Search results

under Article 6(4) GDPR and further processing for a compatible purpose under Article 6(4) GDPR. See the commentary on Article 6(4) GDPR for details on the

Charter, Article 5(1)(a) GDPR and Article 6(1) GDPR. At the same time Article 6(4) GDPR clearly only further defines Article 5(1)(b) GDPR. Against the clear

(Article 15 GDPR), rectification (Article 16 GDPR), erasure (Article 17 GDPR), restriction (Article 18 GDPR), notification (Article 19 GDPR) or data portability

(Article 4(20) GDPR, Article 47 GDPR); The data transfer for internal administrative purposes (Article 6(1)(f) GDPR) with Recital 48 GDPR); The determination

dealt with in Article 12(6) GDPR. It is unclear why Article 12(2) GDPR refers to Articles 15 to 22 GDPR, while Article 11(2) GDPR only refers to Articles Articles

Regulation (GDPR): A Commentary, Article 32 GDPR, p. 636 (Oxford University Press 2020). Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 32 GDPR, margin number

of Articles 13 or 14 GDPR and Article 15(1) GDPR often overlaps, the controller has a different obligation under Article 15 GDPR to include the ex-post

rights under the GDPR, when relevant information is provided. Article 13 GDPR embodies the principle of transparency in Article 5(1)(a) GDPR, outlining the

Spain. The AEPD is an independent public body in charge of enforcing the GDPR in Spain. Its head office is in Madrid. The requirement to have a data protection

(Article 12(1) GDPR), facilitate the data subject (Article 12(2) GDPR), respond and communicate the measures taken (Article 12(3) and (4) GDPR), the principle

the SA pursuant to Article 58(2) GDPR or failure to provide access in violation of Article 58(1) GDPR. Article 83(6) GDPR is a superfluous provision and

of data established in Article 9(2)(a) GDPR, Article 9(2)(c) GDPR, Article 9(2)(g) GDPR and Article 9(2)(i) GDPR directly correlate with a specific legal

Article 25 GDPR or Article 32 GDPR. This provision assigns a proactive role to the controller who has to ensure compliance with the GDPR at all stages

21(3) GDPR and Article 17 GDPR on the right to erasure must be considered. The tight relationship between Article 21(3) and Article 17(1)(c) GDPR seems

Article 14 GDPR gives expression to the principle of transparency enshrined in Article 5(1)(a) GDPR and further defined in Article 12 GDPR. While Article

since, under Article 28(1) GDPR, a controller shall only use processors providing the same standards under Article 25 GDPR. Manufacturers or producers

protezione dei dati personali) resides in Rome and is in charge of enforcing GDPR and Directive 2002/58/CE (e-Privacy Directive) in Italy. The Garante is a

Regulation (GDPR), Article 7 GDPR, p. 350 (Oxford University Press 2020). Heckmann, Paschke, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin

compliance with the GDPR. Article 28(3)(h) GDPR enables such a task in case processors are used. According to Article 28(3)(h) GDPR, the processor should

Article 28 of the GDPR. Article 33(2) GDPR instructs processors to notify controllers once they become “aware” of a personal data breach. The GDPR does not elaborate

Article 82 GDPR – like almost all provisions of the GDPR – is directly applicable in all Member States without any act of implementation. Article 82 GDPR leaves

to Article 60 GDPR, Article 61 GDPR, Article 62 GDPR, Article 63 GDPR, Article 64 GDPR, Article 65 GDPR, Article 66 GDPR and Article 56 GDPR. The SA is also

Authority for Belgium. It resides in Brussels and is in charge of enforcing GDPR in Belgium. The DPA consists of five bodies and an Executive Committee. The

of the most innovative elements in the GDPR related to the accountability principle (see Articles 5(2) and 24 GDPR). This provision regulates the cases in

resolution mechanism under Article 65 GDPR in connection with Article 63 GDPR is triggered (Article 60 (4) GDPR). Article 60(2) GDPR clarifies that also in cross-border

compliance with the GDPR under Article 58(2)(d) GDPR or even ban it under Article 58(2)(f) GDPR. Therefore, complaints under Article 77 GDPR should extend to

processing of personal data of deceased persons. Article 2 GDPR sets out the material scope of the GDPR. Paragraph 1 clarifies that the Regulation applies to

meaning Recital 86 GDPR). However, Article 34 GDPR does not provide a specific deadline of 72 hours as is the case in Article 33 GDPR. Instead, timelines

Article 57 GDPR (tasks of SAs), Article 58 GDPR (powers of SAs), as well as Article 65 GDPR (dispute resolution by the board), Article 63 GDPR (consistency

Authority for Denmark. It resides in Copenhagen and is in charge of enforcing GDPR in Denmark. Datatilsynet is made up of the Data Council (Datarådet) and a

Authority for Romania. It resides in Bucharest and is in charge of enforcing GDPR in Romania. The Romanian DPA is a public authority with legal personality

22(2)(c) GDPR. Finally, decisions based on explicit consent are also subjected to the safeguards laid down in Article 22(3) GDPR. Article 22(3) GDPR lays down

provisions of the GDPR require the controller to keep track of individual recipients. For example, Article 15(1)(c) GDPR and Article 19 GDPR require the disclosure

(Article 12 GDPR), information (Articles 13 and 14 GDPR), access (Article 15 GDPR), rectification (Article 16 GDPR), erasure (Article 17 GDPR), restriction

(Article 15 GDPR), rectification (Article 16 GDPR), deletion (Article 17 GDPR), restriction of processing (Article 18 GDPR), objection (Article 21 GDPR) and the

Article 9 GDPR or Article 10 GDPR data on a large-scale. A DPO is always required when processing is carried out by a public authority or body. The GDPR does

5(1)(d) GDPR gives the controller some leeway to continue processing inaccurate data - see more details under Article 5(1)(d) GDPR. Article 16 GDPR, titled

Authority for Iceland. It resides in Reykjavík and is in charge of enforcing GDPR in Iceland. You can help us filling this section! You can help us filling

application of the GDPR from Article 3 GDPR confirming that there is always a SA competent to supervise and enforce the application of the GDPR whenever it applies

their rights under the GDPR, (ii) as a result of the processing of their personal data in non-compliance with the GDPR. Article 79 GDPR is a data subject right

Regulation (GDPR): A Commentary, Article 38 GDPR, p. 707 (Oxford University Press 2020). Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 38 GDPR, margin number

important to note that Article 13(1)(f) GDPR, Article 14(1)(f) GDPR, Article 15(1)(c) GDPR and Article 15(2) GDPR, make specific reference to transfers of personal

prevention (Article 23(1)(a-j) GDPR) allow for far fewer GDPR restrictions than those granted by freedom of expression. Article 85(2) GDPR poses one condition for

(Article 36(3)(c) GDPR); the contact details of the Data Protection Officer (DPO) (Article 36(3)(d) GDPR); a copy of the DPIA (Article 36(3)(e) GDPR) as well as

the scope of the LED from the scope of the GDPR. Article 10 GDPR is intended to extend the protection of the GDPR to the processing of certain criminal data

occurs when the GDPR simply refers to applicable national law as a preliminary question under a GDPR provision. In some situations where the GDPR refers to national

Article 23(1)(e) GDPR, which sets out strict requirements for the Union or Member State's law restricting GDPR rights, Article 18(2) GDPR does not make any

57 GDPR should be deemed inadmissible for the purposes of Article 31 GDPR. Article 31 GDPR can be read as a supporting provision to Article 58 GDPR. In

deals with processing within the scope of the GDPR. Part 2 deals with processing outside of the scope of the GDPR. Part 3 deals with processing by competent

Authority for Greece. It resides in Athens and is in charge of enforcing GDPR in Greece, the Greek Data Protection Act 2019, the ePrivacy Directive implementation

or infringes the GDPR or any other applicable laws, including national ones. See commentary under Article 77 GDPR. Article 78(1) GDPR establishes both

exists only in cases of Article 64(2) GDPR but not the context of Article 70(2) GDPR. According to Article 70(3) GDPR, the EDPB is obligated to “forward its

Although Article 40(5) GDPR mentions that the competent DPA will be determined through the application of Article 55 GDPR, the GDPR does not provide concrete

Regulation (GDPR) is in Slovenia directly applicable, as well as in other EU member states. There are however problems in the practical use of the GDPR which

Authority for Finland. It resides in Helsinki and is in charge of enforcing GDPR in Finland. The Office of the Data Protection Ombudsman is headed by the

from any of the GDPR’s protections. → You can find all related decisions in Category:Article 39 GDPR Just as Article 38 GDPR, Article 39 GDPR also shows similarities

(Articles 55-59 GDPR). The GDPR provides for exceptions from provisions entailed in Chapter VI (independent supervisory authorities). Article 85(2) GDPR mandates

encompasses other obligations of controllers under the GDPR. EDPB: This extends to various obligations under the GDPR, including but not limited to the implementation

(“LSA”) (Article 65(1)(b) GDPR), and where a SA is not following an opinion of the EDPB (Article 6(1)(c) GDPR). Article 65(1)(a) GDPR addresses the cases where

