Search results

to Article 60 GDPR, Article 61 GDPR, Article 62 GDPR, Article 63 GDPR, Article 64 GDPR, Article 65 GDPR, Article 66 GDPR and Article 56 GDPR. The SA is also

purposes outlined in Article 23(1)(a) to (j) GDPR (e.g. national and public security) as well as Recital 73 GDPR (e.g. protection of human life). In any case

Berlin. If their behaviour is monitored by an app, the GDPR applies. In light of Recital 14 GDPR and the EDPB guidelines, the targeting criterion covers

cooperation with other supervisory authorities, the Board and the Commission. Recital 123: Cooperation Amongst Supervisory Authorities and with the Commission The

Article 57 GDPR (tasks of SAs), Article 58 GDPR (powers of SAs), as well as Article 65 GDPR (dispute resolution by the board), Article 63 GDPR (consistency

compliance with the GDPR under Article 58(2)(d) GDPR or even ban it under Article 58(2)(f) GDPR. Therefore, complaints under Article 77 GDPR should extend to

progress. Fill in the name used for the recital if you use it so we can ensure a somewhat streamlined practice. Recital 1: The protection of natural persons

6(1)(f) GDPR, Recital 47 GDPR and the CJEU’s settled case-law 171, three cumulative conditions must be met to be able to rely on Article 6(1)(f) GDPR, ‘namely

election by a parliamentary assembly is explicitly envisaged by the GDPR in Recital 121. Share your comments here! Share blogs or news articles here! The

an access request under Article 15(1) GDPR. According to Recital 63 GDPR, the right of access under Article 15 GDPR serves data subjects to be informed about

e) of the GDPR). 8.1.4. As for breaches of Articles 5.2. and 24 of the GDPR 88. Article 24.1 of the GDPR which covers Chapter IV of the GDPR devoted to

like this: 123.45.67.89 - 25/Mar/2003 10:15:32 - http://www.google.com/search?q=cars - Firefox 1.0.7; Windows NT 5.1 - 740674ce2123e969 123.45.67.89 is

serious breach of the GDPR. The violation of Article 17, 1., a) constitutes also a violation of an essential principle of the GDPR and constitutes at least

blur or pixel images of third parties concerned. The AEPD brought forward Recital 59, emphasizing the controller to facilitate data subjects the access of

DPA (Garante) fined telecoms operator Iliad €800,000 for violating multiple GDPR and Italian Privacy code provisions. As a number of different complainants

made without legitimizing cause of those included in article 6 of the GDPR. The GDPR applies to personal data. Said regulation defines as «data personal”

gas distribution company €12,000 for a violation of Article 5(1)(f) of the GDPR. A customer of a gas distribution company (Madrileña Red De Gas, S.A.U) complained

understood as made to the GDPR, in accordance with article 94 of the last. Likewise, it is apparent from recital 173 of the GDPR that this text explicitly

party, for the alleged infringement of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR. FIFTH: Notification of the Commencement Agreement, through

administrative sanction to be imposed, we should read certain recitals of the RGPD, among others, recital 148, which indicates the following: 'In order to strengthen

2019 that it was operating. Following Article 83(5)(a)GDPR, read in the lights of Recital (148) GDPR, the AEPD issued a reprimand to the owner of the video

operations, it is necessary to fall back on article 6.1. AVG and recital 50 GDPR. Recital 50 of the GDPR states that this is a separate legal basis required for

justification or basis for the processing, violating Article 9 GDPR. AEPD highlighted that Recital 46 GDPR already recognizes that, in exceptional situations, such

the infringement of its collaboration duties as per Article 58(2) of the GDPR. The decision is the consequence of a complaint submitted by a Spanish citizen

individual for failing to comply with the right to information (Article 13 GDPR) when collecting personal data on its website. A citizen brought to the attention

under Article 6(1) GDPR. In light of this, the DPA issued a fine of €70,000 to másLUZ Energía (SIE) by virtue of Article 83(5) GDPR for unlawful processing

infringement of the data minimisation principle related, as per Article 5(1)(c) GDPR. The decision is the consequence of a complaint submitted by another Spanish

warning, in accordance with Article 58(2)(b) of the GDPR, in connection with the above-mentioned Recital 148. Therefore, in accordance with the applicable

information.” Recitals 39 and 60 of the GDPR help to specify the scope of the right of information that is given to the interested parties. Recital 39 establishes:

Regulation (EU) 2016/679, of April 27, 2016, General Data Protection (GDPR), in its recital 18, indicates that this Regulation does not apply to the processing

doubts about the identity of the person making the request”. Moreover, Recital 64 GDPR require the measures adopted to identify data subjects to be “reasonable”

means of such activity, by virtue of article 4.7 of the GDPR. For its part, article 5.1.c) of the GDPR regulates the “principles relating to processing” establishing

consequent infringement of the data minimisation principle (Article 5(1)(c) GDPR). The decision is the consequence of a complaint submitted by a Spanish citizen

is charged with committing an offense for violation of article 6.1 of the GDPR, which states that: "one. The treatment will only be lawful if it complies

consent under Article 4(11) GDPR and Article 6(1) LOPDGDD (National data protection law aimed at the implementation of the GDPR). In both articles, consent

violated the GDPR. A citizen submitted a complaint before the AEPD stating that privacy policy of www.banderacatalana.cat did not comply with the GDPR. GRUP BC

of the general information duty included in Article 13 GDPR. Is this a violation of Article 13 GDPR? The AEPD held that there had been a violation of Article

as “anonymisation”. Recital 26 of the GDPR clarifies that anonymous information does not fall within the scope of the GDPR. The GDPR does not explicitly

infringement of Article 32 GDPR. Therefore, the Spanish DPA issued a warning sanction for each violation of Article 5(1)(f) and Article 32 GDPR. AEPD highlighted

hours of employees without having informed them in accordance with Article 13 GDPR. The AEPD received a letter filed by the interested party against the respondent

account data under Article 15 GDPR? Is GDPR applicable to a case that was still pending before the DPA on 25. 5. 2018? GDPR applies to cases pending before

