Search results

instructive in the interpretation of Recital 23 GDPR. Contrary to the usual definition of good and services, the GDPR clarifies that processing is covered

BDSG, Article 6 GDPR, margin number 20 (C.H. Beck 2020). Recital 32 sentence 1 GDPR. Recital 32 sentence 2 GDPR. Recital 32 sentence 3 GDPR. CJEU, C‑673/17

GDPR. Recital 71 sentence 1 GDPR. Recital 71 sentence 1 GDPR. Recital 28 sentence 1 GDPR, such as Hansen, in Simitis, Hornung, Spieker, Datenschutzrecht

Knyrim, DatKomm, Article 32 GDPR, margin numbers 23 (Manz 2022). Pollirer, in Knyrim, DatKomm, Article 32 GDPR, margin numbers 23 (Manz 2022). Pollirer, in

in relation to the GDPR - usually in the form of a Restriction under Article 23 GDPR - these other rights exist in parallel to the GDPR. This means a data

of data established in Article 9(2)(a) GDPR, Article 9(2)(c) GDPR, Article 9(2)(g) GDPR and Article 9(2)(i) GDPR directly correlate with a specific legal

listed in Articles 13 GDPR. In certain cases, Article 23 GDPR may be used by Member States to exempt certain duties under Article 13 GDPR in certain situations

(Article 12(1) GDPR), facilitate the data subject (Article 12(2) GDPR), respond and communicate the measures taken (Article 12(3) and (4) GDPR), the principle

under Article 6(4) GDPR and further processing for a compatible purpose under Article 6(4) GDPR. See the commentary on Article 6(4) GDPR for details on the

and purposes outlined in Article 23(1)(a) to (j) GDPR (e.g. national and public security) as well as Recital 73 GDPR (e.g. protection of human life). In

dealt with in Article 12(6) GDPR. It is unclear why Article 12(2) GDPR refers to Articles 15 to 22 GDPR, while Article 11(2) GDPR only refers to Articles Articles

(Article 12 GDPR), information (Articles 13 and 14 GDPR), access (Article 15 GDPR), rectification (Article 16 GDPR), erasure (Article 17 GDPR), restriction

Regulation (GDPR): A Commentary, Article 32 GDPR, p. 636 (Oxford University Press 2020). Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 32 GDPR, margin number

(Article 4(23) GDPR), several supervisory authorities (SA) could be competent according to Article 55 GDPR. For this reason, Article 56(1) GDPR establishes

Article 83(8) GDPR corresponds in this respect to Recital 148 sentence 4 GDPR. Nemitz, in Ehmann,Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin

Article 14 GDPR gives expression to the principle of transparency enshrined in Article 5(1)(a) GDPR and further defined in Article 12 GDPR. While Article

processing of personal data of deceased persons. Article 2 GDPR sets out the material scope of the GDPR. Paragraph 1 clarifies that the Regulation applies to

of the most innovative elements in the GDPR related to the accountability principle (see Articles 5(2) and 24 GDPR). This provision regulates the cases in

the meaning Recital 86 GDPR). However, Article 34 GDPR does not provide a specific deadline of 72 hours as is the case in Article 33 GDPR. Instead, timelines

Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 909 (Oxford University Press 2020). See Recital 20 GDPR and CJEU, in C-245/20 - Autoriteit

Regulation (GDPR), Article 7 GDPR, p. 350 (Oxford University Press 2020). Heckmann, Paschke, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin

since, under Article 28(1) GDPR, a controller shall only use processors providing the same standards under Article 25 GDPR. Manufacturers or producers

Article 82 GDPR – like almost all provisions of the GDPR – is directly applicable in all Member States without any act of implementation. Article 82 GDPR leaves

consideration when the GDPR was drafted. There is consequently no need to 'balance' the GDPR against other rights for a second time, as the GDPR is already the

to Article 60 GDPR, Article 61 GDPR, Article 62 GDPR, Article 63 GDPR, Article 64 GDPR, Article 65 GDPR, Article 66 GDPR and Article 56 GDPR. The SA is also

purpose (Article 52(4)(5)(6) GDPR). Elements of SAs' complete independence are also addressed in Article 53 GDPR and Article 54 GDPR. The CJEU in the Case of

natural persons”. The GDPR does not define what constitutes a “risk to the rights and freedoms of natural persons”. Recital 75 GDPR only outlines potential

prevention (Article 23(1)(a-j) GDPR) allow for far fewer GDPR restrictions than those granted by freedom of expression. Article 85(2) GDPR poses one condition

Protection Regulation (GDPR): A Commentary, Article 27 GDPR, pp. 595-596 (Oxford University Press 2020). Recital 80 sentence 5 GDPR. Ziebarth, in Sydow,

interpreted Recital 144 GDPR to have limited the scope of Article 81 GDPR, as applying only to proceedings instigated under Article 78 GDPR. The first sentence

important to note that Article 13(1)(f) GDPR, Article 14(1)(f) GDPR, Article 15(1)(c) GDPR and Article 15(2) GDPR, make specific reference to transfers of personal

to Article 23(1)(e) GDPR, which sets out strict requirements for the Union or Member State's law restricting GDPR rights, Article 18(2) GDPR does not make

22(2)(c) GDPR. Finally, decisions based on explicit consent are also subjected to the safeguards laid down in Article 22(3) GDPR. Article 22(3) GDPR lays down

(Article 15 GDPR), rectification (Article 16 GDPR), erasure (Article 17 GDPR), restriction (Article 18 GDPR), notification (Article 19 GDPR) or data portability

personal data as well (see Recital 163 GDPR). Tosoni in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 98 GDPR, p. 1315 (Oxford University

out data relating to deceased persons, this Recital confirms Recital 27 GDPR, according to which the GDPR “does not apply to the personal data of deceased

You can find all related decisions in Category:Article 36 GDPR Recital 89 GDPR. Article 36 GDPR must therefore be read as one   element within a wider framework

Article 79 GDPR, margin number 14 (rdb.at 2018). Jahnel in Jahnel, DSGVO, Article 79 GDPR, margin number 29 (Jan Sramek 2021). See Recital 141 GDPR. Moos,

in other parts of the GDPR. To begin with, Recital 141 GDPR clarifies that an SA must “act on a complaint”. Article 57(1)(f) GDPR, in turns, establishes

(Article 15 GDPR), rectification (Article 16 GDPR), deletion (Article 17 GDPR), restriction of processing (Article 18 GDPR), objection (Article 21 GDPR) and the

catalogue of penalties in Article 83 GDPR. National legislators may add provisions to fill these gaps. Under Recital 152 GDPR, these provisions may either be

under the GDPR. → You can find all related decisions in Category:Article 94 GDPR Kühling, Raab, in Kühling, Buchner, GVO BDSG, Article 94 GDPR, margin numbers

situation, Article 95 GDPR will not be relevant, and the GDPR applies as normal. Notably, Recital 173 GDPR, which relates to Article 95 GDPR, omits reference

Article 45(5) GDPR (revocation, change of such determinations); Articles 46(2)(c) and (d) GDPR (standard protection clauses); Article 47(3) GDPR (formats and

resolution mechanism under Article 65 GDPR in connection with Article 63 GDPR is triggered (Article 60 (4) GDPR). Article 60(2) GDPR clarifies that also in cross-border

(Articles 55-59 GDPR). The GDPR provides for exceptions from provisions entailed in Chapter VI (independent supervisory authorities). Article 85(2) GDPR mandates

proposed amendments to the GDPR (pursuant to Article 70(1)(b) GDPR). Although not explicitly mentioned in Article 69(2) GDPR, the requirement that the Board

57 GDPR should be deemed inadmissible for the purposes of Article 31 GDPR. Article 31 GDPR can be read as a supporting provision to Article 58 GDPR. In

88(1) GDPR) and a conditional function (Article 88(2) GDPR). While Article 88(2) GDPR determines the scope of the opening clause, Article 88(1) GDPR establishes

Articles 13 or 14 GDPR. This can be drawn from the final sentence of Article 11(1) GDPR. It must be assessed with the utmost attention whether GDPR provisions

decision pursuant to Article 45 GDPR shall be used, when it exists; second, appropriate safeguards under Article 46 GDPR, such as binding corporate rules

Although Article 40(5) GDPR mentions that the competent DPA will be determined through the application of Article 55 GDPR, the GDPR does not provide concrete

published under Article 70(3) GDPR. Though Article 70(3) GDPR already obliges the EDPB to make these public, Article 71(2) GDPR ensures that the public is

exists only in cases of Article 64(2) GDPR but not the context of Article 70(2) GDPR. According to Article 70(3) GDPR, the EDPB is obligated to “forward its

from any of the GDPR’s protections. → You can find all related decisions in Category:Article 39 GDPR Just as Article 38 GDPR, Article 39 GDPR also shows similarities

with Article 58(1) GDPR. Article 90 GDPR was drafted with a view to regulate potential conflicts between the application of the GDPR on the one hand, and

Category:Article 86 GDPR At para. 120 Kranenborg, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 86 GDPR, p. 1216 (Oxford University

