Search results

and interpretation as in Article 22(3) GDPR. → You can find all related decisions in Category:Article 22 GDPR Article 20 of GDPR proposal, COM(2012) 11 final

between profiling under Article 4(4) GDPR and automated decision making under Article 22 GDPR: for a processing activity to qualify as profiling it is not necessary

pursuant to Article 22 GDPR, but only 'light profiling' under Article 4(4) GDPR. Therefore, the controller claimed that Article 15(1)(h) GDPR did not apply

referred to in Article 22(1) GDPR. For further details on the definition of automated decision-making see Article 22 GDPR and Article 4. In short, automated

are dealt with in Article 12(6) GDPR. It is unclear why Article 12(2) GDPR refers to Articles 15 to 22 GDPR, while Article 11(2) GDPR only refers to Articles

such as profiling (see also Article 4(4) GDPR); Restriction (marking for limited further processing, see also Article 4(3) GDPR), such as deactivation of

a "filing system" within the meaning of Article 4(6) GDPR. See also Article 2(1) GDPR on the scope of the GDPR when it comes to non-automated filing systems

listed in Article 83(4), (5) and (6) GDPR. This specifically refers to violations of Articles 8, 11, 25 to 39, 41(4), 42, 43 of the GDPR (paragraph 4), Articles

Protection Regulation (GDPR): A Commentary, Article 25 GDPR, p. 577 (Oxford University Press 2020). EDPB, 'Guidelines 4/2019 on Article 25 Data Protection

commentary to Article 60 GDPR, Article 61 GDPR, Article 62 GDPR, Article 63 GDPR, Article 64 GDPR, Article 65 GDPR, Article 66 GDPR and Article 56 GDPR. The SA

categories of data established in Article 9(2)(a) GDPR, Article 9(2)(c) GDPR, Article 9(2)(g) GDPR and Article 9(2)(i) GDPR directly correlate with a specific

access (Article 15 GDPR), rectification (Article 16 GDPR), erasure (Article 17 GDPR), restriction of processing (Article 18 GDPR), notification obligation

(e.g. Article 25 (1) and (2), Article 28(1), Article 32(1) GDPR, Article 89(1) GDPR). These measures can also be regarded as measures under Article 24(1)

meaning Recital 86 GDPR). However, Article 34 GDPR does not provide a specific deadline of 72 hours as is the case in Article 33 GDPR. Instead, timelines

compliance with the GDPR under Article 58(2)(d) GDPR or even ban it under Article 58(2)(f) GDPR. Therefore, complaints under Article 77 GDPR should extend to

62(7) GDPR, the reference to the EDPB is mandatory. The authority addressed under Article 66(1)-(2) GDPR is the CSA within the meaning of Article 4(22) GDPR

performance. Article 7 GDPR regulates the "conditions for consent". It specifies the definition of consent set out in Article 4(11) GDPR and, by integrating

consent under Article 6(4) GDPR and further processing for a compatible purpose under Article 6(4) GDPR. See the commentary on Article 6(4) GDPR for details

exercise on their behalf all rights foreseen under Articles 77 and 78 GDPR and Article 20 of L. 4624/2019. The mandate shall be given with a specific written

establishment), Article 4(21) GDPR (definition of SA), Article 4(22) GDPR (definition of SA concerned(CSA)), Article 4(23) GDPR (definition of cross-border processing)

controller (as defined under Article 4(7) GDPR) and a processor (as defined under Article 4(8) GDPR). As noted above, Article 79 GDPR imposes a two-stage cumulative

possible "legitimate interest" under Article 6(1)(f) GDPR. Equally to Article 6(1)(c) GDPR, Article 6(2) and (3) GDPR require that Union or Member State

between Article 21(3) GDPR and Article 17 GDPR on the right to erasure must be considered. The tight relationship between Article 21(3) and Article 17(1)(c)

motion. Its powers are described under Article 8 of the law "Informatique et Libertés". Under Article R311-1(4) of the French code of administrative justice

with Article 13, Article 14 GDPR gives expression to the principle of transparency enshrined in Article 5(1)(a) GDPR and further defined in Article 12 GDPR

clear from the wording of Article 41(1) GDPR. Article 41(1) GDPR does not define accreditation. Nonetheless, Article 41(2) GDPR provides a criterion against

burdens. This reading of Article 31 GDPR is supported by the language of Article 83(4)(a) GDPR which categorises Article 31 GDPR as an 'obligation' of the

simple majority principle under Article 72(1) GDPR would have applied regardless of Article 73(1) GDPR. In addition, the GDPR explicitly legislates for a simple

please refer to Article 19 GDPR. If the controller declines to rectify the data, they must provide reasons for their decision (Article 12(4) GDPR). The data

evaluating the effectiveness of security measures (Article 32(1)(d) GDPR). According to Article 4(5) GDPR, "pseudonymisation" means the processing of personal

access (Article 15 GDPR), rectification (Article 16 GDPR), erasure (Article 17 GDPR), restriction (Article 18 GDPR), notification (Article 19 GDPR) or data

leeway exists only in cases of Article 64(2) GDPR but not the context of Article 70(2) GDPR. According to Article 70(3) GDPR, the EDPB is obligated to “forward

on Article 36(4), it is still disputed whether the outcome of the procedure rather resembles that of Article 58(3)(a) GDPR or Article 58(3)(b) GDPR. See

in Category:Article 3 GDPR EDPB, ‘Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)’, 12 November 2019 (Version 2.1), p. 4 (available here)

freedoms of individuals", as stated in Article 35(1) and further elucidated in Article 35(3) and Article 35(4) GDPR. The WP29 developed a list of criteria

of a secret ballot under Article 22(4) RoP and the holding of written procedure under Article 24(1) RoP. Article 72(2) GDPR grants the EDPB regulatory autonomy

other DPAs concerned. The BCR Lead the submits, following Article 64(1) GDPR and Article 64(4) GDPR, a draft decision to the EDPB. The EDPB, in turn, issues

complaint under Article 77(1) GDPR on behalf of the data subject and to represent the them before all supervisory authorities (“SA”) (Article 4(21) GDPR). Secondly

lead SA (“LSA”) (Article 65(1)(b) GDPR), and where a SA is not following an opinion of the EDPB (Article 6(1)(c) GDPR). Article 65(1)(a) GDPR addresses the

the Article that further information about the logic involved must be provided only when the conditions of Article 22(1) GDPR and Article 22(4) GDPR are

which would be competent under Article 55(1) GDPR, as provided in Article 56 GDPR in connection with Article 60 GDPR. For more information see commentary

and (3) GDPR), inform him or her about the measures taken (Article 12(3) and (4) GDPR), the right to receive this service free of charge (Article 12(5) GDPR)

mechanism referred to in Article 63 GDPR (Article 28(8) GDPR). The Commission has made use of its power under Article 28(7) GDPR and published standard contractual

shall apply from 25 May 2018. There is no relevant recital for Article 99 GDPR. Article 99 GDPR sets out the dates of the Regulation's entry into force and

pursuant to Article 40(7) GDPR. These DPAs will then confirm whether they are “supervisory authorities concerned” (see Article 4(22)(a)(b) GDPR). Finally

explicit wording of Article 81 GDPR does not limit its application to proceedings instigated either under Article 78 GDPR or Article 79 GDPR. Secondly, the

meaning of Article 4(7) and (8) GDPR can be liable for compensation. A claim for damages first requires an infringement of the GDPR. Article 82 GDPR does not

relevance of Article 29 GDPR were rooted in the fact that Article 28(3)(b) GDPR already seems to cover much of the scope of Article 29 GDPR. More specifically

recitals for Article 97 GDPR. Article 97 GDPR imposes a "comprehensive reporting obligation" upon the Commission. The first paragraph of Article 97 GDPR sets out

in Category:Article 45 GDPR Kuner, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 45 GDPR, p. 774 (Oxford

directly to children. As such, Article 8 GDPR stipulates additional requirements for consent by children. Article 8 GDPR applies only if the processing

under the GDPR. → You can find all related decisions in Category:Article 94 GDPR Kühling, Raab, in Kühling, Buchner, GVO BDSG, Article 94 GDPR, margin numbers

in force for more than 4 years after the GDPR’s entrance into force. Responding to requests regarding the applicability of the GDPR in Slovenia, the IP issued

Protection Regulation (GDPR), Article 75 GDPR, p. 1105 (Oxford University Press 2020). Dix, in Kühling, Buchner, DS-GVO BDSG, Article 75 GDPR, margin number 6

Marsch, DS-GVO/BDSG, Article 59 GDPR, margin numbers 4 and 5 (Nomos 2022). Ziebarth, in Sydow, Marsch, DS-GVO/BDSG, Article 59 GDPR, margin number 8 (Nomos

resolution mechanism under Article 65 GDPR in connection with Article 63 GDPR is triggered (Article 60 (4) GDPR). Article 60(2) GDPR clarifies that also in

protected by Article 96 GDPR if it is found to be incompatible with other GDPR provisions. → You can find all related decisions in Category:Article 96 GDPR It follows

incompatible with the office. Article 52(4) GDPR and Article 52(6) GDPR establish the framework for SAs financial governance. Article 52(4) GDPR stipulates that SAs

Category:Article 67 GDPR See EDPB, State of Play - IMI for GDPR purposes, 27 June 2018 (available here). See EDPB, 2019 Annual Report, Section 4.3.1 (available

process them. This was already the case under Article 8(7) of the DPD, the precursor of Article 87 GDPR. In many Member States, the processing of NIN and

disclosed to per Article 4(9) GDPR. Article 19 does not establish any specific time requirement for notification. However, since the purpose of Article 19 is to