Article 13 GDPR. In the present case, the controller omitted this obligation. The DPA therefore held that the controller violated Article 13 GDPR by neither

BVerfGE 123, 267 <353 f.>; 126, 286 <302 f.>; 134, 366 <382 ff. margin no. 22 et seq.; 140, 317 <336 et seq. marginals 42 et seq.; 142, 123 <194 et seq

with the GDPR. Especially, if the installation of surveillance camera is contrary to the data minimisation principle, under Article 5(1)(c) GDPR. First,

the infringement of the accuracy principle, as per Article 5(1)(d) of the GDPR. The decision is the consequence of a complaint submitted by another Spanish

they do not involve family law disputes (see Schneider/Herget, loc. cit. recital 4308). bb) Measured against this, there is no objection to the labour court's

violation of article 5.1.f) of the GDPR and article 32 of the GDPR, typified in articles 83.5 and 83.4 of the GDPR, respectively The initiation agreement

the sanctioning regime imposed by the GDPR. And this is because the GDPR is a closed and complete system. The GDPR is a European standard directly applicable

data subject under Article 21(1) GDPR had been violated by the PAR. Did Mrs AAA have a right to object under Article 21 GDPR? Had the PAR infringed this right

alleged violation of article 5.1.c) of the GDPR and article 13 of the GDPR, typified in Article 83.5 of the GDPR. FIFTH: Once the aforementioned initiation

automated) and can in principle be processed manually (recital 15 of the GDPR), considering Article 2 of the GDPR that "This Regulation applies to the processing

article 6 of the GDPR. The assumptions that allow the processing of personal data to be considered lawful listed in article 6.1 of the GDPR: 1. Treatment

Articles 13 GDPR and 7 GDPR respectively? To determine the amount of the penalty, the AEPD took into account three criteria in Article 83(2) GDPR: unintentional

defendant for an infringement of Article 5(1)(a) GDPR a warning penalty in accordance with Article 58(2)(b) GDPR. Share your comments here! Share blogs or news

Resolution regarding the right to access (art. 15 GDPR) and its formalities art. 12(2) GDPR. The Health service of the Balearic Islands (Controller) didn’t

DPA (AEPD) fined a controller €3000 for the infringement of Article 32(1) GDPR, due to a data breach that was caused by the abandonment of several envelopes

article 5.1.f) of the GDPR, typified in article 83.5 of the GDPR, a warning sanction and for a violation of article 32 of the GDPR, typified in article

the publication of the judgment breach the GDPR? The AEPD held that the respondent’s actions violated the GDPR Article 5(1)(a) requirement that processing

Article 13 of the GDPR GDPR. The form used violated Article 13 of the GDPR conduct that is subsumi- ble under Article 83(5) of the GDPR, which provides:

transparency), Article 12(1), Article 7, Article 13 and Article 14 GDPR, the corresponding GDPR recitals (32, 39, 42, 47, 58, 60, 61, and 72), as well are Articles

Vodaphone violated Article 5(1)(f) GDPR, as interpreted in the light of the last sentence of the recital 39 GDPR. Share your comments here! Share blogs

(Art. 6 Para. 1 lit. f GDPR). In this context, Art. 6 Para. 1 lit. c GDPR in conjunction with the PMG and Art. 6 Para. 1 lit. f GDPR relevant: The Respondent

was responsible for violating Article 33 GDPR, and issued it with a warning pursuant to Article 58(2)(b) GDPR. The AEPD did not find the former Secretary

which was considered a data breach and therefore a violation of Article 32(1) GDPR. The Police Force of Navarra (Spain) reported to the AEPD the fact that they

(AEPD) imposed a warning on a Spanish public notary for infringing Article 13 GDPR by not offering the claimant relevant information when obtaining a copy of

processing under the GDPR. The local authorities filed a complaint with the Spanish DPA against the complainant for an alleged violation of the GDPR by finding scattered

family privacy of citizens and the full exercise of their rights.” Recital 40 of the GDPR states that “For the processing to be lawful, the Personal data

violation of the GDPR? The AEPD held that the senders of the email violated the principle of data confidentiality under Article 5(1)(f) GDPR, by revealing

infringe the principle of confidentiality established by Article 5(1)(f) GDPR? Was there a personal data breach? The AEPD considered that there was an

infringe the principle of confidentiality established by Article 5(1)(f) GDPR? Was there a personal data breach? The AEPD considered that there was an

warning to Escuela Infantil (nursery school) for the infringement of Article 13 GDPR. The decision is the consequence of a complaint filed by a Spanish citizen

precautionary measure in accordance with Art. 21 GDPR and requested a suspension in accordance with Art. 18 GDPR. On August 25, 2020, he complained again about

meaning of the GDPR, and such processing of personal data did not fall within the scope of the "household exemption". Therefore, the GDPR applied in full

article 4.1 of the GDPR, are a Personal data and its protection, therefore, is the subject of said Regulation. In the article 4.2 of the GDPR defines the concept

according to Article 23 GDPR, restrictions of obligations and rights under Article 12 GDPR - Article 22 GDPR Article 34 GDPR and Article 5 GDPR, insofar as its

controller's conduct constituted a breach of Articles 5(1)(f) and 32 GDPR and Articles 123, 132 and 132ter of the Code. Contrary to what was claimed by the