Article 72 GDPR regulates the Board's voting procedure. Generally, the GDPR grants the EDPB a high degree of autonomy. In particular, Article 72(2) GDPR entitles

the scope of the LED from the scope of the GDPR. Article 10 GDPR is intended to extend the protection of the GDPR to the processing of certain criminal data

subject to the GDPR or, in cases where they are not established in the EU, act within the material and territorial scope of the GDPR. Article 48 GDPR refers to

large-scale, or involve processing of data under Article 9 GDPR or Article 10 GDPR. Recital 97 GDPR clarifies that the core activities of a controller are

provisions of the GDPR. This decision refers to the Administrative cooperation between SAs (covering cooperation under Articles 56, 60, 61 and 62 GDPR) and the

true also under Article 91 GDPR”. See, Tosoni, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 91 GDPR, p. 1263 (Oxford University

application of Article 65(1)(a) GDPR, (13 April 2021), margin number 57 (available here). See also Recital 143 GDPR. See Article 78(2) GDPR. Hijmans, in Kuner et

Article 46(2)(d) GDPR, contractual clauses referred to in Article 46(3)(a) GDPR, or binding corporate rules within the meaning of Article 47 GDPR. In these cases

directly to children. As such, Article 8 GDPR stipulates additional requirements for consent by children. Article 8 GDPR applies only if the processing of data

authority. Article 61(1) GDPR regulates how independent authorities are to cooperate to enable the uniform application of the GDPR. Supervisory authorities

provisions of the GDPR require the controller to keep track of individual recipients. For example, Article 15(1)(c) GDPR and Article 19 GDPR require the disclosure

outlined under other Articles of the GDPR, namely in Articles 51, 52 and 53 GDPR. The second objective, under Article 54(2) GDPR, seeks to regulate the confidentiality

of knowledge between them. This way, Article 50 GDPR expands the exhortation under Article 57(1)(g) GDPR that calls for cooperation between EU DPAs, across

to Article 6 GDPR; the principles of data processing pursuant to Article 5 GDPR; the data subjects’ rights pursuant to Articles 12-23 GDPR; the obligation

sors_en Recital 121 GDPR. Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 53 GDPR, p. 888

provisions under Article 75(3) GDPR. The employees of the Board's secretariat only report to the Chair (Recital 140 GDPR). In this respect, they are therefore

differences between portability and access under Article 15(3) GDPR. According to Recital 68, the data should be available in an "interoperable format"

5(1)(d) GDPR gives the controller some leeway to continue processing inaccurate data - see more details under Article 5(1)(d) GDPR. Article 16 GDPR, titled

60, 63, 64 and 65 GDPR) immediately adopt provisional measures intended to produce legal effects on its own territory. Article 66 GDPR creates strict conditions

exclusion of Article 82 GDPR is confirmed by the last sentence of Recital 142 GDPR. In addition, Article 80(2) GDPR does not permit Member States to allow NPOs

decisions pursuant to Article 65 GDPR (Article 70(1)(t) GDPR). Article 68 GDPR is the first of nine Articles (Articles 68-76 GDPR) governing the EDPB set forth

It shall apply from 25 May 2018. There is no relevant recital for Article 99 GDPR. Article 99 GDPR sets out the dates of the Regulation's entry into force

Category:Article 45 GDPR Kuner, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 45 GDPR, p. 774 (Oxford

compliance with the GDPR under Article 58(2)(d) GDPR or even ban it under Article 58(2)(f) GDPR. Therefore, complaints under Article 77 GDPR should extend to

relevance of Article 29 GDPR were rooted in the fact that Article 28(3)(b) GDPR already seems to cover much of the scope of Article 29 GDPR. More specifically

systems of the Member States. → See Article 23 GDPR. → You can find all related decisions in Category:Article 19 GDPR. The obligation to notify under Article

Article 62 GDPR, margin number 11 (Beck 2018, 2nd edition). Riccio, Scorza, Belisario, GDPR e normativa privacy – Commentario, Article 62 GDPR (Wolters Kluwer

Article 96 GDPR if it is found to be incompatible with other GDPR provisions. → You can find all related decisions in Category:Article 96 GDPR It follows

of the GDPR enforcement across the Member States. → You can find all related decisions in Category:Article 64 GDPR Caspar in Kühling, Buchner, GDPR Article

in Category:Article 74 GDPR For more on this point, see Article 72 GDPR. Dix in Kühling, Buchner, DS-GVO BDSG, Article 74 GDPR, margin number 7 (C.H. Beck

76 GDPR, margin number 1 (C.H. Beck 2020, 3rd edition). Docksey, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 76 GDPR, p

encompasses other obligations of controllers under the GDPR. EDPB: This extends to various obligations under the GDPR, including but not limited to the implementation

compliance with the GDPR. Article 28(3)(h) GDPR enables such a task in case processors are used. According to Article 28(3)(h) GDPR, the processor should

mentioned in Recital 167 GDPR and Article 291 TFEU, the aim of implementing acts is to “ensure uniform conditions for implementing” the GDPR. In its GDPR Certification

majority principle under Article 72(1) GDPR would have applied regardless of Article 73(1) GDPR. In addition, the GDPR explicitly legislates for a simple majority

of the European Union ("TFEU"), within the scope of the GDPR. The function of Article 92 GDPR is to lay down conditions for the delegation of power as

Regulation (GDPR): A Commentary, Article 38 GDPR, p. 707 (Oxford University Press 2020). Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 38 GDPR, margin number

Category:Article 47 GDPR Kuner, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR) Update of Selected Articles, Article 68 GDPR, p. 194 (Oxford

progress. Fill in the name used for the recital if you use it so we can ensure a somewhat streamlined practice. Recital 1: The protection of natural persons

when passing the GDPR. In fact, all but one EU Member State (who has sought higher protections) have voted in favor the GDPR. The GDPR is not just consisting

undefined in the GDPR. “Expertise” is only referred to again under Article 41(2)(a) GDPR, although briefly. Additionally, Article 41(1) GDPR specifies that

per Article 45(3) GDPR, and subject to regular reporting, which Article 97(2) GDPR provides for. The third paragraph of Article 97 GDPR, obliges the Commission

enforcement of the GDPR. → You can find all related decisions in Category:Article 59 GDPR Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 59 GDPR, margin number

data under Article 4(1) GDPR, especially because they allow to single out a data subject within the meaning of recital 26 of the GDPR. It is sufficient that

to in the first sentence of recital 63 GDPR. Neither the wording of Article 12(5) GDPR nor that of Article 15(1) and (3) GDPR condition the provision (to

NOYB, local case number 9782890. Page 22 of 23The Swedish Privacy Agency Diary number: DI-2020-11373 23(23) Date: 2023-06-30 4 Appeal reference 4.1 How

same applies to the right to erasure under Article 17 of the GDPR. Recital 63 of the GDPR also supports this view. It shows that the legislator wants to

proportionality (Article 8(1) CFR, Article 9A Greek Constitution, Recital 64 GDPR), underlined that the GDPR totally respects all fundamental rights and freedoms included

election by a parliamentary assembly is explicitly envisaged by the GDPR in Recital 121. Share your comments here! Share blogs or news articles here! The

of Chapter V GDPR. The complaint was transferred to the Swedish DPA in its quality of lead supervisory authority pursuant to Article 56 GDPR. Following the

Article 46 GDPR. In 2020, noyb lodged a complaint with the Austrian DPA alleging that the controller breached the provisions of Chapter V GDPR. The complaint

of Chapter V GDPR. The complaint was transferred to the Swedish DPA in its quality of lead supervisory authority pursuant to Article 56 GDPR. Following the

to Article 83 GDPR in conjunction with Article 4 No. 7 and 8 GDPR, fines for violations of the GDPR pursuant to Article 83(4) to (6) GDPR are not only to

proportionality of the measure under Article 6(4) GDPR, in accordance with the objectives referred to in Article 23(1) GDPR. It recalled that these objectives include

Fashion ID Court: CJEU Jurisdiction: European Union Relevant Law: Article 80 GDPR Article 1 Directive 95/46 Article 1(1) Directive 2009/22/EC Article 10 Directive

regarding Articles 5(1)(b) GDPR and 5(1)(e) GDPR and held that national courts had to determine, using the factors of Article 6(4) GDPR, whether further processing

subject pursuant to Article 9 (2) (a) of the GDPR ΕΙΣ/7564/05.11.2019 and the invocation of recital 47 of the GDPR 2016/679, inter alia, informed the Authority

point (g) of GDPR and 13 par. 1 point g. 4624/2019, and to exercise respectively the powers conferred on it by the provisions of Articles 58 GDPR and 15 Law

laid down in the GDPR, so that the general conditions for claims were decisive, unless the GDPR contained special rules; even under the GDPR, only non-material

15(1)(h) of the GDPR, the right of data subjects to object under Article 21(1)(1)(2) of the GDPR and - in essence - in Article 22 of the GDPR as a general

and b) GDPR. With its reply of August 23, 2019, the defendant obviously did not fulfill the further claim according to letters c) to g). Recital 53 The

complaint in accordance with Article 78, second paragraph, of the GDPR and recital 141 of the GDPR. Has the defendant observed the reasonable period in handling

to access under Article 15 GDPR because the controller was entitled to reject the request pursuant to Article 12(5)(b) GDPR. The court reasoned that this

situation is warranted. In this respect, Recital 137 GDPR states 65 66See Article 77 GDPR. See Recital 137 GDPR. 28that an urgent need to act in order to

justification or basis for the processing, violating Article 9 GDPR. AEPD highlighted that Recital 46 GDPR already recognizes that, in exceptional situations, such

an access request under Article 15(1) GDPR. According to Recital 63 GDPR, the right of access under Article 15 GDPR serves data subjects to be informed about

e) of the GDPR). 8.1.4. As for breaches of Articles 5.2. and 24 of the GDPR 88. Article 24.1 of the GDPR which covers Chapter IV of the GDPR devoted to

understood as made to the GDPR, in accordance with article 94 of the last. Likewise, it is apparent from recital 173 of the GDPR that this text explicitly