Article 76 GDPR, p. 1111-1112 (Oxford University Press 2020). Docksey, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 76 GDPR, p.

proposed amendments to the GDPR (pursuant to Article 70(1)(b) GDPR). Although not explicitly mentioned in Article 69(2) GDPR, the requirement that the Board

Regulation (GDPR): A Commentary, Article 38 GDPR, p. 707 (Oxford University Press 2020). Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 38 GDPR, margin number

subject (Article 12(2) GDPR), respond and communicate the measures taken (Article 12(3) and (4) GDPR), the principle of freedom from costs (Article 12(5)

Recital 167 GDPR and Article 291 TFEU, the aim of implementing acts is to “ensure uniform conditions for implementing” the GDPR. In its GDPR Certification

64(2) GDPR). The remaining paragraphs of Article 64(3)-(8) GDPR lay down substantive rules and a detailed procedure for the EDPB’s opinions. Article 64(1) GDPR

decisions pursuant to Article 65 GDPR (Article 70(1)(t) GDPR). Article 68 GDPR is the first of nine Articles (Articles 68-76 GDPR) governing the EDPB set

situation, Article 95 GDPR will not be relevant, and the GDPR applies as normal. Notably, Recital 173 GDPR, which relates to Article 95 GDPR, omits reference

accordance with Article 98'. → You can find all related decisions in Category:Article 98 GDPR The CJEU has yet to rule on Article 98 GDPR. Nonetheless, the

with the GDPR (Article 31 GDPR). Direct liability of the representative is limited to the obligations set out in Article 30 and Article 58(1)(a) GDPR. Article

requirements of data minimization (Article 5(1)(c) GDPR) and storage limitation (Article 5(1)(e) GDPR). Under Article 30(1)(f) GDPR, where possible, the controller

right to data protection. Article 51 GDPR is closely connected to Article 4(21) (definition of SA), Article 52 (independence), Article 53 (General conditions

decisions in Category:Article 74 GDPR For more on this point, see Article 72 GDPR. Dix in Kühling, Buchner, DS-GVO BDSG, Article 74 GDPR, margin number 7 (C

objections pursuant to Article 92(5) GDPR. Article 92(5) GDPR imposes a further condition for the delegation of power, in line with Article 290(2)(b) TFEU. A

standards of clarity (Article 61(3) GDPR). Requests are imperative and, subject to specific exceptions (Article 61(4) and (5) GDPR), must be fulfilled and

from Article 6(1) GDPR and comply with the principles enshrined in Article 5 GDPR. Additionally, the processing will still be subject to other GDPR provisions

subject to the GDPR or, in cases where they are not established in the EU, act within the material and territorial scope of the GDPR. Article 48 GDPR refers to

Member State in relation to damage referred to in Article 62(4) GDPR. According to Article 62(7) GDPR, if the lead SA does not invite the SA to take part

further discussed, in Article 4(1) GDPR. Any information that relates to an identified or identifiable natural person falls under the GDPR, this also includes

access (Article 15 GDPR), rectification (Article 16 GDPR), deletion (Article 17 GDPR), restriction of processing (Article 18 GDPR), objection (Article 21 GDPR)

unlike delegated acts made under Article 92 GDPR. Article 93(2) GDPR explicitly provides for the application of Article 5 of Regulation (EU) No 182/2011

practices published under Article 70(3) GDPR. Though Article 70(3) GDPR already obliges the EDPB to make these public, Article 71(2) GDPR ensures that the public

to in Article 46(2)(d) GDPR, contractual clauses referred to in Article 46(3)(a) GDPR, or binding corporate rules within the meaning of Article 47 GDPR

conduct under Article 83 GDPR should be excluded from penalties issued under Article 84 GDPR is debated. Whilst the wording of the GDPR is simply unclear

important to note that Article 13(1)(f) GDPR, Article 14(1)(f) GDPR, Article 15(1)(c) GDPR and Article 15(2) GDPR, make specific reference to transfers of personal

exchange of knowledge between them. This way, Article 50 GDPR expands the exhortation under Article 57(1)(g) GDPR that calls for cooperation between EU DPAs

difference between Article 42(1) GDPR and Article 42(2) GDPR is that in the former, the applicant for certification is subject to the GDPR, while in latter

can carry out a notification in phases under Article 33(4) GDPR (see below). Under Article 33(3)(b) GDPR, the supervisory authority must be given the contact

Category:Article 11 GDPR Georgieva, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 11 GDPR, p. 395

Regulation (GDPR): A Commentary, Article 53 GDPR, p. 888 (Oxford University Press 2020). Boehm, in Kühling, Buchner, DS-GVO BDSG, Article 54 GDPR, margin numbers

opening clause under Article 88(1) GDPR, any rules introduced must meet the criteria imposed by Article 88(2) GDPR. Lastly, Article 88(3) GDPR imposes an obligation

from any of the GDPR’s protections. → You can find all related decisions in Category:Article 39 GDPR Just as Article 38 GDPR, Article 39 GDPR also shows similarities

of such processing (see Article 5(1)(b) GDPR), the requirement to have a legitimate basis laid down by law (see Article 6(1) GDPR), the right to access and

or infringes the GDPR or any other applicable laws, including national ones. See commentary under Article 77 GDPR. Article 78(1) GDPR establishes both

Press 2020). Spiecker et al., GDPR Article-by-Article Commentary (2023), p 1090. Spiecker et al., GDPR Article-by-Article Commentary (2023), p 1090. CJEU

that purpose. Article 89(4) GDPR makes it clear that the derogations to the GDPR are only available for processing specified in Article 89 GDPR, and not for

accordance with Article 58(1) GDPR. Article 90 GDPR was drafted with a view to regulate potential conflicts between the application of the GDPR on the one hand

categories of data under Article 9 GDPR or data relating to criminal convictions and offences under Article 10 GDPR. Article 37(2) GDPR allows for the designation

adequacy decision pursuant to Article 45 GDPR shall be used, when it exists; second, appropriate safeguards under Article 46 GDPR, such as binding corporate

about the scope of the term 'personal data' under Article 4(1) GDPR. Non-EU citizens can rely on the GDPR as its application is generally independent of nationality

Regulation (GDPR), Article 91 GDPR, p. 1263 (Oxford University Press 2020). Tosoni, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article

provisions such as Article 30(4) for the record of processing or Article 40(11) for the register of approved codes of conduct, Article 26 does not explicitly

provided for in Article 52(3) GDPR and Articles 53(3) and 53(4) GDPR. For more information on SA members and staff, please refer to Article 52(2) GDPR (SA members)

into force of the GDPR. Spiecker et al., GDPR Article-by-Article Commentary (2023), p 1073. Spiecker et al., GDPR Article-by-Article Commentary (2023)

refusal to take action on a data subject’s request (Article 12(4)). The first sentence of Article 20(3) GDPR clarifies that the exercise of the right to data

with Article 22, GDPR. 55       5.3.2.1. The processing of personal data is lawful in accordance with Article 6, Paragraph 1, Letter e of the GDPR. The

website controller qualifies as controller (Article 4(7) GDPR) and Google LLC as processor (Article 4(8) GDPR) for data processing in connection with Google

the fine, the criteria specified in the same article 83. 111. Article 83 of the GDPR, as referred to in Article 20, paragraph III, of the Data Protection

interests under Article 6(1)(f) GDPR. On the erasure obligations under Article 17 GDPR, the CJEU held that under Article 17(1)(d) GDPR SCHUFA will be under

of a copy, that "Article 15(1) of the GDPR restricts the right of access to personal data within the meaning of Article 4(1) of the GDPR and additional information

within the meaning of Article 4 no. 2 of the GDPR and the term "transfer" within the meaning of Article 44 et seq. of the GDPR. GDPR had to be differentiated

protection within the meaning of Article 45 of the GDPR and without appropriate safeguards within the meaning of Article 46 of the GDPR. Furthermore, the plaintiff

of Chapter V GDPR. The complaint was transferred to the Swedish DPA in its quality of lead supervisory authority pursuant to Article 56 GDPR. Following the

reading first sentence of Article 15(3), in conjunction with Article 12(5) of the GDPR under Article 23(1)(i) GDPR. (judgment of 4 May 2023, Österreichische

personal data under Article 9(1) GDPR. Their processing would require the data subjects' explicit consent under Article 9(2)(a) GDPR and § 151(4) GewO, ordered

Spain the GDPR is developed by the Ley Orgánica 3/2018 de Protección de Datos Personales y garantía de los derechos digitales (LOPDGDD). Article 7.2 LOPDGDD

decision within the meaning of Article 22(1) and Article 22(2) GDPR - then the opening clause of Article 22(2)(b) GDPR does not apply to national rules

of personal data of data subjects guaranteed by Article 44 GDPR and consequently breached Article 44 GDPR. The DPA issued a fine of 300,000 SEK (approx.