Articles 6 and 13 GDPR? The AEPD decided to impose, for infringement of Article 6 GDPR, a fine of € 10000 and, for infringement of Article 13 GDPR, a fine of

79 GDPR in cases of an alleged violation of Article 15 GDPR or can such violation only be subject to a complaint before a DPA under Article 77 GDPR? Do

243. In order to strengthen the enforcement of the rules of the GDPR, recital 148 GDPR clarifies that penalties, including administrative fines, should

member states is superimposed (see Recital 146 S 4 and 5 on the GDPR; cf. also Frenzel in Paal / Pauly, GDPR-BDSG3 Art 82 GDPR margin no.1; Wybitul / Haß / Albrecht

Same principles concerning fair data processing exist in the GDPR Article 5 and Recital 39 and the Irish DPA 2018. Share blogs or news articles here!

of the data processing, in violation of Article 13 and Article 5 (1) (c) GDPR. The complainant lodged a complaint with the AEPD about the installation

infringement of the integrity and confidentiality principle, as per Article 5(1)(f) GDPR. The decision is the consequence of a complaint submitted by a Spanish citizen

Article 6.1 GDPR, read in conjunction with Articles 5.2 GDPR and 24.1 GDPR; 5) the performance of a data protection impact assessment (Article 35 GDPR) the framework

understood as references to the GDPR, in accordance with Article 94 of the latter. 34. Similarly, it follows from recital 173 of the GDPR that this text explicitly

of the GDPR according to Art. 99 Para. 2 GDPR as of May 25, 2018 follows from Art. 79 Para. 2 Sentence 1 GDPR in conjunction with recital 22 GDPR as well

whether Art. 15 GDPR applies to the investigation files at all, since according to Art. 2 Para. 2 d GDPR, Section 2a Para. 4 AO, the GDPR does not apply

(Considering 40 GDPR), Article 6.1 of the GDPR is therefore applicable and not RD 1720/2007 used by the defendant. Thus, the aforementioned article 6.1 GDPR establishes

outside the material scope of the GDPR. Also, with regards to the definition of personal data from Article 4(1) GDPR, the DPA did not reach a firm conclusion

violation of Article 12 GDPR ? Are the following practices an infringement on data subjects' information right as described in Article 12 GDPR ? Spreading the

is the Purpose of the data processing of the claimed person. III Recital 61 of the GDPR indicates: "Information on the processing of their data must be

according to Art 15 Paragraph 1 GDPR, such as the origin of the data. In accordance with Art 15 (4) GDPR and Recital 63 GDPR, the information must be restricted

understood as made to the GDPR , in accordance with Article 94 of the latter. Similarly, it appears from recital 173 of the GDPR that this text explicitly

data under Article 4(1) GDPR, especially because they allow to single out a data subject within the meaning of recital 26 of the GDPR. It is sufficient that

5(1)(b) and (e), 9(2)(j), 89(1) GDPR and Section 7(1)(1) and (2)(1) GDPR. In particular, it follows from Article 9(2)(j) GDPR that the processing of data relating

data without a legitimate basis, in breach of Article 6 GDPR. For the violation of Article 6 GDPR, the AEPD fined the controller €6,000. In order to determine

Article 58(2)(b) GDPR. The Authority ordered the Health Service to carry out a DPIA and bring its processing operations in line with the GDPR within six months

Article 13 GDPR even if the contact form is not operational? The Spanish DPA (AEPD) held that the defendant, PSI, violated Article 13 GDPR by failing to

Article 17(3) GDPR. Two doctors sued a platform for deletion of their basic profile set up on the platform without their consent under Article 17 GDPR. They argued

the provisions of the GDPR, in particular Article 5 (1) GDPR, article 24 and article 28 GDPR, all this based on article 58.2, d) GDPR and article 100, §1

Charter. 61 First, it should be noted that, in the light of recital 19 of the GDPR and recitals 9 to 12 of Directive 2016/680 and by virtue of Article 2(1)

such acts and uploaded the video to Instagram had infringed Article 6(1) GDPR, for processing personal data without a legitimate basis (namely without

article 4.1 of the GDPR, is data personnel and their protection, therefore, is the subject of said Regulation. In article 4.2 of the GDPR defines the concept

addition to or instead of the appropriate measures imposed. 79 This same recital 79Recital148 states that in this context: "In order to strengthen the enforcement

29; judgment of 29 July 2019, Pelham and others, C-476/17, EU:C:2019:624, recital 80 et seq.), the level of protection afforded by the Charter does not regularly

principle enclosed in Article 5(1)(b) GDPR. On this matter, the AEPD argued that, according to Article 5(1)(a) GDPR, Recital 39 and Article 6(1)(f), an interest