Articles 12 and 15 GDPR regarding the right to access personal data, while it also underlined the restrictions to this right that Articles 23 GDPR and 33 Law 4624/2019

Article 32 GDPR. Retaining personal data of an applicant for a lease after another applicant has been selected also violates Article 5(1)(e) GDPR. The customer

norm addressee of Chapter V GDPR. The bB be directly responsible for BF2, which violated Art. 44 ff GDPR. Regarding The GDPR is applicable to the processing

regard on that article 2.1) GDPR read in conjunction with recital 15 of the GDPR, although an exclusion from the scope of the GDPR provides for files or a

transparency), Article 12(1), Article 7, Article 13 and Article 14 GDPR, the corresponding GDPR recitals (32, 39, 42, 47, 58, 60, 61, and 72), as well are Articles

according to Art 15 Paragraph 1 GDPR, such as the origin of the data. In accordance with Art 15 (4) GDPR and Recital 63 GDPR, the information must be restricted

of the GDPR according to Art. 99 Para. 2 GDPR as of May 25, 2018 follows from Art. 79 Para. 2 Sentence 1 GDPR in conjunction with recital 22 GDPR as well

the sanctioning regime imposed by the GDPR. And this is because the GDPR is a closed and complete system. The GDPR is a European standard directly applicable

Article 17(1)(d) GDPR since the data was unlawfully processed. The defendant claimed that its activities fall under exception in (Article 85 GDPR) read in conjunction

causality between the "GDPR breach" and the "damage". Article 82(1) GDPR requires that the damage occurs as a result of a specific GDPR breach. Although it

AB for violating Article 17 GDPR by not deleting personal data of the complainant without undue delay and Article 23 GDPR by providing incorrect information

principle enclosed in Article 5(1)(b) GDPR. On this matter, the AEPD argued that, according to Article 5(1)(a) GDPR, Recital 39 and Article 6(1)(f), an interest

1 lit. f GDPR (for the protection of the processor's legitimate interests)? Right to erasure (Art. 17 GDPR); right to object (Art. 21 GDPR)? Locations

plaintiff pursuant to Article 82(1) GDPR, since there have been violations of Article 6(1)(a) GDPR and Article 34 GDPR. The defendant also breached the obligation

operations, it is necessary to fall back on article 6.1. AVG and recital 50 GDPR. Recital 50 of the GDPR states that this is a separate legal basis required for

5(1)(a) GDPR? Is the information relating to personal data processing operations easily accessible within the meaning of Articles 12 and 13 GDPR? Is the

5(1)(b) and (e), 9(2)(j), 89(1) GDPR and Section 7(1)(1) and (2)(1) GDPR. In particular, it follows from Article 9(2)(j) GDPR that the processing of data relating

the meaning of Art. 15 (1) (2) (b) GDPR in conjunction with Art 4 No. 1 GDPR. According to recital 63 p. 7 to the GDPR, the party entitled to information

as “anonymisation”. Recital 26 of the GDPR clarifies that anonymous information does not fall within the scope of the GDPR. The GDPR does not explicitly

serious breach of the GDPR. The violation of Article 17, 1., a) constitutes also a violation of an essential principle of the GDPR and constitutes at least

(4) to (6) GDPR, the European legislator obviously had supranational antitrust law as a model. This is expressed in recital 150 of the GDPR, for example

notification system for adverse events. As emphasised in recital 76 of Regulation 2016/679 (the recitals contain a justification for the provisions of the operative

the effect that this processing was of a cross-border nature (Article 4(23)(b) GDPR). The CNIL nonetheless remained the lead supervisory authority as the

in Article 25 GDPR. Additionally, the AEPD concluded that the controller had violated Article 5(1)(f) GDPR, noting that although the GDPR does not demand

Article 32 GDPR? - Does the fact that this health data is not encrypted constitute a breach of the security obligation under Article 32 GDPR? - Does the

contact-with-brussels-airport 2 AVG, recital 53. 3Data Protection Authority, 'Strategic plan 2020-2025',page 23. Decision on the merits 47/2022 - 3/73

competence granted to the member states by Art. 23 GDPR, namely the limitation competence of Art. 23 Para. 1 e) GDPR. As far as relevant here, the AO standardizes

laid down in the GDPR, so that the general conditions for claims were decisive, unless the GDPR contained special rules; even under the GDPR, only non-material

such data. 2 Recital 3. 3 Recital 5. 3 b. the rapid technological developments which have occurred during a period of globalisation.4 As Recital (6) explains:

made without legitimizing cause of those included in article 6 of the GDPR. The GDPR applies to personal data. Said regulation defines as «data personal”

Article 34(1) GDPR as it failed to communicate the data breach to its users in an appropriate way. In this, the DPC also referred to Recital 86 GDPR which foresees

Data Protection Regulation - GDPR). The defendant has a right of refusal under Art. 12 Para. 5 Sentence 2 Letter b) GDPR to. The provision only lists the

for the year, thus violating Article 39(1)(b) GDPR regarding the DPO's duties to monitor compliance with GDPR. In view of those violations, the CNPD: imposed

28(3) GDPR. Verizon replied that the obligation to conclude a written agreement between controller and processor is not clearly stated in the GDPR. Such

under the household exception found in Article 2(2)(c) GDPR. According to this provision, the GDPR does not apply to the processing of personal data by natural

member states is superimposed (see Recital 146 S 4 and 5 on the GDPR; cf. also Frenzel in Paal / Pauly, GDPR-BDSG3 Art 82 GDPR margin no.1; Wybitul / Haß / Albrecht

personal data for such activities (recital 18 of the GDPR) and therefore, the website must operate according to the GDPR requirements. The DPA examined Orienteringsret

compliance and accountability according to Article 5(1) GDPR, Article 5(2) GDPR and Article 6(1) GDPR. Since the company had totally ignored the its compliance

view to vigorous enforcement of the rules of the GDPR. After all, as is clear from Recital 148 GDPR, the GDPR puts first and foremost that with every serious

[The equivalent GDPR Article to Article 48(3)(a) EU GDPR is Article 46(3)(a) GDPR, and Article 50(1)(d) EU GDPR is Article 49(1)(d) GDPR.] Share blogs or

reopening of the debates. 14. On 23 November 2021, the Dispute Resolution Chamber notified the Respondent of its intention to On 23 November 2021, the Dispute

Article 17(3) GDPR. Two doctors sued a platform for deletion of their basic profile set up on the platform without their consent under Article 17 GDPR. They argued

time, which is a violation of the GDPR. As to the claim for damages, the CoS notes that though Article 82(1) of the GDPR states that full compensation for

Protection Regulation) (OJ L 119, 04.05.2016, p. 1, as amended by OJ L 127, 23.05.2018, p. 2), after conducting administrative proceedings on collection

Article 16 sentence 1 GDPR is the legal basis for a request for rectification, even if the request has been submitted before the GDPR entered into force:

243. In order to strengthen the enforcement of the rules of the GDPR, recital 148 GDPR clarifies that penalties, including administrative fines, should

data breach should be reported to the DPA, according to article 33 of the GDPR as it is likely to cause risk to the rights and freedoms of the data subject

is subject’ (recital 45 of the preamble to the GDPR). (P. 85) (…) The basis of processing data, referred to in Article 6(1)(c) of the GDPR, is the processing

attorney, on 23/12/2022 the no. prot. G/EIS/12802/23-12-2022 memorandum. During the above hearing, but also with the no. prot. C/EIS/12802/23-12-2022 following

terms of personal data protection in violation of Articles 5, 6, 13, 23 and 32 GDPR. The employer dismissed the employee after a disciplinary proceeding

the ePrivacy Directive and Articles 6(1)(a) and 7 GDPR, in the lights of Article 4(11) and Recital 32 GDPR. Following this report, the GBA issued a decision

of the concept of personal data Article 4, 1) of the GDPR, as explained in Recital 26 of the GDPR, Opinion 4/2007 of the Decision on the merits 71/2020

morespecifically the articulation between article 15.4 of the GDPR and recital 63 of the GDPR, as well asbalancing the right to access and obtain data against

asserted here and based on Article 82 of the GDPR, appears questionable in view of sentence 3 of recital 146 of the GDPR. In the case in dispute, however, no damage

