finds an inadequacy in the investigation or an error that makes the conclusion impossible. In this case, I would first expect an explanation that

in relation to an access request that was answered incorrectly by a company, and ordered it to pay the claimant €1,250. The defendant is an auto-mobile manufacturer

The French DPA (CNIL) imposed a €150,000 fine on an undisclosed data controller operating an online shopping for failing to properly secure personal data

the to transfer personal data to a third country or an international organisation; or whether or not an adequacy decision by the Commission exists; or, in

when creating an account by a person via the mobile application and that a password consisting of six characters was accepted when creating an account via

suggested to exist an ongoing threat to the Claimant's personal data, such as to justify an injunction. 
 
 The prospect of an award of an injunction seems

states that the Motor Insurance Agency is not an operator that could be excluded from the application of an administrative penalty, taking into account that

adds that he had knowledge of this debt through an SMS and appeared in a shop of the claimed to obtain an invoice for the amount of € 56.88 although the

provided by an external actor in third countries, the treatment may be presumed to have entailed a particular risk of infringement registered privacy. An impact

€1500 fine against an individual for installing security cameras pointed towards the public street and nearby private properties without an adequate information

received from the registrar An explanation has been requested from the controller with an explanation request dated 22 January 2021 and an additional explanation

Article 123 of the LPACAP, the interested parties may lodge, on an optional basis, an appeal for a reversal to the Director of the Spanish Data Protection

Article 123 of the LPACAP, the interested parties may lodge, on an optional basis, an appeal for reversal to the Director of the Spanish Data Protection

Dutch, TikTok failed to provide an adequate explanation of how the app collects, processes and uses personal data. This is an infringement of privacy legislation

indirectly, in particular by means of an identifier such as a name, an identification number, location data, an online identifier or one or more elements

(controller) published an Excel sheet on its website. This Excel sheet contained personal data of vehicle owners who had requested an address change. The

the staff council is suspended as long as an employee is prohibited from conducting official business or an official is temporarily suspended due to a

threshold of the door of the store (the mara captures an important part of the sidewalk without observing an information sign), for outside, the silhouette of

income etc.). In April 2021, the controller sent an email to everyone who registered for the project with an unencrypted Excel file attached, which contained

functions during an investigation, as Vodafone did not comply with an order to provide information to the DPA. The Spanish DPA (AEPD) launched an investigation

event of an alarm going off and the presence of intruders is detected. The establishment does not have a video surveillance system but rather an intruder

procedure 1. On May 6, 2018, the complainant sends an email to the Data Protection Authority (DPA) requesting an opinion on a data processing operation carried

initated an inquiry. The Ministry was summoned to answer a questionnaire. It stated that the drones had also been used for other purposes : scouting an area

ruled that the collection and use of name and VAT number by an accountant on behalf of an heir without a relevant order constitutes a violation of articles

argument that the scope of the violations is limited, the DPA noted that (1) an email address in itself is personal data, even without references to names

address: [...], is an incomplete application for revoking consent to the processing of personal data. In the Company's opinion, such an e-mail may constitute

categories of recipients and, in the case of an intention to transfer to a third country, to showing whether an adequacy decision or other appropriate safeguards

designed by the controller company. Following an initial complaint, the controller removed the picture within an hour of posting and re-uploaded it after covering

personali) imposed a fine of € 30.000 on a local public health body for using an attendance detection system based on biometric data of employees. Following

this body may be considered as an administrative offense in accordance with the provisions of the RGPD, classified as an offense in its articles 83.5 and

contains, among other things, an overview of which aspects are to be taken into account, both in the assessment of whether an infringement fee is to be imposed

corresponding to a purchase that the claimant had not made, of an amount of 1500 euros. As it is an amount high, the respondent entity proceeded, subsequently

additional box implies an agreement to trade in personal data. According to the Inspectorate, the defendant also does not demonstrate that an objection received

and Article 12.3 AVG - If Article 21.1 AVG imposes an obligation on the controller to make the Where an obligation follows from Article 21.1 AVG for the

Union or Member State Law (as e.g. the VIG) stipulate an obligation to publish the results of checks An internet platform ("Frag den Staat") requested the

laws. During an ongoing dispute at a Norwegian Court of Appeal regarding the award of occupational injury insurance between a complainant and an insurance

constitutive of an infraction, attributable to the claimmado , for violation of art. 5.1 c) RGPD.The known facts are constitutive of an infraction, attributable

indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or one or more factors

the computer’s desktop. An additional camera had ot be installed on the students’ devices, as a mandatory condition to sit an exam. The second camera captured

is associable to an identified or identifiable person (not only associable to person physical), and that, in addition, constitutes an automated treatment

transpired that the transfers were occurring due to an internal IT error, which Company B labelled as an "internal configuration error." The Luxembourg DPA

pre-recorded from a generic account and an individual account. It can also be accessed from a connection from an external computer station using its identifiers

particular reference to an identifier is considered identifiable such as the name, an identification number, location data, an online identifier or one

balancing of interests under Article 21(1) GDPR. A data subject working as an accountant had submitted false documents to the bank and was consequently