Category:Article 45 GDPR Kuner, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 45 GDPR, p. 774 (Oxford

dialogue, complaints handling and inspection, Datatilsynet oversees the GDPR in Norway and supervises that authorities, companies, organisations and individuals

relevance of Article 29 GDPR were rooted in the fact that Article 28(3)(b) GDPR already seems to cover much of the scope of Article 29 GDPR. More specifically

decision pursuant to Article 45 GDPR shall be used, when it exists; second, appropriate safeguards under Article 46 GDPR, such as binding corporate rules

pursuant to Article 77 GDPR. Lastly, the NPO may file a legal remedy under Article 79 GDPR against a controller or processor regarding a GDPR infringement. The

with the GDPR (Article 31 GDPR). Direct liability of the representative is limited to the obligations set out in Article 30 and Article 58(1)(a) GDPR. Article

authority. Article 61(1) GDPR regulates how independent authorities are to cooperate to enable the uniform application of the GDPR. Supervisory authorities

Category:Article 47 GDPR Kuner, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR) Update of Selected Articles, Article 68 GDPR, p. 194 (Oxford

of the GDPR enforcement across the Member States. → You can find all related decisions in Category:Article 64 GDPR Caspar in Kühling, Buchner, GDPR Article

directly to children. As such, Article 8 GDPR stipulates additional requirements for consent by children. Article 8 GDPR applies only if the processing of data

France. The authority is established in Paris and is in charge of enforcing GDPR for France, as well as the national law for data protection "Loi Informatique

Article 89(2) and (3) GDPR also allow for specific derogation to the GDPR for these purposes, as further detailed below. Article 89(1) GDPR provides that when

the GDPR by Brave, page 6 - https://brave.com/wp-content/uploads/2020/04/Brave-2020-DPA-Report.pdf Report: Europe’s governments are failing the GDPR by

88(1) GDPR) and a conditional function (Article 88(2) GDPR). While Article 88(2) GDPR determines the scope of the opening clause, Article 88(1) GDPR establishes

Recital 167 GDPR and Article 291 TFEU, the aim of implementing acts is to “ensure uniform conditions for implementing” the GDPR. In its GDPR Certification

60, 63, 64 and 65 GDPR) immediately adopt provisional measures intended to produce legal effects on its own territory. Article 66 GDPR creates strict conditions

Article 19 GDPR therefore requires controllers, subject to certain exceptions, to communicate their exercise to recipients under Article 4(9) GDPR. The first

consideration when the GDPR was drafted. There is consequently no need to 'balance' the GDPR against other rights for a second time, as the GDPR is already the

Article 20(3) GDPR clarifies that the exercise of the right to data portability does not preclude the exercise of any other rights under the GDPR. Thus, if

outlined under other Articles of the GDPR, namely in Articles 51, 52 and 53 GDPR. The second objective, under Article 54(2) GDPR, seeks to regulate the confidentiality

Protection Regulation (GDPR), Article 75 GDPR, p. 1105 (Oxford University Press 2020). Dix, in Kühling, Buchner, DS-GVO BDSG, Article 75 GDPR, margin number 6

apply from 25 May 2018. There is no relevant recital for Article 99 GDPR. Article 99 GDPR sets out the dates of the Regulation's entry into force and application

between Article 42(1) GDPR and Article 42(2) GDPR is that in the former, the applicant for certification is subject to the GDPR, while in latter, the applicant

Articles 13 or 14 GDPR. This can be drawn from the final sentence of Article 11(1) GDPR. It must be assessed with the utmost attention whether GDPR provisions

undefined in the GDPR. “Expertise” is only referred to again under Article 41(2)(a) GDPR, although briefly. Additionally, Article 41(1) GDPR specifies that

purpose (Article 52(4)(5)(6) GDPR). Elements of SAs' complete independence are also addressed in Article 53 GDPR and Article 54 GDPR. The CJEU in the Case of

Article 62 GDPR, margin number 11 (Beck 2018, 2nd edition). Riccio, Scorza, Belisario, GDPR e normativa privacy – Commentario, Article 62 GDPR (Wolters Kluwer

decisions pursuant to Article 65 GDPR (Article 70(1)(t) GDPR). Article 68 GDPR is the first of nine Articles (Articles 68-76 GDPR) governing the EDPB set forth

conduct under Article 83 GDPR should be excluded from penalties issued under Article 84 GDPR is debated. Whilst the wording of the GDPR is simply unclear in

Category:Article 86 GDPR At para. 120 Kranenborg, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 86 GDPR, p. 1216 (Oxford University

Article 97 GDPR. Article 97 GDPR imposes a "comprehensive reporting obligation" upon the Commission. The first paragraph of Article 97 GDPR sets out the

situation, Article 95 GDPR will not be relevant, and the GDPR applies as normal. Notably, Recital 173 GDPR, which relates to Article 95 GDPR, omits reference

n Recital 121 GDPR. Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 53 GDPR, p. 888 (Oxford

rights to data subjects as the GDPR. When the provisions of Regulation 2018/1725 follow the same principles as the GDPR, they should be interpreted homogeneously

Simkus, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 87 GDPR, p. 1226 (Oxford University Press 2020). EU Commission, Survey on

under the GDPR. → You can find all related decisions in Category:Article 94 GDPR Kühling, Raab, in Kühling, Buchner, GVO BDSG, Article 94 GDPR, margin numbers

in Category:Article 74 GDPR For more on this point, see Article 72 GDPR. Dix in Kühling, Buchner, DS-GVO BDSG, Article 74 GDPR, margin number 7 (C.H. Beck

of the European Union ("TFEU"), within the scope of the GDPR. The function of Article 92 GDPR is to lay down conditions for the delegation of power as

of knowledge between them. This way, Article 50 GDPR expands the exhortation under Article 57(1)(g) GDPR that calls for cooperation between EU DPAs, across

interpreted Recital 144 GDPR to have limited the scope of Article 81 GDPR, as applying only to proceedings instigated under Article 78 GDPR. The first sentence

Article 45(5) GDPR (revocation, change of such determinations); Articles 46(2)(c) and (d) GDPR (standard protection clauses); Article 47(3) GDPR (formats and

Article 72 GDPR regulates the Board's voting procedure. Generally, the GDPR grants the EDPB a high degree of autonomy. In particular, Article 72(2) GDPR entitles

proposed amendments to the GDPR (pursuant to Article 70(1)(b) GDPR). Although not explicitly mentioned in Article 69(2) GDPR, the requirement that the Board

76 GDPR, margin number 1 (C.H. Beck 2020, 3rd edition). Docksey, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 76 GDPR, p

true also under Article 91 GDPR”. See, Tosoni, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 91 GDPR, p. 1263 (Oxford University

published under Article 70(3) GDPR. Though Article 70(3) GDPR already obliges the EDPB to make these public, Article 71(2) GDPR ensures that the public is

Article 96 GDPR if it is found to be incompatible with other GDPR provisions. → You can find all related decisions in Category:Article 96 GDPR It follows

Article 46(2)(d) GDPR, contractual clauses referred to in Article 46(3)(a) GDPR, or binding corporate rules within the meaning of Article 47 GDPR. In these cases

majority principle under Article 72(1) GDPR would have applied regardless of Article 73(1) GDPR. In addition, the GDPR explicitly legislates for a simple majority

Authority for Poland. It resides in Warsaw and is in charge of enforcing GDPR in Poland. The President of the Personal Data Protection Office performs

with Article 58(1) GDPR. Article 90 GDPR was drafted with a view to regulate potential conflicts between the application of the GDPR on the one hand, and

provisions of the GDPR. This decision refers to the Administrative cooperation between SAs (covering cooperation under Articles 56, 60, 61 and 62 GDPR) and the

when passing the GDPR. In fact, all but one EU Member State (who has sought higher protections) have voted in favor the GDPR. The GDPR is not just consisting

subject to the GDPR or, in cases where they are not established in the EU, act within the material and territorial scope of the GDPR. Article 48 GDPR refers to

data as well (see Recital 163 GDPR). Tosoni in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 98 GDPR, p. 1315 (Oxford University

enforcement of the GDPR. → You can find all related decisions in Category:Article 59 GDPR Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 59 GDPR, margin number

Authority for Hungary. It resides in Budapest and is in charge of enforcing GDPR in Hungary. The National Authority for Data Protection and Freedom of Information

organisation-fined-for-gdpr-rule-breach-1.4255692?mode=amp https://www.irishlegal.com/article/tusla-fined-40-000-in-second-gdpr-breach https://www.dataprotection

Authority for Croatia. It resides in Zagreb and is in charge of enforcing GDPR in Croatia. You can help us by filling in this section! You can help us by

Authority for Netherlands. It resides in The Hague and is in charge of enforcing GDPR in Netherlands. The AP has three commissioners: Aleid Wolfsen (head), Monique

Authority for Cyprus. It resides in Nicosia and is in charge of enforcing GDPR in Cyprus. You can help us filling this section! You can help us filling

Authority for Estonia. It resides in Tallinn and is in charge of enforcing GDPR in Estonia. You can help us by filling in this section! You can help us by

Luxembourg, headquartered in Belvaux, municipality of Salem. The CNPD oversees the GDPR in Luxembourg and advises the national parliament, the government and other

Protection Authority for the German state of Berlin. It is in charge of enforcing GDPR in the private sector, within the German state of Berlin. You can help us

Protection Authority for Malta. It resides in Sliema and is in charge of enforcing GDPR in Malta. You can help us by filling in this section! You can help us by