Article 82 (1) and (2) GDPR, any person who has suffered material or non-material damage as a result of a violation of the GDPR is entitled to compensation

data without a legitimate basis, in breach of Article 6 GDPR. For the violation of Article 6 GDPR, the AEPD fined the controller €6,000. In order to determine

performance of this purchase contract (Article 6(1)(b) GDPR). Therefore, the processing is compatible with the GDPR. In the Netherlands, as of 1 July 2018 a passenger

the publication of the judgment breach the GDPR? The AEPD held that the respondent’s actions violated the GDPR Article 5(1)(a) requirement that processing

from its database. The litigation chamber concluded to a violation of the GDPR considering that: - the controller did not stop the sending of direct marketing

meaning of the GDPR, and such processing of personal data did not fall within the scope of the "household exemption". Therefore, the GDPR applied in full

to information under Article 15 of the GDPR, especially since it can be deduced from recitals 9 and 10 of the GDPR that the European legislator did not intend

article 12, second paragraph, of the GDPR. 78. Recital 59 of the GDPR further clarifies the standard in Article 12 of the GDPR: “There should be arrangements

ones processing. Decision on the merits 07/2021 - 14/25 10 recital 50 GDPR. Recital 50 of the GDPR states that this is a separate legal basis required for

breach (Article 32 GDPR). Does the plaintiff have a right to compensation according to Article 82(1) GDPR and does Article 82(3) GDPR stipulate a reversal

of Art. 9 GDPR do not apply because the plaintiff did not seek to process that kind of data. The legality is thus determined by Art. 6 GDPR. In the absence

of access under Article 15 GDPR? By denying the complainant access, did the respondent infringe Articles 12(1) or 12(2) GDPR? The NAIH that the complainant's

which it is up to him to implement (article5.1.a) of the GDPR - explained in recital 39 of the GDPR). Different consequencesarising from one or the other

according to the first sentence of recital 41 of the GDPR, a legal basis, on which (the here relevant) Art. 9(2)(i) of the GDPR is based, does not necessarily

processing of personal data is carried out in accordance with the GDPR. In doing so, the GDPR requires, among other things, that the nature and scope of the

the provisions of the GDPR, in particular Article 5 (1) GDPR, article 24 and article 28 GDPR, all this based on article 58.2, d) GDPR and article 100, §1

6.1.f) GDPR) and in this balancing the considerations of the GDPR related to Art. 6.1.f) GDPR eligible [...] be taken, in particular Recital 47. Thus

controller/employer, the free of the worker's consent can be questioned (Recital 43 of the GDGR and opinion of the Group of Article 29" on data protection

considers that, in accordance with the provisions of recital 63 of the GDPR and Article 15(4) of the GDPR, it is not obliged to respond to them if it would

Article 17 GDPR (cf. Article 17 (3) b GDPR). In that case, the data subject does not have the right to object as referred to in Article 21 GDPR, because

right to lodge a complaint as per Article 77 GDPR, in conjunction with Recital 141, and Article 57(1)(f) GDPR. The Board referenced an earlier decision (PVN-2017-09)

with the principles of the GDPR, in particular that of lawfulness, by violating the provisions of Articles 6 and 5(1)(a) GDPR. Share your comments here

violation of Article 5(1)(c) GDPR, and the controller had no legal basis for the processing as required by Article 6 GDPR. As a result of the violations

Article 6.1 GDPR, read in conjunction with Articles 5.2 GDPR and 24.1 GDPR; 5) the performance of a data protection impact assessment (Article 35 GDPR) the framework

(ANSPDCP) fined leasing company €15,000 for violation of Article 32(1) and (2) GDPR after investigating a data breach reported by the company, where the personal

data to be delete. It brought a legal action based on Article 17 GDPR and Article 21 GDPR, read in conjunction with the Dutch Data Protection Act (Wet bescherming

LPACAP), for the alleged infringement of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR. SEVENTH: Notification of the aforementioned initiation

2.1.2. The scope of the GDPR and the jurisdiction of the Disputes Chamber34. In principle, the defendant argues that the GDPR would not apply in thisfile

administrative sanction to be imposed, we should read certain recitals of the RGPD, among others, recital 148, which indicates the following: 'In order to strengthen

means of such activity, by virtue of article 4.7 of the GDPR. For its part, article 5.1.c) of the GDPR regulates the “principles relating to processing” establishing

via letter as well. According to the BVwG, this is in line with recital 63 of the GDPR ("Where possible, the controller should be able to provide remote

proceedings”, that “Recital 65 of the GDPR also includes the exception of the legal defense as provided for in article 17.3.e of the GDPR to the right to erasure"

sensitive personal data under Article 9 GDPR and their lack of valid consent to do so under Article 6(1) GDPR. In 2020, the Norwegian Consumer Council

Article 9(2)(j) GDPR could be a legal basis for scientific research purporses or statistical purposes. Lastly, Recital 46 of the GDPR specifically mentions

controller for the purposes of Article 4(7) GDPR, and Company A was the processor for the purposes of Article 4(8) GDPR. The DPA found that both Companies A and

is charged with committing an offense for violation of article 6.1 of the GDPR, which states that: "one. The treatment will only be lawful if it complies

warning, in accordance with Article 58(2)(b) of the GDPR, in connection with the above-mentioned Recital 148. Therefore, in accordance with the applicable

violation of Article 12 GDPR ? Are the following practices an infringement on data subjects' information right as described in Article 12 GDPR ? Spreading the

although the Applicant’s letter is June 2020 It is dated 23 July, and it was not actually dispatched until 23 July 2020. The Applicant a In support of its statement

accurate and lawfully processed (see recital 63 GDPR). Automated decision-making and profiling 4.8. Pursuant to Article 22 GDPR, [applicants] have the right,

information.” Recitals 39 and 60 of the GDPR help clarify the scope of the right of information provided to interested parties. Recital 39 establishes:

However, the DPA concluded that the controller did not violate Article 15(2) GDPR by asking for more information to identify the data subject when the data

of the GDPR, and even less than one month between the deletion from the edict file and the request for deletion pursuant to Article 17 of the GDPR. Furthermore

own security protocols. This therefore breached Article 5(1)(f) GDPR and Article 32 GDPR. The initial sanction for infringing Article 5(1)(f) was a fine

constitutes personal data, and is thus the scope of the GDPR. In accordance with recital 59 of the GDPR, the controller should be obliged to respond to requests

proceeding personal data under Article 5(1)(a) GDPR. Lursoft claim to be have such a legal basis under Article 6(1)(c) GDPR. However, this was rejected by the Latvian

consent under Article 8 GDPR also apply? Did the defendant, as the controller, fail to adhere to the data transparency (Article 5(1)(a) GDPR) and the data minimisation

in both Belgium and the UK, violated Article 15(1) GDPR, Article 15(3) GDPR and Article 12(3) GDPR GDPR for deleting data instead of providing access to

subjects? The Polish DPA found that the University violated Article 33(1) GDPR and Article 34, because it had notified neither the supervisory authority

personal data to the jewellery company Pandora SA according to Article 17 GDPR. The company asked him to submit his passport or driving license before considering

"more options" page or definitively confirm the creation of their account. 23. 23. If the architecture described in the previous point means that the user

Article 12(3) in relation to Article 15 GDPR. The Garante hence applied an administrative fine as per Article 83(5) GDPR. The amount of such fine was set at

of the general information duty included in Article 13 GDPR. Is this a violation of Article 13 GDPR? The AEPD held that there had been a violation of Article

all the persona data mentioned by virtue of Article 15(1) GDPR, in the lights of Recital (63) GDPR. Thus, the authority ruled that the lack of a complete

verifying the identity of the requesting third party. It also recalled Recital 40 GDPR, which emphasises that each data processing must be based on consent

10 complainant (article 6.1 a) of the GDPR combined with article 7 of the GDPR), (2) article 6.1 c) of the GDPR in that the publication results on the

Respondent explained that the GDPR does not recognize any express “group privilege”, but it can be deduced from Recital 48 to the GDPR that an exchange of customer

under Article 21 GDPR can be made at any time and several times. It also found that a provisional measure can be granted under Article 21 GDPR if an urgent

(minutes of acceptance of oral explanations are attachments No. 1 and No. 23 to the inspection protocol) that a survey was conducted in order to identify

Articles 6 and 13 GDPR? The AEPD decided to impose, for infringement of Article 6 GDPR, a fine of € 10000 and, for infringement of Article 13 GDPR, a fine of

hours of employees without having informed them in accordance with Article 13 GDPR. The AEPD received a letter filed by the interested party against the respondent

Article 77(1) GDPR and subsequently the right of judicial remedy against the supervisory authority under Article 78(1) GDPR. Article 79 (1) GDPR provides for

of the GDPR. 92. 92. Firstly, the restricted formation emphasises that, in this case, the criterion provided for in Article 83(2)(a) of the GDPR relating

account data under Article 15 GDPR? Is GDPR applicable to a case that was still pending before the DPA on 25. 5. 2018? GDPR applies to cases pending before

infringement of Article 32 GDPR. Therefore, the Spanish DPA issued a warning sanction for each violation of Article 5(1)(f) and Article 32 GDPR. AEPD highlighted

(AEPD) imposed a warning on a Spanish public notary for infringing Article 13 GDPR by not offering the claimant relevant information when obtaining a copy of

provisions of the GDPR that are directly applicable do not supersede the provisions of the VStG and to the extent that Art. 83 (8) GDPR and recital 148 are ordered

Articles 6, 7 and 12 of the GDPR. In the contested decision, the Belgian DPA found the infringement of Article 6, 7, 12, 13 and 24 GDPR sufficiently proven. In

Article 77 GDPR was very clear and limited in scope. However, the DSB went on to assert a violation of Article 12 GDPR and Article 15(1)(h) GDPR, acting beyond

understood as references to the GDPR, in accordance with Article 94 of the latter. 34. Similarly, it follows from recital 173 of the GDPR that this text explicitly

constitutes personal data according with Article 4(1) GDPR therefore its processing falls within the scope of GDPR. The DPA also analysed whether the controller

