Search results

Regulation, hereinafter : "GDPR"), OJ No. L 119 of 04.05.2016 S1, the following administrative offense (s) committed: In any case, from **. February 2020 until

headquarters of [S1] and a second system is operated from the site of [S2]. The video surveillance system installed at the administrative headquarters of [S1] is composed

December 9, 2018 (Annex S1, pages 314 et seq. DA), the attorney-at-law sent the defendant's attorney-at-law to the plaintiff's attorney-at-law, a letter

concept of "explicit consent" in Articles 9(1)(a), 22(2)(c) and 49(1)(a) GDPR. See the commentary on Article 9(1)(a) GDPR for explicit consent. Generally

Article 5(1)(b) does not foresee a certain form of documentation, but Articles 5(2) or 30(1)(a) GDPR require documentation and Articles 6(1)(a), 13(1)(c) and

controller’s (or processor’s) premises in accordance with Article 58(1)(f) GDPR. The search is not restricted to the business premises but a judge’s authorization

further details see Article 14(1)(d) GDPR. Similar to the ex-ante information in Article 13(1)(e) and 14(1)(e) GDPR, Article 15(1)(c) GDPR requires the controller

(Nomos 2018). Recital 70 GDPR. Recital 71 sentence 1 GDPR. Recital 71 sentence 1 GDPR. Recital 28 sentence 1 GDPR, such as Hansen, in Simitis, Hornung, Spieker

alternative means of communication which suit the data subject's specific needs. Under Article 12(1) GDPR, information “shall be provided in writing, or by other

GDPR embodies the principle of transparency in Article 5(1)(a) GDPR, outlining the controller's obligation to actively provide clear and comprehensive information

data subject’s private life, and second, the public’s interest in accessing the information, which may vary depending on the data subject’s role in public

non-material damage. Article 32(1) GDPR reflects the principle of integrity and confidentiality enshrined in Article 5(1)(f) GDPR. The controller and the

subsume the corresponding legal basis contained in Article 6(1)(a) GDPR, 6(1)(d) GDPR and 6(1)(e) GDPR respectively, and would require no additional correlation

identification of sanctionable conduct(s) and infringment(s). For a detailed analysis we refer to paragraph (1). Determination of the starting point of

public interest in the case of Article 6(1)(e) and the controller's legitimate interest in the case of Article 6(1)(f). In other words, there is a balancing

Article 13(1)(a) GDPR. Given the identical wording, see commentary on Article 13(1)(b) GDPR. Given the identical wording, see commentary on Article 13(1)(c) GDPR

Article 25 (1) and (2), Article 28(1), Article 32(1) GDPR, Article 89(1) GDPR). These measures can also be regarded as measures under Article 24(1) since they

individual rights. These criteria have the same meaning as in Article 24(1) and Article 32(1). The "nature" of the processing consists of its “the inherent characteristics”

possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III; (f) assists

May 2020 (Version 1.1), pp. 7-8 (available here). EDPB, ‘Guidelines 05/2020 on consent under Regulation 2016/679’, 4 May 2020 (Version 1.1), pp. 8-9 (available

Article 33 GDPR regulates the controller and processor's obligations in case of data breach. Pragraph 1 imposes an obligation on controllers to notify the

enforcement of the GDPR are SA's main tasks. They summarise the core idea of SA's activities. All other tasks entailed in Article 57(1) GDPR can be understood

legitimate purpose(s) (Article 5(1)(b)); lawfulness of processing (Article 6); adequate, relevant and limited to what is necessary data (Article 5(1)(c)); limited

to Article 32(1) GDPR would be an example of such an obligation. It is also important to stress that, without prejudice to the processor's liability under

ng provision of Article 56(1) GDPR. In such cases, the LSA, i.e. the SA of the place where the controller's or processor's main or sole establishment is

processor’s lead supervisory authority, version 2.1, Section 2.2, available here. Guidelines 8/2022 on identifying a controller or processor’s lead supervisory

Article 30(1)(a) states it should contain the name and contact details of the controller and, where applicable, the joint controller(s), the controller's representative

with Article 33(1) GDPR. Thus, since the supervisory authority should be aware of the data breach, it can also be involved in the controller’s procedure for

information onto a form. The form is stored in the hospital's old paper filing system, where each patient's papers are stored according to surname and first name

guide the reviewer’s decision. Otherwise, it would be completely impossible to express one's own point of view. Pursuant to Article 12(1), which expressly

to include the DPO's 'contact details', i.e. exactly the same wording used in Article 13(1)(b) GDPR. If one were to follow Apple's suggested reading, after

subject’s rights, but not deny them. The grounds for restrictions are exhaustively listed in Article 23(1) GDPR. These grounds, listed in Article 23(1)(a)-(c)

subject’s data by the controller triggers a data subject’s right under Article 13 and 14 GDPR. We reject a strict literal interpretation of Article 79(1) GDPR