Authority for Portugal. It resides in Lisbon and is in charge of enforcing GDPR in Portugal. The CNPD, the Portuguese Data Protection Authority, is composed

in Riga and is in charge of enforcing GDPR in Latvia.  The DVI is functionally independent institution. Besides GDPR, the regulation of the operation of

Spanish autonomous region of Catalonia. It is in charge of enforcing the GDPR in the public sector within Catalonia. You can help us by filling in this

Authority for Lithuania. It resides in Vilnius and is in charge of enforcing GDPR in Lithuania. You can help us by filling in this section! You can help us

Protection Authority for Germany. It resides in Bonn and is in charge of enforcing GDPR for Germany for the federal government and private telecommunication services

Authority for Bulgaria. It resides in Sofia and is in charge of enforcing GDPR for Bulgaria. You can help us by filling in this section! You can help us

entity that allegedly violates the GDPR description of the data processing activities that allegedly violate the GDPR list of the personal data (or at least

complementary arrangements to the provisions of the GDPR and references data processing on which the GDPR shall be applicable (§ 2 NDSG). It is more specific

complementary arrangements to the GDPR and regulates specific situations of data processing for which the GDPR is not applicable. So the GDPR is the applicable law

Authority for the German state of Baden-Württemberg. It is in charge of enforcing GDPR in the private sector within the German state of Baden-Württemberg and all

public sector for the German state of Bavaria. It is in charge of enforcing GDPR in the public sector, within the German state of Bavaria. You can help us

Protection Authority for the German state of Hesse. It is in charge of enforcing GDPR in the private sector, within the German state of Hesse. You can help us

for the German state of Rhineland-Palatinate. It is in charge of enforcing GDPR in the private sector, within the German state of Rhineland-Palatinate. You

in articles 70 and 71 GDPR. It includes ensuring the consistent application of GDPR and advising the Commission. Article 71 GDPR states that the EDPB must

Protection Authority for the German state of Saarland. It is charge of enforcing GDPR in the private sector, within the German state of Saarland. You can help

Protection Authority for the German state of Saxony. It is in charge of enforcing GDPR in the private sector, within the German state of Saxony. You can help us

Protection Authority for the German state of Bavaria. It is in charge of enforcing GDPR in the private sector, within the German state of Bavaria. Bavaria has a

Protection Authority for the German state of Bremen. It is in charge of enforcing GDPR in the private sector, within the German state of Bremen. You can help us

Authority for the German state of Saxony-Anhalt. It is in charge of enforcing GDPR in the private sector, within the German state of Saxony-Anhalt. You can

the German state of Mecklenburg-Vorpommern. It is in charge of enforcing GDPR in the private sector, within the German state of Mecklenburg-Vorpommern

Authority for Slovakia. It resides in Bratislava and is in charge of enforcing GDPR and national data protection act in Slovakia. All decisions of the Slovak

Authority for Liechtenstein. It resides in Vaduz and is in charge of enforcing GDPR in Liechtenstein. You can help us filling this section! You can help us filling

Authority for the German state of Brandenburg. It is in charge of enforcing GDPR in the private sector, within the German state of Brandenburg. You can help

for the German state of Schleswig-Holstein. It is in charge of enforcing GDPR in the private sector, within the German state of Schleswig-Holstein. You

Protection Authority for the German state of Thuringia. It is charge of enforcing GDPR in the private sector, within the German state of Thuringia. You can help

autonomous region of the Basque Country. It is in charge of enforcing the GDPR in the public sector within the Basque Country. You can help us by filling

for Finland's autonomous region of Åland. It is in charge of enforcing the GDPR in the regional and municipal governments within the Åland Islands. The Region

German state of North Rhine-Westphalia. It is in charge of enforcing the GDPR in the private sector in the German state of North Rhine-Westphalia and for

Spanish autonomous region of Andalusia. It is in charge of enforcing the GDPR in the public sector within Andalusia. You can help us by filling in this

Authority for Sweden. It resides in Stockholm and is in charge of enforcing the GDPR in Sweden. On 1 January 2021, the Swedish data protection authority changed

practice with the “essentially equivalent” level of protection guaranteed by the GDPR to EU citizens. Maximillian Schrems, an Austrian citizen, had been a Facebook

inviolability of human dignity. You can help us fill this section! In Germany the GDPR is implemented by the Bundesdatenschutzgesetz (BDSG). You can help us fill

In progress. Fill in the name used for the recital if you use it so we can ensure a somewhat streamlined practice. Recital 1: The protection of natural

Regulation provides the new data protection rules for EUls which matches the GDPR, the latter applicable across the EU/European Economic Area. By the end of

Directive 2002/58/EC, and the GDPR to the CJEU. The case was referred to the Court of Justice on 5 October 2017 - before the GDPR became applicable on 25 May

the mere infringement of GDPR provisions in itself is sufficient for the right to receive compensation under Article 82 GDPR or is it required that an

law would undoubtedly not be compatible with Art. 5(1)(f) GDPR, Art. 5(1)(a) GDPR and Art. 6 GDPR. A.9 In its final submission of August 12, 2021, the Second

the Member States. Example: Article 6(1)(a) GDPR Example: Not Art. 6 Abs 1 Lit a GDPR or Article 6 GDPR or GDPR Article 6, Sec 1(a) Recitals are also not

protection authorities (Art. 78.1 GDPR), as well as by the possibility to bring actions directly in court (Art. 79 GDPR). Against the decisions that put

interpretation of Article 15 GDPR. The Supreme Court asked the following preliminary question: 'Is Article 15(1)(c) of the GDPR to be interpreted as meaning

Infringement of Article 6 and 9 GDPR qualifies for the maximum amount for administrative fines as set out in Article 83(5) GDPR: 20,000,000 € or 4% of the total

not fulfilled its obligations under the GDPR in a number of ways: It infringed Articles 5(1)(c), (f) and 5(2) GDPR by not considering the risks to students'

of data undergoing processing pursuant to Article 15(3) GDPR. According to the CJEU, the GDPR does not contain any definition of “copy”. However, this

60 GDPR applicable in this case? Are Google LLC and Google Ireland LTD to be considered as joint controllers within the meaning of article 26 GDPR? Does

Peter Nowak Court: CJEU Jurisdiction: European Union Relevant Law: Article 15 GDPR Article 2(a) Directive 95/46/EC Decided: 20.12.2017 Parties: Peter Nowak

interests under Article 6(1)(f) GDPR. On the erasure obligations under Article 17 GDPR, the CJEU held that under Article 17(1)(d) GDPR SCHUFA will be under the

personal data to be provided pursuant to Article 15(1) GDPR: must Article 15(3) first sentence of the GDPR be interpreted as meaning that, due to the nature

law, specifically Article 83 GDPR read in conjunction with Articles 101 and 102 TFEU, would require Germany to allow that GDPR fines may be initiated directly

Article 5(2) GDPR in conjunction with Article 5(1)(a) GDPR. Failure to demonstrate that processing is performed in accordance with the GDPR The DPA noted

In United Kingdom, the GDPR has been transposed into national law through the Data Protection Act 2018. The application of the GDPR is, however, limited

Regulation (GDPR). That approach of the CJEU seems consistent with Article 6 of the General Data Protection Regulation. In addition, the GDPR's article does

of Chapter V GDPR. The complaint was transferred to the Swedish DPA in its quality of lead supervisory authority pursuant to Article 56 GDPR. Following the

right. In Italy the GDPR is implemented by the Codice in materia di protezione dei dati personali. Following the introduction of the GDPR, the Code has undergone

6(1)(a) and 4(11) GDPR in a case concerning the requirements of consent). Always use the most specific sub-paragraph (e.g. Article 6(1)(a) GDPR for consent and

help us fill this section! You can help us fill this section! In Estonia the GDPR is implemented by the Isikuandmete kaitse seadus. You can help us fill this

help us fill this section! You can help us fill this section! In Finland the GDPR is implemented by the Act 1050/2018. You can help us fill this section! You

help us fill this section! You can help us fill this section! In Ireland the GDPR is implemented by the Data Protection Act 2018 (DPA). You can help us fill

fill this section! You can help us fill this section! In Liechtenstein the GDPR is implemented by the Datenschutzgesetz (DSG). You can help us fill this

Workspace for Education until they have brought the processing in line with the GDPR. This is the Danish DPA's third decision in the case relating to Helsingor

now follows from § 102 of the Constitution. The national implementation of GDPR follows from the Personal Data Act of 2018 (personopplysningsloven), as well

has been a member of the European Union since May 1, 2004. In Poland the GDPR is implemented by the Personal Data Protection Act of May 10, 2018. By the

provisions in the national law, meaning the age of consent under GDPR is kept, namely 16 (art. 8.1 GDPR). See Article 7 of the national implementing law. See Article

chapters with 34 paragraphs, followed by the GDPR full text. When the General Data Protection Regulation (GDPR) 2016/679 was enacted, it was transposed into

65(5) GDPR without delay after the IE SA has notified its final decision to the controller920. 919 Article 65(6) GDPR. 920 Article 65(5) and (6) GDPR. Adopted

the first sentence of recital 63 GDPR. Neither the wording of Article 12(5) GDPR nor that of Article 15(1) and (3) GDPR condition the provision (to access

convictions’ within the meaning of Article 8(5) of Directive 95/46 (and Article 10 GDPR). In addition the court judged that a search engine operator does not need