Therefore, given that Article 6(1), Article 5(1)(a), Article 5(1)(d), Article 5(1)(c), and Article 14 GDPR were infringed in connection to Article 5(1)(b), the

analogously, Section 823 (1) and (2) BGB in conjunction with Article 6 (1) GDPR and Article 17 GDPR. Claims under data protection law could be asserted by way

that the letter in question referred to Article 58(1)(a) of the GDPR and Article 5:16 in conjunction with Article 5:17 of the Awb does not make this any

following the mandatory legal requirements to do so, violating Article 6(1) and Article 13 GDPR. A resident has installed, without the authorization of the

te, LPACAP), for the alleged violation of Article 5.1.c) of the RGPD, typified in the Article 83.5 of the GDPR. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid

under Article 77 GDPR was very clear and limited in scope. However, the DSB went on to assert a violation of Article 12 GDPR and Article 15(1)(h) GDPR, acting

regard to article 83.2 (k) of the RGPD, the LOPDGDD, article 76, "Sanctions and corrective measures", provides: "2. In accordance with Article 83(2)(k)

included within the framework of data protection. Therefore, Article 16 GDPR cannot be applied. Article 16 refers to inaccurate personal data, not to the rectification

concerned supervisory authority (Article 4(22) GDPR) – raised its concerns and requested mutual assistance under Article 61(1) GDPR from the DPC as lead supervisory

AEPD found that the Socialist Party of Catalonia (PSC-PSOE) violated Article 21 GDPR due to unsolicited political propaganda sent after the data subject

parent's request, thus violating Article 15(1) and (4) GDPR as well as the principle of accountability pursuant to Article 5(2) GDPR. The complainant requested

meaning of article 4.19 of the GDPR – (article 13.1. c) of the GDPR) and does not mention the data retention periods personal data processed (article 13.2.

according to article 4.1 of the GDPR, are a Personal data and its protection, therefore, is the subject of said Regulation. In the article 4.2 of the GDPR defines

of Chapter V GDPR. The complaint was transferred to the Swedish DPA in its quality of lead supervisory authority pursuant to Article 56 GDPR. Following the

claimed party, for the alleged infringement of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR. FIFTH: Notification of the Commencement Agreement

the inspected with section 4 of chapter 4 of the GDPR. 3. […] the inspectorate [is active in the field of transport] […]. 4. The controlled has approximately

considering that it has violated the provisions of Article 17 of the GDPR and Article 21 of the GDPR and urge GLOBAL CAPITAL GROUP SPAIN, S.L. with NIF

Pursuant to Article 83 GDPR in conjunction with Article 4 No. 7 and 8 GDPR, fines for violations of the GDPR pursuant to Article 83(4) to (6) GDPR are not

even pseudonymised data (Art. 4 Para. 5 GDPR) from the term personal data are recorded in accordance with Art. 4 Para. 1 GDPR. It is undeniable that the MB

officer, article 39 of the RGPD attributes to him the function of cooperate with said authority. Similarly, the domestic legal system, in article 65.4 of the

very serious in article 72.1. e) from the LOPDGDD, with 10,000 euros. -article 13 of the GDPR, in accordance with article 83.5 b) of the GDPR, and for the

insurer calculated a settlement offer was a trade secret covered by Article 15(4) GDPR and 4(6) DSG; the controller's 200-page response to an access request

compatible by virtue of a legal provision (see Article 6.4. of the RGPD). Based on the criteria in section 6.4 of the EDR: there is no link between the two

disclosing personal data from a surveillance footage, thus breaching Article 5(1)(a) GDPR and Article 6. The company appealed to the Norwegian Privacy Appeals Board

accordance with article 4.1 of the GDPR, is data personnel and their protection, therefore, is the subject of said Regulation. In article 4.2 The GDPR defines

rating, breaching Article 6(1) GDPR, and required the company to implement a policy for conducting credit ratings per Article 24 GDPR. A person lodged a

the controller had violated Article 5(1)(a) GDPR, Article 12 GDPR, Article 13 GDPR, Article 15 GDPR and Article 25(1) GDPR. As a result, the DPA issued

violates Article 32 GDPR. Retaining personal data of an applicant for a lease after another applicant has been selected also violates Article 5(1)(e) GDPR

informed of this provision. Pursuant to Article 78 of the Regulation, as well as to Article 152 of the Code and Article 10 of Legislative Decree no. 150 of

that under Article 82 (1) and (2) GDPR, any person who has suffered material or non-material damage as a result of a violation of the GDPR is entitled

lit. a GDPR and Article 62.1 no. 4 DPA and Article 52.2 nos. 4 and 7 DPA 2000. The defendant's general assertions, in particular regarding the coverage

comprehensible character, within the meaning of Article 12 of the GDPR, of the information provided for in Article 13 of the Regulation must be assessed. The

force: "According to Article 16 sentence 1 GDPR, every data subject has the right to request the controller (see Article 4(7) GDPR) to correct incorrect

of Chapter V GDPR. The complaint was transferred to the Swedish DPA in its quality of lead supervisory authority pursuant to Article 56 GDPR. Following the

fairness of processing (Article 5(1)(a) GDPR), data minimisation (Article 5(1)(c) GDPR), and data protection by default (Article 25(2) GDPR). The DPA suggested

paragraph 3, all of article 35, and paragraph a) of paragraph 4 of article 83, all GDPR, with a fine of up to €20,000,000 or up to 4% of annual turnover

this case under Article 6(1)(a) or 6(1)(c)? If Article 6(1)(a) applies, do the requirements for parental consent under Article 8 GDPR also apply? Did the

governed by the basic principle of GDPR, the principle of transparency (relevant Articles 12-14 of the GDPR). 4. The GDPR introduces the principle of accountability

this respect (also Senate, judgment of February 8th, 2022, 4 U 1728/21 and February 22nd, 2022, 4 U 1712/21). There it has performed the following: According

communication service. Therefore, TikTok had to obtain valid consent (Article 4(11) GDPR) from users before using the identifiers. The DPA stated that it should

the meaning of Article 4 GDPR and that it had an interest in secrecy that justified its refusal to provide a copy under Article 15(4) GDPR. Unsatisfied,

with the principles of article 5 par. 1 GDPR. It is no coincidence that the GDPR includes accountability (see Article 5 para. 2 GDPR) in the regulation of

this regulation in accordance with Article 57 (1) (a) GDPR and which has the powers in accordance with Article 58 GDPR. For this reason alone, there was

17(1)(c) GDPR, by its logical and systematic context, also applies to the right to object under Article 21(6) GDPR. Pursuant to Article 21(6) GDPR, where personal

according to article 4.1 of the GDPR, is data personnel and their protection, therefore, is the subject of said Regulation. In article 4.2 of the GDPR defines

Decision 22-02-2021 Authority: AZOP (Croatia) Jurisdiction: Croatia Relevant Law: Article 32(1)(b) GDPR Article 32(1)(d) GDPR Article 32(2) GDPR Article 32(4)

according to article 4.1 of the GDPR, is data personnel and their protection, therefore, is the subject of said Regulation. In article 4.2 of the GDPR defines

Ordinance Article 6 No. 1 letter f, for failure to assess protests, cf. Article 21, and for lack of information, cf. Article 13. 2. Pursuant to Article 58 (2)

provided for in Article 56(1), read in conjunction with Article 56(2), read in conjunction with Article 56(3), read in conjunction with Article 56(4), read in

violated Article 5(1)(a) GDPR, Article 5(1)(c) GDPR, Article 9 GDPR and Article 25(2) GDPR. As a result, and in accordance with Article 58(2)(d) GDPR, the

in Article 12(5) GDPR, Article 15(4) GDPR or Article 16 of the Norwegian Personal Data Act were applicable. The DPA ordered the controller (Article 58(2)(d)

law to the GDPR, both regimes must be read in the same way. Second, identifiability is defined by Article 3(1) 2018/1725 (Article 4(1) GDPR). The use of

and 13 GDPR? Is the information provided to data subjects throughout the subscription process in compliance with the provisions of Article 13 GDPR? Does

lawfulness, the Litigation Chamber concludes that Article 5.1.a. of the GDPR in conjunction with Article 6 of the GDPR have not been complied with with regard to

defendant within the meaning of Article 4 of the GDPR. The defendant is therefore a controller within the meaning of Art. 4 No. 7 GDPR. b. 44 The Senate is convinced

be regarded as the controller within the meaning of Article 4 under 7 GDPR. The legal framework 4.4. [Applicants] argue that Uber has infringed their right

consent, in line with Article 6(1)(a) GDPR. The Court recalled that Article 31 of the Croatian Law on the Implementation of the GDPR stipulates that the

(definition) Article 4.1: Data subject (definition) Article 4.2: Processing (definition) Article 4.3: Restriction of processing (definition) Article 4.4: Profileing

"accept all" button be considered a breach of GDPR Article 4(11) and Article 7, read in conjunction with GDPR Article 5(3) -Privacy while the data controller

submitted its observations, which, in accordance with Article 54(1)(b), (3) and (4), (4) and (4), (5) and (5), (5) and (5), (5) and (5), (5) and (6). 2

none of the exceptions in Article 82 of the Data Protection Act were applicable, and Apple had to obtain consent (Article 4(11) GDPR) before using the identifiers

they are processed (article 5.1 e) of the GDPR). 8.1.4. As for breaches of Articles 5.2. and 24 of the GDPR 88. Article 24.1 of the GDPR which covers Chapter

authority. Under Article 60 GDPR, the following DPAs were identified as “concerned supervisory authorities” under Article 4(22) GDPR: the Netherlands,

monitor the functioning of decisions adopted on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC. In its adequacy decisions, the Commission

obligation of Article 32 GDPR? - Does the fact that this health data is not encrypted constitute a breach of the security obligation under Article 32 GDPR? - Does

Art. 4 No. 1 GDPR, is processed and stored here by the defendant as the person responsible in accordance with Art. 4 No. 7 GDPR. According to Art. 4 No.