Data, https://wetten.overheid.nl/BWBR0033572/2013-03-01. 47See also recital 75 of the GDPR. 12/41Date Unidentified May 31, 2021 [CONFIDENTIAL] processing infringes

relevant additional information referred to in paragraph 2information. Page 23 23[14. Paragraphs 5 to 4 shall not apply if and to the extent that:(a) the data

under Article 5(1)(a) and Article 5(2) GDPR respectively]. The Spanish DPA even made reference to Recital 40 GDPR on the legality of processing. The Spanish

Thus, it violated Article 15 GDPR. The Datatilsynet issued an injunction and ordered the company, as foreseen under 58(2)(c) GDPR, to carry out a concrete

measure against the University of Rome "La Sapienza" - 23 January 2020 Register of measures n. 17 of 23 January 2020 THE GUARANTOR FOR THE PROTECTION OF PERSONAL

1 b) GDPR) and the legality of the processing (Article 6.1 GDPR); as well • compliance with the responsibility of the controller (Article 24 GDPR), security

Article 23 GDPR. Restrictions on the right to information under Art. 15 GDPR result in particular from the express provision in Art. 15 (4) GDPR that the

Resolution regarding the right to access (art. 15 GDPR) and its formalities art. 12(2) GDPR. The Health service of the Balearic Islands (Controller) didn’t

activities of SPARTOO SAS did not comply with a series of GDPR provisions (art. 5§1(c), 5§1(e), 13, 32 GDPR). In that respect, CNIL imposed a fine of 250,000 euros

4 No. 1 GDPR. The query of this date in the order form on the plaintiff's homepage is also a processing operation within the meaning of the GDPR. Because

opening clause in Article 86 GDPR if the disclosure involves personal data? The court held that the VIG complies with Article 86 GDPR: The provisions of this

increasedregulations.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 23 23/23In accordance with the above,the Director of the Spanish Agency for Data

established in article 5 of the GDPR. The security of personal data is regulated in articles 32, 33 and 34 of the GDPR. III The GDPR defines personal data security

line with Article 13 GDPR. On the DSB's request, the controller declared R*** Hotels GmbH as its representative under Article 27 GDPR and sent a reply to

Sections 3, 4, 6, 11, 12, 13, 16, 17, 21, 23-24. Section 4 (5), Section 5 (3) to (5), (7) and (8), Section 13 (2) § 23, § 25, 25 / G. § (3), (4) and (6), 25

processing under the GDPR. The local authorities filed a complaint with the Spanish DPA against the complainant for an alleged violation of the GDPR by finding scattered

warning to Escuela Infantil (nursery school) for the infringement of Article 13 GDPR. The decision is the consequence of a complaint filed by a Spanish citizen

entitled to receive the information requested to ABN AMRO on the basis of the GDPR, considering they were not personal data. In the context of a litigation

exclude the defendant from the proceedings. Decision on the substance 39/2020- 23/23 FOR THESE REASONS, the Data Protection Authority's Litigation Chamber, after

para. of the GDPR, the law or regulation that constitutes the legal basis referred to in letters c) and e) of co. 1 of art. 6 of the GDPR, could contain

found that customers’ order data is health data and fall within Article 9(1) GDPR. Amazon does not collect health data stricto sensu but it can draw conclusions

(Art. 6 Para. 1 lit. f GDPR). In this context, Art. 6 Para. 1 lit. c GDPR in conjunction with the PMG and Art. 6 Para. 1 lit. f GDPR relevant: The Respondent

cookies is the IDE cookie of the domain doubleclick.net. SECOND: On 02/14/23, a request letter is sent to the OPENHOST entity S.L. to inform this Agency

was responsible for violating Article 33 GDPR, and issued it with a warning pursuant to Article 58(2)(b) GDPR. The AEPD did not find the former Secretary

77 GDPR equals the right to claim a full substantive investigation and a full substantive assessment by the supervisory authority? Article 57 GDPR provides

and C”. 57See in particular Articles 5.1.a) and 12 of the GDPR, see also recital (39) of the GDPR. 58cf. points 11 and 12 of this decision. 59“Objective 2

interpretation of the GDPR. Second, the court argued with the drafting history of the GDPR which connects Article 15(3) GDPR to Article 20(1) GDPR, showing that

the processing (Article 21(1) GDPR). Finally, the DPA fined the controller €12,000 for a violation of Article 6(1) GDPR due to the lack of a valid legal

provision of personal data on the account is explicitly allowed by the GDPR as Recital 63 GDPR states that, where possible, the controller should be able to provide

VwGO). Recital 64 The fact that the 2022 census collects and processes personal data within the meaning of Art. 4 No. 1 GDPR (Art. 4 No. 2 GDPR), which

personal data of French data subject and held that the GDPR was applicable pursuant of Article 3(2)(a) GDPR. The DPA determined that the controller offered services

article 82(1) GDPR, asking for the data controller to be held liable for the damage caused to them by the data processing which infringed the GDPR. Should a

professional secrecy or other economic or social damage referred to in recital 85 of the GDPR Preamble. Therefore, bearing in mind the principle of accountability

of the GDPR or the second sentence of Article 12(5) of the GDPR or is not limited by EU or German law within the meaning of Article 23 of the GDPR. Above

from the preamble to the GDPR that the GDPR aims to provide natural persons with a consistent and high level of protection (recital 10). This may indicate

profile of this person (35 to 37). justification point). 11 Recital 85. 12 Recital 87. 13 Recital 93. 14 In the judgment, the CJEU addressed issues concerning

the fact that the GDPR incorporates EU antitrust law not only from the wording of the provision, but also from recital 150 to the GDPR. This states: "Where

of the GDPR – (article 13.1. c) of the GDPR) and does not mention the data retention periods personal data processed (article 13.2. a) of the GDPR more precisely);

Article 13 GDPR. In the present case, the controller omitted this obligation. The DPA therefore held that the controller violated Article 13 GDPR by neither

Act and, subsequently, the GDPR. Request for compensation in case his data is processed unlawfully is also in line with the GDPR. The facts that this may

personal data under Article 9(1) GDPR. Their processing would require the data subjects' explicit consent under Article 9(2)(a) GDPR and § 151(4) GewO, ordered

the Article 12 of the GDPR, in conjunction with Article 17 of the GDPR. V Classification of the infringement of article 12 of the GDPR The aforementioned

member state law within the meaning of Art. 23 GDPR. According to Art. 23 Para. 1 GDPR, the rights from Art. 15 GDPR can be restricted by legislation of the

of the GDPR be considered as a restriction on the right to a free copy of the personal data processed by the controller under Article 23(1) GDPR? b) If

violation of Articles 12 and 13 GDPR? Did Nestor fail to respect the exercises of the right of access in violation of Article 15 GDPR? Did Nestor fail to satisfy

Article 2(2)(c) GDPR. When the cameras also record, as in this case, public or private spaces, this provisions doesn’t apply. Therefore, the GDPR was applicable

of the GDPR, which is a condition for a reprimand pursuant to Article 58(2)(b) GDPR. Material scope of the GDPR According to the court, the GDPR applies

Company claimed that under the GDPR, there is no right that a trade union can exercise. They thought that the justiciability of GDPR is limited only to the natural

fairness and transparency under Article 5(1)(a) GDPR, and the principle of accountability under Article 5(2) GDPR. Additionally, the HDPA held that the employer’s

the infringement of the accuracy principle, as per Article 5(1)(d) of the GDPR. The decision is the consequence of a complaint submitted by another Spanish

such acts and uploaded the video to Instagram had infringed Article 6(1) GDPR, for processing personal data without a legitimate basis (namely without

incur major costs of implementation which under Article 32(2) GDPR makes a breach of 32(1) GDPR more likely. Despite the fact that not all data was classified

with article 24 GDPR. They are contained in article 25 of the AVG mentioned above and are explained in more detail in recital 78 GDPR. The defendant therefore

according to Article 23 GDPR, restrictions of obligations and rights under Article 12 GDPR - Article 22 GDPR Article 34 GDPR and Article 5 GDPR, insofar as its

with Article 33 GDPR and Article 34 GDPR. Consequently, it issued a reprimand to the controller in accordance with Article 58(2)(b) GDPR. First, the DPA

constitute a violation of the GDPR? The AEPD held that the email constituted a confidentiality breach and violated Article 32 GDPR, as the law firm had failed

data subject under Article 21(1) GDPR had been violated by the PAR. Did Mrs AAA have a right to object under Article 21 GDPR? Had the PAR infringed this right

article 6 of the GDPR. The assumptions that allow the processing of personal data to be considered lawful listed in article 6.1 of the GDPR: 1. Treatment

fraudulently in the complainant's name. This was in breach of Article 6(1) GDPR (lawfulness of processing). Vodafone payed the reduced fine of €36000 (guilty

LPACAP), for the alleged infringement of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR. SIXTH: On October 13, 2022, DIGI requests the extension

Charter. 61 First, it should be noted that, in the light of recital 19 of the GDPR and recitals 9 to 12 of Directive 2016/680 and by virtue of Article 2(1)

pursuant to Art. 14 par. 5 lit. b GDPR? The President of UODO found that: 1) The applicable provision is the Art. 14 GDPR since the data controller collects

Officer (DPO) under Section 4 of Chapter 4 of the GDPR (see in particular Article 37 GDPR to Article 39 GDPR). One of these audit proceedings concerned a Luxembourg