Article 32 GDPR? 4) Does Article 82(3) GDPR allow the controller to be exempt from liability for damages if the data breach as defined by 4(12) GDPR was caused

consistent with the underlying values of the GDPR and cannot be justified in the light of Article 6(1) and Article 9(2) GDPR. It followed, that the companies brought

Must Articles 77(1) and 79(1) GDPR be interpreted as meaning that the administrative appeal provided for in Article 77 GDPR constitutes an instrument for

(2000) | Disputes Act (2005) §20-2 | The Personal Data Act (2018) §1, GDPR A4, GDPR A5 (1) Judge Thyness: Questions and background of the case (2) The case

UK GDPR remains substantively the same as the EU's GDPR. This is acknowledged by the judges in this case at [11] who state 'the content of the GDPR [remains]

regarding Articles 5(1)(b) GDPR and 5(1)(e) GDPR and held that national courts had to determine, using the factors of Article 6(4) GDPR, whether further processing

obligation to provide data subjects with a privacy policy pursuant to Article 13 GDPR. Moreover, the collection of personal data and their use in the training

erasure under Article 17(1)(d) GDPR, as the data processing was not lawful. In any case, the requirements of Article 6 GDPR were no longer met 6 months after

categories of data" under Article 9 GDPR. What is the relationship between national laws (like § 151 GewO) and GDPR? Is a prediction of a political affiliation

9(1) GDPR, Article 15 GDPR, Article 16 GDPR, Article 18(1)(a) GDPR, Article 18(1)(b) GDPR, Article 18(1)(d) GDPR, Article 20 GDPR and Article 21 GDPR for

the meaning of Article 45 of the GDPR and without appropriate safeguards within the meaning of Article 46 of the GDPR. Furthermore, the plaintiff claims

Board assessed if a fine could be imposed as per Article 83(5) GDPR, cf. Article 83(2) GDPR, and in which case, how large it should be. The Board agreed

personal data under Article 9(1) GDPR. Their processing would require the data subjects' explicit consent under Article 9(2)(a) GDPR and § 151(4) GewO, ordered

meaning of Article 4 no. 2 of the GDPR and the term "transfer" within the meaning of Article 44 et seq. of the GDPR. GDPR had to be differentiated. Due to

according to Article 9(2)(a) GDPR. On the basis of the information gathered, the DPA held that the controller had violated Article 9 GDPR. As a result, and in

the applicable law, as the GDPR had entered into force since the initial complaints dating back to 2012. They found that the GDPR would indeed apply. The

controller, to correct its data processing practice in accordance with the GDPR. This decision does not assess the activities of the police in relation to

many waivers from GDPR for research purposes under Article 89 GDPR. It is questionable of the law is constitutional and in line with GDPR. § 151 of the Austrian

certain provisions of the GDPR that do not apply –Article 6 GDPR, Article 9 GDPR, Article 10 GDPR, Article 30 GDPR and Article 34 GDPR, as well as the provision

council in Greece to cease their processing activities, under Article 58(2) GDPR and Article 15(8) of Law 4624/2019, because of an unresolved data breach

of Article 6(1) GDPR; 2. Did not provide the complainant with enough information prior to the processing, in violation of Article 13 GDPR; 3. Processed more

Article 32 GDPR. Retaining personal data of an applicant for a lease after another applicant has been selected also violates Article 5(1)(e) GDPR. The customer

of law. In Netherlands the GDPR is implemented by the Uitvoeringswet Algemene verordening gegevensbescherming (“Dutch GDPR Implementation Act”). In relation

Convention of Human Rights. According to Article 29(2), Article 14 GDPR and Article 15 GDPR apply insofar as the right to freedom of expression and information

interlocutory decision, on the language to be used in a procedure concerning GDPR complaints filed by complainants in various Member States against IAB Europe

judicial order, as well as § 71 which concerns personal liberty. In Denmark the GDPR is implemented by the Databeskyttelsesloven (Data Protection Act). The age

the documents or files containing their personal data under Article 15(3) GDPR and Article 12 of the ePrivacy Directive. However, there is a right to a

Article 46 GDPR. In 2020, noyb lodged a complaint with the Austrian DPA alleging that the controller breached the provisions of Chapter V GDPR. The complaint

Fashion ID Court: CJEU Jurisdiction: European Union Relevant Law: Article 80 GDPR Article 1 Directive 95/46 Article 1(1) Directive 2009/22/EC Article 10 Directive

Protection Authority (BDPA Act). You can help us fill this section! In Belgium the GDPR is implemented by the Data Protection Act (2019). You can help us fill this

repealing Directive 95/46 / EC (General Data Protection Regulation, hereinafter “GDPR”); In view of the law of 3 December 2017 establishing the Data Protection

of Chapter V GDPR. The complaint was transferred to the Swedish DPA in its quality of lead supervisory authority pursuant to Article 56 GDPR. Following the

rights. This right is explicitly enshrined in Article 38. In Slovenia the GDPR is not implemented by the national law. Slovenia remains the only EU country

of Chapter V GDPR. The complaint was transferred to the Swedish DPA in its quality of lead supervisory authority pursuant to Article 56 GDPR. Following the

help us fill this section! You can help us fill this section! In Hungary the GDPR is implemented by the Act CXII of 2011. You can help us fill this section

help us fill this section! You can help us fill this section! In Iceland the GDPR is implemented by the Lög um persónuvernd og vinnslu persónuupplýsinga. You

help us fill this section! You can help us fill this section! In Croatia the GDPR is implemented by the Zakon o Provedbi Opće Uredbe o Zaštiti Podataka. You

us fill this section! You can help us fill this section! In Luxembourg the GDPR is implemented by the Loi du 1er août 2018. You can help us fill this section

help us fill this section! You can help us fill this section! In Latvia the GDPR is implemented by the Fizisko personu datu apstrādes likums. You can help

us fill this section! You can help us fill this section! In Slovakia the GDPR is implemented by the Zàkon o ochrane osobných údajov. You can help us fill

us fill this section! You can help us fill this section! In Lithuania the GDPR is implemented by the Asmens Duomenų Teisinės Apsaugos Įstatymas. You can

help us fill this section! You can help us fill this section! In Malta the GDPR is implemented by the Data Protection Act (2018). You can help us fill this

fill this section! You can help us fill this section! In Czech Republic the GDPR is implemented by the Zákon č. 110/2019. You can help us fill this section

attribution to an unique national number to the citizens. In Portugal the GDPR is implemented by the Lei n.º 58/2019. In Portugal the Age of consent is

Chapter 2 § 1 The Fundamental Law on Freedom of Expression. It is unsure if the GDPR is compatible to the constitutional protection. The stance of the Swedish

reference to which the Constitutionnal Council can adjudicate. In France the GDPR is implemented by the Law "Informatique et Libertés", as modified by the

infringing Article 6(1) GDPR, in relation with the lawfulness principle established by Article 5(1)(a) GDPR. Article 5(1)(d) GDPR establishes that personal

DPA is competent to act under Articles 55 and 56 GDPR, it may exercise the powers conferred by the GDPR on its national territory, irrespective of the Member

(Article 8(1) CFR, Article 9A Greek Constitution, Recital 64 GDPR), underlined that the GDPR totally respects all fundamental rights and freedoms included

telemarketing practices which revealed that Vodafone was in violation of several GDPR articles. Vodafone was ordered to implement more appropriate measures to

the principles of data processing of Article 5(1) GDPR, underlined that, based on Article 5(2) GDPR, it is the data processor's responsibility to conform

did not react either. GDPR applicable? (Article 3(2) GDPR) The DPA held that the GDPR was applicable pursuant of Article 3(2) GDPR. Because the controller

processing of data concerning health laid down in Article 9(1) GDPR is possible under Article 9(2)(h) GDPR) in a case such as the present one, are there further

Article 58(2) GDPR and impose on the respondent the responsibility to restore the fulfilment of Article 5(1)(a) GDPR and of Article 5(1)(b-f) GDPR, as well

5(1)(b) and (e), 9(2)(j), 89(1) GDPR and Section 7(1)(1) and (2)(1) GDPR. In particular, it follows from Article 9(2)(j) GDPR that the processing of data relating

The Greek DPA also considered whether or not the criteria of Article 6(4) GDPR had been respected. In this respect, the DPA found that the customers had

compliance with the principles of Article 5 GDPR and that they could be based on the legal basis of Article 6(1)(f) GDPR. The BVwG ruled that the principle of

violation of article 15 (1) cond. 12 par. 2, 3 and 4 GDPR and c) 30,000 euros for violation of Article 25 (1) GDPR because it did not in practice have the necessary

continued into 2018 (and later), after the GDPR had taken effect, everything above is referenced with GDPR Articles. Consequently, the DPA's decision item

application of the GDPR. While the DPC was arguing that it had purposefully limited the scope of its own-volition inquiry to Articles 12, 13 and 14 GDPR, and that

electronically stored material, that they had no legal basis as per Article 6(1)(f) GDPR and that they had failed to inform the employee as per Article 13 and the

point (g) of GDPR and 13 par. 1 point g. 4624/2019, and to exercise respectively the powers conferred on it by the provisions of Articles 58 GDPR and 15 Law

15(1)(h) of the GDPR, the right of data subjects to object under Article 21(1)(1)(2) of the GDPR and - in essence - in Article 22 of the GDPR as a general

website. AG Bobek is also of the opinion that Article 6(1)(c) GDPR and Article 6(3) GDPR do not preclude national rules from laying down, without any limit