reprimand in accordance with Article 58(2)(b) GDPR for these established violations. The DPA issued an order, as per Article 15(4)(b) of the Greek Law 4624/2019

processing of sensitive personal data under Article 9 GDPR and their lack of valid consent to do so under Article 6(1) GDPR. In 2020, the Norwegian Consumer Council

violated Article 6 and Article 32 GDPR. The DPA seems to consider the authentication procedure itself as "processing" and therefore Article 32 GDPR applies

patient data cf. Article 32 GDPR and Article 5(1)(f) GDPR and inadequate internal controls cf. Article 24 GDPR and Article 5(2) GDPR. Østfold Hospital

Compétence de la Chambre de Résolution des Litiges (Article 2 AVG ; Article 4 WOG) 55. Conformément à l'article 2, paragraphe 1, de l'AVG, le règlement s'applique

the right of access under Article 15(4) of the GDPR or section 22 of the DDPA can be invoked. It follows from Article 15 (4), that the right to obtain

of automatic decisions, including profiling, as referred to in Article 22 (1). 1 and 4, and at least meaningful information about the logic therein, as

company was not compliant with Article 13 GDPR. The CNPD held that the controller infringed Article 5(1)(c) GDPR and Article 13 GDPR and decided to: - impose

AEPD fined in €2,000 a website for non-GDPR compliant privacy policy, violating Article 13 GDPR. On January 16, 2022 the data subject complaint against

Policy on their website (Article 13 GDPR) and for the absence of a reject button on the second layer of their Cookie Policy (Article 22(2) LSSI). The claimant

investigations the CNIL found five breaches of the GDPR: -         Violation of the right to object, Article 21(2) GDPR: no procedure was implemented to ensure effectively

be personal data per Article 4 GDPR. The CNIL then assessed whether the transfers of the data to the US comply with Article 44 GDPR. It considered whether

(threethousand euros), for violation of article 22.2) of the LSSI Law, typified as “slight” in theArticle 38.4.g) of the aforementioned Law.SECOND: REQUIRE

enshrined in Article 25 GDPR. Additionally, the AEPD concluded that the controller had violated Article 5(1)(f) GDPR, noting that although the GDPR does not

established in Article 12(3) and (4) GDPR. Therefore, the Belgian DPA found the controller to have breached Article 15 GDPR in conjunction with Article 12(3) and

personal data and information under Article 15 GDPR in his Google account, Google has not violated Article 15 GDPR concerning this data/information. As

sedeagpd.gob.es 4/7 Article 22 section 4 LOPDGDD (LO 3/2018, December 5) provides the following: “The duty of information provided for in article 12 of Regulation

(three thousand euros), for in-fraction of article 22.2) of the LSSI Law, typified as “slight” in article 38.4.g)of the aforementioned Law.SECOND: REQUIRE

recording is "processing" of "personal data" within the meaning of Article 4(1) and 4(2) GDPR. Therefore, the data subject has the right to request access to

service in the terms required by article 22.2.”, and may be sanctioned with a fine of up to €30,000, in accordance with article 39 of the aforementioned LSSI

assessments. 4.2.1. Exemption under Article 15 (1) of the Data Protection Regulation. 4 The right to access is limited, among other things. Article 15 (1) of

(thirty thousand euros), for violation of article 22.2) of the LawLSSI, typified as “slight” in article 38.4.g) of the aforementioned Law.SECOND: REQUIRING

express answer for any rights exercised under Articles 15 to 22 GDPR, by virtue of Article 12 GDPR. Share blogs or news articles here! The decision below is

data subject (Article 26 GDPR). The processing by the processor must, in accordance with the provisions of article 28 paragraph 3 of the GDPR, be governed

referred to Article 5(1)(a) (principle of lawfulness, fairness and transparency), Article 12(1), Article 7, Article 13 and Article 14 GDPR, the corresponding

infringement of Article 5.1.f) of the RGPD typified in Article 83.5.a) of the RGPD and considered very serious, for the purposes of prescription, in Article 72.1

basis under Article 6(1) GDPR. In light of this, the DPA issued a fine of €70,000 to másLUZ Energía (SIE) by virtue of Article 83(5) GDPR for unlawful

basis in line with Article 13(1)(d) GDPR. The DPA stated that it would impose a fine on the controller, pursuant to Article 58(2)(i) GDPR, if latter does

sanction to the party claimed for the violation of Article 13 of the GDPR typified in Article 83.5 of the GDPR. The sanction that must be imposed is an administrative

GLOBAL, SL, with NIF B55053482, for aviolation of Article 21.1 of the LSSI, typified in Article 38.4.d) of the LSSI, awarning penalty.SECOND: REQUIRE CATMEDIA

cookies, as per Article 22(2) Spanish Law on Information Society Services (LSSI). This law regulates cookies, connected to Article 13 GDPR. The decision

Hague October 4, 2022, ECLI:NL:GHDHA:2022:2100, para. 3.1-3.13. 4 Conclusion 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 Exhibit 4 to the introductory

significant negligent action (Article 83(2)(b) GDPR) and that basic personal identifiers were affected (Article 83(2)(g) GDPR). The economic volume of the

Regulation (EU) 2016/679 and in the sections 3 and 4 of article 13 of this organic law. " FIFTH: Article 15 of the RGPD provides that: "one. The interested

of automated decisions, including profiling, toreferred to in Article 22, paragraphs 1 and 4, and, at least in such cases, informationsignificant about applied

of 25,000 euros (Article 83, paragraph 2 GDPR; Article 100, §1, 13 ° WOG and Article 101 WOG). 18 55. Taking into account article 83 GDPR and the case law

Judiciales (JAVA). JAVA infringed Article 6(1)(a) GDPR by publishing illegal recordings on its website and also infringed Article 22(2) LSSI due to its cookie

exercised by a complainant pursuant to Article 17 GDPR and analysed the exercise of the rights under Articles 15-22 GDPR. On 15 February 2019, Mrs A.A.A.  (hereinafter

pursuant to Article 13 GDPR. In the present case, the controller omitted this obligation. The DPA therefore held that the controller violated Article 13 GDPR

default (Art. 25 GDPR), integrity and confidentiality (Art. 5.1.f GDPR), as well as security ofprocessing(Art. 32GDPR)......101 B.4.4. - Additional alleged

Madrid sedeagpd.gob.es 13/22 3.- On 09/01/19, this Agency requested the entity in question information on the reported events. 4.- On 22/02/19, the entity complained

and 15(3) of the EU Regulation 2016/679 and in Article 13(3) and (4) of this Organic Law". FIFTH: Article 15 of the RGPD provides that "1. The data subject

Therefore, Article 5(1)(f) GDPR was considered violated by the community of owners as a whole and a fine according to Article 83(5) GDPR was imposed.

with Article 4 WOG. 17. First, it is clear that the content of the disputed e-mail messages constitute personal data within the meaning of Article 4.1. AVG

database. The request for erasure under Article 17(1) GDPR is not applicable, because under Article 17(3)(e) GDPR, the processing was necessary for the defence

A.A.A., herein the data controller, violated Article 6 GDPR and Article 13 GDPR, as well as Article 22.2 LSSI (Spanish national law). The data subject

the Regulation (EU) 2016/679 and in sections 3 and 4 of article 13 of this organic law. " FIFTH: Article 17 of the RGPD provides that: "one. The interested

considered a violation pursuant to Article 72(1)(m) of the LOPDGDD, which would be sanctioned according to Article 58(2) GDPR. Share your comments here! Share

infringement of article 32.1 of the GDPR (LCEur 2016, 605), typified in the Article 83.4.a) of the GDPR, a warning sanction, in accordance with article 77 of the

automated decisions, including profiling, to referred to in article 22, paragraphs 1 and 4, and, at least in such cases, information significant on the

for the alleged infringement of Article 5.1.c) of the RGPD, typified in Article 83.5 of the RGPD. SIXTH: On 06/27/22 the first brief of allegations to

to the legal provisions established in article 22.2 LSSI. This Infraction is classified as "minor" in Article 38.4 g) of the aforementioned Law, and may

obligations under Article 5(1)(f) and Article 32 of GDPR. Article 5 (1) : Ticketmaster has failed to comply with the requirements of GDPR including to process

point b. of her applications, "by analogy pursuant to Article 25.1 in conjunction with Article 22.4 of the first case DSG". Arguments of the defendant: The

public space respect Article 5 (1) (c) GDPR? The AEPD held that the installation of a video surveillance system under Article 22 LOPDGDD must always comply

their privacy policy in line with Article 6(1)(a) GDPR within a month. The AEPD also held that URLs 1-4 breached Article 22(2) of the Law 34/2002 (LSSI), the

violation of data minimisation, Article 5(1)(c) GDPR. No fines can be imposed against the controller and Article 83(5) GDPR can therefore not be imposed.

regards to a violation of Article 7 GDPR, for gathering consent in a generic way. To fine the controller €3000 for infringing Article 22(2) LSSI, for installing

did not react either. GDPR applicable? (Article 3(2) GDPR) The DPA held that the GDPR was applicable pursuant of Article 3(2) GDPR. Because the controller

to the cookies. The Spanish DPA fined the company €2,000 for infringing Article 22.2 LSSI. The fine was reduced to 1,600 because the company voluntarily

violation of the Article 12 of the GDPR, in conjunction with Article 17 of the GDPR. V Classification of the infringement of article 12 of the GDPR The aforementioned

provided for in Article 18 GDPR. As explained by the Court, Article 18(1) GDPR, in particular in paragraph (d), is linked to Article 21(1) GDPR, which guarantees

access and deletion enshrined in Articles 15 to 22 of the RGPD, Articles 13 to 18 LOPDGDD and Article 17 GDPR respectively. The conflict of law arose in this

contract (Article 6(1)(b) GDPR), nor could be based on legitimate interest of the controller (Article 6(1)(f) GDPR). Consent (Article 6(1)(a) GDPR) could