July 2021. 7GDPR, Art. 12. 8 GDPR, Art. 12.2 and 12.3. 9GDPR, Art. 12.3. 1 GDPR, Art. 12.3. 1 GDPR, Art. 12.4. Decision 158/2022 - 6/13 26. Secondly, it

carry out an investigation of SLIMPAY's GDPR compliance. The DPA found out that SLIMPAY breached several GDPR provisions. The DPA noted that some of the

activity the request relates. The defendant draws on case law, as well as Recital 63 GDPR, which at sentence seven states: "Where the controller processes a large

alleged infringement of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR. SIXTH: On January 23, 2023, DIGI requests a copy of the file and

fraud prevention under Article 6(1)(f) GDPR. Did the company’s policy breach Article 6 or any other articles of the GDPR? The Garante held that the policy breached

democratic society as required under Article 23(1)(j) GDPR. Moreover, the exception provided for under Article 6(4) GDPR which allows processing for different

(articles 12 and 14 of the GDPR); A breach of his right of access (article 15 of the GDPR); A breach of Article 28 of the GDPR with regard to its status

data in the context of telephone jokes. Article 6 GDPR (legality of processing) and Articles 13 and 14 GDPR (transparency) were infringed. The decision is

Article 28 BayVwVfG (cf. also GDPR recital 129). As a remedial measure, the prohibition order is based on Art. 58 (2) GDPR. Since this is a prohibition

5(1)(f) GDPR, Article 5(1)(a) GDPR, Article 5(2) GDPR, Article 12 GDPR, Article 13 GDPR, Article 14 GDPR, Article 24(1) GDPR, and Article 25 GDPR, as a result

came from abusive call centers that process personal data without respecting GDPR. Secondly, the Garante found out a wrongful management of contact lists,

wrongly relied on the GDPR to redact documents. In this judgment, the Supreme Court clarified the relationship between the GDPR and domestic evidentiary

understood as made to the GDPR , in accordance with Article 94 of the latter. Similarly, it appears from recital 173 of the GDPR that this text explicitly

pieces of information (see also Recital 63 GDPR). In accordance with Article 15 Paragraph 3 GDPRArticle 15 Paragraph 3 GDPR, the controller provides a copy

the GDPR also applied to facts before the above-mentioned date. The Court noted that the entry-into-force of the GDPR according to Article 99 GDPR represents

information to The Data Protection Officer. Page 22 of 23 Page 23 The Data Inspectorate DI-2019-9432 2 3 (23) How to appeal If you want to appeal the decision

DPA initiated supervision pursuant to Article 56 GDPR in accordance with the Article 60 GDPR cooperation mechanism. The handover of the complaint was made

had violated Article 6(1) GDPR since the legitimate interest assessment on which the processing was based (Article 6(1)(f) GDPR) was understood as insufficient

damage. As can be seen from recital 146 sentence 3 of the GDPR, the concept of damage is to be interpreted broadly. Recital 75 GDPR cites as examples of damage

Officer (DPO) under Section 4 of Chapter 4 of the GDPR (see in particular Article 37 GDPR to Article 39 GDPR). One of these audit proceedings concerned a Luxembourg

website, Ms. A.A.A., herein the data controller, violated Article 6 GDPR and Article 13 GDPR, as well as Article 22.2 LSSI (Spanish national law). The data

under Article 13 GDPR. Incidentally, the DPA also found that such a privacy policy was not complete and did not comply with the GDPR requirements. In addition

information required under Art. 14 GDPR. recital 60 The defendant requests Recital 61 reject the complaint. Recital 62 As justification, she repeats her

personal data under Article 15(1) GDPR is limited by the law. Limitations result from Article 13(4) GDPR and Article 23(1)(e) GDPR in conjunction with §§ 32a

3 of Recital 51 GDPR, the DSB found that the pictures taken from the data subject did not constitute biometric data according to Article 9(1) GDPR because

review under Article 78 GDPR. The disputed infringement occurred before the GDPR came into legal force according to Article 99 GDPR. Therefore, the data subject's

view to vigorous enforcement of the rules of the GDPR. 24. As is clear from recital 148 GDPR, the GDPR stipulates that in every serious infringement - therefore

Regarding the substitution of the fine with a reprimand, the DPA alluded to Recital 148 GDPR which stated that the applicable sanctions for the violation of the

Articles 57 and 58 GDPR. The NO DPA is the supervisory authority established in line with Article 51(1) GDPR to monitor the application of the GDPR on the territory

accordance with Article 6(2) GDPR and Article 6(3) GDPR for adaptation to the application of Article 6(1)(c) GDPR and Article 6(1)(e) GDPR. The court stressed that

controller violated Article 6 GDPR because it had no legal basis to disclose the email addresses. It reasoned that Article 6(1)(a) GDPR was not applicable because

communications using the GDPR, specifically on the basis of Article 4.11, Article 6.1.a GDPR (consent requirement) and Article 13 GDPR (information to be provided)

Articles 6.1.C and 9.2.i) of the GDPR. 86. In accordance with Article 6.3 of the GDPR, read in the light of recital 41 of the GDPR, the processing of 26 personal

term "pain and suffering" is not used in Art. 82 GDPR or in the other norms of the GDPR. Art. 82 (1) GDPR only standardizes a “claim for damages” for every

also supported by Recital 128 GDPR. Therefore, the court found the independent nature of the church supervisory authorities to be GDPR-compliant. Second

included in the final text in recital 80 of Directive 2016/6805. Although this difference raises the question of why recital (20) of the preamble to the

ECLI:EU:C:1996:404). 9.3. The purpose of the GDPR, as reflected in recitals 1 and 2 in the preamble to the GDPR, is the protection of natural persons with

allowed the processing of sensitive data based on consent and that recital 42 GDPR states that to be freely given, a consent must be based on a real choice

accordance with Art. 17 General Data Protection Regulation (GDPR), after writing of May 23, 2018 the deletion of the entry concerning him about his Bankruptcy

activities fell within the territorial scope of the GDPR under Article 3 GDPR. The territorial scope of the GDPR applies if the processing activities are related

Data Protection Regulation (GDPR). The provisions of Article 15 (4) of the General Data Protection Regulation (GDPR) and Recital 63 of the General Data Protection

forward a balancing test as required by Articles 21(1) and 6(1)(e) GDPR and Recital 69 GDPR. It found that the BKR registration was made correctly and the

member states is superimposed (see Recital 146 S 4 and 5 on the GDPR; cf. also Frenzel in Paal / Pauly, GDPR-BDSG3 Art 82 GDPR margin no.1; Wybitul / Haß / Albrecht

excessiveness of the request under Article 12(5) GDPR alleging that the data subject uses Article 15 GDPR only to verify the validity of the premium increases

95/46/EC (hereinafter: general data protection regulation or GDPR), and Article 6 (1) of the GDPR. 2. The Authority finds that Customer 1 violated the principle

infringement of GDPR can result in non-material damage and that a data subject must receive full and effective compensation of the damages under GDPR, do not mean

controller and processor in the GDPR”, adopted on July 7, 2021. 6 GDPR, Art. 12. 7GDPR, Art. 12.2 and 12.3. 8 GDPR, Art. 12.3. 9 GDPR, art. 12.3. Decision 172/2022

with the GDPR or whether it also covers damages arising from infringements of any provision of the GDPR. It pointed out that Article 82(1) GDPR refers to

violation of the GDPR? The AEPD held that the senders of the email violated the principle of data confidentiality under Article 5(1)(f) GDPR, by revealing

Court of Stuttgart points out that the absence of information of Article 13 GDPR constitutes an unfair trade-based action as understood by § 3 of the national

(and 4(1) GDPR), because the applicant was not identified, and was not identifiable according to the 'means reasonably likely to be used' (Recital 16 Regulation

data in violation of the GDPR. The DPA also held that Google had processed personal data in violation of Articles 5(1)(b) and 6 GDPR by sending notifications

the data minimization principle, as foreseen in Article 5(1)(c) GDPR and Recital 39 GDPR. Share your comment here! Share blogs or news articles here! See

c) GDPR in conjunction with Article 5.1 a) GDPR and Article 5.2 GDPR. - Violation of article 13.1 d) GDPR in conjunction with article 5.1 a) GDPR and

under Article 15(1) GDPR are not covered as such by Article 82(1) GDPR. The court reached this conclusions by looking at Recital 146 GDPR and at the original

precautionary measure in accordance with Art. 21 GDPR and requested a suspension in accordance with Art. 18 GDPR. On August 25, 2020, he complained again about

competence granted to the member states by Art. 23 GDPR, namely the limitation competence of Art. 23 Para. 1 e) GDPR. As far as relevant here, the AO standardizes

of the GDPR. The scope of application of the GDPR is opened pursuant to Art. 2 and Art. 3 of the GDPR. Recital21 Pursuant to Art. 2(1) of the GDPR, the Regulation

(Considering 40 GDPR), Article 6.1 of the GDPR is therefore applicable and not RD 1720/2007 used by the defendant. Thus, the aforementioned article 6.1 GDPR establishes

information under Article 13 GDPR, and for the processing of personal data in a manner contrary to Article 5(1)(a) of the GDPR. A data subject submitted a

and 21 GDPR. No unlawful processing by BKR so that Art. 17 para. 1 lit. d GDPR is not applicable. BKR filed an objection pursuant to art. 21 GDPR to consider

paragraph 5 of the GDPR, Article 15, fourth paragraph of the GDPR and Article 23 of the GDPR (further elaborated in Article 41 of the GDPR Implementation Act