1 lit. f GDPR (for the protection of the processor's legitimate interests)? Right to erasure (Art. 17 GDPR); right to object (Art. 21 GDPR)? Locations

e) of the GDPR). 8.1.4. As for breaches of Articles 5.2. and 24 of the GDPR 88. Article 24.1 of the GDPR which covers Chapter IV of the GDPR devoted to

governed by the basic principle of GDPR, the principle of transparency (relevant Articles 12-14 of the GDPR). 4. The GDPR introduces the principle of accountability

and 35 GDPR. As a result, the DPA imposed an administrative fine of €12,000 on the CNSP and €3,000 on ITSS as joint-controller, under Article 83 GDPR. The

the processing complied with the GDPR, with the APD/GBA explicitly referring to the obligation under Article 12 GDPR to facilitate the exercise by data

controller had violated Article 5(1)(a) GDPR, Article 12 GDPR, Article 13 GDPR, Article 15 GDPR and Article 25(1) GDPR. As a result, the DPA issued a reprimand

that the controller had breached Articles 5(1)(a) and (c), 6, 12(1) and 13 GDPR and for this fined the controller NOK 100,000 (approximately €9,473). The

sufficient organizational and technical measures according to Article 25 GDPR. Piraeus Bank S.A., the controller, sent the data subject a letter informing

the information provided as per Article 13 GDPR were not compliant with the requirements of Article 12 GDPR in light of the fact that TikTok services are

subject pursuant to Article 9 (2) (a) of the GDPR ΕΙΣ/7564/05.11.2019 and the invocation of recital 47 of the GDPR 2016/679, inter alia, informed the Authority

CCTV system shall be handled as subject to Article 4(1) and Article 4(2) of GDPR Regulation. That judgment does not mean that any CCTV surveillance in workplaces

laid down in the GDPR, so that the general conditions for claims were decisive, unless the GDPR contained special rules; even under the GDPR, only non-material

relationship between Article 22(2)(b) GDPR and national law. Article 22(2)(b) GDPR provides that Article 22(1) GDPR does not apply if a decision is ‘authorised

exercise the right of access under Article 15 GDPR and the right to restriction of processing under Article 18 GDPR against three mobile telephone service providers

should have under Article 60 GDPR - Article 61(8) GDPR applied, which meant that the urgent need to act under Article 66(1) GDPR was presumed to be met and

in violation of Article 5(1)(c) GDPR and Article 15(1) GDPR. Firstly, the DPA found a violation of Article 5(1)(c) GDPR, as the controller had retained

of the GDPR – (article 13.1. c) of the GDPR) and does not mention the data retention periods personal data processed (article 13.2. a) of the GDPR more precisely);

for the year, thus violating Article 39(1)(b) GDPR regarding the DPO's duties to monitor compliance with GDPR. In view of those violations, the CNPD: imposed

(e), 6(3) and 9(1) GDPR. The preliminary questions concern the issue whether the existence of a legal obligation – Article 6(1)(c) GDPR – or a public interest

the GDPR. In light of this, the Court agreed with the DPA that the controller had violated Article 5(1)(a) GDPR, Article 12 GDPR, Article 13 GDPR, Article

defendant to the extent stipulated by the labor court, § 15 GDPR. 1. According to Art. 99 (2) GDPR, the GDPR has been in force since May 25, 2018. It is directly

thus violating Article 15(1) and (4) GDPR as well as the principle of accountability pursuant to Article 5(2) GDPR. The complainant requested twice via

and by default (Art. 25 GDPR), integrity and confidentiality (Art. 5.1.f GDPR), as well as security ofprocessing(Art. 32GDPR)......101 B.4.4. - Additional

as well as Article 6(1) GDPR and (II.) §§ 12, 50a and 50d of the Austrian Data Protection Act (DSG). The violations of the GDPR was taxed with EUR 1,200

should be well-known to everyone that the GDPR provides enhanced protection to sensitive data. Article 10 of the GDPR refers to these data collections which

alleged violation of article 5.1.f) of the GDPR and article 32 of the GDPR, typified in article 83.5 and 83.4 of the GDPR. The initiation agreement, which was

(e) and 13(2)(a) GDPR. Thus, it ordered the controller to comply with the GDPR. In addition it fined € 10,000 under Article 58(2)(i) GDPR for the violation

5(1)(f) GDPR Article 5(1)(a) GDPR Article 5(2) GDPR Article 6(1) GDPR Article 7(1) GDPR Article 24(1) GDPR Article 25(1) GDPR Article 32(1)(b) GDPR Article

Article 5(1)(a) GDPR, Article 5(1)(c) GDPR, Article 9 GDPR and Article 25(2) GDPR. As a result, and in accordance with Article 58(2)(d) GDPR, the DPA ordered

Under Article 58(2)(f) GDPR, the Italian DPA imposed a temporary limitation on processing of an AI-powered ChatBot. The privacy policy did not clarify

proportionality of the measure under Article 6(4) GDPR, in accordance with the objectives referred to in Article 23(1) GDPR. It recalled that these objectives include

Relevant Law: Article 5(1)(a) GDPR Article 5(2) GDPR Article 6(1)(f) GDPR Article 13 GDPR Article 21 GDPR Article 24 GDPR §§2-3 Forskrift om arbeidsgivers

consent under Article 8 GDPR also apply? Did the defendant, as the controller, fail to adhere to the data transparency (Article 5(1)(a) GDPR) and the data minimisation

pursuant to Art. 53 Para. 2 GDPR) are met is the responsibility of the respondent, in accordance with Art. 54 Para. 1 lit. a) GDPR, which has to monitor and

the private property of the controller's, violating Article 5(1)(c) and 13 GDPR. On 1st of August 2022, the data subject submitted a complaint against a

pursuant to Article 83(7) GDPR). Hence, the DPA merely ordered the controller to bring implement measures to ensure compliance with the GDPR, pursuant to Article

of the GDPR, and even less than one month between the deletion from the edict file and the request for deletion pursuant to Article 17 of the GDPR. Furthermore

AEPD fined in €2,000 a website for non-GDPR compliant privacy policy, violating Article 13 GDPR. On January 16, 2022 the data subject complaint against

(Maciej Szpunar) assessed the case both under the Directive 95/46 and under the GDPR and came to the same opinion under both legal frameworks: Assessing the meaning

insurance company had breached Article 5(1)(a) GDPR, Article 5(1)(c) GDPR, Article 9 GDPR and Article 25(2) GDPR as its as its practice was to process the health

audit was focused on security issues, which are provided for in Article 32 GDPR and Article 32 of VIS Regulation. Further security requirements are provided

therefore violated Articles 9(1) GDPR out of negligence. The DPA fined the controller €1,600,000 pursuant of Article 83(5)(a) GDPR and considered this a high

to as ‘GDPR’), which replaced Directive 95/56, has been applicable since 25 May 2018. In accordance with the provisions of Article 15 (1) GDPR, the data

Article 32 GDPR? - Does the fact that this health data is not encrypted constitute a breach of the security obligation under Article 32 GDPR? - Does the

to Article 83 GDPR in conjunction with Article 4 No. 7 and 8 GDPR, fines for violations of the GDPR pursuant to Article 83(4) to (6) GDPR are not only to

medical exams. HDPA accepted that the physician violated also art. 12 par. 1 GDPR obligation to facilitate the exercise of applicant’s right of access by imposing

means of such activity, by virtue of article 4.7 of the GDPR. Article 4 section 12 of the GDPR broadly defines “violations of security of personal data”

protection of Art. 82 GDPR does not cover violations of Art. 13, 14, 15, 24, 25 and Art. 34 GDPR. In addition, there is no breach of the GDPR by the defendant

This principle has, logically, been taken up again at Article 5.1(b) of the GDPR under the Principles for the Processing of Personal Data (Chapter II). 16

norm addressee of Chapter V GDPR. The bB be directly responsible for BF2, which violated Art. 44 ff GDPR. Regarding The GDPR is applicable to the processing

mandatory legal requirements to do so, violating Article 6(1) and Article 13 GDPR. A resident has installed, without the authorization of the Comunidad de

the Articles 12 of the GDPR and 12 of the LOPDGDD. It also takes into account what is stated in Considering 59 et seq. of the GDPR. In accordance with the

referred to in Article 78, second paragraph, of the GDPR is free of form. There are no requirements in the GDPR that such a message must meet. It is true that

principles of article 5 par. 1 GDPR. It is no coincidence that the GDPR includes accountability (see Article 5 para. 2 GDPR) in the regulation of the principles

The HDPA of Greece examined the complaint for the violation of GDPR against the Greek Ministry of Education and Religion of a parent who had filed a request

around the processing of personal data subject to Article 10 GDPR. Pursuant to Article 6(1)(f) GDPR, the Privacy Appeals Board conducted a balancing test, in

between 2011 and 2017, the issues had continued since the GDPR entered into force, and therefore, the GDPR applied to this case. Second, the DPA stated that that

between 2011 and 2017, the issues had continued since the GDPR entered into force, and therefore, the GDPR applied to this case. Second, the DPA stated that that

Article 82 (1) and (2) GDPR, any person who has suffered material or non-material damage as a result of a violation of the GDPR is entitled to compensation

ensure the adequate level of protection of the personal data required by the GDPR, given Cloudflare's network extended to more than one hundred countries.