AEPD concluded that the defendant could have breached Article 13 GDPR, Article 7 GDPR and Article 22(2) LSSI: there was no identification of the data controller

that, in cases of video surveillance, Article 22.4 LOPDGDD provides that the duty of disclosure in Article 12 GDPR may be fulfilled by placing a sign near

processing is based on consent under Article 6(1)(a) GDPR, the consent must meet the requirements of, among others, Article 7 GDPR. The DPA observed deficiencies

that motivates the presentation of the claim. SECOND: In accordance with article 65.4 of the LOPGDD, which has provided for a mechanism prior to the admission

Regulation (EU)2016/679 and in the paragraphs 3 and 4 of article 13 of this organic law " FIFTH: Article 17 of the RGPD states that: "1. The data subject

meaning of Article 4 No. 7 GDPR. However, the defendant cannot be accused of violating an obligation to provide information under Art. 15, 12 GDPR. Paragraph

existence of automated decisions, including profiling, to referred to in Article 22(1) and (4) and, at least in such cases, information about the importance and

en hij deze zaak niet wenst verder te zetten. 2. Rechtsgrond Artikel 12.4 AVG 4. Wanneer de verwerkingsverantwoordelijke geen gevolg geeft aan het verzoek

decision stated: - Pursuant to Article 100, §1, 9 WOG, to order processing in accordance with with Articles 5.1.f, 5.2, 24 and 32 GDPR, in which in particular

breaching Article 12(3) GDPR, since it failed to notify the data subject that her erasure request was satisfied, as well as Article 24(1) GDPR, given that

officer, article 39 of the RGPD attributes to him the function of cooperate with said authority. Similarly, the domestic legal system, in article 65.4 of the

constitute of a breach of Article 5(1)(c) GDPR. Second, the AEPD recalled that, compliant with Article 13(1) and (2) GDPR, and Article 22(4) of the Law on the

existence of automated decisions, including profiling, as referred to in Article 22(1) and (4) and, at least in such cases, significant information about the logic

based comply with Article 13 of the GDPR? The Spanish DPA found that the facts constituted an infringement for violation of Article 13 of the RGPD, and

did not acknowledge that with the introduction of Title 8.4 in the Awb on the basis of Article 8:4, paragraph 1, opening words and under f of the Awb, the

assistance of the Norwegian DPA, based on GDPR rights. The DPA denied the request as per Article 55 GDPR, stating that the GDPR does not apply to his situation.

as per Article 22(2) of the Spanish Law on Information Society Services (LSSI) — amongst others, the Spanish law regulating cookies — and Article 13 of

as per Article 22(2) of the Spanish Law on Information Society Services (LSSI) —this is the Spanish law regulating cookies, connected to Article 13 of the

existence of automated decisions, including profiling, as referred to in Article 22(1) and (4) and, at least in such cases, significant information on the logic

was based on Article 6.1.f) of the GDPR, but not for all processing based on this article. […] 73 74Investigation report, page 22, point 4.4.2.3.3. WP 260

commercial register by law, this does not mean that these data may be Page 4 4 (4) re-use and disclose for any purpose. Data that can be unrestricted reused

RETAIL S.L. for alleged infringement of Article 5.1 f) of the GDPR, in accordance with Article 83.5.a) of the GDPR- Initiate sanctioning procedure against

adequate information under Article 13 GDPR, and for the processing of personal data in a manner contrary to Article 5(1)(a) of the GDPR. A data subject submitted

provisions in article 13 of the RGPD, despite the fact that personal data is collected through various forms. SECOND: In accordance with article 65.4 of Organic

accordance with provided for in article 58.2.b) of the RGPD, for an infringement of article 13 of the RGPD, typified in article 83.5 of the RGPD, a warning

there was a personal data breach pursuant to Article 4(12) GDPR. Moreover, it stated that Article 32(1) GDPR obliges controllers to take appropriate technical

automated decisions, including profiling, to which referred to in article 22, paragraphs 1 and 4, and, at least in such cases, information significant on the

[The equivalent GDPR Article to Article 48(3)(a) EU GDPR is Article 46(3)(a) GDPR, and Article 50(1)(d) EU GDPR is Article 49(1)(d) GDPR.] Share blogs or

with the provisions of section 2 of article 56 in relation to section 1 f) of article 57, both of the GDPR; and in article 47 of the LOPDGDD. SECOND: In accordance

the lack of a privacy and cookie policy on a website infringe Article 13 GDPR and Article 22(2) LSSI? The AEPD decided to impose a fine to the clinic: €

rectification under Article 16 GDPR, the right to erasure under Article 17 GDPR, and the right to restriction of processing under Article 18 GDPR. The court therefore

automated decisions, including profiling, to which referred to in article 22, paragraphs 1 and 4, and, at least in such cases, information significant on the

existence of automated decisions, including profiling, to referred to in Article 22(1) and (4) and, at least in such cases, information The importance and consequences

the same search results on the basis of Article 12 (4) GDPR has been rejected by Google . Article 21 (1) of the GDPR provides that a data subject has the

the data could be processed under the legitimate interest basis (ARTICLE 6(1)(f) GDPR). The tribunal weighted the different interests at stake and decided

reprimand to the controller in accordance with Article 58(2)(b) GDPR. Pursuant to Article 58(2)(d) GDPR, the DPA also ordered the controller to erase the

infringement of the GDPR, articles: -12 of the GDPR, in accordance with article 83.5.b) of the GDPR and 72.1.k) of the LOPDGDD, and -5.1.c) of the GDPR, in accordance

automated decisions, including profiling, to which referred to in article 22, sections 1 and 4, and, at least in such cases, information about applied logic

accordance with Article 4(1) GDPR, according to the DPA. The Court of Appeal of Brussels held that, in accordance with Article 16 GDPR, the data subject

person under article 4.1 of the RGPD is personal data and its protection, therefore, is the subject of said Regulation. Article 4.2 of the GDPR defines the

Madrid sedeagpd.gob.es 4/4 The exposed facts suppose, on the part of the claimed, the commission of the infraction of article 22.2 of the LSSI. This offense

unclear, cf. the preparations for the act, Prop. 56 LS (2017-2018) points 4.4.7 and 4.5.7. The question has not previously been put to the fore, and there is

proceedings Article 77 (1) and Article 22 (b) of the General Data Protection Regulation. may be submitted in the case provided for in Under Article 77 (1) of

the investigations that are being carried out. " SEVENTH: Article 22.4 of the LOPD provides: "4. Personal data recorded for law enforcement purposes will

data subject’s consent under Article 6(1)(a) GDPR, which in turn meets the conditions for consent laid out in Article 7 GDPR. The AEPD highlighted that this

of the duty of information as per article 13 GDPR. The DPA imposed thus a fine of €1000 for violating Article 13 GDPR. Share your comments here! Share blogs

content provided in the subsequent article 13, article 22.4 of the LOPDGDD determines that “[…] It will be understood that it has been fulfilled by placing

assessment against the GDPR A. Identification of the controllers involved (Article 4.7 GDPR) 24. In accordance with Article 4.7 GDPR, it must be the controller

obtain such recordings through the camera, with grounds on Article 6(1)(e) GDPR and Article 22 of the Spanish Data Protection Act (LOPDGDD), that allows

that the controller had not violated Article 45 GDPR nor any of the subsequent Articles from Chapter V of the GDPR. The AEPD took into account that the

Data Protection Regulation (2016/679) Article 12 (4), Article 17 (3), Article 21 (2) and (3), Article 25 (2), Article 58 (2) (b) Section 2 of the Health Care

of article 17 of the GDPR. X Classification of the infringement of article 17 of the GDPR The aforementioned infringement of article 17 of the GDPR supposes

Appeals Board assessed if a fine could be imposed as per Article 83(5) GDPR, cf. Article 83(2) GDPR, and in which case, how large it should be. The Board

regarding Article 6(1) GDPR and consent requirements regulated previously to GDPR. The fact that the infringements related to Article 25 GDPR did not include

(Considering 40 GDPR), Article 6.1 of the GDPR is therefore applicable and not RD 1720/2007 used by the defendant. Thus, the aforementioned article 6.1 GDPR establishes

democratic legitimation necessary under Article 23(1) second sentence in conjunction with Article 20(1) and (2) and Article 79(3) of the Basic Law. Since data

of processing (Article 32 GDPR), the transparency principle (Article 13 GDPR) and its information duties related to cookies (Article 22(2) of the Spanish

of these data (hereinafter, GDPR); and in article 47 of the LOPDGDD. SECOND: In accordance with the provisions of article 55 of the RGPD, the Agency Spanish

the terms required by article 22.2. ”, which may be sanctioned nothing with a fine of up to € 30,000, in accordance with article 39 of the aforementioned

regarding Article 6(1) GDPR and consent requirements regulated previously to GDPR. The fact that the infringements related to Article 25 GDPR did not include

aepd.es 28001 – Madrid sedeagpd.gob.es 4/6 The physical image of a person, in accordance with article 4.1 of the GDPR, is data personnel and their protection

rectification.(article 16 of the GDPR), the right to be forgotten (article 17 of the GDPR), and the right to limit the use ofdata processed unlawfully (article 18

any third party marketing. The ICO held that SPF was in breach of Regulation 22 PECR because it instigated the transmission of the 28,523,745 unsolicited

any third party marketing. The ICO held that SSL was in breach of Regulation 22 PECR because it instigated the transmission of the 128,895,718 unsolicited

answered in accordance with the requirements of Article 12 GDPR and within the time limit set in Article 12(3) GDPR. As the complainant continued to receive marketing

internal compliance and accountability according to Article 5(1) GDPR, Article 5(2) GDPR and Article 6(1) GDPR. Since the company had totally ignored the its

with Articles 15 to 22. exercise of their rights under this Article. Article 11 (2) In the cases referred to in paragraphs 15 to 22, the controller shall

claimed, by thealleged violation of Article 5.1.c) of the RGPD, typified in Article 83.5 of theRGPD.FIFTH: On 06/22/20, this Agency received a written allegations

with the provisions of section 2 of article 56 in relation to section 1 f) of article 57, both of the GDPR; and in article 47 of the LOPDGDD. SECOND: In accordance

in Article 17 GDPR (cf. Article 17 (3) b GDPR). In that case, the data subject does not have the right to object as referred to in Article 21 GDPR, because

existence of automated decisions, including profiling, as referred to in Article 22(1) and (4) and, at least in such cases, significant information about the logic

