Search results

committee fall under national security as defined by Recital 16 GDPR, therefore, making Article 2(2)(a) GDPR applicable? 3) If question 2 is answered in the

GDPR. Recital 71 sentence 1 GDPR. Recital 71 sentence 1 GDPR. Recital 28 sentence 1 GDPR, such as Hansen, in Simitis, Hornung, Spieker, Datenschutzrecht

BDSG, Article 6 GDPR, margin number 20 (C.H. Beck 2020). Recital 32 sentence 1 GDPR. Recital 32 sentence 2 GDPR. Recital 32 sentence 3 GDPR. CJEU, C‑673/17

under Article 6(4) GDPR and further processing for a compatible purpose under Article 6(4) GDPR. See the commentary on Article 6(4) GDPR for details on the

complaint does not relate to the national issue. 2. According to recital 16 of the GDPR, this Regulation does not apply to issues of protection of fundamental

(Article 12(1) GDPR), facilitate the data subject (Article 12(2) GDPR), respond and communicate the measures taken (Article 12(3) and (4) GDPR), the principle

Regulation (GDPR): A Commentary, Article 32 GDPR, p. 636 (Oxford University Press 2020). Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 32 GDPR, margin number

dealt with in Article 12(6) GDPR. It is unclear why Article 12(2) GDPR refers to Articles 15 to 22 GDPR, while Article 11(2) GDPR only refers to Articles Articles

Articles 16 to 22 GDPR) but also allows to check if the controller has complied with the ex-ante information provided under Articles 13 or 14 GDPR. EDPB:

Article 83(8) GDPR corresponds in this respect to Recital 148 sentence 4 GDPR. Nemitz, in Ehmann,Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin

14(2)(g) and 15(1)(h) GDPR. Recital 50 GDPR. Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 13 GDPR, margin number 20 (C.H

Article 4(7) GDPR (definition of controller), Article 4(8) GDPR (definition of processor), Article 4(16) GDPR (definition of main establishment), Article

(Article 15 GDPR), rectification (Article 16 GDPR), erasure (Article 17 GDPR), restriction (Article 18 GDPR), notification (Article 19 GDPR) or data portability

specific criteria should not fall within the scope of this Regulation. Recital 16: Not Applicable to National Security and Common Foreign and Security Policy

of data established in Article 9(2)(a) GDPR, Article 9(2)(c) GDPR, Article 9(2)(g) GDPR and Article 9(2)(i) GDPR directly correlate with a specific legal

of the most innovative elements in the GDPR related to the accountability principle (see Articles 5(2) and 24 GDPR). This provision regulates the cases in

natural persons”. The GDPR does not define what constitutes a “risk to the rights and freedoms of natural persons”. Recital 75 GDPR only outlines potential

sanctions for infringements in the Member States. Recital 12: Article 16(2) TFEU Mandate Article 16(2) TFEU mandates the European Parliament and the Council

out data relating to deceased persons, this Recital confirms Recital 27 GDPR, according to which the GDPR “does not apply to the personal data of deceased

the meaning Recital 86 GDPR). However, Article 34 GDPR does not provide a specific deadline of 72 hours as is the case in Article 33 GDPR. Instead, timelines

Article 25 GDPR or Article 32 GDPR. This provision assigns a proactive role to the controller who has to ensure compliance with the GDPR at all stages

important to note that Article 13(1)(f) GDPR, Article 14(1)(f) GDPR, Article 15(1)(c) GDPR and Article 15(2) GDPR, make specific reference to transfers of personal

Regulation (GDPR), Article 7 GDPR, p. 350 (Oxford University Press 2020). Heckmann, Paschke, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin

Berlin. If their behaviour is monitored by an app, the GDPR applies. In light of Recital 14 GDPR and the EDPB guidelines, the targeting criterion covers

Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 909 (Oxford University Press 2020). See Recital 20 GDPR and CJEU, in C-245/20 - Autoriteit

(Article 12 GDPR), information (Articles 13 and 14 GDPR), access (Article 15 GDPR), rectification (Article 16 GDPR), erasure (Article 17 GDPR), restriction

Article 82 GDPR – like almost all provisions of the GDPR – is directly applicable in all Member States without any act of implementation. Article 82 GDPR leaves

subject, under Article 6(1)(c) GDPR. In line with the general objectives of the GDPR, as outlined in Article 1 GDPR Article 16 TFEU, SAs are also required

in other parts of the GDPR. To begin with, Recital 141 GDPR clarifies that an SA must “act on a complaint”. Article 57(1)(f) GDPR, in turns, establishes

Article 79 GDPR, margin number 14 (rdb.at 2018). Jahnel in Jahnel, DSGVO, Article 79 GDPR, margin number 29 (Jan Sramek 2021). See Recital 141 GDPR. Moos,

differences between portability and access under Article 15(3) GDPR. According to Recital 68, the data should be available in an "interoperable format"

to Article 60 GDPR, Article 61 GDPR, Article 62 GDPR, Article 63 GDPR, Article 64 GDPR, Article 65 GDPR, Article 66 GDPR and Article 56 GDPR. The SA is also

large-scale, or involve processing of data under Article 9 GDPR or Article 10 GDPR. Recital 97 GDPR clarifies that the core activities of a controller are

personal data as well (see Recital 163 GDPR). Tosoni in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 98 GDPR, p. 1315 (Oxford University

5(1)(d) GDPR gives the controller some leeway to continue processing inaccurate data - see more details under Article 5(1)(d) GDPR. Article 16 GDPR, titled

(Article 15 GDPR), rectification (Article 16 GDPR), deletion (Article 17 GDPR), restriction of processing (Article 18 GDPR), objection (Article 21 GDPR) and the

from any of the GDPR’s protections. → You can find all related decisions in Category:Article 39 GDPR Just as Article 38 GDPR, Article 39 GDPR also shows similarities

purposes outlined in Article 23(1)(a) to (j) GDPR (e.g. national and public security) as well as Recital 73 GDPR (e.g. protection of human life). In any case

catalogue of penalties in Article 83 GDPR. National legislators may add provisions to fill these gaps. Under Recital 152 GDPR, these provisions may either be

22(2)(c) GDPR. Finally, decisions based on explicit consent are also subjected to the safeguards laid down in Article 22(3) GDPR. Article 22(3) GDPR lays down

Protection Regulation (GDPR): A Commentary, Article 27 GDPR, pp. 595-596 (Oxford University Press 2020). Recital 80 sentence 5 GDPR. Ziebarth, in Sydow,

interpreted Recital 144 GDPR to have limited the scope of Article 81 GDPR, as applying only to proceedings instigated under Article 78 GDPR. The first sentence

88(1) GDPR) and a conditional function (Article 88(2) GDPR). While Article 88(2) GDPR determines the scope of the opening clause, Article 88(1) GDPR establishes

checks. The 16-year age limit is not absolute. Under Article 8(1) GDPR, Member States can adjust this age requirement to anywhere between 13 and 16 years. Thus

25 May 2018, pp. 15-16 (available here). Kuner, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 49 GDPR, p. 854 f. (Oxford University

since, under Article 28(1) GDPR, a controller shall only use processors providing the same standards under Article 25 GDPR. Manufacturers or producers

Article 14 GDPR gives expression to the principle of transparency enshrined in Article 5(1)(a) GDPR and further defined in Article 12 GDPR. While Article

transfers), they may simultaneously invoke Article 16 GDPR (right to rectification) and Article 18 GDPR (right to restriction) in order to request the controller

purpose (Article 52(4)(5)(6) GDPR). Elements of SAs' complete independence are also addressed in Article 53 GDPR and Article 54 GDPR. The CJEU in the Case of

exists only in cases of Article 64(2) GDPR but not the context of Article 70(2) GDPR. According to Article 70(3) GDPR, the EDPB is obligated to “forward its

You can find all related decisions in Category:Article 36 GDPR Recital 89 GDPR. Article 36 GDPR must therefore be read as one   element within a wider framework

application of Article 65(1)(a) GDPR, (13 April 2021), margin number 57 (available here). See also Recital 143 GDPR. See Article 78(2) GDPR. Hijmans, in Kuner et

incorrect data on a regular basis could not be addressed under Article 16 GDPR as Article 16 GDPR can only be invoked to rectify existing inaccurate data but not

situation, Article 95 GDPR will not be relevant, and the GDPR applies as normal. Notably, Recital 173 GDPR, which relates to Article 95 GDPR, omits reference

under the GDPR. → You can find all related decisions in Category:Article 94 GDPR Kühling, Raab, in Kühling, Buchner, GVO BDSG, Article 94 GDPR, margin numbers

resolution mechanism under Article 65 GDPR in connection with Article 63 GDPR is triggered (Article 60 (4) GDPR). Article 60(2) GDPR clarifies that also in cross-border

Article 45(5) GDPR (revocation, change of such determinations); Articles 46(2)(c) and (d) GDPR (standard protection clauses); Article 47(3) GDPR (formats and

provisions of the GDPR. This decision refers to the Administrative cooperation between SAs (covering cooperation under Articles 56, 60, 61 and 62 GDPR) and the

Although Article 40(5) GDPR mentions that the competent DPA will be determined through the application of Article 55 GDPR, the GDPR does not provide concrete

compliance with the GDPR. Article 28(3)(h) GDPR enables such a task in case processors are used. According to Article 28(3)(h) GDPR, the processor should