Televisión Española, S.A. (RTVE), had published an unaltered audio recording of her speaking in court. An investigation by the DPA confirmed multiple instances

Following an investigation the AEPD imposed a fine of 20.000 EUR on IBERIA Airlines for the violation of Article 6(1)(f) GDPR, when further sending unsolicited

via e-Boks regarding an investigation. Statistics Denmark responded to the inquiry on 11 September 2020. It appeared from this that an error must have occurred

In an Article 60 GDPR procedure, the Danish DPA reprimanded Danske bank for a violation of Article 32(1) GDPR. A technical error resulted in the unauthorised

Article 2(2)(c) GDPR. Person A (the complainant) who lives in an apartment building received an e-mail from their neighbour along with a recording marked “Tal

generic errors at the basis of an undue contact or an unsuitable response, is not suitable for eliminating Society, provided that an adequate structuring of systems

may also be read as an application to change the date of dissolution in the contested decision to a later date. 3.7. Trigion lodged an appeal in which it

conviction of A and his background as an expert. A's private family relationship is also mentioned. Search match c) led to an article on […] .no and was about

directly or indirectly, in particular by an identifier, such as a name, an identification number, data location, an online identifier or one or more elements

and proceedings without an order or fine against the controller. The parent complained to the DPA about this decision using an internal administrative

indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or one or more factors

case, as an additional or substitute for the measures referred to in article 58, paragraph 2, letters a) to h) and j). When deciding to impose an administrative

third parties as highly risky. In this regard, an unencrypted access to the system does not guarantee an adequate level of security. The data controller

The Spanish DPA (AEPD) warned a Home Owners' Association for an infringement of Article 5(1)(f) GDPR, due to the disclosing of personal data in a debtors

the group. In 2017, the controller asked the DPA of Thüringen whether such an appointment was lawful, due to concerns of conflict of interests and lack

Adherence to an approved code of conduct pursuant to article 40 or to a certification mechanism approved under article 42 may serve as an element to demonstrate

notwithstanding an appeal. The decision to erase data in accordance with Article 100, § 1, 10°, is not enforceable by provision. § 2 An appeal may be lodged

indirectly, with particular reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more characteristic

to the question of whether the title is an integral part of the name 19. The question of whether the title is an integral part of the name is similarly

Appeal), with the Data Protection Authority as defendant. Such an appeal can be lodged by means of an inter partes petition stating the conditions referred to

address the other informational obligations under Article 15 GDPR. An oral response to an access request was insufficient. Under Article 15 GDPR, the controller

the controller. The data subject filed an administrative appeal against this decision with the Audencia Nacional (“AN”) who annulled the decision of the AEPD

compiled from an electronic database based on the path shown at the bottom. 6 The content of the reply letter did not provide the Applicant with an accurate

the certificate request and in the face of silence I request an appearance by requesting an appointment at the AEAT without having obtained a satisfactory

proceedings of an upcoming trial, and had used such data to send those members an individual letter requesting the extrajudicial payment of an amount of money

The AEPD fined a consultancy company €12,000 for sending an unsolicited commercial communication to the complainant, after they had been previously fined

financial advisor, suing through a collaborating company that will deposit an amount in an account in a bank. The respondent was notified of this circumstance

controller should provide an overview of distinct, well-defined purposes for which personal data is processed, along with an indication of the (categories

costs, declaring the requests for information and the request for an affirmation in lieu of an oath to have been dealt with. She submits and is of the opinion

proof of consent and legitimate interest An essential condition for the legality of data management is that it has an appropriate legal basis be. Article 6

they inform having suffered from a cyberattack. Thus, the AEPED carried out an investigation. Th AEPD found there was no evidence showing illegal access

The Croatian DPA imposed an administrative fine in the amount of EUR 5,470,000.00 on EOS Matrix as a data controller due to the multiple violations of

data subject's rights seriously and a request to exercise a right requires an immediate answer by the controller. Non-compliance can lead to administrative

judgment is based on an incorrect legal assessment. He requests the amendment in the sense of a statement of claim or, in the alternative, an application for

Graasvold, Ellen Økland Blinkenberg, Hans Marius Tessem) The case concerns an appeal from X Mission Assembly on the Data Inspectorate's decision of 19 March

personal data. On 12 September 2019, the director of the AEPD agreed to initiate an investigation to clarify the facts that have not were not mentioned in the

interim measures under Article 21 GDPR because the appellant failed to prove an urgent interest. The complainant asked his bank (ING Bank N.V.) to remove