CJEU: The CJEU has clarified in C-132/21 that "Article 77(1), Article 78(1) and Article 79(1) of Regulation (EU) 2016/679 [...] must be interpreted as

exercise of a SA's investigative powers under Articles 58(1)(a), (b), (c), (e) and (f) GDPR; decisions following the exercise of a SA's corrective powers

independence and expertise in data protection matters. Paragraph 1 ensures the DPO's timely and proper involvement in any data protection issues. Paragraph

Article 46 - Transfers subject to appropriate safeguards 1. In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer

objection of a SA (Article 65(1)(a) GDPR), when there are different views on which SA is the lead SA (“LSA”) (Article 65(1)(b) GDPR), and where a SA is

prior authorization, irrespective of the requirements of paragraph 1. Article 36(1) GDPR  establishes an obligation for the controller to consult the DPA

to management or the appropriate authority. Articles 39(1)(d) and (e) GDPR lay down the DPO’s obligations in relation to the Data Protection Authorities

restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment

version=1.0 https://www.garanteprivacy.it/documents/10160/0/Bilancio+di+previsione+2019+-+Sintetico.xlsx/700e5df5-f7c3-6510-1bd5-ef90e9824f17?version=1.0

Act (Zakon o varstvu osebnih podatkov (ZVOP-1)) which stayed in force for more than 4 years after the GDPR’s entrance into force. Responding to requests

data on another party’s behalf and on this party’s documented instructions (you are a sub-processor). According to Article 26(1) of the GDPR, joint controllers

the Union. Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact

after IP completion day, the court is not bound (EUWA s 6(1)) but "may have regard" to them (EUWA s 6(2)). (4) The position is different in a "relevant court"

However, Article 5(1)(d) GDPR gives the controller some leeway to continue processing inaccurate data - see more details under Article 5(1)(d) GDPR. Article

necessary to protect an interest which is essential for the data subject's or another person's vital interests, including physical integrity or life, if the data

an advisory role. Articles 70(1)(a) and 70(1)(t) GDPR grant the EDPB an important and new role regarding the Regulation’s consistency mechanism. In particular

 the territory of the European Union (in breach of Article 27(1) GDPR). In such situations s SA may ask the competent authorities of the country of the processor

tie, the President's vote shall prevail. Decisions are published except for cases where there is impediment of a DPA's member. The DPA’s response or decision

May 2020 (Version 1.1), p. 28 (available here). EDPB, ‘Guidelines 05/2020 on consent under Regulation 2016/679’, 4 May 2020 (Version 1.1), p. 27 (available

burdened by data protection rules. Article 85(1) GDPR sets out a legal framework to reconcile the data subject’s right to data protection with the performance

of Article 88(1) GDPR. Therefore, for a comprehensive overview of the term ‘more specific’, please refer to section 2.1 below. Article 88(1) GDPR establishes

organisation or association referred to in paragraph 1 of this Article, independently of a data subject’s mandate, has the right to lodge, in that Member State

pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and (b) the processing is carried

referred to in paragraph 1 within the period referred to in paragraph 3. 7. The supervisory authority referred to in paragraph 1 shall take utmost account

set out in Article 51(1) and 52 GDPR, Article 54(1)(a) GDPR repeats that these should be legislated for through a Member State's domestic law. Under the

up. Indeed, the wording of Article 40(1) establishes that they “shall encourage” this (emphasis added). Article 40(1) GDPR clarifies that codes of conduct

outlines the secretariat's responsibilities, which take on a primarily administrative function. Including the secretariat within the GDPR's legislative rubric

controller is subject, under Article 6(1)(c) GDPR. In line with the general objectives of the GDPR, as outlined in Article 1 GDPR Article 16 TFEU, SAs are also

seconding supervisory authority's authorisation, confer powers, including investigative powers on the seconding supervisory authority's members or staff involved

the code of conduct. This is clear from the wording of Article 41(1) GDPR. Article 41(1) GDPR does not define accreditation. Nonetheless, Article 41(2) GDPR

accordance with that Member State’s law, must act as representative to the Board. While the Commission may participate in the EDPB’s meetings and activities, it

the company’s internal complaint mechanism, cooperation duties with the DPAs, as well as liability and jurisdiction provisions (Articles 47(1)(b), 47(2)(d)