57 GDPR should be deemed inadmissible for the purposes of Article 31 GDPR. Article 31 GDPR can be read as a supporting provision to Article 58 GDPR. In

Articles 13 or 14 GDPR. This can be drawn from the final sentence of Article 11(1) GDPR. It must be assessed with the utmost attention whether GDPR provisions

Category:Article 45 GDPR Kuner, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 45 GDPR, p. 774 (Oxford

prevention (Article 23(1)(a-j) GDPR) allow for far fewer GDPR restrictions than those granted by freedom of expression. Article 85(2) GDPR poses one condition for

proposed amendments to the GDPR (pursuant to Article 70(1)(b) GDPR). Although not explicitly mentioned in Article 69(2) GDPR, the requirement that the Board

published under Article 70(3) GDPR. Though Article 70(3) GDPR already obliges the EDPB to make these public, Article 71(2) GDPR ensures that the public is

Category:Article 86 GDPR At para. 120 Kranenborg, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 86 GDPR, p. 1216 (Oxford University

outlined under other Articles of the GDPR, namely in Articles 51, 52 and 53 GDPR. The second objective, under Article 54(2) GDPR, seeks to regulate the confidentiality

Article 72 GDPR regulates the Board's voting procedure. Generally, the GDPR grants the EDPB a high degree of autonomy. In particular, Article 72(2) GDPR entitles

the scope of the LED from the scope of the GDPR. Article 10 GDPR is intended to extend the protection of the GDPR to the processing of certain criminal data

true also under Article 91 GDPR”. See, Tosoni, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 91 GDPR, p. 1263 (Oxford University

subject to the GDPR or, in cases where they are not established in the EU, act within the material and territorial scope of the GDPR. Article 48 GDPR refers to

authority. Article 61(1) GDPR regulates how independent authorities are to cooperate to enable the uniform application of the GDPR. Supervisory authorities

provisions of the GDPR require the controller to keep track of individual recipients. For example, Article 15(1)(c) GDPR and Article 19 GDPR require the disclosure

Article 46(2)(d) GDPR, contractual clauses referred to in Article 46(3)(a) GDPR, or binding corporate rules within the meaning of Article 47 GDPR. In these cases

sors_en Recital 121 GDPR. Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 53 GDPR, p. 888

of knowledge between them. This way, Article 50 GDPR expands the exhortation under Article 57(1)(g) GDPR that calls for cooperation between EU DPAs, across

provisions under Article 75(3) GDPR. The employees of the Board's secretariat only report to the Chair (Recital 140 GDPR). In this respect, they are therefore

exclusion of Article 82 GDPR is confirmed by the last sentence of Recital 142 GDPR. In addition, Article 80(2) GDPR does not permit Member States to allow NPOs

Regulation (GDPR): A Commentary, Article 38 GDPR, p. 707 (Oxford University Press 2020). Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 38 GDPR, margin number

Article 96 GDPR if it is found to be incompatible with other GDPR provisions. → You can find all related decisions in Category:Article 96 GDPR It follows

60, 63, 64 and 65 GDPR) immediately adopt provisional measures intended to produce legal effects on its own territory. Article 66 GDPR creates strict conditions

Article 19 GDPR therefore requires controllers, subject to certain exceptions, to communicate their exercise to recipients under Article 4(9) GDPR. The first

decisions pursuant to Article 65 GDPR (Article 70(1)(t) GDPR). Article 68 GDPR is the first of nine Articles (Articles 68-76 GDPR) governing the EDPB set forth

with Article 58(1) GDPR. Article 90 GDPR was drafted with a view to regulate potential conflicts between the application of the GDPR on the one hand, and

It shall apply from 25 May 2018. There is no relevant recital for Article 99 GDPR. Article 99 GDPR sets out the dates of the Regulation's entry into force

Article 62 GDPR, margin number 11 (Beck 2018, 2nd edition). Riccio, Scorza, Belisario, GDPR e normativa privacy – Commentario, Article 62 GDPR (Wolters Kluwer

relevance of Article 29 GDPR were rooted in the fact that Article 28(3)(b) GDPR already seems to cover much of the scope of Article 29 GDPR. More specifically

between Article 42(1) GDPR and Article 42(2) GDPR is that in the former, the applicant for certification is subject to the GDPR, while in latter, the applicant

in Category:Article 74 GDPR For more on this point, see Article 72 GDPR. Dix in Kühling, Buchner, DS-GVO BDSG, Article 74 GDPR, margin number 7 (C.H. Beck

76 GDPR, margin number 1 (C.H. Beck 2020, 3rd edition). Docksey, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 76 GDPR, p

encompasses other obligations of controllers under the GDPR. EDPB: This extends to various obligations under the GDPR, including but not limited to the implementation

mentioned in Recital 167 GDPR and Article 291 TFEU, the aim of implementing acts is to “ensure uniform conditions for implementing” the GDPR. In its GDPR Certification

majority principle under Article 72(1) GDPR would have applied regardless of Article 73(1) GDPR. In addition, the GDPR explicitly legislates for a simple majority

of the European Union ("TFEU"), within the scope of the GDPR. The function of Article 92 GDPR is to lay down conditions for the delegation of power as

of the GDPR enforcement across the Member States. → You can find all related decisions in Category:Article 64 GDPR Caspar in Kühling, Buchner, GDPR Article

when passing the GDPR. In fact, all but one EU Member State (who has sought higher protections) have voted in favor the GDPR. The GDPR is not just consisting

progress. Fill in the name used for the recital if you use it so we can ensure a somewhat streamlined practice. Recital 1: The protection of natural persons

Category:Article 47 GDPR Kuner, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR) Update of Selected Articles, Article 68 GDPR, p. 194 (Oxford

per Article 45(3) GDPR, and subject to regular reporting, which Article 97(2) GDPR provides for. The third paragraph of Article 97 GDPR, obliges the Commission

enforcement of the GDPR. → You can find all related decisions in Category:Article 59 GDPR Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 59 GDPR, margin number

data under Article 4(1) GDPR, especially because they allow to single out a data subject within the meaning of recital 26 of the GDPR. It is sufficient that

undefined in the GDPR. “Expertise” is only referred to again under Article 41(2)(a) GDPR, although briefly. Additionally, Article 41(1) GDPR specifies that

that the data subject has under Articles 16, 17(1) and 18 GDPR. The Court also made reference to Recital 10 GDPR and Article 8 of the Charter of Fundamental

same applies to the right to erasure under Article 17 of the GDPR. Recital 63 of the GDPR also supports this view. It shows that the legislator wants to

6(1)(a) GDPR Example: Not Art. 6 Abs 1 Lit a GDPR or Article 6 GDPR or GDPR Article 6, Sec 1(a) Recitals are also not shortened. Example: Recital 47 Example:

of Chapter V GDPR. The complaint was transferred to the Swedish DPA in its quality of lead supervisory authority pursuant to Article 56 GDPR. Following the

of Chapter V GDPR. The complaint was transferred to the Swedish DPA in its quality of lead supervisory authority pursuant to Article 56 GDPR. Following the

understood as made to the GDPR, in accordance with article 94 of the last. Likewise, it is apparent from recital 173 of the GDPR that this text explicitly

Article 46 GDPR. In 2020, noyb lodged a complaint with the Austrian DPA alleging that the controller breached the provisions of Chapter V GDPR. The complaint

complaint in accordance with Article 78, second paragraph, of the GDPR and recital 141 of the GDPR. Has the defendant observed the reasonable period in handling

of Chapter V GDPR. The complaint was transferred to the Swedish DPA in its quality of lead supervisory authority pursuant to Article 56 GDPR. Following the

laid down in the GDPR, so that the general conditions for claims were decisive, unless the GDPR contained special rules; even under the GDPR, only non-material

to Article 83 GDPR in conjunction with Article 4 No. 7 and 8 GDPR, fines for violations of the GDPR pursuant to Article 83(4) to (6) GDPR are not only to

situation is warranted. In this respect, Recital 137 GDPR states 65 66See Article 77 GDPR. See Recital 137 GDPR. 28that an urgent need to act in order to

norm addressee of Chapter V GDPR. The bB be directly responsible for BF2, which violated Art. 44 ff GDPR. Regarding The GDPR is applicable to the processing

should be well-known to everyone that the GDPR provides enhanced protection to sensitive data. Article 10 of the GDPR refers to these data collections which

information to be communicated must be based on recital 63 of the GDPR. According to recital 63 sentence 1 of the GDPR, the data subject’s right to information

to access under Article 15 GDPR because the controller was entitled to reject the request pursuant to Article 12(5)(b) GDPR. The court reasoned that this

violations of the provisions of the GDPR. It should be borne in mind here that recital 146 sentence 3 of the GDPR requires a broad interpretation in order

an access request under Article 15(1) GDPR. According to Recital 63 GDPR, the right of access under Article 15 GDPR serves data subjects to be informed about

gas distribution company €12,000 for a violation of Article 5(1)(f) of the GDPR. A customer of a gas distribution company (Madrileña Red De Gas, S.A.U) complained

Article 32 GDPR. Retaining personal data of an applicant for a lease after another applicant has been selected also violates Article 5(1)(e) GDPR. The customer

‘means reasonably likely’ to be used to identify a data subject (recital 26 GDPR and recital 16 EUDPR) was limited. Rather, the court should have looked at