LPACAP), for the alleged infringement of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR. SIXTH: On October 13, 2022, DIGI requests the extension

option. The AEPD also found that there had been a violation of Article 7 GDPR before the controller allowed the user to choose what specific processing

her". 8. Recital 32 of the GDPR materially states that "When the processing has multiple purposes, consent should be given for all of them". Recital 42 materiallyprovides

wording of Article 5 Paragraph 1 Letter b) GDPR (“specified […] purposes”) and the wording in Recital 39 Sentence 6 GDPR, (“In particular, the specific purposes

also supported by Recital 128 GDPR. Therefore, the court found the independent nature of the church supervisory authorities to be GDPR-compliant. Second

to Art. 79 GDPR, is not an exhaustive list of further available remedies. This also does not follow from recitals 9, 11 and 13 of the GDPR, which speak

interpretation of the GDPR. Second, the court argued with the drafting history of the GDPR which connects Article 15(3) GDPR to Article 20(1) GDPR, showing that

negligence of the infringement (Article 83(2)(b) GDPR) the impact on basic personal identifiers (Article 83(2)(g) GDPR) Share your comments here! Share blogs or

the fact that the GDPR incorporates EU antitrust law not only from the wording of the provision, but also from recital 150 to the GDPR. This states: "Where

Article 16 sentence 1 GDPR is the legal basis for a request for rectification, even if the request has been submitted before the GDPR entered into force:

therefore violated Articles 9(1) GDPR out of negligence. The DPA fined the controller €1,600,000 pursuant of Article 83(5)(a) GDPR and considered this a high

95/46/EC (hereinafter: general data protection regulation or GDPR), and Article 6 (1) of the GDPR. 2. The Authority finds that Customer 1 violated the principle

of Article 15 of the GDPR, typified in Article 83.5 of the GDPR, as well as for the alleged infringement of Article 17 of the GDPR, typified in the Article

LPACAP, for the alleged infringement of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR. SIXTH: On January 23, 2023, DIGI requests a copy of the

the Article 12 of the GDPR, in conjunction with Article 17 of the GDPR. V Classification of the infringement of article 12 of the GDPR The aforementioned

in Article 25 GDPR. Additionally, the AEPD concluded that the controller had violated Article 5(1)(f) GDPR, noting that although the GDPR does not demand

established in article 5 of the GDPR. The security of personal data is regulated in articles 32, 33 and 34 of the GDPR. III The GDPR defines personal data security

excessive for the intended purpose of processing as per Article 5(1)(c) GDPR and Recital 39 GDPR. The AEPD issued a reprimand on the controller. Share your comments

Regarding the substitution of the fine with a reprimand, the DPA alluded to Recital 148 GDPR which stated that the applicable sanctions for the violation of the

Article 81 of the GDPR, but not the actually relevant Article 82 of the GDPR. The claims asserted in the counterclaim under Article 82 of the GDPR were confirmed

performance of a contract (Article 6(1)(b) GDPR) and for legitimate interest (Article 6(1)(f) GDPR). Article 6(1)(b) GDPR In its original draft decision, the

Therefore, the AEPD fined the controller €2000 for a violation of Article 5(1)(f) GDPR. In order to determine the amount of the fine, the DPA took into account

(Article 5(2) GDPR), of engagement of a processor (Article 28 GDPR), and in respect of the security of processing of personal data (Article 32 GDPR). However

according to Article 6(1)(c) GDPR would be a valid legal basis, related to the exception provided by Article 9(2)(h) GDPR: the employer has the obligation

of the GDPR – (article 13.1. c) of the GDPR) and does not mention the data retention periods personal data processed (article 13.2. a) of the GDPR more precisely);

Adopted 13 GDPR for processing on foot of Article 6(1)(b) GDPR . The IE recalls the general requirement of transparencyunder Article5(a)GDPR 54,anditsp

the processing (Article 21(1) GDPR). Finally, the DPA fined the controller €12,000 for a violation of Article 6(1) GDPR due to the lack of a valid legal

subject. For violating Article 6 GDPR, the DPA fined the controller €4,000 and ordered, in accordance with Article 58(2) GDPR, the removal of the device in

process. It considers that the process of adaptation to the GDPR. . In accordance with Recital 82 of the RGPD, the registration of activities of Treatment

system. When the workers asked about the information listed under Article 13 GDPR, they only received a generic answer saying that the personal data were being

c) GDPR in conjunction with Article 5.1 a) GDPR and Article 5.2 GDPR. - Violation of article 13.1 d) GDPR in conjunction with article 5.1 a) GDPR and

with the requirements of Articles 13 and 14 of the GDPR? In relation to Article 13 and 14 of the GDPR, the AEPD held that the information CaixaBank provided

5(1)(f) GDPR and a fine of €100,000 for the violation of Article 37 GDPR. The DPA issued a reprimand for the violations of Article 5(1)(e) GDPR and Article

point b) GDPR and Article 100, §1, 5 ° WOG to be reprimanded for the infringement of Article 25 (1) GDPR; b. on the basis of Article 83 GDPR and Articles

information required under Art. 14 GDPR. recital 60 The defendant requests Recital 61 reject the complaint. Recital 62 As justification, she repeats her

accordance with Article 6(2) GDPR and Article 6(3) GDPR for adaptation to the application of Article 6(1)(c) GDPR and Article 6(1)(e) GDPR. The court stressed that

legal grounds for the processing: Article 6(1)(b) GDPR and Article 6(1)(f) GDPR. Article 6(1)(f) GDPR, however, was only recently added as a legal ground

personal data from Article 9 GDPR. According to the AEPD, even if the controller may had relied on the exemption on Article 9 GDPR(2)(f), since the data were