(Article 24(1) RoP). This provision ensures the EDPB's flexibility and ability to act. The EDPB also made use of the authorisation in Article 76(1) GDPR and

following their deliberations. Article 53(1) names four possible appointing bodies. These are a Member State's (i) parliament, (ii) government, (iii) head

secrecy are laid down in the EDPB's Rules of Procedure (“RoP”). Article 33(1) RoP stipulates that in “accordance with Art 76 (1) GDPR”, discussions of the Board

concerning the interpretation of Article 28(1) of Directive 95/46/EC ("DPD"), the Regulation's predecessor. Article 28(1) DPD established the existence of supervisory

function as guiding principles to interpreting the GDPR. Article 1(1) establishes the GDPR's two main aims. First, it aims at protecting natural persons with

processing of the data in question by the recipients. Indeed, under Article 5(1)(d) and 17(1) GDPR, each recipient is individually responsible for correcting, deleting

require the data subject’s identification remain applicable, including, but not limited to, security of processing (Article 32(1) GDPR) and the general principles

not apparent why the principle laid down in Article 72(1) GDPR should be deviated from. Article 72(1) GDPR stipulates that the Board shall take decisions

itself does not impose any formal restrictions on the Article's applicability. Article 81(1) GDPR requires that the competent court of a Member State to

bodies may not interfere in the EDPB's functioning. This arrangement stands in stark contrast to that of the Board's predecessor, the Article 29 Working

just before the deadline of 1 month. That means that if you want to appeal a decision, you've only one month to do so as there's a delay of 2 month after

delegation of power. At first glance, Article 92 GDPR's wording seems to be in conflict with Article 290(1) TFEU, but in actuality it is not. Article 92(2)

Article 71 - Reports 1. The Board shall draw up an annual report regarding the protection of natural persons with regard to processing in the Union and

take account of obligations arising from the third country's or international organisation's participation in multilateral or regional systems in particular

Article 97 - Commission reports 1. By 25 May 2020 and every four years thereafter, the Commission shall submit a report on the evaluation and review of

91 - Existing data protection rules of churches and religious associations 1. Where in a Member State, churches and religious associations or communities

research. In addition, it should take into account the Union's objective under Article 179(1) TFEU of achieving a European Research Area. Scientific research

supervisory authority’s request is to further the performance of its tasks. Following from this, the content and scope of a supervisory authority’s request is constricted

Representatives of controllers or processors not established in the Union 1. Where Article 3(2) applies, the controller or the processor shall designate

this section! You can help us filling this section! There are two options: 1) a "recurso de reposicion" to ask the AEPD to reconsider its decision or 2)

Article 99(1) GDPR, which entered the Regulation into force on 25 May 2016, generating a two-year transition period between the Regulation's entry into

and the EPD is to be found in Recital 10 and Article 1(2) EPD. Article 1(2) EPD provides that the EPD's provisions serve to "particularise and complement

Article 74 - Tasks of the Chair 1. The Chair shall have the following tasks: (a) to convene the meetings of the Board and prepare its agenda; (b) to notify

Article 99 - Entry into force and application 1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official

criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when

margin number 1 (C.H. Beck 2020, 3rd Edition). Ehmann, in Ehman, Selmayr, Datenschutz-Grundverordnung, Article 93 GDPR, margin number 1 (C. H. Beck 2018

Article 42 - Certification 1. The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level

secrecy 1. Member States may adopt specific rules to set out the powers of the supervisory authorities laid down in points (e) and (f) of Article 58(1) in

the adoption of final measures regarding Facebook Ireland Limited, p.42, s. 4.2.1(available here).

processing of personal data (see Article 5(1)(a) GDPR), the need to limit the purpose of such processing (see Article 5(1)(b) GDPR), the requirement to have a

Article 43 - Certification bodies 1. Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, certification

https://www.dsb.gv.at/dam/jcr:ee7b155a-0a1f-4d00-98e9-902314c7022d/Datenschutzbericht%202022.pdf Report: Europe’s governments are failing the GDPR by Brave

Article 66 - Urgency procedure 1. In exceptional circumstances, where a supervisory authority concerned considers that there is an urgent need to act in

engagement working on the DPA's guidance service over the phone. About 58% are women and 42% men. Historical numbers (Datatilsynet's annual report 2021): 2021:

their work. The President shall exercise the employer’s rights over the public officials and the NAIH's employees. Based on constitutional provision, the Act

its Member State in accordance with Article 55(1). In that case, the urgent need to act under Article 66(1) shall be presumed to be met and require an urgent

Article 84 - Penalties 1. Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements

provision is aimed at reinforcing the processor’s obligations to only act in line with the controller’s instructions, as well as at clarifying that these

that point, it is important to note that Article 13(1)(f) GDPR, Article 14(1)(f) GDPR, Article 15(1)(c) GDPR and Article 15(2) GDPR, make specific reference