Article 17(1)(d) GDPR since the data was unlawfully processed. The defendant claimed that its activities fall under exception in (Article 85 GDPR) read in conjunction

e) of the GDPR). 8.1.4. As for breaches of Articles 5.2. and 24 of the GDPR 88. Article 24.1 of the GDPR which covers Chapter IV of the GDPR devoted to

reprimand concerning the requirements for consent as required by Article 6(1)(a) GDPR. Datatilsynet examined a complaint regarding the processing of personal data

(according to the Federal Court of Justice, Judgment of December 16, 2020 - IV ZR 294/16 - para. 26). At the same time it follows from the wording "relevant"

(Google Spain and Google), paragraph 60. Page 8 of 16 The EU Court subsequently clarified in C-210/16 (Wirtschaftsakademie Schleswig-Holstein), that the

possible principal place of business (within the meaning of Article 4 (16) of the GDPR)14. 26. Google Belgium SA acknowledged that Google Ireland Ltd was Google's

operations, it is necessary to fall back on article 6.1. AVG and recital 50 GDPR. Recital 50 of the GDPR states that this is a separate legal basis required for

regarding Articles 5(1)(b) GDPR and 5(1)(e) GDPR and held that national courts had to determine, using the factors of Article 6(4) GDPR, whether further processing

laid down in the GDPR, so that the general conditions for claims were decisive, unless the GDPR contained special rules; even under the GDPR, only non-material

justification or basis for the processing, violating Article 9 GDPR. AEPD highlighted that Recital 46 GDPR already recognizes that, in exceptional situations, such

1 lit. f GDPR (for the protection of the processor's legitimate interests)? Right to erasure (Art. 17 GDPR); right to object (Art. 21 GDPR)? Locations

regard on that article 2.1) GDPR read in conjunction with recital 15 of the GDPR, although an exclusion from the scope of the GDPR provides for files or a

the ePrivacy Directive and Articles 6(1)(a) and 7 GDPR, in the lights of Article 4(11) and Recital 32 GDPR. Following this report, the GBA issued a decision

LPACAP), for the alleged infringement of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR. SEVENTH: Notification of the aforementioned initiation

asserted here and based on Article 82 of the GDPR, appears questionable in view of sentence 3 of recital 146 of the GDPR. In the case in dispute, however, no damage

deliberations. In its deliberations. 16. On 14 December 2021 the Litigation Chamber receives the defendant's response to the proposal to 16. On 14 December 2021 the

causality between the "GDPR breach" and the "damage". Article 82(1) GDPR requires that the damage occurs as a result of a specific GDPR breach. Although it

view to vigorous enforcement of the rules of the GDPR. After all, as is clear from Recital 148 GDPR, the GDPR puts first and foremost that with every serious

ones processing. Decision on the merits 07/2021 - 14/25 10 recital 50 GDPR. Recital 50 of the GDPR states that this is a separate legal basis required for

5(1)(b) and (e), 9(2)(j), 89(1) GDPR and Section 7(1)(1) and (2)(1) GDPR. In particular, it follows from Article 9(2)(j) GDPR that the processing of data relating

of the GDPR according to Art. 99 Para. 2 GDPR as of May 25, 2018 follows from Art. 79 Para. 2 Sentence 1 GDPR in conjunction with recital 22 GDPR as well

compliance and accountability according to Article 5(1) GDPR, Article 5(2) GDPR and Article 6(1) GDPR. Since the company had totally ignored the its compliance

as “anonymisation”. Recital 26 of the GDPR clarifies that anonymous information does not fall within the scope of the GDPR. The GDPR does not explicitly

may be considered a principal establishment within the meaning of Article 4(16) of the Regulation; CONSIDERED that recent press articles have reported the

is subject’ (recital 45 of the preamble to the GDPR). (P. 85) (…) The basis of processing data, referred to in Article 6(1)(c) of the GDPR, is the processing

2017, C ‑ 434/16, ECLI: EU: C: 2017: 994) and Breyer (CJEU 19 October 2016, C-582/14, ECLI: EU: C: 2016: 779) 16 Recital 26 of the GDPR: The principles

principle enclosed in Article 5(1)(b) GDPR. On this matter, the AEPD argued that, according to Article 5(1)(a) GDPR, Recital 39 and Article 6(1)(f), an interest

with the principles of the GDPR, in particular that of lawfulness, by violating the provisions of Articles 6 and 5(1)(a) GDPR. Share your comments here

the sanctioning regime imposed by the GDPR. And this is because the GDPR is a closed and complete system. The GDPR is a European standard directly applicable

243. In order to strengthen the enforcement of the rules of the GDPR, recital 148 GDPR clarifies that penalties, including administrative fines, should

unrelated to the purpose of Article 15 GDPR. According to recital 63 of the GDPR, the right of access under Article 15 GDPR serves the data subject to be aware

member states is superimposed (see Recital 146 S 4 and 5 on the GDPR; cf. also Frenzel in Paal / Pauly, GDPR-BDSG3 Art 82 GDPR margin no.1; Wybitul / Haß / Albrecht

28(3) GDPR. Verizon replied that the obligation to conclude a written agreement between controller and processor is not clearly stated in the GDPR. Such

Article 17(3) GDPR. Two doctors sued a platform for deletion of their basic profile set up on the platform without their consent under Article 17 GDPR. They argued

Article 6.1 GDPR, read in conjunction with Articles 5.2 GDPR and 24.1 GDPR; 5) the performance of a data protection impact assessment (Article 35 GDPR) the framework

transparency), Article 12(1), Article 7, Article 13 and Article 14 GDPR, the corresponding GDPR recitals (32, 39, 42, 47, 58, 60, 61, and 72), as well are Articles

[The equivalent GDPR Article to Article 48(3)(a) EU GDPR is Article 46(3)(a) GDPR, and Article 50(1)(d) EU GDPR is Article 49(1)(d) GDPR.] Share blogs or

all the persona data mentioned by virtue of Article 15(1) GDPR, in the lights of Recital (63) GDPR. Thus, the authority ruled that the lack of a complete

according to the first sentence of recital 41 of the GDPR, a legal basis, on which (the here relevant) Art. 9(2)(i) of the GDPR is based, does not necessarily

Rights of the European Union (Charter) and Article 16 (1) TFEU (compare recitals to the GDPR [recital] 1, 2). It is intended to “contribute to the completion

subjects? The Polish DPA found that the University violated Article 33(1) GDPR and Article 34, because it had notified neither the supervisory authority

AEPD fined in €2,000 a website for non-GDPR compliant privacy policy, violating Article 13 GDPR. On January 16, 2022 the data subject complaint against

opening clause in Article 86 GDPR if the disclosure involves personal data? The court held that the VIG complies with Article 86 GDPR: The provisions of this

for the year, thus violating Article 39(1)(b) GDPR regarding the DPO's duties to monitor compliance with GDPR. In view of those violations, the CNPD: imposed

omission of TOMs (Art. 32 GDPR) The requirements of the European fundamental rights, which the GDPR in accordance with Art. 1 Para. 2 GDPR therefore suggest that

infringement of Article 32 GDPR. Therefore, the Spanish DPA issued a warning sanction for each violation of Article 5(1)(f) and Article 32 GDPR. AEPD highlighted

proceedings”, that “Recital 65 of the GDPR also includes the exception of the legal defense as provided for in article 17.3.e of the GDPR to the right to erasure"

such data. 2 Recital 3. 3 Recital 5. 3 b. the rapid technological developments which have occurred during a period of globalisation.4 As Recital (6) explains:

in Article 25 GDPR. Additionally, the AEPD concluded that the controller had violated Article 5(1)(f) GDPR, noting that although the GDPR does not demand

to information under Article 15 of the GDPR, especially since it can be deduced from recitals 9 and 10 of the GDPR that the European legislator did not intend

5(1)(a) GDPR? Is the information relating to personal data processing operations easily accessible within the meaning of Articles 12 and 13 GDPR? Is the

meaning of the GDPR, and such processing of personal data did not fall within the scope of the "household exemption". Therefore, the GDPR applied in full

accurate and lawfully processed (see recital 63 GDPR). Automated decision-making and profiling 4.8. Pursuant to Article 22 GDPR, [applicants] have the right,

via letter as well. According to the BVwG, this is in line with recital 63 of the GDPR ("Where possible, the controller should be able to provide remote

Decision No. 01/2019 of 16 January 2020. Available at: https://gegevensbeschermingsautoriteit.be/publications/beslissing-nr.-01-2019-van-16-januari-2019.pdf 59

that Article 16 sentence 1 GDPR is the legal basis for a request for rectification, even if the request has been submitted before the GDPR entered into

as personal data under Article 4(1) GDPR. The argument, that these data could not be rectified under Article 16 GDPR was waived as incorrect (and could