The Spanish authority held that the defendant had infringed Article 6(1) GDPR by disclosing the video without the consent of those appearing in it. The

investigative actions. In light of provisions (Article 4 (15) GDPR, Article 9 GDPR, Article 6 GDPR) the vaccination of a person against Covid-19 implies the

only investigating GDPR infringements but also breaches of the Directive ePrivacy, transcribed into French law. It reminded that GDPR and ePrivacy each

information under Article 13 GDPR, and for the processing of personal data in a manner contrary to Article 5(1)(a) of the GDPR. A data subject submitted a

10. Recital 32 of the GDPR materially states that "When the processing has multiple purposes, consent should be given for all of them". Recital 42 materially

AEPD both the GDPR and the LSSI regulate the same situation. It considers the LSSI a lex specialis that is to be applied instead of the GDPR since the controller’s

procedural GDPR violation had occurred, arguing that the Austrian DPA transferred the complaint to the AEPD when pursuant to Article 60(8) GDPR, the Austrian

trends during the COVID-19 pandemic was carried out in compliance with the GDPR, since the Government had implemented appropriate measures to prevent data

communications using the GDPR, specifically on the basis of Article 4.11, Article 6.1.a GDPR (consent requirement) and Article 13 GDPR (information to be provided)

applicants' rights. Consequently, the Ministry violated Article 32 GDPR and Article 24 GDPR. The DPA also found that visa applicants were insufficiently informed

data in the context of telephone jokes. Article 6 GDPR (legality of processing) and Articles 13 and 14 GDPR (transparency) were infringed. The decision is

it has nothing to do with the matter that the reference to the Recital 64 of the GDPR to which the defendant refers, like those other subsequent references

Article 15(1) GDPR. The data subject was not entitled to further disclosure. On the applicability of the GDPR: The court determined that the GDPR and the data

of Article 9 GDPR. In the DSB held that the processing violated Articles 5, 6 and 9 GDPR: Consent under Articles 6(1)(a), 7 and 9(2)(a) GDPR cannot be considered

member states is superimposed (see Recital 146 S 4 and 5 on the GDPR; cf. also Frenzel in Paal / Pauly, GDPR-BDSG3 Art 82 GDPR margin no.1; Wybitul / Haß / Albrecht

alleged violation of articles 32.1 and 5.1.f) of the GDPR, typified in article 83.4.a) and 83.5.a) of the GDPR, with warning. Receipt by the claimant of the agreement

cause physical, material or immaterial damage. In this same sense, recital 83 of the GDPR states that: “(83) In order to maintain security and prevent processing

83.5.a) of the aforementioned Regulation 2016/679. In this sense, Recital 40 of the GDPR states: “(40) For the processing to be lawful, the personal data

employees. The DPA found a violation of Article 5(1)(b) GDPR, Article 5(1)(c) GDPR and Article 13 GDPR. Following a visit to the premises of two public bodies

Article 31 GDPR in conjunction with Article 58(1)(e) GDPR. The AEPD, therefore, agreed to impose a penalty of € 20000 under Article 83(5)(e) GDPR. The fact

understood. Article 15 of the GDPR belongs to Chapter III of the GDPR, entitled "The rights of the data subject". Recital 11 in the preamble states that

processing activities. compliance with the GDPR, including the effectiveness of the measures (GDPR recital 74). In summary, this principle requires a conscious

infringement of article 5.1.f) of the GDPR and article 32 of the GDPR, typified in articles 83.5 and 83.4 of the GDPR, respectively. The startup agreement

established in articles 12 of the GDPR and 12 of the LOPDGDD. Furthermore, what is expressed in Recitals 59 et seq. of the GDPR is taken into account. In accordance

pursuant to Article 56 GDPR. It concluded that the controller violated Articles 5(1)(a), 7(3), 9(1), and 13(2)(c), and 17(1) GDPR. It imposed a temporary

Article 58 GDPR Supporting this they, amongst others, used the Case Versalis Spa v Commission, C-511/11, as well as the Recital 40 of the GDPR as basis of

access to said data.” III Violation of article 5.1 f) of the GDPR Article 5.1.f) of the GDPR, Principles relating to processing, states the following: "1

RGPD, it is taken into account Consider what is stated in Recital 39 of the aforementioned GDPR: “39. All processing of personal data must be lawful and

Respondent explained that the GDPR does not recognize any express “group privilege”, but it can be deduced from Recital 48 to the GDPR that an exchange of customer

12(5)(1) GDPR apply. However, it leaves open whether the material scope of application of the GDPR is opened or not opened due to Article 2(2)(a) GDPR. In any

permissible in accordance with Art. 88 GDPR in conjunction with Section 26 BDSG, the violation of the GDPR required for Art. 82 GDPR was already lacking. There is

Information Acts and the GDPR. Due to the questions of EU law raised by the case with regard to Article 23(1)(e) GDPR and Article 23(1)(j) GDPR, the BVerwG had

according to the first sentence of recital 41 of the GDPR, a legal basis, on which (the here relevant) Art. 9(2)(i) of the GDPR is based, does not necessarily

constituted an infringement of Article 5(1)(f) GDPR for violating the principle of confidentiality and Article 32 GDPR for failing to implement appropriate technical

violation of Article 5(1)(e) GDPR and Article 32 GDPR, but the DPA dismissed its previous finding of the Article 5(1)(b) GDPR violation. The DPA found that

various marketing purposes did not have a legal basis under Article 6(1) GDPR. Bonnier News AB was fined 13,000,000 SEK (approx. € 1.90 million) for the

established in articles 12 of the GDPR and 12 of the LOPDGDD. Furthermore, what is expressed in Recitals 59 et seq. of the GDPR is taken into account. In accordance