Article 6(1)(c) GDPR (i.e. processing is necessary for compliance with a legal obligation to which the controller is subject) or Article 6(1)(e) GDPR (i

in the same sector, it may be a good idea to check the proccessing in one's own organisation in this regard as well. The activity reports usually also

Saxony's procedural law, "Lower Saxony Administrative Procedure Act", is Niedersächsisches Verwaltungsverfahrensgesetz - NVwVfG. Corresponding § 1(1) NVwVfG

Of the 1,046 complaints that were resolved from 1. 1. 2018 to 24. 5. 2018 the DPC has only made 12 formal decisions, which is equivalent to 1,1% of the

for the companies in their compliance work. On 1 October 2020, it publishes a small report helping the SME's to implement correctly GDPR: Report in French

the Act of 1 August 2018 on the organisation of the National Data Protection Commission and the general data protection framework; the Act of 1 August 2018

Acts relating to data protection in a manner which corresponds with the GDPR's regulatory framework. Given that data protection affects several different

between them. This way, Article 50 GDPR expands the exhortation under Article 57(1)(g) GDPR that calls for cooperation between EU DPAs, across borders. This provision

on the organisation and functioning of of support services for the CNPD [1]. Regulation n.º 301/2020, of March 31, on the value of fees to provide GDPR

in three distinct circumstances, as outlined below. First, under Article 64(1) GDPR, the consistency mechanism is triggered when a supervisory authority

The funding for 2022 is €1,486,803. Historical numbers: 2021: €1,226,404 2020: €1,053,392 The DVI has 33 employees as per 1st October 2022 out of totally

Relationship with previously concluded Agreements → Chapter 1: General provisions Article 1: Subject-matter and objectives Article 2: Material scope Article

Processing of the national identification number → Chapter 1: General provisions Article 1: Subject-matter and objectives Article 2: Material scope Article

for example, the Commission's legal service. It therefore, has its own legal service who goes to Court in the institutions's behalf. The Supervision and

Transfers or disclosures not authorised by Union law → Chapter 1: General provisions Article 1: Subject-matter and objectives Article 2: Material scope Article

to § 25(1)(2) LDSG and § 40(1) BDSG for complaints in the private sector within Baden-Württemberg. Complaints can be filed online on the LfDI's website

209/83, 1 BvR 269/83, 1 BvR 362/83, 1 BvR 420/83, 1 BvR 440/83, 1 BvR 484/83 (in DE) (Abstract in EN) - ECLI:DE:BVerfG:1983:rs19831215.1bvr020983 Translated:

https://www.uoou.cz/organizacni-struktura/ds-1063/archiv=0&p1=1059 Information about the law governing the DPA's activity can be found here. Complaints are governed

your complaint which is being herewith attached for your record. Next Steps: 1. A preliminary assessment of your complaint will be conducted to determine

to approve the Government's candidate for the position of the President. The Structure of the Slovak DPA: President President´s office Vice-President DPO

help us by filling in this section! Annual reports are published on BayLDA's website.

resides in Stockholm and is in charge of enforcing the GDPR in Sweden. On 1 January 2021, the Swedish data protection authority changed their name from

01008 Vitoria, Álava, Spain Webpage: https://www.avpd.euskadi.eus/s04-5213/es/ Email: [1] Phone: +34 945 016 230 Twitter: https://twitter.com/avpd_dbeb Official

Article 57(1)(f) of the GDPR, each supervisory authority is required on its territory to handle complaints which, in accordance with Article 77(1) of that

list of results displayed following a search made on the basis of a person’s name. In March 2010, Mario Costeja Gonzalez, a Spanish national, lodged a complaint

the Union. Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact

basis: Art. 4 (1), (2), (7) and (8), Art. 5, Art. 44, Art. 46 (1) and (2) (c), Art. 51 (1), Art. 57 (1) (d) and (f), Art. 77 (1), Art. 80 (1) and Art. 93

State? Can Article 4(1)(a) of [Directive 95/46], read in conjunction with recitals 18 to 20 of its preamble and Articles 1(2) and 28(1) thereof, be interpreted

possible here. Subparagraph (1)(b) therefore has to be written as #1b! Example: [[Article 6 GDPR#1b|Article 6(1)(b)]] becomes Article 6(1)(b) and links to Article

and letter f., Article 5, paragraph Article 6 (1) (a) Article 32 (1), (1), (33) 1 and 35, para. 1. Below is a more detailed review of the case and a justification