possible GDPR violations. The Spanish DPA highlighted that the physical image of a person is personal data within the meaning of Article 4(1) GDPR. Therefore

Article 77 GDPR was very clear and limited in scope. However, the DSB went on to assert a violation of Article 12 GDPR and Article 15(1)(h) GDPR, acting beyond

Article 15 GDPR." The DPA rejected the request for review. Genealogical research on a family surname did not fall within the scope of Article 15 GDPR, as "personal

LPACAP), for the alleged infringement of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR. SEVENTH: Notification of the aforementioned initiation

subject when his data would be removed. DPA hold that Alektum Oy has violated GDPR Article 15 Subsection 1 and 2 as well as Article 12 Subsection 3 in all three

and unauthorised access to the data. The infringement of Article 32 of the GDPR led to a €10,000 fine (RON 48,748). The infringement of Article 3 of Law

infringement of Article 32 GDPR. Therefore, the Spanish DPA issued a warning sanction for each violation of Article 5(1)(f) and Article 32 GDPR. AEPD highlighted

system of the penitentiary center of Villena (Alicante), violating Article 32 GDPR. On 14, 19 and 21 September 2021, three penitentiary associations lodged

investigations the CNIL found five breaches of the GDPR: -         Violation of the right to object, Article 21(2) GDPR: no procedure was implemented to ensure effectively

justification or basis for the processing, violating Article 9 GDPR. AEPD highlighted that Recital 46 GDPR already recognizes that, in exceptional situations, such

processing (Article 5(1)(a) GDPR), data minimisation (Article 5(1)(c) GDPR), and data protection by default (Article 25(2) GDPR). The DPA suggested that if

an access request under Article 15(1) GDPR. According to Recital 63 GDPR, the right of access under Article 15 GDPR serves data subjects to be informed about

data without a legitimate basis, in breach of Article 6 GDPR. For the violation of Article 6 GDPR, the AEPD fined the controller €6,000. In order to determine

who had been subject to a disciplinary procedure, pursuant to Article 17 GDPR, because the interests of Google and third parties outweighed the data subject's

to access under Article 15 GDPR because the controller was entitled to reject the request pursuant to Article 12(5)(b) GDPR. The court reasoned that this

5(1)(a) GDPR? Is the information relating to personal data processing operations easily accessible within the meaning of Articles 12 and 13 GDPR? Is the

the sanctioning regime imposed by the GDPR. And this is because the GDPR is a closed and complete system. The GDPR is a European standard directly applicable

personali (Italy) Jurisdiction: Italy Relevant Law: Article 58(2)(f) GDPR Article 66(1) GDPR Type: Investigation Outcome: Violation Found Started: Decided: 22

party, for the alleged infringement of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR. FIFTH: Notification of the Commencement Agreement, through

constitutes a special rule with regard to the GDPR, since it prohibits the legal bases mentioned in Article 6 GDPR from being invoked in order to be able to

Article 16 sentence 1 GDPR is the legal basis for a request for rectification, even if the request has been submitted before the GDPR entered into force:

"one-stop mechanism" according to Articles 56 and 60 of the GDPR does not apply established by the GDPR and, therefore, in accordance with the provisions of articles

the political communication legal under article 4 GDPR? The DPA held that in the light of Article 4 GDPR, Article 13 of the national law 3471/2006 and Article

Article 23 GDPR. Restrictions on the right to information under Art. 15 GDPR result in particular from the express provision in Art. 15 (4) GDPR that the

under Article 6(1) GDPR. In light of this, the DPA issued a fine of €70,000 to másLUZ Energía (SIE) by virtue of Article 83(5) GDPR for unlawful processing

article 4.1 of the GDPR, is data personnel and their protection, therefore, is the subject of said Regulation. In article 4.2 The GDPR defines the concept

the controller had not violated Article 45 GDPR nor any of the subsequent Articles from Chapter V of the GDPR. The AEPD took into account that the controller

processing operations. The controller was found to have breached Article 9 GDPR as its practice was to process the health data of life insurance applicants

the GDPR in conjunction with Article 83(1)(a) of the GDPR. 5 of the GDPR, and with Article 21(5) of the GDPR, and with Article 21(2)(a) of the GDPR. 1(b)

having any previous relationship with her. The HDPA held that according to the GDPR and Article 11 of L. 3471/2006, in electronic political communication a politician

with the GDPR at the Municipal Office of the Mayor of Aleksandrów Kujawski. The UODO found that the local government did not comply with the GDPR because

000: €50,000 for the violation of Article 5(1)(f) GDPR and €30,000 for the violation of Article 32 GDPR. The original fine of €80,000 was reduced to €48

outdated and was no longer of importance to society. Pursuant to Article 17(1) GDPR, the data subject had requested Google LLC (the controller) to remove several

Article 5(1)(e) GDPR and Article 25(2) GDPR. As a result, the DPA issued a reprimand to the controller in accordance with Article 58(2)(b) GDPR. Pursuant to

breaching Article 6(1) GDPR, and required the company to implement a policy for conducting credit ratings per Article 24 GDPR. A person lodged a complaint

implementation of Regulation (EU) 2016/679 (GDPR).As the processing activity does not relate to a period of time during which the GDPR applied and, according to the

reprimand concerning the requirements for consent as required by Article 6(1)(a) GDPR. Datatilsynet examined a complaint regarding the processing of personal data

imposed a record fine of €50 million on Google for several violations of GDPR including processing personal data without a lawful basis, violating the

personal data from a surveillance footage, thus breaching Article 5(1)(a) GDPR and Article 6. The company appealed to the Norwegian Privacy Appeals Board

article 4.1 of the GDPR, is data personnel and their protection, therefore, is the subject of said Regulation. In article 4.2 of the GDPR defines the concept

that “Recital 65 of the GDPR also includes the exception of the legal defense as provided for in article 17.3.e of the GDPR to the right to erasure",

that the controller had not answered a rectification request from Article 16 GDPR. The data subject wanted the employer to rectify a productivity record deriving

concept of "personal data", currently translated into Article 4(1) of the GDPR. With the amendment of 2013 and the introduction of a new exception in the

Directive and the right to access under the GDPR. First the Court clarified that both the ePrivacy Directive and the GDPR apply. It considered that the right of

Data Protection Regulation - GDPR). The defendant has a right of refusal under Art. 12 Para. 5 Sentence 2 Letter b) GDPR to. The provision only lists the

Privacy Ordinance, Legislative Commentary, and Öman, Data Protection Ordinance (GDPR) etc. A comment, Norsteds Juridik AB, 2019, page 329. There is no statutory

subjects? The Polish DPA found that the University violated Article 33(1) GDPR and Article 34, because it had notified neither the supervisory authority

calls, and for not providing relevant information under Articles 13 and 14 GDPR during the calls. The controller – PLUS REAL ADVERTISEMENT – provides marketing

found that the Socialist Party of Catalonia (PSC-PSOE) violated Article 21 GDPR due to unsolicited political propaganda sent after the data subject exercised

of article 32 of the GDPR since they are not referred to by the GDPR and were created without being related to or based on the GDPR. The AP disagrees with

freedom of expression and information within the meaning of Article 17(3)(a) GDPR. The controller also stated that there were compelling legitimate grounds

transparency as found in Articles 12, 13 and 14 GDPR. The second fine was imposed as BBVA breached Article 6 GDPR (legality of processing). The decision relates

made without legitimizing cause of those included in article 6 of the GDPR. The GDPR applies to personal data. Said regulation defines as «data personal”

Authority: AEPD (Spain) Jurisdiction: Spain Relevant Law: Article 6(1)(a) GDPR Regulation 1024/2012 (IMI Regulation) Article 21(1) LSSI Article 22(2) LSSI

processing of personal data and the free circulation of these data (hereinafter, GDPR); and in article 47 of the Law Organic 3/2018, of December 5, Protection

Obligation to notify the registered (customers) pursuant to GDPR art. 34? It follows from GDPR art. 34 that Nemlig and Intervare as data controllers in case

from my list of recipients, in accordance with the provisions of Article 18 GDPR. 4) He proceeded to remove the recipient’s e-mail address from the list of

Authority: HDPA (Greece) Jurisdiction: Greece Relevant Law: Article 4(7) GDPR Article 11 L. 3471/2006 Type: Complaint Outcome: Upheld Started: Decided:

and right to privacy. Health data are sensitive data covered by Article 9 GDPR. According to Article 137 of the Italian Data Protection Code, health data

Article 17(1)(d) GDPR since the data was unlawfully processed. The defendant claimed that its activities fall under exception in (Article 85 GDPR) read in conjunction

to them after they exercised their right to data portability (Article 20 GDPR) and right to object (Article 21). After a contractual relationship with

gas distribution company €12,000 for a violation of Article 5(1)(f) of the GDPR. A customer of a gas distribution company (Madrileña Red De Gas, S.A.U) complained

Authority: AEPD (Spain) Jurisdiction: Spain Relevant Law: Article 6(1)(f) GDPR Type: Complaint Outcome: Upheld Started: Decided: 09.06.2020 Published: 09

that the French DPA was not competent in this case. Apple argued that the GDPR was applicable and that the Irish DPA was instead the competent authority

erasure (“right to be forgotten”) of Article 17 GDPR and Article 19 of Regulation 2018/1725. Under GDPR, such prolonged and unrestricted data retention

communication? The HDPA held that the politician is a data controller under the GDPR and needs to establish a valid legal basis to process personal data. Unsolicited

serious breach of the GDPR. The violation of Article 17, 1., a) constitutes also a violation of an essential principle of the GDPR and constitutes at least

in Article 25 GDPR. Additionally, the AEPD concluded that the controller had violated Article 5(1)(f) GDPR, noting that although the GDPR does not demand