Administrative Court's application of Article 16 GDPR. The Administrative Court had correctly assumed that, while Article 16 GDPR was applicable, it could not be established

purpose to process special categories of data according to Article 9 (1) GDPR is not proportional and necessary, as there are less restrictive measures

valid legal basis in line with Article 6(1)(e) GDPR, Article 6(2) and (3) GDPR nor with Article 9(2)(g) GDPR. Making reference to case law of the CJEU and

B-VG Art133 Para.4 DSG §1 DSG §24 GDPR Art12 GDPR Art14 GDPR Art32 GDPR Art5 GDPR Art57 GDPR Art58 GDPR Art6 GDPR Art77 GDPR Art83 VwGVG §28 paragraph 2 saying

the GDPR. SAW Classification of the infringement of article 12 of the GDPR If confirmed, the aforementioned infringement of article 12 of the GDPR could

paragraph 1 GDPR and Article 25 (1) GDPR 84. Based on Article 12(1) GDPR, Article 13(1) and (2) GDPR and Article 14(1) and paragraph 2 of the GDPR, it is necessary

unauthorized access to said data (The underlining is from the AEPD). Recital 75 of the GDPR lists a series of factors or assumptions associated with Risks to

persuasive weight.   82.  Recital 24 of the GDPR is relevant to the construction of Article 3(2)(b) GDPR and Article 3(2)(b) UK GDPR, this reads as follows:

established in articles 12 of the GDPR and 12 of the LOPDGDD. Furthermore, what is expressed in Recitals 59 et seq. of the GDPR is taken into account. In accordance

points out that the term “personal data”, as explained in Article 4.1 GDPR, Recital 26 GDPR as well as Group Opinion 4/2007 Data protection and the case law

several GDPR violations by the controller, and went on to assess whether they could give rise to the award of immaterial damages under Article 82 GDPR also

accountability pursuant to Article 5(2) UK GDPR because it failed to demonstrate compliance with Article 5(1)(a) and (c) UK GDPR principles of lawfulness, fairness

83.5.a) of the aforementioned Regulation 2016/679. In this sense, Recital 40 of the GDPR states: “(40) For the processing to be lawful, personal data must

regarding Article 6(1) GDPR and consent requirements regulated previously to GDPR. The fact that the infringements related to Article 25 GDPR did not include

Articles 6(1)(b), 5(1)(b) and 5(1)(c) GDPR? The Spanish DPA (AEPD) deemed itself competent under Article 58(2) GDPR in conjunction with Article 47 of the

from the GDPR under Article 2(2) of the GDPR. 165. Article 2(2) of the GDPR outlines certain types of processing of personal data to which the GDPR does not

in directive 95/46/EC, which was replaced by the GDPR. 90. Thus, since the entry into force of the GDPR, the "consent" provided for in the aforementioned

Article 17(1)(d) GDPR since the data was unlawfully processed. The defendant claimed that its activities fall under exception in (Article 85 GDPR) read in conjunction

2 of the GDPR, Article 24.1 of the GDPR, Article 25.1 of the GDPR and Articles 32.1 and 32.2 GDPR; 2. Articles 35.1, 35.2, 35.3 and 35.7 GDPR; and 3. Article

Article 51 of the GDPR. 17. By Article 57(1) of the GDPR, it is the Commissioner's task to monitor and enforce the application of the GDPR. 18. By Article

Article 4(16) GDPR." Consequently, the DPA concluded that the cooperation mechanism and procedure set out in Article 56(1) GDPR and Article 60 GDPR did not apply

Article 5(1)(f) GDPR. As the respective data was not rectified in time after receiving a complaint, it also resulted in a breach of Article 32 GDPR. On 5 July

initial copy of the medical history under Article 15(3) GDPR in conjunction with Article 12(3) GDPR. The Court of Appeal amended the judgment to dismiss the

less severity depending on the effects 86 GDPR, art. 16 87 GDPR, art. 17.1.a 88 GDPR, art. 18.1.a 89 G.HAAS, GDPR legal guide: the regulations on the protection

data, the DPA considered that the defendant had violated Article 6(1)(a) GDPR, and fined them €1500. Share your comments here! Share blogs or news articles

Articles 6.1.C and 9.2.i) of the GDPR. 86. In accordance with Article 6.3 of the GDPR, read in the light of recital 41 of the GDPR, the processing of 26 personal

Article 24(1), Article 25(1), Article 32(1)(b) and (d), and Article 32(2) GDPR due to a lack of a reliably conducted risk analysis, combined with the lack

LPACAP), for the alleged infringement of article 6.1 of the GDPR, typified in Article 83.5 of the GDPR. The startup agreement was sent, in accordance with the

us using the form at the bottom. II.-1 Administrative violation Recital 61) of the GDPR indicates that: “Information on the treatment of their personal

imposed, has limited himself to transcribing the Recital 148 of the RGPD since the aforementioned recital takes into consideration only two elements: that

regarding Article 6(1) GDPR and consent requirements regulated previously to GDPR. The fact that the infringements related to Article 25 GDPR did not include

on a large scale. Despite The GDPR does not define what is meant by large-scale processing, both the recital 91 of the GDPR as the Working Party of article

to the properties, defending the baseless claims of B. as well as A". GDPR' Recital 111 provides that provisions should be made where the transfer is occasional