The civil procedure is mainly regulated in the Law 1/2000, of 7 January, on Civil Proceedings (Ley 1/2000, de 7 de enero, de Enjuiciamiento Civil). Spanish

of the controller's obligation to inform all recipients of the exercise of the rights that the data subject has under Articles 16, 17(1) and 18 GDPR. The

information stored in the user's terminal equipment or the recording of information in the user's terminal equipment: 1 ° Either, for the sole purpose

balance of the controller’s interest and the fundamental rights and freedoms of users which call for protection under Article 1(1) Directive 95/46. Share

of its users. Also note the Spanish DPA's decision for Grindr, which contradicts several of the Norwegian DPA's findings. Share blogs or news articles here

subsection 1, letters c and f, and Article 5, subsection 1, letter a, cf. Article 6, subsection 1, and Article 32, subsection 1, Article 33, subsection 1, and

subsection 1, letters c and f, and Article 5, subsection 1, letter a, cf. Article 6, subsection 1, and Article 32, subsection 1, Article 33, subsection 1, and

accordance with clause 5.1.1 b of the terms of Google's processing of personal data for Google's advertising products and also Google's terms and conditions

Wiesbaden doubted the HBDI’s line of argument and referred the following questions to the CJEU under Article 267 TFEU: (1) Is Article 77(1) of [the GDPR], read

15 (3) sentence 1 of the GDPR (question 1). Is this also a specification or modification of the general right of access under Article 15(1) of the GDPR and

defined in paragraph 39 of Part 4 Schedule 1. In particular, the policy document must (1) explain the controller's procedures for ensuring compliance with

A minor passenger had suddenly opened the cab's door, which scraped the side of a tram. The taxi driver's insurer refused to pay out on the basis that the

List of results List of results by case List of documents Search result: 1 case(s) 1 documents analysed Deutsche WohnenCase C-807/21 Reports of Cases Information

Matters (1) Prosecutor’s offices Courts of appeal (15) Prosecutor’s offices High Court of Cassation and Justice Prosecutor’s Office Romania's judicial

with the violation of article/and 5.1. c); 6.1.; 13.1. (c);13.1(e) and13.2(a)AVG: r PAGE 01-00001582885-0002-0033-01- □1-� r L _JCourt of Appeal Brussels

violated the applicant's rights, 8&168Abs. 1S.1GWB. The invitee is to be excluded from the award procedure pursuant to section 57(1) no. 4 VgV because the

application 1.b., from §§ 1, 3 para. 1 no. 1, 4 UKlag in conjunction with §§ 307 para. 1, para. 2 no.1 in conjunction with Art. 5 para. 1 lit. a), Art

Ordinance Article 5 No. 1 letter a and c, 6, 12 Nos. 1 and 13. " The reason for the reduction in the size of the fee was the company's difficult financial

to Article 22(1) of the Labour Code, the employer requires from a person applying for employment to provide personal data including: name(s) and surname;

(2018) §1, GDPR A4, GDPR A5 (1) Judge Thyness: Questions and background of the case (2) The case concerns the validity of the Privacy Board's decision

accordance with clause 5.1.1 b of the terms of Google's processing of personal data for Google's advertising products and also Google's terms and conditions

Article 6(1)(a) and 4(11) GDPR in a case concerning the requirements of consent). Always use the most specific sub-paragraph (e.g. Article 6(1)(a) GDPR

accordance with clause 5.1.1 b of the terms of Google's processing of personal data for Google's advertising products and also Google's terms and conditions

basis of Article 6(1)(b): “...there is a risk that the Draft Decision’s failure to establish Meta IE's infringement of Article 6(1)(b) GDPR, pursuant to

processing by the defendant can only be Article 6 (1) sentence 1 lit e) DSGVO (see b) or Article 6 (1) sentence 1 lit f) DSGVO (see c), the requirements of which

used. 30EDPB's Recommendations 01/2020, point 128; IMY's translation. 31 EDPB's Recommendations 01/2020, point 77; IMY's translation. 32EDPB's Recommendations

subsection 1 point 1 of the Data Protection Act. According to Section 6, Subsection 1, Clause 1 of the Data Protection Act, Article 9, Section 1 of the Data

from the following assessment of the evidence: 2.1 The finding under 1.1 is based on the complainant's unobjectionable submissions and a consistent view

that the website's legitimate interest is based on the public's interests in the choice of health personnel. The doctor's interest must be regarded as purely

require the practitioner to provide a free copy of the patient's personal data when the patient's request is for a purpose other than those mentioned in the

Commissioner is not obliged to reach a decision on every complaint in light of Art 57(1)(f) UK GDPR. The data subject made an access request (DSAR) to Wise Payments

Finnish Data Protection Ombudsman's opinion on the lawfulness of the processing of their personal data by the City of Helsinki's Social services and healthcare