AEPD pursuant to Article 72(1)(m). The AEPD does not specify the provision of Article 21 on which it bases its decision. Article 21 GDPR states that the

provided for in Article 12.3 of the GDPR, nor informed the claimants of a possible reason for its inaction as required by article 12.4 of the GDPR. It also considers

trained in GDPR matters. With GDPR in force for over a year, the controller should have had at least measures in place concerning the Articles 15-22 GDPR and

( *** POSITION 1) for an infraction of Article 6.1.f) of the GDPR, in accordance with Article 83.5 of the GDPR ”. In the face of it, no allegations have

controller within the meaning of Article 4(7) of the AVG. 3.4 Violation regarding the reporting of a violation 3.4.1 Introduction Article 33(1) of the AVG stipulates

other two conditions of Article 6 (1) (f) of the GDPR are not met. (26) The second condition of Article 6 (1) (f) of the GDPR is that the processing of

service in the terms required by article 22.2. ", and may be sanctioned with a fine of up to € 30,000, in accordance with article 39 of the aforementioned LSSI

reprimand to the company for not complying with Article 13 GDPR, since it failed to even mention the GDPR in its Privacy Policy. Share your comments here

refers to older national laws, instead of GDPR. Does an non-updated privacy policy infringe Article 13 GDPR? Shoud the AEPD calculate the fine by taking

violated the GDPR and the consent given through such a banner cannot be considered a valid consent under Article 6(1)(a) GDPR and Article 4(11) GDPR. Further

specific enough and did not comply with Article 13 GDPR. Does the lack of precision enough to infrige Article 13 GDPR? The AEPD found that the information

(definition) Article 4.1: Data subject (definition) Article 4.2: Processing (definition) Article 4.3: Restriction of processing (definition) Article 4.4 : Profiling

Consequently, based on Article 83(5)(a) GDPR, the hospital was fined to pay a fine of EUR 30.000,00 for violation of Article 5(1)(f) GDPR. Corrective measures

exercising their rights in bad faith. The AEPD brought forward Article 12(5) GDPR, as well as Article 7 of the Spanish Civil Code, that states that rights must

point 4.7. of the judgment article 6, d) and article 6, e) of the GBA law, but this should be read as article 6.1. d) and Article 6.1. e) of the GDPR. Decision

with the provisions of section 2 of article 56 in relation to section 1 f) of article 57, both of the GDPR; and in article 47 of the LOPDGDD. SECOND: In accordance

therefore an infringement of Article 5 at the time of the facts. 1, a) GDPR, Article 6, Article 12.1 GDPR and Article 14.1 a) GDPR. 90. In addition, a controller

and transparency (Article 5.1 a) GDPR), purpose limitation (Article 5.1 b) GDPR) and minimum data processing (Article 5.1 c) GDPR); 4) the legal basis for

force of the GDPR, the controller also sent him a separate revocation letter referring to the operational reasons under Article 38(3) GDPR, second sentence

of these data (hereinafter, GDPR); and in article 47 of the LOPDGDD. SECOND: In accordance with the provisions of article 55 of the RGPD, the Agency Spanish

observations. Firstly, the right to be forgotten can be found in Article 17 GDPR and Article 93 of the LOPDGDD, the Spanish data protection law. It establishes

the processing is based on Article 6(1)(a) or on Article 9, (c) where the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the

"private life" in Article 8.1 ECHR (Wittwer in Schwimann, ABGB-Takom4 § 1328a Rz 3; Danzl in KBB5 § 1328a ABGB Rz 3; RV 173 BlgNR 22nd GP 17). 1.4 'Personal rights'

the data subjects, therefore breaching Article 6 GDPR, as well as Article 5(1)(b) GDPR. Thirdly, Article 30 GDPR stipulates that the controller must keep

the alleged violation of article 5.1.f) of the GDPR and article 32 of the GDPR, typified in article 83.5 and 83.4 of the GDPR. The initiation agreement

communications under Article 14 GDPR were not legally necessary, as in the present case, Article 23 GDPR restrictions were applicable. Article 23 GDPR establishes

2023 standard B-VG Art 133 Paragraph 4 DSG §24 DSG §4 GDPR Art 12 GDPR Art 15 GDPR Art 15 Paragraph 1 litc GDPR Art77 UWG §26b paragraph 1 B-VG Art. 133

principles of article 5 par. 1 GDPR. It's not a coincidence that the GDPR includes accountability (already mentioned above article 5 par. 2 GDPR) in the regulation

pursuant to Article 4(2) of the GDPR, and the applicant operating and managing the Facebook page is a controller pursuant to Article 4(7) of the GDPR, given

regarding Articles 5(1)(b) GDPR and 5(1)(e) GDPR and held that national courts had to determine, using the factors of Article 6(4) GDPR, whether further processing

under Article 15 GDPR, in a timely manner as well as in clear and transparent form. Second, the DPA looked at the right to erasure under Article 17 GDPR

according to article 4.1 of the GDPR, are a Personal data and its protection, therefore, is the subject of said Regulation. In the article 4.2 of the GDPR defines

private doctor for violating Article 32 GDPR by making his patients' health data freely accessible on the web, and Article 33 GDPR by not notifying the DPA

fined a municipality €409,768 (NOK 4,000,000) for breaches of Article 5(1)(f) GDPR, Article 24 GDPR and Article 32 GDPR after a serious ransomware attack

in line with Article 13 GDPR. On the DSB's request, the controller declared R*** Hotels GmbH as its representative under Article 27 GDPR and sent a reply

infringement of article 21.1 of the LSSI, typified in Article 38.4.d) of theLSSI, a sanction of warning.B) For an infringement of article 13 of the RGPD

Nuuday A / S 'processing in accordance with Article 22 of the Data Protection Regulation. It follows from Article 22 (2) of the Data Protection Regulation.

(hereinafter referred to as GDPR); and in article 47 of the LOPDGDD. SECOND: In accordance with the provisions of article 55 of the RGPD, the Agency Spanish

provided for in Article 15 GDPR and Article 13 LOPDGDD was exercised. Secondly, the DPA noted that a valid legal basis under Article 6(1) GDPR is required

1 No. 4 DSG 3) a) Section 52 para. 2 no. 7 DSG 2000 in conjunction with § 69 (5) DSG b) Art. 62 Para. 1 No. 4 DSG 4) a) Section 52 para. 2 no. 4 DSG 2000

violated Article 5(1)(e) GDPR and Article 25(2) GDPR. As a result, the DPA issued a reprimand to the controller in accordance with Article 58(2)(b) GDPR. Pursuant

been deleted by the employer upon request pursuant to Article 16, Article 17 and Article 5(1)(d) GDPR (inaccuracy of personal data). Therefore, the employer

(2016/679) Article 5 (1) (a), Article 12 (1), (2) and (6) , Article 13, Article 15 (1) (h), (3) and (4), Article 58 (2) (c) and (d) subparagraphs Article 34 (1)

processing of personal data within the meaning of Article 4 GDPR and is it justified on the basis of Article 6 GDPR? Can the controller raise the argument that

of rectification of Article 16 GDPR and Article 14 of LOPDGDD, the national data protection law, the DPA stated that Article 12(4) LOPDGDD obliges the

permissible in accordance with Article 133, Paragraph 4, B-VG.The revision is permitted in accordance with Article 133, Paragraph 4, B-VG. text Reasons for the

of article Article 24.1, and in relation to the obligations referred to in the previous section, The information obligation provided for in Article 5 of

constitute personal data under Article 4(1) GDPR? If so, do they qualify as special categories of personal data under Article 9 GDPR? Is the defendant obliged

violating Article 5(1)(f) GDPR, Article 5(1)(a) GDPR, Article 5(2) GDPR, Article 12 GDPR, Article 13 GDPR, Article 14 GDPR, Article 24(1) GDPR, and Article

sanctioning procedure, under Article 83(5)(a) of the GDPR, against AAA on 21 December 2022, due to a infringement of Article 6. AAA was the father of the