3 of Recital 51 GDPR, the DSB found that the pictures taken from the data subject did not constitute biometric data according to Article 9(1) GDPR because

the alleged violation of the articles: -6.1 of the GDPR, in accordance with article 83.5.a) of the GDPR and article 72.1.b) of the LOPDGDD. C/ Jorge Juan

data and on the free movement of such data. 3 Recital 3. 4 Recital 5. § Recital 7. 7 See, i particular, Recitals 11, 148, 150, and Article 5, Chapter IV and

process this data under Article 6(1)(b) GDPR for the performance of a contract, and as well as Article 6(1)(c) GDPR to comply with legal obligations for lodging

and 7(1) GDPR; Articles 5, paragraph 2 and 24 GDPR; Articles 12, paragraph 1, j° 13 and 14 GDPR; Article 5(1)(e) GDPR; and Article 7(3) GDPR. - order the

infringement of Article 13 GDPR is considered a very serious breach and could be fined with the amounts established in Article 83(5) GDPR, in this case, the AEPD

with GDPR transparencyobligations under Article 13(1)(c) GDPR involves a separateand different legalassessment tothatrequired in Article6(1)(b) GDPR.TheIE

c) of the GDPR, typified in article 83.5 of the GDPR, and for the alleged infringement of article 13, typified in article 83.5.b) of the GDPR. SIXTH: The

exceptional provisions of § 9 of the Data Protection Act and Art. 85 of the GDPR are not applicable. The Facebook posting disclosed personal data of a public

intrusive and therefore could not be based on Article 6(1)(f) GDPR. Secondly, Article 5(1)(c) GDPR indicates that personal data should be adequate, relevant

corresponding interest can be found in the GDPR. Notably, the PG referenced Recital 52 and Article 9 GDPR. Recital 52 GDPR states that a derogation from the prohibition

. 7. Recital 32 of the GDPR materially states that “When the processing has multiple purposes, consent should be given for all of them” . Recital 42 materially

article 15 of the GDPR. V Classification of the infringement of article 15 of the GDPR The aforementioned infringement of article 15 of the GDPR supposes the

the Inquiry 2.1 The GDPR is the legal regime covering the processing of personal data in the European Union. As a regulation, the GDPR is directly applicable

Articles 63 to 66 GDPR. The GDPR also established a cooperation mechanism between the supervisory authorities. It follows from Article 60 GDPR that the lead

allow them to adequately develop the functions that the GDPR assigns them, as Recital 97 of the GDPR recalls, "The level of necessary specialized knowledge

DPA considered the infringement of Article 5 GDPR, Article 24(1) GDPR, as well as Articles 25(1) and (2) GDPR. Secondly, the DPA addressed the access request

4(1) of the GDPR. I further note that the text of the accompanying recital (Recital 26 of the Directive) is very similar to the text of Recital 26 of the

day) a complaint under Art. 77 GDPR because of the "Unlawful obtaining of consent to data transfer (violation of Art. 7 GDPR)” and requested a declaration

violated the article 15 of the GDPR, infringement typified in article 83.5 a) of the GDPR. IV. Secondly, article 32 of the GDPR "Security of treatment", states

Article 12(3) GDPR and Article 15 GDPR due to a failure to respond to an access request that was submitted around a month after the GDPR became applicable

5(1)(a) GDPR. Lastly, the notice that informed visitors about the ShareArt system did not contain all the elements required by Article 13 GDPR. Consequently

required by Article 13 GDPR. Furthermore, the AEPD, highlighted that the RFEF did not provide the information required by Article 13(3) GDPR about further processing

for the alleged violation of Article 35 of the GDPR, Article 32 of the GDPR and Article 13 of the GDPR, typified in Articles 83.5 of the RGPD and Article

the territorial scope of the GDPR (Article 3 GDPR) as it was based exclusively in the USA and under US law, and thus the GDPR is not applicable. It also

line with Article 13 GDPR. On the DSB's request, the controller declared R*** Hotels GmbH as its representative under Article 27 GDPR and sent a reply to

impose a reprimand sanction (58.2 b) GDPR) on VOX for its lack of diligence in implementing security measures (32 GDPR). In addition, the AEPD did not consider

/ Weichert / Sommer, EU-GDPR and BDSG, 2nd edition 2020, Art. 9 GDPR marginal 3).9 GDPR does not allow recourse to Art. 6 GDPR (Albers / Veit in Wolff

26 GDPR. The agreements between Criteo and its commercial partners did not contain specific obligations in relation to the requirements of the GDPR, such

personal data under Article 9 GDPR, the AEPD held that a Data Protection Impact Assessment (DPIA) under Article 35 GDPR should have been carried out in

basis under Article 6(1) GDPR and in violation of transparency obligations in the privacy policy under Article 5(1)(a) and 13 GDPR. The DPA in the first instance

Reference to Art. 79 GDPR does not justify any jurisdiction, since Art. 79 GDPR (like Art. 77 GDPR) only refers to violations of the GDPR but not on national

powers of the GDPR are linked to the application of the GDPR. National legislation may assign functions and powers inspired by the GDPR, but can also grant

Article 12 GDPR, read in conjunction with Article 17 GDPR. VI Sanction of the infringement of Article 12 GDPR The infringement of Article 12 of the GDPR entails

of Article 7(4) GDPR. Based on these considerations, the AEPD issued a €2,000,000 fine against Caixabank for infringing Article 6 GDPR in relation to Article