Article 17 GDPR (cf. Article 17 (3) b GDPR). In that case, the data subject does not have the right to object as referred to in Article 21 GDPR, because

from its database. The litigation chamber concluded to a violation of the GDPR considering that: - the controller did not stop the sending of direct marketing

no consent in the event of silence, default boxes or inactivity. Recital 43 of the GDPR states that: Consent is presumed not to have been freely given if

right to information according to Art 15 GDPR, especially since it can be derived from recitals 9 and 10 of the GDPR that the European legislator is reducing

the provisions of the GDPR, in particular Article 5 (1) GDPR, article 24 and article 28 GDPR, all this based on article 58.2, d) GDPR and article 100, §1

performance of this purchase contract (Article 6(1)(b) GDPR). Therefore, the processing is compatible with the GDPR. In the Netherlands, as of 1 July 2018 a passenger

violated the GDPR. A citizen submitted a complaint before the AEPD stating that privacy policy of www.banderacatalana.cat did not comply with the GDPR. GRUP BC

article 12, second paragraph, of the GDPR. 78. Recital 59 of the GDPR further clarifies the standard in Article 12 of the GDPR: “There should be arrangements

regarding the consent request and referred to Article 7 GDPR and Recital 32 GDPR. Specifically, the use of pre-ticked boxes rendered consent invalid, resulting

plaintiff pursuant to Article 82(1) GDPR, since there have been violations of Article 6(1)(a) GDPR and Article 34 GDPR. The defendant also breached the obligation

understood as made to the GDPR , in accordance with Article 94 of the latter. Similarly, it appears from recital 173 of the GDPR that this text explicitly

item a) GDPR, in conjunction with Article 13 GDPR. 12. Because, since a lack of compliance with the provisions of article 5 par. 1 item a) GDPR principles

AB for violating Article 17 GDPR by not deleting personal data of the complainant without undue delay and Article 23 GDPR by providing incorrect information

provide sufficient information to verify the data subject's identity? Recital 64 of the GDPR states that the data controller should take all reasonable steps

violated Article 5(1)(c) GDPR and Article 15 GDPR. Firstly, the HDPA found that the controller violated Article 5(1)(c) GDPR because its transmission of

controller, to correct its data processing practice in accordance with the GDPR. This decision does not assess the activities of the police in relation to

warning, in accordance with Article 58(2)(b) of the GDPR, in connection with the above-mentioned Recital 148. Therefore, in accordance with the applicable

blur or pixel images of third parties concerned. The AEPD brought forward Recital 59, emphasizing the controller to facilitate data subjects the access of

therefore violated Articles 9(1) GDPR out of negligence. The DPA fined the controller €1,600,000 pursuant of Article 83(5)(a) GDPR and considered this a high

data breach should be reported to the DPA, according to article 33 of the GDPR as it is likely to cause risk to the rights and freedoms of the data subject

of Article 32 GDPR in conjunction with Article 5(1)(f) GDPR? The Romanian DPA (ANSPDCP) found that the controller violated Article 32 GDPR as they had not

affected by this limitation. Page 16 Decision on the Merits 15/2021 - 16/32freedoms of others ”. Recital 63 of the GDPR explains in this regard that “this

of the GDPR. 92. 92. Firstly, the restricted formation emphasises that, in this case, the criterion provided for in Article 83(2)(a) of the GDPR relating

17 of the AVG) are included below. Recital 59 of the GDPR further clarifies the standard in Article 12 of the GDPR: Arrangements should be made available

data to be delete. It brought a legal action based on Article 17 GDPR and Article 21 GDPR, read in conjunction with the Dutch Data Protection Act (Wet bescherming

violation of article 5.1.f) of the GDPR and article 32 of the GDPR, typified in articles 83.5 and 83.4 of the GDPR, respectively The initiation agreement

applicant to the e-mail address [..] on 16 February 2019, enclosing the pdf form containing his / her related request, - 02/16/2019 a power of attorney issued

made without legitimizing cause of those included in article 6 of the GDPR. The GDPR applies to personal data. Said regulation defines as «data personal”

corrective measures as per Article 58(2) GDPR, and that, although there was a violation of Articles 5(1)(a) and (e) GDPR, “the circumstances referred to above

individual for failing to comply with the right to information (Article 13 GDPR) when collecting personal data on its website. A citizen brought to the attention

second purpose that follows12 GDPR, recital 45.13 Conclusions of the defendant, p. 5.14 Ibidem, p. 7. Page 16 Decision 55/2021 - 16/34directly from the latter

understood as references to the GDPR, in accordance with Article 94 of the latter. 34. Similarly, it follows from recital 173 of the GDPR that this text explicitly

modified following the decision of the Data Protection Supervisor, 1710/523/16 (issued on 6/11/2018). As far as disclosure of information is concerned, it

para. of the GDPR, the law or regulation that constitutes the legal basis referred to in letters c) and e) of co. 1 of art. 6 of the GDPR, could contain

and equipment used in treatment. This principle is reinforced in recital 49 of the GDPR, stating that the processing of personal data will be carried out

the Google Analytics framework constituted personal data. It cited Recital 30 GDPR to establish that online identifiers (e.g. IP addresses, information

time, which is a violation of the GDPR. As to the claim for damages, the CoS notes that though Article 82(1) of the GDPR states that full compensation for

Data, https://wetten.overheid.nl/BWBR0033572/2013-03-01. 47See also recital 75 of the GDPR. 12/41Date Unidentified May 31, 2021 [CONFIDENTIAL] processing infringes

breach (Article 32 GDPR). Does the plaintiff have a right to compensation according to Article 82(1) GDPR and does Article 82(3) GDPR stipulate a reversal

21(1) of the GDPR, persons such as [the claimant] can object to the processing of their personal data on the basis of Article 6(1)(e) or (f) GDPR due to their

brief, two reply briefs, additional observations and a new brief, filed on 16 May, 1 August and 19 December 2019 and on 11 February, 18 May and 10 June

to the GDPR, imposed a fine in the amount of € 10.000 and ordered Cavauto srl. to communicate the proposed changes in view of compliance with GDPR. The Italian

Vodaphone violated Article 5(1)(f) GDPR, as interpreted in the light of the last sentence of the recital 39 GDPR. Share your comments here! Share blogs

with article 24 GDPR. They are contained in article 25 of the AVG mentioned above and are explained in more detail in recital 78 GDPR. The defendant therefore

found that customers’ order data is health data and fall within Article 9(1) GDPR. Amazon does not collect health data stricto sensu but it can draw conclusions

Article 9(2)(j) GDPR could be a legal basis for scientific research purporses or statistical purposes. Lastly, Recital 46 of the GDPR specifically mentions

Article 32 GDPR? - Does the fact that this health data is not encrypted constitute a breach of the security obligation under Article 32 GDPR? - Does the

party, for the alleged infringement of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR. FIFTH: Notification of the Commencement Agreement, through

is charged with committing an offense for violation of article 6.1 of the GDPR, which states that: "one. The treatment will only be lawful if it complies

in public, publicly available records that is accessible to anyone. Page 16 16- Infotv. Pursuant to Section 26 (2), public personal data in the public interest

administrative sanction to be imposed, we should read certain recitals of the RGPD, among others, recital 148, which indicates the following: 'In order to strengthen

Company claimed that under the GDPR, there is no right that a trade union can exercise. They thought that the justiciability of GDPR is limited only to the natural

held itself competent to enforce the Directive. The DPA referenced Recital 173 GDPR and EDPB Opinion 05/2020 on this point. The DPA held that the controller’s

processing of personal data is carried out in accordance with the GDPR. In doing so, the GDPR requires, among other things, that the nature and scope of the

competent supervisory authority in accordance with Article 55 of the GDPR, on 16 July 2019 and to the Prosecutor's Office of Sofia City on 17 July 2019

consent under Article 8 GDPR also apply? Did the defendant, as the controller, fail to adhere to the data transparency (Article 5(1)(a) GDPR) and the data minimisation

edition 2018, Article 6 DSGVO, marginal 16). The GDPR does not explicitly define the concept of necessity. However, recital 39 provides a clue. Here it says:

the publication of the judgment breach the GDPR? The AEPD held that the respondent’s actions violated the GDPR Article 5(1)(a) requirement that processing

2.1.2. The scope of the GDPR and the jurisdiction of the Disputes Chamber34. In principle, the defendant argues that the GDPR would not apply in thisfile

violation of Article 12 GDPR ? Are the following practices an infringement on data subjects' information right as described in Article 12 GDPR ? Spreading the

Charter. 61 First, it should be noted that, in the light of recital 19 of the GDPR and recitals 9 to 12 of Directive 2016/680 and by virtue of Article 2(1)

(Considering 40 GDPR), Article 6.1 of the GDPR is therefore applicable and not RD 1720/2007 used by the defendant. Thus, the aforementioned article 6.1 GDPR establishes

Article 13 of the GDPR GDPR. The form used violated Article 13 of the GDPR conduct that is subsumi- ble under Article 83(5) of the GDPR, which provides:

such a request must be made in accordance with Article 16 GDPR (for (improvements) or Article 17 GDPR (for deletions) can be addressed to étLgyerwerkinesverantwoordeliike

relationship between the GDPR and the DSG with regard to the exceptions mentioned in Art. 2 Para. 2 GDPR. According to Art. 16 (2) TFEU, there is a Union

of the general information duty included in Article 13 GDPR. Is this a violation of Article 13 GDPR? The AEPD held that there had been a violation of Article

Article 82 (1) and (2) GDPR, any person who has suffered material or non-material damage as a result of a violation of the GDPR is entitled to compensation

Article 13 GDPR. In the present case, the controller omitted this obligation. The DPA therefore held that the controller violated Article 13 GDPR by neither

information.” Recitals 39 and 60 of the GDPR help to specify the scope of the right of information that is given to the interested parties. Recital 39 establishes:

investigation into CP&A's compliance with Article 9, as well as Article 32 GDPR. Since Article 9 GDPR prohibits the processing of special categories of data, including