Article 17(3) GDPR. Two doctors sued a platform for deletion of their basic profile set up on the platform without their consent under Article 17 GDPR. They argued

that use the TC-string? (Article 4(1) GDPR) 2) a) Is IAB a (joint) controller (Article 4(7) GDPR and Article 24(1) GDPR)? b) Does it matter whether or not

Article 6(1)(b) GDPR, and to bring its processing into compliance with Article 6(1) GDPR. Furthermore, pursuant to Articles 58(2)(i) and 83 GDPR, and under

Article 6(1)(b) GDPR, and to bring its processing into compliance with Article 6(1) GDPR. Furthermore, pursuant to Articles 58(2)(i) and 83 GDPR, and under

99 GDPR |GDPR_Article_Link_3=Article 99 GDPR |GDPR_Article_4= |GDPR_Article_Link_4= |GDPR_Article_5= |GDPR_Article_Link_5= |GDPR_Article_6= |GDPR_Article_Link_6=

35(7) GDPR, for not complying with the principle of transparency under Article 5(1) GDPR and for not anonymising the data under Article 25(1) GDPR, among

99 GDPR |GDPR_Article_Link_3=Article 99 GDPR |GDPR_Article_4= |GDPR_Article_Link_4= |GDPR_Article_5= |GDPR_Article_Link_5= |GDPR_Article_6= |GDPR_Article_Link_6=

on the free movement of such data, and repealing Directive 95/46/EC (the ‘GDPR’), which requires data to be processed lawfully, fairly and in a transparent

cross-border processing (Article 4(23) GDPR). Therefore, the cooperation mechanism was applicable (Articles 56(1) GDPR and 60 GDPR), with the Norwegian DPA as lead

2(2)(c) GDPR Article 4(1) GDPR Article 4(2) GDPR Article 4(7) GDPR Article 4(11) GDPR Article 6 GDPR Article 9 GDPR Article 31 GDPR Article 58 GDPR Type:

5(1)(f) GDPR, Article 5(1)(a) GDPR, Article 5(2) GDPR, Article 12 GDPR, Article 13 GDPR, Article 14 GDPR, Article 24(1) GDPR, and Article 25 GDPR, as a result

exercising their right to access (Article 15 GDPR), not mentioning any of the elements of Article 14 GDPR regarding the processing of data, but only mentioning

The Greek DPA found that a polling company had violated Articles 12 and 15 GDPR, for failing to respond to an access request submitted by a participant in

accordance with Article 13 GDPR. In addition, the HDPA found that the Ministry violated the obligation of Article 35(9) GDPR in relation to the expression

the building lawful in accordance with Articles 5, 6, 12, 13, 25, and 32 GDPR? The ANSPDCP first held that the processing of the image coming from the

12(3) GDPR and Article 12(4) GDPR when a data subject may exercise their right of access according to Article 15(1) GDPR and Article 15(3) GDPR. Then,

force until GDPR came into force. It, thus, violated the principle of accountability according to Article 5(2) GDPR and Article 5(1)(a) GDPR. The HDPA found

Article 5 (1)(e)GDPR, the duty to provide information under Article 13 GDPR, and the obligation to carry out a DPIA under Article 35(3)(b) GDPR. The CNDP also

CYTA violated articles 5 (1), 24 (1) and (2), 25 (1) and (2) and 32 of the GDPR and instructed CYTA to establish such security measures and practices, so

Protection Act may also be based on violations of the GDPR, despite the lack of implementation of Article 80(2) GDPR in Austria. Matching customer data with a data

line with Article 13 GDPR. On the DSB's request, the controller declared R*** Hotels GmbH as its representative under Article 27 GDPR and sent a reply to

constituted a violation of the provisions of Article 5(1)(a) GDPR, Article 5(1)(f) GDPR, Article 6(1)(a) GDPR. As such, the DPA imposed a fined on the controller

information provided to data subjects was less than that required by the GDPR, and the information was not provided in an intelligible and easily accessible

Does the GDPR preclude national regulations which, among other things, grant associations the power to take action for violations of the GDPR by way of

personal data under Article 17 GDPR, to restrict processing of personal data Article 18 GDPR, to data portability under Article 20 GDPR and to object to the processing

DPA (Commissioner) fined the Cyprus Police €6000 for violating Article 32 GDPR for disclosing personal data to unauthorised persons. A series of media publications

data in violation of Article 5(1)(a) GDPR, Article 6(1) GDPR, Article 12(3) GDPR, Article 12(4) GDPR and Article 15 GDPR. As such, the DPA issued a fine of

could not rely on Article 6(1)(c) GDPR as a legal basis. This made the processing also unlawful under Article 5(1)(a) GDPR. The HDPA fined the municipality

personal data - for which a violation was established - in compliance with the GDPR within 3 months. This is the second decision following this investigation

13, 24, 32, 35 and 58(2)(f) GDPR. UAB IT Solutions Success was fined €3,000 for violating Articles 5, 13, 24, 32 and 35 GDPR. The Lithuanian DPA (VDAI)

Article 25 GDPR and the liability principle of 5(2) GDPR. The DPA finally found out that the provision on impact assessment, as per Article 35 GDPR was also

the prohibition under Article 9 (1) GDPR and without relying on any specific exemptions under Article 9 (2) (4) GDPR. Feel free to add your comment here

supervisory authority under Article 56 GDPR, which initiated the cooperation mechanism according to Article 60 GDPR. The controller explained in its submissions

21(2) and 21(4) GDPR. Moreover, the DPA held that the controller violated Article 5(1)(a), 5(1)(c), 5(2), 6(1), 12(2), 21(2) and 21(4) GDPR. The controller

of employment as per Article 88 GDPR. For these reasons, the Garante: - With the power conferred by Article 58(2)(i) GDPR, imposed a fine of €20,000 on Gaypa

reprimand to the telecommunication company Wind Hellas for violation of the GDPR and of the national law implementing the ePrivacy Directive and it issued

imposed by the GDPR. Firstly, that the purpose of processing was determined, explicit and legitimate in accordance with Article 5(1)(b) GDPR when considering

nor clear. Therefore, the purpose limitation principle from Article 5(1)(b) GDPR had been infringed. The DPA also added that the fact that the use of the

in accordance with Article 51 and 55 GDPR, this authority is competent to supervise the application of the GDPR to this case. This is because, while Google

object under Article 21(2) GDPR in conjunction with Article 12(1) GDPR, Article 12(2) GDPR, Article 13 GDPR and Article 14 GDPR. Telenet asked for permission

its web form and via e-mail, acting contrary to Article 13(1) GDPR and Article 13(2) GDPR. Further, the AZOP held that the controller failed to adopt appropriate

their health status, without appropriate legal grounds, as required by art. 6 GDPR and art 2-ter and 2-septies of the Italian Privacy Code, and going against

2022, the DPA issued decision 103/2022, fining the controller for several GDPR related violations. The controller appealed this decision at the Market Court

Article 5(1) GDPR Article 6 (1) GDPR Article 6(4) GDPR Article 9 GDPR Article 14 GDPR Article 30 GDPR Article 35 GDPR and Article 36 GDPR. The fine was

that nominate a representative under Article 27 GDPR do not outsource liability for breaches of the GDPR. A representative can only be held responsible

(f), 9 and 32(1)(b) GDPR.” Pursuant to Article 58(2)(i), the DPA hence imposed an administrative fine as per Article 83(4) and (5) GDPR. Given that the conduct

Adopted 13 GDPR for processing on foot of Article 6(1)(b) GDPR . The IE recalls the general requirement of transparencyunder Article5(a)GDPR 54,anditsp

violation of article 5(a), 6 and 9 GDPR definition of the data retention period, in violation of Article 5(1)(e) GDPR adequate definition of the relationship

the GGC. 2(i) of the GDPR, the effective, proportionate and dissuasive administrative fine provided for in Article 83 of the GDPR, both to remedy compliance

obligations under Articles 24 and 32 of the GDPR which led to the personal data breach, as per Article 4(12) of the GDPR, including with regards to the complainant’s

out in their entirety from Morocco, so that the GDPR did not apply in this case. As per Articles 3 GDPR and 8 of the French Data Protection Act, the CNIL

their response cf. Article 15 - fulfill the other requirements as per the GDPR, including the fundamental principles for processing personal data cf. Article

on EOS Matrix as a data controller due to the multiple violations of the GDPR. The DPA received an anonymous petition stating that EOS Matrix had unauthorized

negotiated the role of data management procedures of a bank, under the aegis of GDPR. In April 2019, Client A asked Hellenic Bank to update his information. During

omission of TOMs (Art. 32 GDPR) The requirements of the European fundamental rights, which the GDPR in accordance with Art. 1 Para. 2 GDPR therefore suggest that

Articles 5(1)(a) and 6(1)(b) GDPR. In addition, the AEPD decided to impose a fine of 1.000 € in accordance with Article 83(5)(a) GDPR by taking into consideration