The CJEU answered preliminary questions regarding Articles 5(1)(b) GDPR and 5(1)(e) GDPR and held that national courts had to determine, using the factors

referred to as [applicant] and the State. 1 The procedure 1.1. An application dated 30 January 2019, with productions 1 to 10, was received at the Registry of

prohibited those companies from 1) making – in the general terms of use – the use of Facebook subject to the processing the user’s ‘off-Facebook data’ and 2)

exceptions in Article 9(1) GDPR, Article 15 GDPR, Article 16 GDPR, Article 18(1)(a) GDPR, Article 18(1)(b) GDPR, Article 18(1)(d) GDPR, Article 20 GDPR

The CJEU held that the remdies in Articles 77(1), 78(1) and 79(1) GDPR can be exercised concurrently with and independently of each other, even when referring

Éric PÉRÈS on February 1, 2019 as rapporteur on the basis of Article 47 of the Law of January 6, 1978. By letter dated February 1, 2019, the President of

secured in Chapter 2 § 1 in the Instrument of Government and Chapter 2 § 1 of The Fundamental Law on Freedom of Expression, and Chapter 1 § 1 in the Fundamental

before which the CNIL's decisions are challenged, pursuant to Article R 311-1, par. 4 of the Code of Administrative Justice. Any CNIL's decision can be challenged

GDPR was caused by third parties outside of the controller's control? 5) Does Article 82(1) and (2) GDPR allow the anxiety caused by a hacking attack to

fined Equifax, a credit ranking agency, €1,000,000 for failing to comply with Article 5(1)(a), 5(1)(b), 5(1)(c), 5(1)(d) and with Article 14 GDPR. The authority

when it’s necessary for duties or rights under labour law following § 6. Personal data can be processed on the basis of Article 6(1)(e) if it’s needed for

Act, ZDR-1) and in “Zakon o evidencah na področju dela in socialne varnosti (Labour and Social Security Registers Act, ZEPDSV). The employee's consent to

The DSG 1978 introduced the Constitutional Right to Data Protection in § 1 DSG. Austria also gave the ECHR constitutional status, whereby the Right to

защита на личните данни), promulgated with State Gazette No. 1/ 4.01.2002 and entered into force 1.01.2002). Bulgarian law does not define legal entities as

processed by a social network through transmission from the company’s or individual’s website. Share blogs or news articles here!

defendant: IAB Europe Interlocutory decision 01/2021 - 3/6 1. Facts and procedural history 1. Several complaints have been lodged against Interactive Advertising

business. The penalty imposed for the identified violations of Articles 5(1), 6(1) and (4) and 9 of the GDPR is not final, as the defendant has appealed against

application of art. 5, paragraph 8, of Regulation no. 1/2000 on the organization and functioning of the Guarantor's office, which provides that «In cases of particular

personal data, within the meaning of Directive 95/46? If the answer to Question 1 is that all or some of such information may be personal data within the meaning

Freedom - La Ligue des Droits de l'Homme - the defendant: IAB Europe 1. Justification 2 1. Pursuant to the agreement concluded between the parties, as ratified

us fill this section! In Luxembourg the GDPR is implemented by the Loi du 1er août 2018. You can help us fill this section! You can help us fill this section

Section 6(1)(1) of the Finnish Data Protection Act, according to which insurance institutions may, despite the general prohibition in Article 9(1) GDPR, process

commissioner's office has responded to the doctor's clinic's message on the same day and pointed out that the data protection commissioner's office has not

treaties (1) or the national provisions of § 173 sentence 1 VwGO in conjunction with § 173 sentence 1 VwGO. § 328 ZPO or §§ 108 f. FamFG (2). 53 (1) The judgment

subsection 1, point 1 of the Data Protection Act. According to Section 6, Subsection 1, Clause 1 of the Data Protection Act, Article 9, Section 1 of the Data

consequence, Meta’s assessment of the elements of Article 6(1)(f) has been skewed correspondingly. 7.2.1.3. Necessity We find Meta’s assertion of necessity

Article 6(1), Article 7(1), Article 24(1), Article 25(1), Article 32(1)(b), Article 32(1)(c) and Article 32(1)(b), Article 32(1)(c) and Article 32(1)(d). d

violated Article 5(1)(a) GDPR, Article 12 GDPR, Article 13 GDPR, Article 15 GDPR and Article 25(1) GDPR by not implementing the data subject's access request