Article 12 GDPR - Article 16 GDPR and whether the controller's processing activities fulfill the principle of transparency in Article 5(1)(a) GDPR and accountability

administrative fine. The DPA found that an entrepreneur violated Article 34 GDPR by not notifying the data subjects about the breach of their personal data

allow them to adequately develop the functions that the GDPR assigns them, as Recital 97 of the GDPR recalls, "The level of necessary specialized knowledge

Article 31 GDPR in conjunction with Article 58(1)(e) GDPR. The AEPD, therefore, agreed to impose a penalty of € 20000 under Article 83(5)(e) GDPR. The fact

with the requirements of Articles 13 and 14 of the GDPR? In relation to Article 13 and 14 of the GDPR, the AEPD held that the information CaixaBank provided

several GDPR violations by the controller, and went on to assess whether they could give rise to the award of immaterial damages under Article 82 GDPR also

whether that data is correct and has been processed lawfully (see recital 63 GDPR ). The GDPR is the successor to the Personal Data Directive 7 , as implemented

powers of the GDPR are linked to the application of the GDPR. National legislation may assign functions and powers inspired by the GDPR, but can also grant

reached by means other than email exchanges. c) Weighing of interests (recital 47 GDPR): It is important to take into account the expectations of the data

of contract (Article 6(1)(b) GDPR), legal obligation (Article 6(1)(c) GDPR) and legitimate interest (Article 6(1)(f) GDPR) and determined that the controller

democratic society to protect the objectives set out in Article 23(1) of the GDPR. According to recital 50, in order to protect these important objectives of general

from the GDPR under Article 2(2) of the GDPR. 165. Article 2(2) of the GDPR outlines certain types of processing of personal data to which the GDPR does not

therefore violated Articles 9(1) GDPR out of negligence. The DPA fined the controller €1,600,000 pursuant of Article 83(5)(a) GDPR and considered this a high

obtain the deletion of the data referred to in Article 17 GDPR, because Article 17 (3) (b) GDPR precludes this. By publishing the decision, the District

is also confirmed by the explanations in recitals 75, 85 and 146 of the GDPR. First, recital 146 of the GDPR, which specifically concerns the right to

transparent manner in relation to the data subject": UK GDPR Art 5(1)(a). This provision is supplemented by Recital 39 which provides, relevantly: "Any processing

of this recital focuses on the data processing activity itself and not on who the actor is. The Court concluded that both Recital 122 and Recital 128 focus

paragraph 2, GDPR). 5) Uber does not explicitly mention the right to data portability/data portability in it privacy statement (art.13,2,b,GDPR). 2/23 Date Unmarked

79 GDPR in cases of an alleged violation of Article 15 GDPR or can such violation only be subject to a complaint before a DPA under Article 77 GDPR? Do

Article 6 GDPR. The DPA established that notwithstanding that the controller has a legal basis for processing, processing is still in breach of the GDPR when

lines and under f, of the GDPR. 14. For a successful appeal to Article 6, paragraph 1, opening lines and under f, of the GDPR, three conditions must be

responsible (Nemitz in Ehmann/Selmayr, Datenschutz-Grundverordnung² Art 82 Rz 23). Where several controllers or several processors or one controller and one

results in particular from Article 23.1 of the Basic Law in conjunction with the Treaties of the European Union. Article 23.1 of the Basic Law obliges the

Article 33(1) GDPR by failing to inform the DPA of the data breach. Second, the DPA held that the controller violated Article 28(1), (3) and (9) GDPR by not concluding

comply with Article 33 (3) of the GDPR. The DPA assessed that the Zoo did not comply with Article 34(1) of the GDPR by failing to carry out an adequate

general validity. In particular, § 23.3 RVG expressly applies only to proceedings in which, unlike those under § 23.1 RVG, the fees are not based on the

Article 9(1) GDPR. Since Article 9 GDPR was not applicable, the DPA examined the lawfulness of the processing under Article 6(1)(e) GDPR which was put

5-9 of the GDPR to press activities does not prevent the application of art. 17 GDPR to press activities; 2) art. 17 sec. 3 lit. a of the GDPR through its

entails that the civil court has exclusive jurisdiction to hear such a request. 23. The Division is of the opinion that in this transitional phase, in which

01"). 21 See in particular Articles 5.1(a) and 12 of the GDPR, see also Recital (39) of the GDPR. _____________________________________________________________

2022, Art. 82 GDPR marginal number 14). With regard to recital 146 sentence 1 of the GDPR, however, processing must have violated the GDPR (Nemitz, in:

consent cf. Article 9(2)(a) GDPR and Article 6(1)(a) GDPR. The DPA referred to Article 4(11) GDPR, Article 7 GDPR and Recital 32 regarding the conditions

minimis threshold. In comparison to pre-GDPR legislation, the court found no difference in the wording of Article 82(1) GDPR which would prevent the continued

placed emphasis on the fundamental rights nature of the GDPR, pointing to Recitals 10 and 59 GDPR. Recital 10 establishes that Member States should provide for

LPACAP), for the alleged infringement of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR. FIFTH: Notified of the aforementioned start-up agreement

of Article 4(1) GDPR. Nevertheless, in this case the controller had the right to disregard the request in light of Article 12(5)(b) GDPR, as the latter

also for treatments carried out for statistical or research purposes (see recital no. 26 of the Regulation and "WP29 Opinion 05/2014 on Anonymization techniques"

article 12.3 . was also committed GDPR and Articles 21.2 and 21.3 GDPR. 3See in that regard also recital 70 of the GDPR: When personal data is processed

dedicated to article 5.1. a) of the GDPR, being able to rely on one of the bases of lawfulness of the article 6.1. of the GDPR. When the data controller plans

negligence of the infringement (Article 83(2)(b) GDPR) the impact on basic personal identifiers (Article 83(2)(g) GDPR) Share your comments here! Share blogs or

Article 5(1)(a) GDPR and Article 6(1) GDPR The DPA held that the controller did not violate Article 5(1)(a) GDPR and Article 6(1) GDPR. The DPA stated

and against accidental loss, destruction or alteration of data. 23. Recital 83 of the GDPR envisages that “[...] the controller [...] assesses the risks

based on a clear interest legitimate in accordance with article 6.1. f) and recital 47 of the Regulation General Data Protection 679/2016, by our company, having

border processing pursuant Article4(23)GDPR.Asthemain establishment ofWhatsApp IE (asdefined in Article4(16) GDPR)wasfound tobe in Ireland,the IE SA was

accordance with the GDPR (Art. 24(1) GDPR), that data protection principles such as data minimisation are effectively implemented (Art. 25(1) GDPR) and that a

data as personal data from the point of collection, and references Recital 26 GDPR. Because of this, the DPA assessed the interference the collection of

Articles 6(1)(b), 5(1)(b) and 5(1)(c) GDPR? The Spanish DPA (AEPD) deemed itself competent under Article 58(2) GDPR in conjunction with Article 47 of the

of the GDPR, article 6, paragraph 1 of the GDPR, article 24 (1) GDPR and Article 25 (1) and (2) GDPR; b. a breach of Article 12(1) and (6) GDPR, Article

consent regulated in Chapter II of the GDPR (Articles 6, 7 GDPR) (cf. Pauly, in: Paal/Pauly, GDPR/BDSG, a.a.O., Art. 44 GDPR no. 2). 122This is missing in the

the reference to Article 79(2) GDPR from Article 82(6) GDPR, and the fact that one could argue that Article 82(6) GDPR overrides Member State procedural

data is a form of processing as referred to in the GDPR (article 4 sub 2 GDPR). Article 6 of the GDPR provides that the processing of personal data is only

that therefore the exemption under Article 2(2)(c) GDPR applied. Article 2(2)(c) GDPR states that the GDPR will not apply if the data is processed in the course

Paragraph 3 GDPR specifies content requirements for an appropriate legal basis, which are clear and precise in the context of recital 41 of the GDPR and should

compliance with the GDPR. Second, the court stressed that not every violation necessarily leads to liability under Article 82 GDPR. As a matter of fact

336. 56 GDPR, recital 45. 57 Article 29 Working Party, op. cit. p. 23. Decision on the merits 77/2023 – 22/49 GDPR, insofar as said processing is carried

noting Recital 148 GDPR, which states that a reprimand may be issued in case of a minor infringement. 21Also worth noting is that under the GDPR, only administrative

Article 5(1)(b) GDPR and against the provisions of Article 5(1)(a) GDPR and Article 6(1)(f) GDPR in conjunction with Article 6(4) GDPR. Further, the DSB

that the GDPR does not apply to the processing of the data of the companies of the complainant's customers with referring to recital 14 of the GDPR, the Disputes

only investigating GDPR infringements but also breaches of the Directive ePrivacy, transcribed into French law. It reminded that GDPR and ePrivacy each

especially in the area of ​​fines,uncontroversially expressed in recital 150 of the GDPR “In order to reinforceand harmonize administrative sanctions for

standard B-VG Art 133 Paragraph 4 DSG §24 DSG §4 GDPR Art 12 GDPR Art 15 GDPR Art 15 Paragraph 1 litc GDPR Art77 UWG §26b paragraph 1 B-VG Art. 133 today

particular that the wording of Article 23(1)(5) excludes the application of the so-called "legalising consent", 3. Article 23(1)(3) and Article 26(1)(3) of the

above. 103. In accordance with the aforementioned Article 23 GDPR, as explained in recital 73 GDPR, however, the rights of data subjects can only be limited

these breaches also entailed a violation of Articles 12(1) GDPR, 5(1)(a) GDPR and 5(2) GDPR. Regarding the information provided by Klarna on the purpose

with GDPR transparencyobligations under Article 13(1)(c) GDPR involves a separateand different legalassessment tothatrequired in Article6(1)(b) GDPR.TheIE

under Article 4(1) GDPR. Moreover the court found that the controller can refuse to act on the request according to Article 12(5)(b) GDPR, because the request

paragraph 1 GDPR and Article 25 (1) GDPR 84. Based on Article 12(1) GDPR, Article 13(1) and (2) GDPR and Article 14(1) and paragraph 2 of the GDPR, it is necessary