Para.4 DSG §1 DSG §24 paragraph 1 DSG §24 paragraph 5 GDPR Art17 GDPR Art4 GDPR Art5 GDPR Art58 GDPR Art6 VwGVG §28 paragraph 2 saying W101 2213581-1/5E

interest. Based on Article 2 (1) of the GDPR, the GDPR must be applied to the data management in this case. GDPR Article 4, point 1: "personal data": for

by article 9 of the GDPR -with- recital 51 of the GDPR- and, in addition, many other data not regulated in that precept- to. Recital 75 mentions in detail

organisation are not excluded as such from the scope of the GDPR. To the contrary, Article 9(2)(d) GDPR explicitly states that special categories of data can

under Article 24(1) GDPR, Article 25 (1) GDPR, Article 32(1)(b) GDPR and Article 32(1)(d) GDPR and Article 32 GDPR#2"Article 32(2) GDPR. Share blogs or news

Article 58(2)(d) GDPR. First, the AEPD established that the GDPR was applicable under Article 3(1) GPDR or, if not, at least Article 3(2)(a) GDPR would apply

consent was not valid as a legitimate basis from Article 6(1) GDPR, in relation to Article 7 GDPR, and thus processing was unlawful. On these grounds, the AEPD

standard B-VG Art133 Para.4 DSG §24 paragraph 1 DSG §24 paragraph 5 GDPR Art12 GDPR Art15 GDPR Art4 VwGVG §28 paragraph 2 WTBG 2017 §80 saying W101 2218962-1/10E

explicit provisions like the GDPR, which generally clarify the roles of the data controller. However, the terms of the GDPR ("controller", "processor")

4 DSG §1 DSG §24 DSG §24 paragraph 1 DSG §24 paragraph 5 DSG §7 GDPR Art4 GDPR Art5 GDPR Art6 VwGVG §28 paragraph 2 B-VG Art. 133 today B-VG Art. 133 valid

of Article 4(15) GDPR. The DSB founds that the GDPR does not apply due to the household exception provided for in Article 2(2)(c) GDPR. Pursuant to Article

persons from the wording of these standards recognizable (cf. recital 41 second sentence GDPR). The respective directly with the control The respondent's

1.f) of the RGPD and Article 32 of the GDPR, typified in Article 83.5 of the GDPR and Article 83.4 of the GDPR respectively. SIXTH: The aforementioned

of the GDPR. The mechanisms for the protection of the rights and freedoms of citizens and would be contrary to the spirit of the GDPR. The GDPR is endowed

data transfers would not be valid in accordance with Article 49(1) GDPR and Article 7 GDPR, given that consent was required within the contract without an

with recital 63 of the GDPR. If the other party argues that it was not provided with the information pursuant to Article 14(2)(c) and (d) of the GDPR (existence

present complaint was filed on 1 August 2019. On the basis of the above recital, the period of time that has elapsed so far - also in view of the requests

5(1)(d) GDPR and data protection by design of Article 25(1) GDPR. In addition, the DPA held that the controller violated Articles 5(1)(a) and 13 GDPR by not

1.f) of the RGPD and Article 32 of the GDPR, typified in Article 83.5 of the GDPR and Article 83.4 of the GDPR. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid

2022, Art. 82 GDPR marginal number 14). With regard to recital 146 sentence 1 of the GDPR, however, processing must have violated the GDPR (Nemitz, in:

violation of Article 5(1)(c)(e) GDPR and a prevailing legitimate interest of the defendant according to Article 6(f) GDPR. It must be noted that the judgment

dissemination of sec- trade creds. For this purpose, it mentions recital 63 of the GDPR, as legitimate maker of "discriminating the information that can

6 (1) lit. f GDPR throughout. Other reasons (Art. 6 Para. 1 lit. a-e GDPR) were not shown by BF2 in the procedure. Art. 6 (1) (f) GDPR enables the processing

and 32 GDPR in this case would constitute a double violation of the GDPR, when in fact Article 5(1)(f) GDPR is merely a concretion of Article 32 GDPR. The

that is not necessary for the performance of that contract." 8. Recital 43 of the GDPR states: "Consent is presumed not to be freely given ... if the performance

85 GDPR, so that Chapter II (including Art 6 GDPR) to VII and IX of the GDPR do not apply. The regulation of § 9 DSG, which is based on Art 85 GDPR, is

processed personal data without consent, therefore violating Article 6(1) GDPR. While the initial processing of the personal data was justified for the

of application of Article 58(2)(c) GDPR. On 19.02.2019, the data subject sent an access request under Article 15 GDPR to a controller (an Austrian municipality)

under the GDPR. Literature and data protection authorities therefore agree that Section 13 (6) TMG expired with the introduction of the GDPR. Even if one

expressly stated in the GDPR, that supervisory authorities should monitor and enforce the GDPR, and with the provision in the GDPR that 'breaches' of data

matter before a court (Art. 78 GDPR) and before the supervisory authority (Art. 77 GDPR) could not be inferred from the GDPR from a systematic point of view

the determination of Art. 6 (1) lit. f previous search term GDPR next search term, recital (47) specifically states: "The lawfulness of processing may

consent regulated in Chapter II of the GDPR (Articles 6, 7 GDPR) (cf. Pauly, in: Paal/Pauly, GDPR/BDSG, a.a.O., Art. 44 GDPR no. 2). 122This is missing in the

13 and 14 GDPR, objected to the processing pursuant to Article 21 GDPR and requested the restriction of the processing under Article 18 GDPR. The controller

found that GDPR does not prevent the claimant from exercising their basic right. In this regard the court referred to Article 6(1)(f) GDPR to highlight

under the GDPR. Pursuant to Articles 58(2)(i) and 83 GDPR, the DPA imposed a PLN 1,968,524 fine on the controller for the above-discussed GDPR violations