8 (1) and (5) of Directive 95/46 or in Article 9 (1), Article 10 (1) and Article 10 of Regulation 2016/679, the infringement of the data subject's fundamental

that the respondent's installed and operational video surveillance system (that includes two cameras, one at the entrance of the latter's property and one

power of attorney to exercise the data subject's right of access. Next, the DPA held that Article 6(1)(1) of the Finnish Data Protection Act (Tietosuojalaki)

protected by articles 10 (general right to privacy), 11 (inviolability of one's body), and 13 (secrecy of correspondence) of the constitution. Provisions of

data subject's personal data in violation of Article 5(1)(c) GDPR and Article 15(1) GDPR. Firstly, the DPA found a violation of Article 5(1)(c) GDPR, as

these facts, Italy’s DPA found Vodafone S.p.A in violation of the following GDPR provisions: Article 5(1) and Article 5(2) and Article 25(1): for failing to

comply with section 5.1(b) of the MDR, and for failure to comply with section 5.1(a) of the MDR. and 5.1(b), 6.1, 25.1 and 25.2, 32.1 and 32.4 of the MDR

companies use that information to determine the debtor’s creditworthiness, by assessing the debtor’s ability and/or willingness to pay, after which they can

6 Para. 1 S.1 f) GDPR are not met. Legally, the Authorization to transmit data from debtors to credit agencies, according to Art. 6 Para. 1 S. 1 f and Para

Audiovisual Media and Communication S.A. [NCAM S.A.]. The HEDNO S.A. denied the issuing of such a certificate. The company's response to the application focused

Section 6(1)(1) of the Finnish Data Protection Act, according to which insurance institutions may, despite the general prohibition in Article 9(1) GDPR, process

Authority (APO below}, what it does on June 17, 2020 » 1• 1 Impugned Decision, Exhibit 36, §§ 1 - 24. 1 PAGE 01-00003026497-0006-0025-02-01-� L_JCourt of Appeal

complainant prior to DMI's change of the institute's procedure for obtaining consent has been justified, as well as whether the institute's current processing

processing the claimant's data. Do data on the "affinity for a political party" qualify constitute personal data under Article 4(1) GDPR? If so, do they

000 only because of the DPA's long case processing time. In 2019, a company enabled automatic forwarding of an employee's emails during a sick leave, because

controller TELEKOM ROMANIA MOBILE COMMUNICATIONS S.A. and found a violation of the provisions of art. 32 para. (1) and para. (2) of the General Regulation on

according to To 1): € 1.200,00 To 2): € 300,00 To 3): € 300,00 . . . In total: € 1.800 To 1): 3 days To 2): 1 day To 3): 1 day ... In total: 5 days Ad 1): Art.

employed by the defendant from February 1, 2015 under an oral employment contract for a net amount of EUR 1,100.00 (EUR 1,475.00 gross) with a working time of

complainant. Specifically, the DSB cites Articles 5(1)(b) and (e), 9(2)(j), 89(1) GDPR and Section 7(1)(1) and (2)(1) GDPR. In particular, it follows from Article

information from the data subject's doctor in the form of a medical report, which was then distributed to the data subject's coworkers. The data subject believed

paragraph 1 sentence 1, 818 paragraph 1 and 2 BGB and the defendant owes neither the surrender of uses nor the reimbursement of pre-court attorney's fees.

controller's credit register because of three cases, requested the DPA to order controller to delete their personal data from the controller’s credit information

controller's credit register because of four cases, requested the DPA to order controller to delete their personal data from the controller’s credit information

pertaining to human dignity (Article 2(1) Greek Constitution) and to the right to freely form one's personality (Article 5(1) Greek Constitution). The HDPA focused

Administrative Court. 3. Legal Assessment 3.1. To dismiss the complaint 3.1.1. In accordance with Art. 15 Para. 1 GDPR, the data subject has the right to request

The controller also ignored HDPA's previous order to comply with the parent's request, thus violating Article 15(1) and (4) GDPR as well as the principle

ESPAÑA, S.A.U. 02/08/2023 DEUTSCHE requirement to DEUTSCHE BANK, S.A.E. 02/08/2023 Request TELEFÓNICA MOVILES to TELEFÓNICA MÓVILES ESPA- ÑA, S.A.U. 02/09/2023

legal grounds for this in Article 6(1)(f) GDPR, pursuing a third party's legitimate interest. After receiving the DPA's notification of a fine, the company

subject has objected to its processing pursuant to Article 21(1) of the GDPR (Article 17(1)(a), (c)(1) and (d) of the GDPR). A request for erasure would therefore

Article 5(1) GDPR. 5. In the present case, New York College S.A. is the controller since it is proven that it has processed the complainant’s personal data

close A's external access to the employer's server, as well as initiated forwarding of all incoming e-mails from A's e-mail box to the department head's e-mail