Articles 6 and 13 GDPR? The AEPD decided to impose, for infringement of Article 6 GDPR, a fine of € 10000 and, for infringement of Article 13 GDPR, a fine of

images, in violation of Article 5(1)(a) GDPR? The Spanish DPA (AEPD) found that the defendant's conduct violated Article 5(1)(a) GDPR, as a broader principle

increase or decrease. 4.4 Conclusion The AP sets the total fine at €400,000. 8For the justification, see paragraphs 4.3.1 and 4.3.2. 24/25Date Unidentified

fulfilled. The school breaches Article 6(1)(b) in combination with Article 6(4) and Article 6(1) Articles 24 and 25 GDPR Furthermore, as the school continued

the Law: "Article 36. Taxpayers 1. They are taxpayers, as taxpayers, natural or legal persons, and the entities referred to in article 35.4 of Law 58/2003

within the meaning of Article 4(15) GDPR and Article 9(1) GDPR. Processing of sensitive data requires a legal basis under Article 9(2) GDPR. In the present case

for the violation of Article 6 GDPR and € 4 000 for the violation of article 13, under the power conferred by Article 83(5) GDPR. Share your comments here

circulation of these data (hereinafter GDPR); and in article 47 of the LOPDGDD. SECOND: In accordance with the provisions of article 55 of the RGPD, the Agency Spanish

company, Iberdrola Clientes, S.A.U for infringing Article 21 GDPR, Article 48(1)(b) LGT, and Article 23(4) LOPDGDD. The initial proposed fine was €10000 however

of these data (hereinafter, GDPR); and in article 47 of the LOPDGDD. SECOND: In accordance with the provisions of article 55 of the RGPD, the Agency Spanish

to be qualified as a health data pursuant to Article(4)(15) GDPR and that the scope of protection of Article 9(2) must be taken into account as a standard

year 2005-2006, 29 708, no. 19 (p. 523) Article 4:32 The obligation from this article is taken over from Article 52 of the Wfd. Under Section 14(2) of the

inform the affected parties as provided for in Article 12 GDPR and Article 13 GDPR. According to Article 30(1) GDPR a record must be kept by the responsible

held that the controller violated Article 12(1) GDPR, Article 12(2) GDPR, Article 15(1) GDPR and Article 15(3) GDPR. The controller had deleted the data

medical consultant pursuant to Article 15 GDPR? The Datatilsynet held that the insurance company did act in line with Article 15 GDPR. The DPA did not consider

information provided was in breach of Article 13 GDPR. Therefore, the authority warned the controller (Article 83(5) GDPR) and requested to complete the notice

breach of the obligation to inform pursuant to Article 14 of the GDPR 20. According to Article 14 of the GDPR: 1. Where personal data has not been collected

appropriate consent. This affected 4,500,000 people in 2019. Violation of Article 5, Article 6 , Article 7 and Article 21 , due to many complaints of undesired

6www.aepd.es28001 - Madridsedeagpd.gob.es Page 4 4/7with Article 6, paragraph 1, letter a), or Article 9, paragraph 2, letter a), and this is notbased

personal data laid down by Article 4(1) and (2) GDPR. The DPA then quotes ECJ, 11 December 2014, Ryneš, case C-212/13 (point 22), EDPB Guidelines 3/2019

DE SA’s objection on Article 33(3) GDPR fails to meet the requirements set out in Article 4(24) GDPR Infringement of Article 34 GDPR on the communication

accountability (Article 5 (2) and 24 (1), (2) GDPR), privacy by design (Article 25 (1) GDPR) and as controller towards its data processors (Article 28 GDPR). Consequently

AEPD held that the telecoms company 's actions were a breach of Article 6(1) GDPR. Article 6(1) does not apply here because they failed to prove that they

right to access under Article 15 GDPR because the controller was entitled to reject the request pursuant to Article 12(5)(b) GDPR. The court reasoned that

paying profiles. II.4. Article 12(1),(2) and (3), Article 17, Article 19, Article 24(1) and Article 25(1) AVG 63. Article 12 (1) GDPR stipulates that the

Protection Officer (DPO) under Section 4 of Chapter 4 of the GDPR (see in particular Article 37 GDPR to Article 39 GDPR). One of these audit proceedings concerned

by the alleged violation of Article 32 of the RGPD, Article 5.1.f) of the RGPD, Article 25 of the RGPD, typified in Article 83.5 of the RGPD. FOURTH: On

fundamental principles of the GDPR, notably Article 5(1)(a) and (e) GDPR. The DPA found violations of various provisions of the GDPR. It held that the controller

the performance of a contract (Article 6(1)(b) GDPR) and for legitimate interest (Article 6(1)(f) GDPR). Article 6(1)(b) GDPR In its original draft decision

violation of article 6.1. f) of the RGPD, in relation with article 20.1 c) of the LOPDGDD, typified in article 83.5.a) of the cited GDPR That by writing

minimisation principle related, as per Article 5(1)(c) GDPR, and the lack of transparent information, as per Article 12 GDPR. The decision is the consequence

other legal basis for processing under Article 6 GDPR, the controller had violated Article 5(1)(a) and Article 6(1) GDPR. Taking into account the low income

investigation granted to the control authorities in article 57.1 of Regulation (EU) 2016/679 (GDPR). Thus, dated 12/04/20, an information request is addressed

meaning of Article 4. The Dispute Resolution Chamber notes that consulting personal data does constitute processing within the meaning of Article 4(2) of the

of these data (hereinafter, GDPR); and in article 47 of the LOPDGDD. SECOND: In accordance with the provisions of article 55 of the RGPD, the Agency Spanish

of his personal data would be based 5. 1, a) GDPR, Article 6, Article 12.1 GDPR and Article 14.1 a) GDPR. 67. Moreover, a controller, in this case defendant

information under Article 13 GDPR is illegal. Consequently, the APED decided to issue a fine of €1.500 for the violation of Article 13 GDPR. Share your comments

of a Commission decision on adequacy , or in Article 46, Article 47 or the second subparagraph of Article 49 (1) (a) the period for which the personal

proper manner. According to the DPA, the controller violated Article 15 GDPR and Article 13 LOPDGDD which establish that the data subject has the right

the basis of Article 58, paragraph 2, point b) GDPR and Article 100, §1, 5 ° WOG to be reprimanded for the infringement of Article 25 (1) GDPR; b. on the

reply. The AKI reminded the defendant of its obligation under Article 13 GDPR and Article 14 GDPR to inform the data subject in a concise, clear, comprehensible

against the respondent, for the alleged infringement of Article 6 of the RGPD, typified in Article 83.5 of the RGPD. In view of the foregoing, the following

The complaint was then transferred to the Disputes Chamber as per Article 62 WOG. On 22 February 2022, the complainant informed the Disputes Chamber that

terminated, must be assessed in the light of Article 6 GDPR and not Article 10 GDPR. Article 6(1)(f) GDPR provides a sufficient basis for processing. The

he assessment: violation of Article 57.4 AVG (third plea in law from X). X submits that the decision violates Article 57.4 of the AVG where this provision

information correctly published at the time. The DPA noted that under Article 17(3)(b) GDPR, personal data shall not be erased if their processing is necessary

for the alleged violation of Article 5.1.f) of the RGPD, in relation to article 5 of the LOPDGDD, as indicated in article 83.5 a) of the RGPD. The telematic

amount of the fine under Article 83(2) GDPR. The data subjects complains about the violation of its right of access (Article 15 GDPR) by the Istituto Nazionale

2019, GDPR Art. 37, para. 1; Döpfler , EU-GDPR and BDSG, 2nd edition 2020, GDPR Art. 37, marginal 1; Paal / Pauly, DS-GVO BDSG, 2nd ed. 2018, GDPR Art.

The Administrative Court of Mainz (VG Mainz) held that Article 9 GDPR does not apply to a processor who captures special categories of data on camera,

Autoriteit Persoonsgegevens disagrees: Article 78(2) GDPR defines the applicable time frame in line with Article 4:13(1) of the Dutch Administrative law

data on the basis of Article 6.1.e GDPR ? - Did the administration sharing confidential data with a third party violates article 25 GDPR ? - Should the administration

automated decisions, including profiling, to be referred to in article 22, paragraphs 1 and 4, and, at least in such cases, information significant on the

requests for information according to Article 15(1) GDPR. The ‘Business secrecy’ exception only applied to Article 15(4) GDPR, where a data subject would request

data had taken place, meaning GDPR obligations did not apply. Are these magnetic cards personal data within Article 4(1) GDPR? If so, did the MCP infringe

right of access under Article 15 GDPR? By denying the complainant access, did the respondent infringe Articles 12(1) or 12(2) GDPR? The NAIH that the complainant's

their employees. The DPA found a violation of Article 5(1)(b) GDPR, Article 5(1)(c) GDPR and Article 13 GDPR. Following a visit to the premises of two public

company result in a breach of Article 37 GDPR? The Spanish DPA (AEPD) found that Conseguridad SL had violated Article 37(1)(b) GDPR by not having designated

existence of automated decisions, including profiling, referred to in Article 22(1) and (4) and, at least in such cases, significant information about the logic

the respondent, by the alleged violation of Article 5.1.c) of the RGPD, as defined in Article 83.5 of the GDPR. SIXTH: Formal notification of the agreement

violation of Article 6(1) GDPR; 2. Did not provide the complainant with enough information prior to the processing, in violation of Article 13 GDPR; 3. Processed

according to Article 9(2)(a) GDPR. On the basis of the information gathered, the DPA held that the controller had violated Article 9 GDPR. As a result

Networks AB for violating Article 17 GDPR by not deleting personal data of the complainant without undue delay and Article 23 GDPR by providing incorrect

time, which is a violation of the GDPR. As to the claim for damages, the CoS notes that though Article 82(1) of the GDPR states that full compensation for

Appeal considered that Article 96 GDPR does not provide a time limit for the validity of international agreements concluded prior GDPR and that a ban on some

under Article 36 GDPR) regarding the compliance of the envisaged processing with the GDPR. According to the Commission, the legal basis was Article 6(1)(e)

Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 4 4/5The LOPDGDD states in its article 5:" 1. Those responsible and in charge of data processing