9(2)(a) GDPR and Article 6(1)(a) GDPR. Thus, the Danish DPA held that the processing was also not following the principles of Article 5(1) GDPR. Against

was responsible for violating Article 33 GDPR, and issued it with a warning pursuant to Article 58(2)(b) GDPR. The AEPD did not find the former Secretary

hours of employees without having informed them in accordance with Article 13 GDPR. The AEPD received a letter filed by the interested party against the respondent

the infringement of its collaboration duties as per Article 58(2) of the GDPR. The decision is the consequence of a complaint submitted by a Spanish citizen

means of such activity, by virtue of article 4.7 of the GDPR. For its part, article 5.1.c) of the GDPR regulates the “principles relating to processing” establishing

Officer (DPO) under Section 4 of Chapter 4 of the GDPR (see in particular Article 37 GDPR to Article 39 GDPR). One of these audit proceedings concerned a Luxembourg

36 GDPR) regarding the compliance of the envisaged processing with the GDPR. According to the Commission, the legal basis was Article 6(1)(e) GDPR, as

77 GDPR equals the right to claim a full substantive investigation and a full substantive assessment by the supervisory authority? Article 57 GDPR provides

provisions of the GDPR that are directly applicable do not supersede the provisions of the VStG and to the extent that Art. 83 (8) GDPR and recital 148 are ordered

consent under Article 4(11) GDPR and Article 6(1) LOPDGDD (National data protection law aimed at the implementation of the GDPR). In both articles, consent

under Article 6(1) GDPR. In light of this, the DPA issued a fine of €70,000 to másLUZ Energía (SIE) by virtue of Article 83(5) GDPR for unlawful processing

violation of Articles 12 and 13 GDPR? Did Nestor fail to respect the exercises of the right of access in violation of Article 15 GDPR? Did Nestor fail to satisfy

95/46/EC (hereinafter: general data protection regulation or GDPR), and Article 6 (1) of the GDPR. 2. The Authority finds that Customer 1 violated the principle

for data processing under Article 21 GDPR and the principle of liability under Article 2(4) GDPR and Article 24 GDPR. The complainant, the data subject,

violation of Article 5(1)(c) GDPR, and the controller had no legal basis for the processing as required by Article 6 GDPR. As a result of the violations

the fine under Article 83(2) GDPR. The data subjects complains about the violation of its right of access (Article 15 GDPR) by the Istituto Nazionale per

6.1.f) GDPR) and in this balancing the considerations of the GDPR related to Art. 6.1.f) GDPR eligible [...] be taken, in particular Recital 47. Thus

interpretation of the GDPR. Second, the court argued with the drafting history of the GDPR which connects Article 15(3) GDPR to Article 20(1) GDPR, showing that

article 5.1.f) of the GDPR, typified in article 83.5 of the GDPR, a warning sanction and for a violation of article 32 of the GDPR, typified in article

established in article 5 of the GDPR. The security of personal data is regulated in articles 32, 33 and 34 of the GDPR. III The GDPR defines personal data security

according to her, no breach of the GDPR can be noted. 3. The hearing of October 16, 2020 26. At the hearing on October 16, 2020, the parties had the opportunity

Thus, it violated Article 15 GDPR. The Datatilsynet issued an injunction and ordered the company, as foreseen under 58(2)(c) GDPR, to carry out a concrete

According to Recital 47 GDPR, the reasonable expectations of the data subject at the time of processing must also be set aside. Although the recital is primarily

proceeding personal data under Article 5(1)(a) GDPR. Lursoft claim to be have such a legal basis under Article 6(1)(c) GDPR. However, this was rejected by the Latvian

Article 77 GDPR was very clear and limited in scope. However, the DSB went on to assert a violation of Article 12 GDPR and Article 15(1)(h) GDPR, acting beyond

considers that, in accordance with the provisions of recital 63 of the GDPR and Article 15(4) of the GDPR, it is not obliged to respond to them if it would

Article 13 GDPR even if the contact form is not operational? The Spanish DPA (AEPD) held that the defendant, PSI, violated Article 13 GDPR by failing to

Article 12(3) in relation to Article 15 GDPR. The Garante hence applied an administrative fine as per Article 83(5) GDPR. The amount of such fine was set at

the infringement of the accuracy principle, as per Article 5(1)(d) of the GDPR. The decision is the consequence of a complaint submitted by another Spanish

The Hungarian DPA (NAIH) found a violation of Article 15 GDPR and obliged a controller to grant a complainant access to his personal data. A complainant

and C”. 57See in particular Articles 5.1.a) and 12 of the GDPR, see also recital (39) of the GDPR. 58cf. points 11 and 12 of this decision. 59“Objective 2

Article 83.4.a of the GDPR. Assessing the circumstances modifying liability, both adverse and favourable, contemplated in article 83.2 GDPR, the AEPD established

capture images of common areas of the neighborhood violates Article 5 of the GDPR (data minimization). A neighbor had placed cameras in his door directed to

Madrid sedeagpd.gob.es 2/16 *** URL.7 *** URL.8 *** URL.9 *** URL.10 *** URL.11 *** URL.12 *** URL.13 *** URL.14 *** URL.15 *** URL.16 *** URL.17 *** URL.18

own security protocols. This therefore breached Article 5(1)(f) GDPR and Article 32 GDPR. The initial sanction for infringing Article 5(1)(f) was a fine

Respondent explained that the GDPR does not recognize any express “group privilege”, but it can be deduced from Recital 48 to the GDPR that an exchange of customer

Articles 13 GDPR and 7 GDPR respectively? To determine the amount of the penalty, the AEPD took into account three criteria in Article 83(2) GDPR: unintentional

Officer (DPO) under Section 4 of Chapter 4 of the GDPR (see in particular Article 37 GDPR to Article 39 GDPR). One of these audit proceedings concerned a Luxembourg

Article 77(1) GDPR and subsequently the right of judicial remedy against the supervisory authority under Article 78(1) GDPR. Article 79 (1) GDPR provides for

activities of SPARTOO SAS did not comply with a series of GDPR provisions (art. 5§1(c), 5§1(e), 13, 32 GDPR). In that respect, CNIL imposed a fine of 250,000 euros

1 b) GDPR) and the legality of the processing (Article 6.1 GDPR); as well • compliance with the responsibility of the controller (Article 24 GDPR), security

(2) point b) of the GDPR, because violated: - Article 6 (1) of the GDPR, 16 - Article 5 (2) of the GDPR, - Article 7 (1) of the GDPR, - Paragraphs (1) –

The claimant based his request on Articles 17(1)(a) and (c) GDPR and Articles 10 and 21 GDPR. The Court first examined its competence to rule on the request

Data Protection Regulation, hereinafter GDPR), and C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/16 in accordance with the provisions of Title

satisfy the conditions of equivalence and effectiveness (compare the judgment of 16 December 1976, C-33/76, Rewe, ECLI:EU:C:1976:188, and the judgment of 13 July

third party company. The DPA held that the hospital is a controller under the GDPR. The technical and organisational measures adopted by the controller through

[…] Decision on the merits 46/2024 - 10/16 reverted to Article 6.1. GDPR and recital 50 GDPR. In recital 50 GDPR8 is states that a separate legal basis

from the preamble to the GDPR that the GDPR aims to provide natural persons with a consistent and high level of protection (recital 10). This may indicate

also supported by Recital 128 GDPR. Therefore, the court found the independent nature of the church supervisory authorities to be GDPR-compliant. Second

states that it was never done any other use of this data than the one intended. 16. Hospital Y adds that the system was implemented as a result of a "historic

standard B-VG Art 133 Paragraph 4 DSG §24 DSG §4 GDPR Art 12 GDPR Art 15 GDPR Art 15 Paragraph 1 litc GDPR Art77 UWG §26b paragraph 1 B-VG Art. 133 today

data in the context of telephone jokes. Article 6 GDPR (legality of processing) and Articles 13 and 14 GDPR (transparency) were infringed. The decision is

sensitive personal data under Article 9 GDPR and their lack of valid consent to do so under Article 6(1) GDPR. In 2020, the Norwegian Consumer Council

accordance with Article 4(1) GDPR, according to the DPA. The Court of Appeal of Brussels held that, in accordance with Article 16 GDPR, the data subject has the

This was not compatible with freedom of opinion and freedom of the press. 16 The challenged judgment did not violate the complainant's general right of

VwGO). Recital 64 The fact that the 2022 census collects and processes personal data within the meaning of Art. 4 No. 1 GDPR (Art. 4 No. 2 GDPR), which

also special categories of data, and failed to comply with Art. 5, 6 and 9 GDPR and Art. 2-ter and 2-septies of the Italian Privacy Code. The school "Crucoli

controller has acted in violation of article 15.1. and 15.3 GDPR. 3 2See also Recital 59 GDPR. […] The controller should be obliged without undue delay and

of the GDPR. The scope of application of the GDPR is opened pursuant to Art. 2 and Art. 3 of the GDPR. Recital21 Pursuant to Art. 2(1) of the GDPR, the Regulation

which was considered a data breach and therefore a violation of Article 32(1) GDPR. The Police Force of Navarra (Spain) reported to the AEPD the fact that they

information necessary for the performance of its tasks (Article 58(1)(e) GDPR). The controller notified to the President of the UODO a personal data breach

came from abusive call centers that process personal data without respecting GDPR. Secondly, the Garante found out a wrongful management of contact lists,

under Article 21 GDPR can be made at any time and several times. It also found that a provisional measure can be granted under Article 21 GDPR if an urgent

personal data of French data subject and held that the GDPR was applicable pursuant of Article 3(2)(a) GDPR. The DPA determined that the controller offered services

especially in the area of ​​fines,uncontroversially expressed in recital 150 of the GDPR “In order to reinforceand harmonize administrative sanctions for

of the GDPR, and even less than one month between the deletion from the edict file and the request for deletion pursuant to Article 17 of the GDPR. Furthermore

protection of Art. 82 GDPR does not cover violations of Art. 13, 14, 15, 24, 25 and Art. 34 GDPR. In addition, there is no breach of the GDPR by the defendant

the reference to Article 79(2) GDPR from Article 82(6) GDPR, and the fact that one could argue that Article 82(6) GDPR overrides Member State procedural