Comunicación with €8,000 for the infringement of Articles 6(1), 13 and 14 GDPR, as the company gathered and re-used data from the Andalusian Education Department

for data processing under Article 21 GDPR and the principle of liability under Article 2(4) GDPR and Article 24 GDPR. The complainant, the data subject,

request, violating GDPR Article 12(3) and Article 15. The delay also led to the deletion of requested data, violating Article 5(1) GDPR. A complainant legally

supervisory authority in the case under Article 56 GDPR. The DPC started a cooperation procedure under Article 60 GDPR and opened an investigation. In its submissions

Article 5 GDPR, Article 6(1) GDPR and Article 9 GDPR. Article 5 GDPR establishes the principles of data processing. Firstly, Article 5(1)(a) GDPR notes that

of the GDPR. 92. 92. Firstly, the restricted formation emphasises that, in this case, the criterion provided for in Article 83(2)(a) of the GDPR relating

the GDPR and additional mechanisms should be implemented so that users with hacked accounts could be also identified according to Article 12(6) GDPR. Share

with GDPR transparencyobligations under Article 13(1)(c) GDPR involves a separateand different legalassessment tothatrequired in Article6(1)(b) GDPR.TheIE

Article 4(1) GDPR. These statistics even included health data which qualify as a special category of personal data under Article 9(1) GDPR. The Datatilsynet

and transparency established in Article 5(1)(a) GDPR. Moreover, the DPA found a violation of Article 13 GDPR, since the controller did not correctly inform

recipients of personal data constitute a violation of the GDPR. It also held that Article 77 GDPR grants an independent right to lodge a complaint with a

contrary to GDPR, specifically, articles Articles 5(1)(a) and 6(1)(a) GDPR. Though the Hospital acknowledged that the form was not adapted to the new GDPR rules

and (4) GDPR. Therefore, the Belgian DPA found the controller to have breached Article 15 GDPR in conjunction with Article 12(3) and (4) GDPR, and it mandated

(Datenschutzbehörde - DSB) held that the doctor had violated Article 5(1)(a) GDPR and Article 9(1) and (2) GDPR as the patients had not given their ecplicit consent to the

under Article 41 GDPR (redacted as "code S***", code M*** and code U***"). These codes had been approved by the DSB under Article 40(5) GDPR. Inverstigations

possible breach of the GDPR. The VDAI found that the sports club had violated the following GDPR provisions: It violated Article 9(1) GDPR by processing the

Article 33 GDPR. The DPA also ordered the controller to communicate the data breach to the affected data subjects pursuant to Article 34 GDPR. The specific

infringement of Article 6(1) GDPR. Furthermore, he argued the infringement of Article 26 GDPR (joint responsibility) and Article 44 GDPR (third country transfer)

000 under Article 58(2) GDPR and Article 83(4) GDPR for the breach of Article 32(2), Article 32(4) GDPR and Article 28(3) GDPR. As for the controller,

addition to the violation of Article 32 GDPR, the Chamber found that the financial institution had violated: Article 25 GDPR on data protection by design and

for monitoring the former employee's email account, as per Article 6(1)(f) GDPR. The DPA further held that the company failed to: provide the data subjects

Article 12(1) GDPR. 2) Whether the controller has provided the data subject with adequate information under Article 13(1)(d) and 2(b) GDPR in connection

Article 30(1) GDPR, despite employing fewer than 250 persons, because of the risk to the rights and freedoms of the data subject (article 30(5) GDPR). Share

and repealing Directive 95/46/EC (General Data Protection Regulation, ‘the GDPR’, OJ 2016 L 119, p. 1), read in combination with Article 77(1) thereof, to

“anonymisation”. Recital 26 of the GDPR clarifies that anonymous information does not fall within the scope of the GDPR. The GDPR does not explicitly define “anonymisation”

as required under Article 263 TFEU. Following the entry into force of the GDPR, the Irish DPA received complaints from users and non-users (the data subjects)

fraud prevention under Article 6(1)(f) GDPR. Did the company’s policy breach Article 6 or any other articles of the GDPR? The Garante held that the policy breached

complaint against Google. The DPA noted that the lawful basis was Article 6(1)(f) GDPR and referred to the Article 29 Group's guidelines WP225 relating to search

(Article 5(2) GDPR), of engagement of a processor (Article 28 GDPR), and in respect of the security of processing of personal data (Article 32 GDPR). However

the principles of Article 5 GDPR is not cured by the existence of a legitimate purpose and legal basis (cf. GDPR 38/2004, GDPR 43/2019). In addition, the

The DPA assessed the appropriate sanctions in accordance with Article 83(2) GDPR and suggested a fine of approximately €67,000 (DKK 500,000). The DPA in Denmark

(2) point b) of the GDPR, because violated: - Article 6 (1) of the GDPR, 16 - Article 5 (2) of the GDPR, - Article 7 (1) of the GDPR, - Paragraphs (1) –

Article 6.1 GDPR, read in conjunction with Articles 5.2 GDPR and 24.1 GDPR; 5) the performance of a data protection impact assessment (Article 35 GDPR) the framework

(Art. 6 Para. 1 lit. f GDPR). In this context, Art. 6 Para. 1 lit. c GDPR in conjunction with the PMG and Art. 6 Para. 1 lit. f GDPR relevant: The Respondent

performance of a contract (Article 6(1)(b) GDPR) and for legitimate interest (Article 6(1)(f) GDPR). Article 6(1)(b) GDPR In its original draft decision, the

access request, provided an incomplete dataset in English. Could Article 15 GDPR be exercised although the personal are expected to be already possessed by

and transparency (Article 5(1)(a), 6 and 9 GDPR) as well as its obligations under Article 12, 14, 15 and 27 GDPR. The DPA fined the controller €20,000,000

period. The IP clarified that under the GDPR consent does not have to be handwritten. According to Article 4(11) GDPR, "consent of the data subject means any

5(1)(c) GDPR, the DPA fined the controller €50,000. In its assessment of the fine, the DPA noted three aggravating factors per Article 83(2) GDPR: (1) the

(the controller); an access request under Article 15 GDPR and an erasure request under Article 17 GDPR. Regarding the erasure request specifically, when the

suffice to claim damages under Article 82 GDPR? The court held that neither §26(1) BDSG nor Article 6(1)f GDPR legitimize the processing of employee data

contrary to Article 9(1) GDPR. The DPA’s decision focused more on the national privacy law within the employment context rather than GDPR. Share blogs or news

capture images of common areas of the neighborhood violates Article 5 of the GDPR (data minimization). A neighbor had placed cameras in his door directed to

system error fails to register the account closing, lead to a violation of the GDPR? The ANSPDCP found that the controller sent, to the e-mail address of a natural

processing. This lead to a security incident, in breach of Article 28(1) and 32 GDPR, for which the controller was fined RON 9,836.6 (approximately €2,000). Additionally

principles in Article 5 GDPR. This includes notifying the data subjects about processing in accordance with Articles 12 and 13 GDPR. The DPA held that the

12(1) GDPR. The AP outlined that, in the event of an infringement of Article 12(1) of the GDPR, pursuant to Article 58(2)(i) and Article 83(5) GDPR, read

to the GDPR, imposed a fine in the amount of € 10.000 and ordered Cavauto srl. to communicate the proposed changes in view of compliance with GDPR. The Italian

violating Articles 6(1), 13(1) and (2), and 25(1) and (2) and 32(1)(a) and (d) GDPR. A sports betting agency, acting as the controller, offered players (the

Officer (DPO) under Section 4 of Chapter 4 of the GDPR (see in particular Article 37 GDPR to Article 39 GDPR). One of these audit proceedings concerned a Luxembourg

breaching Article 12(3) GDPR, since it failed to notify the data subject that her erasure request was satisfied, as well as Article 24(1) GDPR, given that the

the electricity supplier has committed three violations of Article 12(3) GDPR , because the company delayed to satisfy the complainants' right to access

although the individual had objected to that according to Article 21(3) GDPR. The complainant received a commercial message from Dante Internațional SA

Article 32(1)(a), Article 32(1)(b), Article 32(1)(d) GDPR to be breached. Pursuant to Article 82(2) GDPR, the DPA took several aggravating factors into account

personal data is consent (Article 6(1)(a) GDPR) given while registering to the newsletter. Article 8(1) GDPR establishes the age at which a minor can legally

under Article 37(7) GDPR. The DPA ordered the controller to comply with his obligations under Article 13(1)(b) GDPR and Article 37(7) GDPR and to publish the

Article 83.7 GDPR, but it is in any case established that in its interpretation the context of Article 83.7 GDPR and the purpose of the GDPR. 26. The Belgian

the time of the first communication (Art. 14(3)(a) and (b) GDPR). However, Art. 14(1) to (4) GDPR shall not apply if and to the extent that the data subject

in both Belgium and the UK, violated Article 15(1) GDPR, Article 15(3) GDPR and Article 12(3) GDPR GDPR for deleting data instead of providing access to

trained in GDPR matters. With GDPR in force for over a year, the controller should have had at least measures in place concerning the Articles 15-22 GDPR and

system of an individual shall be handled as subject to Article 4(1) of the GDPR Regulation. The meaning of that conclusion is that the Data Controller is

employer should explore the specific exceptions in Article 9(2)(b) GDPR to Article 9(2)(j) GDPR to lawfully process health-related data of employees. An employee