101 and 102 TFEU (see Recital 150 GDPR) only applies to those within the meaning of Articles 101 and 102 TFEU (see Recital 150 GDPR). is relevant for the

(1) Data Protection Act - Next search term). 3 Previous search termGDPR; see also Recital 211: "This impact assessment should in particular address the measures

point b) GDPR and Article 100, §1, 5 ° WOG to be reprimanded for the infringement of Article 25 (1) GDPR; b. on the basis of Article 83 GDPR and Articles

for more details. Decision date June 23, 2023 standard B-VG Art 133 Paragraph 4 DSG §1 Paragraph 1 GDPR Art5 GDPR Art6 Paragraph 1 Directive 2014/65/EU

taking into account their relationship to the controller, as stated in Recital 47 GDPR in connection with the EDPB Guidelines 3/2019 on processing personal

Article 13(1)(c) and (2)(a) of the GDPR. II.4. Article 5 GDPR, Article 24 (1) GDPR and Article 25 (1) and (2) GDPR II.4.1. Findings in the Inspection Report

the content provider did not necessarily have to lead to the same result. 23 3 The Hamburg Commissioner for Data Protection and Freedom of Information

reply to the request for information. In its decision, the DPA cited Recital 35 GDPR which specifies that data related to health ‘includes information on

conduct infringed Article 6(1) GDPR in conjunction with Article 83(5)(a) GDPR for the following reasons. Article 6(1) GDPR provides that the processing of

on the merits 46/2024 - 10/16 reverted to Article 6.1. GDPR and recital 50 GDPR. In recital 50 GDPR8 is states that a separate legal basis is required for

Article 4(16) GDPR." Consequently, the DPA concluded that the cooperation mechanism and procedure set out in Article 56(1) GDPR and Article 60 GDPR did not apply

Serooskerken clerk Pronounced in public on November 10, 2021 290. APPENDIX GDPR Recital, recital 39 (...) Personal data may only be processed if the purpose of the

interpretation of the term 'controller' in the GDPR. Indeed, it follows from recital 9 of the preamble to the GDPR that the objectives and principles of Directive

Letter a GDPR). (Article 58 Paragraph One Litera a, GDPR). From this provision, taken together with Article 31 of the GDPR, Article 31 of the GDPR results

confidentiality. Second, the DPA found a violation of Article 32 GDPR. The DPA held Article 32 GDPR requires the controller to have a complete protocol that must

on treatments or procedures (see Recital 63 GDPR). b. If the data is processed in accordance with Article 28 of the GDPR, I request that you additionally

accordance with Article 4(1) GDPR, according to the DPA. The Court of Appeal of Brussels held that, in accordance with Article 16 GDPR, the data subject has the

to Article 2 (1) of the GDPR, the GDPR applies to the processing of data in the present case. The relevant provisions of the GDPR in the present case are

Article 77 GDPR. The Austrian DPA argued that a legal person does not fall within the personal scope of the GDPR pursuant to Article 1(1) and (2) GDPR. Therefore

(Article 6(1)(b) GDPR) and legitimate interests (Article 6(1)(f) GDPR), the DPA found that the controller violated Article 13(1)(c) GDPR by indicating an

privacy policy did not refer to GDPR. Clearview did not have a representative in the Union as mandated by Article 27 GDPR. Accordingly, the activities of

wording of Article 5 Paragraph 1 Letter b) GDPR (“specified […] purposes”) and the wording in Recital 39 Sentence 6 GDPR, (“In particular, the specific purposes

access request under Article 15 GDPR to the office and also requested her personal data to be deleted under Article 17 GDPR. The data subject also claimed

Art. 6 Para. 3 GDPR sets out the content requirements for an appropriate legal basis, which in connection with Recital 41 of the GDPR should be clear

(5) GDPR regarding the exercise of the trade of the address method and direct marketing companies, which are within the borders of the GDPR (Recital Gr

personal data was automated. Thus Article 2(1) GDPR applies and the processing falls within the scope of the GDPR. The DPA assessed that a summons to one of

supported by the structure of Article 78 GDPR, which is strictly intertwined with Article 77 GDPR. Indeed, Article 78(2) GDPR provides the data subject with the

complaining party, thereby contravening article 6 of the GDPR. In this sense, Recital 40 of the GDPR states: “(40) For the processing to be lawful, personal

also falls within the scope of Article 23(1)(e) GDPR, and thus the processing does not violate Article 6(4) GDPR. Hence, the Court concluded that all of

Article 12(3) GDPR. Therefore, the DPA ruled that because the processing carried out by the controller breached Article 12 GDPR and Article 15 GDPR. Since the

Administration did not provide the relevant information under Article 13 GDPR when processing expressions of interest for COVID-19 vaccination on the e-government

her”. 7. Recital 32 of the GDPR materially states that “When the processing has multiple purposes, consent should be given for all of them” . Recital 42 materially

LinkedIn and Salesforce.com. The DPA held that the GDPR was not applicable according to Article 3 GDPR. The controller was a company based in the United

under point 7, they argue. 3.23 The grievance succeeds. Uber argued, without any further explanation, that under Article 23(1)(c), (d) and (h) AVG it is

Letter f GDPR. It is true that the processing of personal data for direct mail can also represent a legitimate interest according to recital 47 GDPR. However

purposes pursued by Article 15 of the GDPR, it is noted that, as specified in Recital 11, the purpose of the GDPR is to strengthen and specify in detail

and 7(1) GDPR; Articles 5, paragraph 2 and 24 GDPR; Articles 12, paragraph 1, j° 13 and 14 GDPR; Article 5(1)(e) GDPR; and Article 7(3) GDPR. - order the

may refuse to comply with access requests under Article 15 GDPR pursuant to Article 12(5)(b) GDPR if they are aimed exclusively at achieving objectives that

Articles 15 GDPR and 12(3) GDPR. The LAG held that a mere violation of the GDPR does not give rise to a right to compensation under Article 82(1) GDPR. The LAG

Article 5.1.f) of the GDPR, typified in Article 83.5 of the GDPR and of Article 32 of the GDPR, typified in Article 83.4 of the GDPR. In order to issue said

following the ruling of January 23, 1998, partially transcribed in the SSTS of October 9, 2009, Rec 5285/2005, and 23 of October 2010, Rec 1067/2006, that

corresponding interest can be found in the GDPR. Notably, the PG referenced Recital 52 and Article 9 GDPR. Recital 52 GDPR states that a derogation from the prohibition

set out in the GDPR, notably those of Article 5 GDPR. As for the second question, the CJEU assessed whether the provisions of the GDPR should be interpreted

data that is needed also for purposes other than those included in Recital 63 GDPR. Moreover, the court held that the access request cannot be considered

done using a water meter and its readout. Article 12(5) GDPR in conjunction with Article 18(1)(d) GDPR does not prevent the charging of an administrative fee

. 7. Recital 32 of the GDPR materially states that “When the processing has multiple purposes, consent should be given for all of them” . Recital 42 materially

applicants' rights. Consequently, the Ministry violated Article 32 GDPR and Article 24 GDPR. The DPA also found that visa applicants were insufficiently informed

permissible in accordance with Art. 88 GDPR in conjunction with Section 26 BDSG, the violation of the GDPR required for Art. 82 GDPR was already lacking. There is

Article 83.4.a of the GDPR. Assessing the circumstances modifying liability, both adverse and favourable, contemplated in article 83.2 GDPR, the AEPD established

Article 13 GDPR even if the contact form is not operational? The Spanish DPA (AEPD) held that the defendant, PSI, violated Article 13 GDPR by failing to

17(3)(b) GDPR nor on Article 18(1)(c) GDPR in order to prevent the automatic deletion of the recordings, as the right to access under Article 15 GDPR is not

procedure fall within the scope of the GDPR pursuant to Article 2(1) of the GDPR and consequently the rules of the GDPR apply to these processing. The Authority

c), typified in article 83.5.a) of the GDPR. SIXTH: Notified of the initiation agreement, the claimant on 09/23/2021 requested extension of the term to

investigation regarding the compliance of processing operations with the GDPR at the ClickQuickNow Sp. z o. o. The UODO found that the company did not

excessive for the intended purpose of processing as per Article 5(1)(c) GDPR and Recital 39 GDPR. The AEPD issued a reprimand on the controller. Share your comments

(2) and 24 (1), (2) GDPR), privacy by design (Article 25 (1) GDPR) and as controller towards its data processors (Article 28 GDPR). Consequently, the Garante

territorial scope of the GDPR, Article 3 of the GDPR assumes of two different cases. In the first case (Article 3.1 of the GDPR), the data processing carried

her". 8. Recital 32 of the GDPR materially states that "When the processing has multiple purposes, consent should be given for all of them". Recital 42 materiallyprovides