(AEPD) imposed a warning on a Spanish public notary for infringing Article 13 GDPR by not offering the claimant relevant information when obtaining a copy of

such as rectification (Art. 16 GDPR), erasure (Art. 17 GDPR) or compensation (Art. 82 GDPR). 119 Cf. BVerwG, judgment of 16 September 2020. 120 - 6 C 10

also its technical capacity. The District Court invoked Article 24 and Recital 78 GDPR and concluded that data controllers must take appropriate technical

controller for the purposes of Article 4(7) GDPR, and Company A was the processor for the purposes of Article 4(8) GDPR. The DPA found that both Companies A and

The Spanish DPA fined a bank €25,000 for a violation of Article 16 GDPR. The controller made a considerable delay in handling the requests for rectification

of Art. 9 GDPR do not apply because the plaintiff did not seek to process that kind of data. The legality is thus determined by Art. 6 GDPR. In the absence

the fact that the GDPR incorporates EU antitrust law not only from the wording of the provision, but also from recital 150 to the GDPR. This states: "Where

family privacy of citizens and the full exercise of their rights.” Recital 40 of the GDPR states that “For the processing to be lawful, the Personal data

entitled to receive the information requested to ABN AMRO on the basis of the GDPR, considering they were not personal data. In the context of a litigation

not compliant with Article 13 GDPR. The CNPD held that the controller infringed Article 5(1)(c) GDPR and Article 13 GDPR and decided to: - impose an administrative

warning to Escuela Infantil (nursery school) for the infringement of Article 13 GDPR. The decision is the consequence of a complaint filed by a Spanish citizen

of the GDPR – (article 13.1. c) of the GDPR) and does not mention the data retention periods personal data processed (article 13.2. a) of the GDPR more precisely);

fairness and transparency under Article 5(1)(a) GDPR, and the principle of accountability under Article 5(2) GDPR. Additionally, the HDPA held that the employer’s

had violated Article 6(1) GDPR since the legitimate interest assessment on which the processing was based (Article 6(1)(f) GDPR) was understood as insufficient

pursuant to Article 12 (4) of the GDPR, hence the Customer’s request for access did not meet the requirements of the GDPR. III.1.2. The Customer's request

with the GDPR. Especially, if the installation of surveillance camera is contrary to the data minimisation principle, under Article 5(1)(c) GDPR. First,

information required under Art. 14 GDPR. recital 60 The defendant requests Recital 61 reject the complaint. Recital 62 As justification, she repeats her

with the GDPR or whether it also covers damages arising from infringements of any provision of the GDPR. It pointed out that Article 82(1) GDPR refers to

of the GDPR, which is a condition for a reprimand pursuant to Article 58(2)(b) GDPR. Material scope of the GDPR According to the court, the GDPR applies

the GDPR”, adopted on July 7, 2021. 6 GDPR, Art. 12. 7GDPR, Art. 12.2 and 12.3. 8 GDPR, Art. 12.3. 9 GDPR, art. 12.3. Decision 172/2022 - 5/13 16. In the

dated 16 March 2020, page 16. 32 Submissions dated 16 March 2020, page 16-17. 33 Translation provided by the Archbishop with submissions dated 16 March

under Article 15(1) GDPR are not covered as such by Article 82(1) GDPR. The court reached this conclusions by looking at Recital 146 GDPR and at the original

examinations is neither comparable with "national security" (see recital 16 sentence 1 GDPR) or data processing by constitutional protection authorities (cf

Articles 6 and 13 GDPR? The AEPD decided to impose, for infringement of Article 6 GDPR, a fine of € 10000 and, for infringement of Article 13 GDPR, a fine of

alleged violation of article 5.1.c) of the GDPR and article 13 of the GDPR, typified in Article 83.5 of the GDPR. FIFTH: Once the aforementioned initiation

automated) and can in principle be processed manually (recital 15 of the GDPR), considering Article 2 of the GDPR that "This Regulation applies to the processing

C-434/16, ECLI:EU:C:2017:994) and Breyer (CUJE, 19 October 2016, C-582/14, ECLI:EU:C:2016:779). 5GDPR, Art. 4, 2). GDPR, recitals 74, 79 and 81; GDPR, art

article 6 of the GDPR. The assumptions that allow the processing of personal data to be considered lawful listed in article 6.1 of the GDPR: 1. Treatment

fraudulently in the complainant's name. This was in breach of Article 6(1) GDPR (lawfulness of processing). Vodafone payed the reduced fine of €36000 (guilty

DPA (AEPD) fined a controller €3000 for the infringement of Article 32(1) GDPR, due to a data breach that was caused by the abandonment of several envelopes

79 GDPR in cases of an alleged violation of Article 15 GDPR or can such violation only be subject to a complaint before a DPA under Article 77 GDPR? Do

the judgment of the Regional Court of Linz of 27 February 2019, 36 Cg 1/18x-16, in non-public session rightly recognized The appeal is not granted. Orders

the university of Rome “la Sapienza”, acting as a data controller under the GDPR. The data controller did not process personal data with an appropriate level

with the requirements of Articles 13 and 14 of the GDPR? In relation to Article 13 and 14 of the GDPR, the AEPD held that the information CaixaBank provided

c) GDPR in conjunction with Article 5.1 a) GDPR and Article 5.2 GDPR. - Violation of article 13.1 d) GDPR in conjunction with article 5.1 a) GDPR and

order processing pursuant Article4(23)GDPR.Asthemain establishment ofWhatsApp IE (asdefined in Article4(16) GDPR)wasfound tobe in Ireland,the IE SA was

under Article 13 GDPR. Incidentally, the DPA also found that such a privacy policy was not complete and did not comply with the GDPR requirements. In addition

accordance with Article 6(2) GDPR and Article 6(3) GDPR for adaptation to the application of Article 6(1)(c) GDPR and Article 6(1)(e) GDPR. The court stressed that

reached by means other than email exchanges. c) Weighing of interests (recital 47 GDPR): It is important to take into account the expectations of the data

2022, Art. 82 GDPR marginal number 14). With regard to recital 146 sentence 1 of the GDPR, however, processing must have violated the GDPR (Nemitz, in:

profile of this person (35 to 37). justification point). 11 Recital 85. 12 Recital 87. 13 Recital 93. 14 In the judgment, the CJEU addressed issues concerning

term "pain and suffering" is not used in Art. 82 GDPR or in the other norms of the GDPR. Art. 82 (1) GDPR only standardizes a “claim for damages” for every

4(1) GDPR), because the applicant was not identified, and was not identifiable according to the 'means reasonably likely to be used' (Recital 16 Regulation

view to vigorous enforcement of the rules of the GDPR. 24. As is clear from recital 148 GDPR, the GDPR stipulates that in every serious infringement - therefore

of Article 9 GDPR. In the DSB held that the processing violated Articles 5, 6 and 9 GDPR: Consent under Articles 6(1)(a), 7 and 9(2)(a) GDPR cannot be considered

website, Ms. A.A.A., herein the data controller, violated Article 6 GDPR and Article 13 GDPR, as well as Article 22.2 LSSI (Spanish national law). The data

December 2017, Acacia and D'Amato, C-397/16 and C-435/16, EU:C:2017:992, point 31, and 17 April 2018, Egenberger, C-414/16. EU:C:2018:257, point 44, and the case-law

excessiveness of the request under Article 12(5) GDPR alleging that the data subject uses Article 15 GDPR only to verify the validity of the premium increases

fraud prevention under Article 6(1)(f) GDPR. Did the company’s policy breach Article 6 or any other articles of the GDPR? The Garante held that the policy breached

in both Belgium and the UK, violated Article 15(1) GDPR, Article 15(3) GDPR and Article 12(3) GDPR GDPR for deleting data instead of providing access to

Article 34(1) of the GDPR-2. The appeal procedure is provided for in the GDPR for personal data falling under Article 1(1) of the GDPR. This provides that

of the data processing, in violation of Article 13 and Article 5 (1) (c) GDPR. The complainant lodged a complaint with the AEPD about the installation

infringement of the integrity and confidentiality principle, as per Article 5(1)(f) GDPR. The decision is the consequence of a complaint submitted by a Spanish citizen

whether that data is correct and has been processed lawfully (see recital 63 GDPR ). The GDPR is the successor to the Personal Data Directive 7 , as implemented

member states is superimposed (see Recital 146 S 4 and 5 on the GDPR; cf. also Frenzel in Paal / Pauly, GDPR-BDSG3 Art 82 GDPR margin no.1; Wybitul / Haß / Albrecht