Privacy Ordinance article 58 no. 2. 4.2 Requirements for treatment protocol Pursuant to Article 30 of the Privacy Regulation (and Article 24 of Directive

highly sensitive personal data exposed, thus breaching Article 32(1)(b) GDPR and Article 32(2), cf. Article 24. An employee in a municipal health care center

people affected and the level of damage the elves suffered (article 83.2.4 of the GDPR) 4.1.4. The Data Protection Authority should have taken into account

publicly available on the Internet. However, it follows from Article 28(1) GDPR and Article 28(3)(f) GDPR that the data processor (in this instance Kombit A/S)

explanatory statement of the law, Article 10 defines the Authority’s competence in compliance with Article 55 GDPR.Article 55 GDPR provides for a restriction

95/46/EC) on the same date (see Article 94 GDPR). That the initiating petition in this case dates from 22 May 2018 and that Article 48, paragraph 10 of the (Dutch)

required by Article 12 GDPR. The DPA clarified that the right of information and the right of access are distinct. An access request under Article 15 GDPR is not

as established in article 5 of the GDPR. The security of personal data is regulated in articles 32, 33 and 34 of the GDPR. III The GDPR defines personal

data breaches from more than twenty Danish banks in accordance with Article 33 GDPR. The reported data breaches concern the accidental disclosure of personal

(hereinafter, LPA- CAP), for the alleged violation of Article 5.1.c) of the RGPD, typified in Article 83.5 of the GDPR. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid

processing under Article 6(1), and failing to comply with the obligation to provide information under Article 13 GDPR. On the topic of Article 6(1) GDPR the Norwegian

a violation of Article 5(1)(b) GDPR. As a result, the DPA issued a reprimand to the controller in accordance with Article 58(2)(b) GDPR. Generally, a controller

S.A.U., with NIF A80907397, for the alleged violation of article 6.1. GDPR typified in article 83.5.a) of the aforementioned RGPD. 1. APPOINT Mr. D.D.D

to in Article 9 of the GDMPR in order to infer that such consent would not be necessary for data not referred to in that Article, since Article 4 of the

under Article 15 GDPR to the defendant and requested i.a. information on concrete recipients of their personal data under Article 15(1)(c) GDPR. The defendant

approved appeal of Article 5(1)(a), Article 12(1), Article 13(1) and Article 13(2). The appeal for Article 5(1)(c), Article 6(1) and Article 8 GDPR was not approved

under Article 4(1) GDPR. These statistics even included health data which qualify as a special category of personal data under Article 9(1) GDPR. The Datatilsynet

violation of Article 5(1)(f) GDPR and a fine of €100,000 for the violation of Article 37 GDPR. The DPA issued a reprimand for the violations of Article 5(1)(e)

to the public, violating Article 24 GDPR. The decision discusses as well, the relationship between directive 95/46/EC and GDPR. The DPA highlighted that

of these data (hereinafter, GDPR); and in article 47 of the LOPDGDD. SECOND: In accordance with the provisions of article 55 of the RGPD, the Agency Spanish

companies Menzis and VGZ € 50.000 for insufficient security measures under Article 32 GDPR. Translated summary by the AP (The Netherlands): In 2018, the Authority

request under Article 21 GDPR can be made at any time and several times. It also found that a provisional measure can be granted under Article 21 GDPR if an urgent

Protection Officer (DPO) under Section 4 of Chapter 4 of the GDPR (see in particular Article 37 GDPR to Article 39 GDPR). One of these audit proceedings concerned

required by Article 13 of the GDPR GDPR. The form used violated Article 13 of the GDPR conduct that is subsumi- ble under Article 83(5) of the GDPR, which provides:

UC (the controller); an access request under Article 15 GDPR and an erasure request under Article 17 GDPR. Regarding the erasure request specifically,

Articles 5 and 6 GDPR? The AEPD held that publishing personal data on Twitter without the consent of the claimant is a violation of Article 6 GDPR, due to the

in accordance with Article 5, paragraph 1, preamble and under b, of the GDPR. 4.4. Article 6, paragraph 1, opening words, of the GDPR stipulates that processing

ends and means of such activity, by virtue of article 4.7 of the GDPR. Article 4 section 12 of the GDPR broadly defines “violations of security of personal

regulated in article 6 of the GDPR. The assumptions that allow the processing of personal data to be considered lawful listed in article 6.1 of the GDPR: 1. Treatment

lawfulness, fairness and transparency under Article 5(1)(a) GDPR, and the principle of accountability under Article 5(2) GDPR. Additionally, the HDPA held that the

of Article 12(1) GDPR. The AP outlined that, in the event of an infringement of Article 12(1) of the GDPR, pursuant to Article 58(2)(i) and Article 83(5)

future incoming communications" (note cit., p. 6). 1.4. On 10 September 2019, pursuant to Article 166, paragraph 5, of the Code, the Office notified the

n. 9698724] Injunction order against Roma Capitale - 22 July 2021 Record of measures n. 294 of 22 July 2021 THE GUARANTOR FOR THE PROTECTION OF PERSONAL

guarantee of digital rights. Article 22.4 of the LOPDGDD provides as follows: "The duty of information provided for in Article 12 of Regulation (EU) 2016/679

6www.aepd.es28001 - Madridsedeagpd.gob.es Page 4 4/11FOUNDATIONS OF LAWIBy virtue of the powers that article 58.2 of the RGPD recognizes to each authoritycontrol

accordance with Article 33 GDPR to the Belgian DPA. Nonetheless, there were suspicions that the controller did not comply with Article 32 GDPR. Especially

infringement of Article 5.1 b) in conjunction with Article 6.4. AVG, on article 5.1 a) in conjunction with article 6.1. AVG and on article 5.1 c) GDPR has been

Protection, pursuant to Article 83(3) and Article 83(4)(a) and Article 83(5)(e) of Regulation 2016/679, in conjunction with Article 103 of the Personal Data

under Article 6(1)(f) GDPR is not a valid legal basis for the processing of cookies. The Italian DPA also held that the controller violated Article 122 of

to article 4.1 of the RGPD, is a piece of information personal and their protection, is therefore the subject of the said Regulation. In Article 4(2) of

SAW The violation of article 32 of the GDPR is typified in article 83.4.a) of the aforementioned GDPR in the following terms: "4. Violations of the following

coverage of the image of the third party shall not be required.” 4. As follows from Article 12 (4) of Law 2472/1997, the controller was required to respond to

municipalities has not complied with Article 28 (1) of the Data Protection Regulation. Article 32 (3) (f), cf. Article 32, as the company has not implemented

data breach (Article 32 GDPR). Does the plaintiff have a right to compensation according to Article 82(1) GDPR and does Article 82(3) GDPR stipulate a reversal

for the alleged violation of Article 5.1.f) of the GDPR and Article 32 of the GDPR, typified in Article 83.5 of the GDPR. FIFTH: Notified of the aforementioned

violation of Article 12 GDPR ? Are the following practices an infringement on data subjects' information right as described in Article 12 GDPR ? Spreading

and the GDPR, in particular with regard to the competence, tasks and powers of data protection authorities ). 4. In article 4 par. 7 of the GDPR, a data

publication of the judgment breach the GDPR? The AEPD held that the respondent’s actions violated the GDPR Article 5(1)(a) requirement that processing must

that the article’s publication was in violation of Article 5(1)(c) GDPR, Article 6(1)(f) GDPR, when read in line with Article 85 GDPR. Article 5(1)(c) outlines

April 2016 (General Data Protection Regulation - GDPR), in conjunction with Article 3, Article 4(2) and Article 6(1)(b), all of which are applicable to the

for which they were collected pursuant to Article 5, paragraph 1, b) of the GDPR 22. Article 5.1.b) of the GDPR provides that “Personal data must be: / (…)

cf. Article 4 no. 2. The search engine provider is responsible for the processing of personal data that takes place in that connection, cf. Article 4 no

consent of the 10 complainant (article 6.1 a) of the GDPR combined with article 7 of the GDPR), (2) article 6.1 c) of the GDPR in that the publication results

minimisation under Article 5(1)(c) GDPR, and contrary to the obligation to obtain the freely given consent of the data subject under Article 6(1)(a) GDPR, when refusal

infringement of Article 32.1 of the GDPR typified as a serious infringement in Article 73 f) of the LOPDGDD and in Article 83.4 of the GDPR. For its part

way of a finding under article 15 of the GDR instead of the provisions of article 15 of the GDR. 36, § 4 and § 5 as well as Article 38, § 1 of the Law of

without references to names. Moreover, (2) it included health data (Article 4(15) GDPR) as the newsletters were send to patients of the respected medical

executed. Legal basis: Article 4 lines 1, 2 and 5, Article 11 paragraphs 1 and 2, Article 12 paragraph 2, Article 17 paragraph 1 and Article 58 paragraph 2 lit

accordance with Article 60(3) GDPR. Ten DPAs (AT, DE, ES, FI, FR, HU, IT, NL, NO, SE) raised objections, in accordance with Article 60(4) GDPR, to the Draft

violation of Articles 13 and 14 of the GDPR, and a fine of €4 million for a violation of Article 6 of the GDPR, and ordered CaixaBank, to conduct a review

pay to [the employee] compensation/amount, pursuant to Article 7:683(4) in conjunction with Article 7:682(6) of the Dutch Civil Code, equal to the gross

according to article 4.1 of the RGPD, is a piece of information personal and their protection, therefore, is object of said Regulation. In Article 4.2 The RGPD

the general data protectionArticle 5 (1) (a), Article 5 (2), Article 12 (1) and (4) ofArticle 14, Article 15 and Article 21 (4).1.3. The Authority condemns