(Art. 6 Para. 1 lit. f GDPR). In this context, Art. 6 Para. 1 lit. c GDPR in conjunction with the PMG and Art. 6 Para. 1 lit. f GDPR relevant: The Respondent

minimis threshold. In comparison to pre-GDPR legislation, the court found no difference in the wording of Article 82(1) GDPR which would prevent the continued

that the GDPR does not apply to the processing of the data of the companies of the complainant's customers with referring to recital 14 of the GDPR, the Disputes

Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/16, regarding the Protection of Natural Persons in what regarding the Processing

option. The AEPD also found that there had been a violation of Article 7 GDPR before the controller allowed the user to choose what specific processing

Art. 11, art. 13-16, art. 18-22, art. 27, art. 28 sec. 2-10 and art. 30 GDPR; 3. This means that the provision of Art. 17 of the GDPR regulating the so-called

contract (recital 44 of the GDPR), on the basis of a legal obligation, for the performance of a task in the public interest (recital 45 of the GDPR) or in

(5) GDPR regarding the exercise of the trade of the address method and direct marketing companies, which are within the borders of the GDPR (Recital Gr

Article 5(1)(b) GDPR and against the provisions of Article 5(1)(a) GDPR and Article 6(1)(f) GDPR in conjunction with Article 6(4) GDPR. Further, the DSB

our candidates: some new residents had apparently not received the letter'. 16. The defendant refers to Article 17(3)(2) of the Electoral Code of 12 April

data without a legitimate basis, in breach of Article 6 GDPR. For the violation of Article 6 GDPR, the AEPD fined the controller €6,000. In order to determine

purposes pursued by Article 15 of the GDPR, it is noted that, as specified in Recital 11, the purpose of the GDPR is to strengthen and specify in detail

AEPD concluded that the defendant could have breached Article 13 GDPR, Article 7 GDPR and Article 22(2) LSSI: there was no identification of the data controller

referred to in Article 15.1.a) to h), GDPR. In accordance with Article 12.1 GDPR, read in conjunction with recital 58 hereof Regulation, the controller

that the term "damages" in Article 82(1) GDPR is to be understood broadly according to sentence 3 of Recital 146 GDPR. The interpretation of the term must

4(1) GDPR are only living persons (Recital 27 GDPR) the data concerning already deceased persons does not constitute personal data under the GDPR. Secondly

the GDPR also applied to facts before the above-mentioned date. The Court noted that the entry-into-force of the GDPR according to Article 99 GDPR represents

controller violated Article 6 GDPR because it had no legal basis to disclose the email addresses. It reasoned that Article 6(1)(a) GDPR was not applicable because

ECLI:EU:C:1996:404). 9.3. The purpose of the GDPR, as reflected in recitals 1 and 2 in the preamble to the GDPR, is the protection of natural persons with

grounds for processing according to Art 6 Para 1 GDPR (see Art 6 Para 1 lit a GDPR; as well as recital 43 GDPR). Only one (valid) consent is subsequently one

Charter, as well as Article 78, paragraph (2) of the GDPR, read in the light of recital (143) of the GDPR, to conclude that any decision adopted by the CNPD

Article 12(3) GDPR. Therefore, the DPA ruled that because the processing carried out by the controller breached Article 12 GDPR and Article 15 GDPR. Since the

communications using the GDPR, specifically on the basis of Article 4.11, Article 6.1.a GDPR (consent requirement) and Article 13 GDPR (information to be provided)

negligence of the infringement (Article 83(2)(b) GDPR) the impact on basic personal identifiers (Article 83(2)(g) GDPR) Share your comments here! Share blogs or

5(1)(f) GDPR, Article 5(1)(a) GDPR, Article 5(2) GDPR, Article 12 GDPR, Article 13 GDPR, Article 14 GDPR, Article 24(1) GDPR, and Article 25 GDPR, as a result

as too vague and thus inadmissible (BGH, judgment of 16 November 2006 - I ZR 191/03, juris para. 16 - Telephone advertising for individual contracts; BGH

DPA (Garante) fined telecoms operator Iliad €800,000 for violating multiple GDPR and Italian Privacy code provisions. As a number of different complainants

Article 12(2) GDPR, by not enabling the data subject to exercise their right to rectification stated in Article 16 GDPR. Article 12(2) GDPR thus includes

outside the material scope of the GDPR. Also, with regards to the definition of personal data from Article 4(1) GDPR, the DPA did not reach a firm conclusion

01"). 21 See in particular Articles 5.1(a) and 12 of the GDPR, see also Recital (39) of the GDPR. _____________________________________________________________

accordance with Article 6(1)(f) GDPR? - Does the controller process audio and video data in accordance with 5(1)(c) GDPR? - Does the information provided

facilitator but, as specified in Recital 80 GDPR, the person who acts on behalf of the controller with regard to the GDPR obligations. The DPA held that

review under Article 78 GDPR. The disputed infringement occurred before the GDPR came into legal force according to Article 99 GDPR. Therefore, the data subject's

processing under the GDPR. The local authorities filed a complaint with the Spanish DPA against the complainant for an alleged violation of the GDPR by finding scattered

Article 78(1) GDPR, which pertains to the right to an effective remedy against legally binding decisions made by a DPA. They referred to Recitals 141 and 143

violation of the GDPR? The AEPD held that the senders of the email violated the principle of data confidentiality under Article 5(1)(f) GDPR, by revealing

infringe the principle of confidentiality established by Article 5(1)(f) GDPR? Was there a personal data breach? The AEPD considered that there was an

infringe the principle of confidentiality established by Article 5(1)(f) GDPR? Was there a personal data breach? The AEPD considered that there was an

Article 9(1) GDPR. Since Article 9 GDPR was not applicable, the DPA examined the lawfulness of the processing under Article 6(1)(e) GDPR which was put

procedure fall within the scope of the GDPR pursuant to Article 2(1) of the GDPR and consequently the rules of the GDPR apply to these processing. The Authority

is also in line with recitals 146 and 75 of the GDPR. Recital 146 refers to the processing of personal data. Recital 75 describes, by way of example, risks

activities fell within the territorial scope of the GDPR under Article 3 GDPR. The territorial scope of the GDPR applies if the processing activities are related

and Article 13 GDPR. The Italian DPA ordered the controller to bring processing operations into conformity with the provisions of GDPR and imposed a fine

carry out an investigation of SLIMPAY's GDPR compliance. The DPA found out that SLIMPAY breached several GDPR provisions. The DPA noted that some of the

her”. 7. Recital 32 of the GDPR materially states that “When the processing has multiple purposes, consent should be given for all of them”. Recital 42 materially

meaning of Article 4(1) GDPR and thus cannot be object of an access request under Article 15(3) GDPR. Making reference to CJEU case C-434/16, the court reiterated

lines and under f, of the GDPR. 14. For a successful appeal to Article 6, paragraph 1, opening lines and under f, of the GDPR, three conditions must be

incur major costs of implementation which under Article 32(2) GDPR makes a breach of 32(1) GDPR more likely. Despite the fact that not all data was classified

personal data was automated. Thus Article 2(1) GDPR applies and the processing falls within the scope of the GDPR. The DPA assessed that a summons to one of

(Chapter III) of the GDPR at the third stage: Right to rectification (Art. 16 GDPR), Right to erasure or right to be forgotten (Art. 17 GDPR), Right to restriction

a basis of lawfulness own. Recital 50 of the GDPR 11 is explicit in this regard. These legal bases 9Recital 50 of the GDPR: [...] In order to establish

obtain the deletion of the data referred to in Article 17 GDPR, because Article 17 (3) (b) GDPR precludes this. By publishing the decision, the District

line with Article 13 GDPR. On the DSB's request, the controller declared R*** Hotels GmbH as its representative under Article 27 GDPR and sent a reply to

Article 81 of the GDPR, but not the actually relevant Article 82 of the GDPR. The claims asserted in the counterclaim under Article 82 of the GDPR were confirmed

Article 58(2)(b) GDPR. The Authority ordered the Health Service to carry out a DPIA and bring its processing operations in line with the GDPR within six months

Article 28 BayVwVfG (cf. also GDPR recital 129). As a remedial measure, the prohibition order is based on Art. 58 (2) GDPR. Since this is a prohibition

Article 5(1)(f) GDPR. Furthermore, the controller was responsible for implementing appropriate security measures according to Article 32(1)(b) GDPR, for guaranteeing

infringement of GDPR can result in non-material damage and that a data subject must receive full and effective compensation of the damages under GDPR, do not mean

are based on a different legal basis Art. 6 (1) GDPR than the consent pursuant to Art. 6 (1) lit. a GDPR was based. services on were used on the website

Article 15(1) GDPR. The data subject was not entitled to further disclosure. On the applicability of the GDPR: The court determined that the GDPR and the data

than Article 8 GRC (the latter only protects natural persons). As Article 16(2) TFEU leaves it to member states to grant data protection rights to legal

provision of personal data on the account is explicitly allowed by the GDPR as Recital 63 GDPR states that, where possible, the controller should be able to provide

Article 13(1)(c) and (2)(a) of the GDPR. II.4. Article 5 GDPR, Article 24 (1) GDPR and Article 25 (1) and (2) GDPR II.4.1. Findings in the Inspection Report

article 4.1 of the GDPR, is data personnel and their protection, therefore, is the subject of said Regulation. In article 4.2 of the GDPR defines the concept

24.1. of the GDPR] include the implementation of appropriate data protection policies by the data controller”. 29. Recital 74 of the GDPR adds that “it

of contract (Article 6(1)(b) GDPR), legal obligation (Article 6(1)(c) GDPR) and legitimate interest (Article 6(1)(f) GDPR) and determined that the controller

relationship between the GDPR and the GDPR with regard to the exceptions mentioned in Art. 2 Para. 2 GDPR must be dealt with. According to Article 16 (2) TFEU, there

under Article 12(1) GDPR and Article 14 GDPR, as the controller had failed to fulfill the informational obligations under Article 14 GDPR. The municipality

Rights of the European Union (Charter) and Article 16 (1) TFEU (compare recitals to the GDPR [recital] 1, 2). It is intended to “contribute to the completion

pieces of information (see also Recital 63 GDPR). In accordance with Article 15 Paragraph 3 GDPRArticle 15 Paragraph 3 GDPR, the controller provides a copy

able to check its legality (Recital 63 GDPR). The information must comply with the transparency requirement of Art 12 Para 1 GDPR, which requires that information

Article 6 GDPR. The DPA established that notwithstanding that the controller has a legal basis for processing, processing is still in breach of the GDPR when

included in the final text in recital 80 of Directive 2016/6805. Although this difference raises the question of why recital (20) of the preamble to the

Article 4(16) GDPR." Consequently, the DPA concluded that the cooperation mechanism and procedure set out in Article 56(1) GDPR and Article 60 GDPR did not

LPACAP), for the alleged infringement of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR. FIFTH: Notified of the aforementioned start-up agreement

infringement of Article 13 GDPR as defined in Article 83(5)(b) GDPR. This initiation agreement was notified and delivered to the controller on 16 December 2022. The

demonstrate compliance (“accountability”).” Art. 6 GDPR: Article 6, GDPR: According to Article 6 Paragraph 1 of the GDPR, processing is only lawful if at least one

55(3) GDPR a DPA does not have the competence to oversee processings such as the ones at issue in the present case. The Court mentioned Recital 20 GDPR

point b) GDPR and Article 100, §1, 5 ° WOG to be reprimanded for the infringement of Article 25 (1) GDPR; b. on the basis of Article 83 GDPR and Articles

according to Article 23 GDPR, restrictions of obligations and rights under Article 12 GDPR - Article 22 GDPR Article 34 GDPR and Article 5 GDPR, insofar as its

publication was in violation of Article 5(1)(c) GDPR, Article 6(1)(f) GDPR, when read in line with Article 85 GDPR. Article 5(1)(c) outlines the principle of

comply with Article 5(2) GDPR. The DPA determined that the controller violated Article 15 GDPR. The DPA stated that Article 15(1)(c) GDPR must be interpreted

less severity depending on the effects 86 GDPR, art. 16 87 GDPR, art. 17.1.a 88 GDPR, art. 18.1.a 89 G.HAAS, GDPR legal guide: the regulations on the protection

data that is needed also for purposes other than those included in Recital 63 GDPR. Moreover, the court held that the access request cannot be considered

Article 31 GDPR in conjunction with Article 58(1)(e) GDPR. The AEPD, therefore, agreed to impose a penalty of € 20000 under Article 83(5)(e) GDPR. The fact

in later cases): The GDPR was enacted on the basis of Article 16 TFEU in particular (see the preamble and recital 12 of the GDPR). However, the wording

According to the respondent, the GDPR in fact implements Article 52 of the Charter and this follows from recital 4 of the GDPR. It considered that: “the processing

data in violation of the GDPR. The DPA also held that Google had processed personal data in violation of Articles 5(1)(b) and 6 GDPR by sending notifications

1 lit. c GDPR. It cannot be deduced from Section 256 IO that Insolvency data (at all) also based on other permitted circumstances Art. 6 GDPR may no longer

not override the data subject's right to privacy. Pursuant to Article 17(1) GDPR, the data subject had requested Google LLC (the controller) to remove several

with Article 33 GDPR and Article 34 GDPR. Consequently, it issued a reprimand to the controller in accordance with Article 58(2)(b) GDPR. First, the DPA

Article 15(1) GDPR with its reply from December 2019. The Court first held that the BayLfSt was a controller within the meaning of Article 4(7) GDPR. Next, the

reinstate the employer for the violation of his data protection rights under the GDPR. Share your comments here! Share blogs or news articles here! The decision

rectification (Article 16 GDPR) 95. The complainant also addressed a correction request to the defendant. In accordance with Article 16 of the GDPR, the data subject

the rights and freedoms of natural persons” (recital n. 74 of the RGPD). Based on the art. 25 of the GDPR, it is then established that the owner, "both

Articles 6.1.C and 9.2.i) of the GDPR. 86. In accordance with Article 6.3 of the GDPR, read in the light of recital 41 of the GDPR, the processing of 26 personal

supported by the structure of Article 78 GDPR, which is strictly intertwined with Article 77 GDPR. Indeed, Article 78(2) GDPR provides the data subject with the

based on a clear interest legitimate in accordance with article 6.1. f) and recital 47 of the Regulation General Data Protection 679/2016, by our company, having

infringement of article 5.1.f) of the GDPR and article 32 of the GDPR, typified in articles 83.5 and 83.4 of the GDPR, respectively. The startup agreement

the improper implementation of the GDPR. First, the Court acknowledged that the right to inspection under article 15 GDPR is not absolute or unlimited, but

definition of "personal data" in Article 4(1) GDPR. The DPA reminded the controller that, as defined in Recital 26 GDPR, pseudonymisation is a mere technical measure

paragraph 1 GDPR and Article 25 (1) GDPR 84. Based on Article 12(1) GDPR, Article 13(1) and (2) GDPR and Article 14(1) and paragraph 2 of the GDPR, it is necessary

EU:C:2008:54, marginal no. 68; judgment of 16 January 2008, marginal no. 68, EU:C:2008:54, marginal no. 68; judgment of 16 January 2007, marginal no. 8, marginal

remedy (Article 12(4) GDPR). Accordingly, as they failed to respond in such a way, the authority had infringed Articles 12 and 15 GDPR. With regard to corrective

Article 82(1) GDPR, because the controller unlawfully disclosed the data to its customers. The court also held that under Article 82 GDPR the violation

pursuant to Art. 14 par. 5 lit. b GDPR? The President of UODO found that: 1) The applicable provision is the Art. 14 GDPR since the data controller collects

Paragraph 3 GDPR specifies content requirements for an appropriate legal basis, which are clear and precise in the context of recital 41 of the GDPR and should

pursuant to article 46 GDPR Uber (iv) the existence of automated decision-making, including those laid down in Articles 22(1) and 22(4) GDPR (at least meaningful

Article 12 GDPR. On the other hand, the company had undermined individuals rights of access (Article 15 GDPR) and right to be forgotten (Article 17 GDPR) by:

101 and 102 TFEU (see Recital 150 GDPR) only applies to those within the meaning of Articles 101 and 102 TFEU (see Recital 150 GDPR). is relevant for the

regard to the modalities in Article 12 GDPR. Recital 58 of the GDPR states that information under Article 14 GDPR can be provided in electronic form, for

Articles 57 and 58 GDPR. The NO DPA is the supervisory authority established in line with Article 51(1) GDPR to monitor the application of the GDPR on the territory

violated Article 6(1) GDPR. However, this violation alone was not sufficient to justify a claim for damages. Pursuant to Article 82(1) GDPR, a claim for damages

In accordance with Article 36 GDPR, the Garante must decide on the adequacy of the intended processing under the GDPR. After careful examination, the

controller did not notify the DPA, it violated Article 33(1) GDPR. Moreover, it violated Article 34(1) GDPR since it did not provide the data subjects with the

invoked Recital 1 GDPR and Recital 4 GDPR and the definition of processing under Article 4(2) GDPR. Then, it noted that according to Article 9 GDPR and Recital

definition of Article 4(16) GDPR, and therefore declared its competency to act as the lead supervisory authority under Article 56(1) GDPR. The AEPD then investigated

compliance with the GDPR by application of Article 8 of the Charter of Fundamental Rights of the European Union (EU), of article 16 of the Treaty on the

to be in violation of Article 5(1)(a) GDPR, Article 6 GDPR, Article 9 GDPR, Article 12 GDPR and Article 13 GDPR and started a procedure to adopt corrective

Article 6(1) of the GDPR is violated. 1.9 The plaintiff has appealed against this decision. A hearing took place on September 16, 2021. 1.10 In the decision

Article 77 GDPR. The Austrian DPA argued that a legal person does not fall within the personal scope of the GDPR pursuant to Article 1(1) and (2) GDPR. Therefore

processing activities. compliance with the GDPR, including the effectiveness of the measures (GDPR recital 74). In summary, this principle requires a conscious

view to a powerful enforcement of the rules of the GDPR. As is clear from Recital 148 GDPR, the GDPR states after all, it is important to note that for

and 7(1) GDPR; Articles 5, paragraph 2 and 24 GDPR; Articles 12, paragraph 1, j° 13 and 14 GDPR; Article 5(1)(e) GDPR; and Article 7(3) GDPR. - order the

to Article 2 (1) of the GDPR, the GDPR applies to the processing of data in the present case. The relevant provisions of the GDPR in the present case are

85 GDPR, so that Chapter II (including Art 6 GDPR) to VII and IX of the GDPR do not apply. The regulation of § 9 DSG, which is based on Art 85 GDPR, is