Article 15(1) GDPR. For the above reasons, the Hellenic DPA issued a total fine of €210.000 and instruct (the controller) to satisfy the complainant's right

the transmitted data (see point II.1.3 or II.1.3.1) at least in combination, personal data according to Art. 4 Z 1 DSGVO. For the lack of an appropriate

DEYA X violated GDPR's data minimization principle Article 5(1)(c) by sharing an employee's personal and health data with multiple recipients without proper

the public: 0117 OSLO Offl §13 cf. Fvl §13 no. 1 Their reference Our reference Date 9135764/1 20 / 01790-1 (19/01267) / EHN 22.12.2020 Decision on the imposition

Chapter 5 contains the operative part and the legal remedies clause. 1. Introduction 1.1 Legal entities involved and reason for investigation OLVG is a foundation

infringement of Article 5.1 c) AVG has been proven. f)Transparent information (Article 5.1(a); Article 12.1. and Article 13.1. and 13.2. AVG) 43.The complainant

third-party action (1.). On the complainant's side, his general right of personality (Article 2.1 in conjunction with Article 1.1 of the Basic Law) in

April 1st, 2017 to March 1st, 2020, a total of €1,438.56 28 - in the statutory contribution surcharge G...: 36 monthly payments of €4.00 from April 1st, 2017

Article 57(1)(a), Article 58(2)(d) and (i) in connection with Article 5(1)(a), (e) and (f) and (2), Article 24(1) and (2), Article 28, Article 30(1)(d) and

the relevant court act and are undisputed. 3. Legal Assessment 3.1. To I to A) 3.1.1. Legal situation: Art. 12 of Regulation (EU) 2016/679 of the European

offer of services of the Information Society. Without prejudice to Article 8(1) GDPR, for child under the age of fourteen, consent is only valid if provided

concerning the violation of Articles 5.1. c); 6.1. ; 13.1. c); 13.1. e) and 13.2. a) of the GDR:- pursuant to Article 100, § 1, 9° of the ICA, to order the respondent

June 2017, Satakunnan M a r k k i n a p ö r s s i O y k a i S a t a m e d i a O y k a t a F i n l a n d i a s § 165). Also, in the same recent decision,

respondent dated January 3, 2019. On April 1, 2019, the Director of the Spanish Data Protection Agency, granted the claimant's appeal for reconsideration. SECOND:

be issued, Art. 33 Para. 1 M 158/10 -, resolution of September 14, 2012 - 1 M 94/12 - and resolution of October 25, 2012 - 1 M 103/12 -, each juris). The

against the company COMERCIALIZADORA REGULADA GAS & POWER, S.A., belonging to NATURGY ENERGY GROUP, S.A. with NIF A08015497 (hereinafter, the claimed party)

com Oyj's customers can actually be considerably long. 14. According to the controller's view, it is good customer service and in the customer's interest

(Datatilsynet) held that the controller had breached Articles 5(1)(a) and (c), 6, 12(1) and 13 GDPR and for this fined the controller NOK 100,000 (approximately

the defendant's office located in the ***ADDRESS.1, in ***LOCALITY.2 (***LOCALITY.1) requesting the withdrawal of funds from the claimant's account, failing

contents Nos. 1, 3, 4, 5 and 83, as well as content No. 64. 1 SPMT-ARISTA is an external service for prevention and protection at work, which since 1 January

wording of Articles 21 (1) sentence 1, 22 (1) and 4 no. 4 of the GDPR as well as recitals 71 p. 1, 2 and 72 can be interpreted as follows. 1, 2 and 72 can be

of the GDPR. SECOND: APPOINT R.R.R. as instructor. and, as secretary, to S.S.S. indicating that any of them may be challenged, if applicable, in accordance

***NIF.1, for a violation of Article 6.1 and another of article 13 of the RGPD, typified in Article 83.5 letters a) and b) of the RGPD, a fine of €1,500 (€1

for 1: 1,000 euros 74 Application for 2: 1,000 euros 75 application for 3a: 3,000 euros 76 Application for 3b: 1,000 euros 77 Application for 4: 1,000

focused beyond the private property of the controller's, violating Article 5(1)(c) and 13 GDPR. On 1st of August 2022, the data subject submitted a complaint

000 for a violation of Article 5(1)(f) of the GDPR. A customer of a gas distribution company (Madrileña Red De Gas, S.A.U) complained to the AEPD claiming

to injunctive relief from § 29 para. 1 sentence 1 no. 2 BDSG old version, but from § 29 para. 1 sentence 1 no. 1 BDSG old version, although the "basic

***NIF.1 (hereinafter, the part claimed), for the installation of a video surveillance system located in URBANIZATION ***URBANIZATION.1, ***LOCALITY.1, LLEIDA

with the provisions of Article 6(1)(c), Article 6(1)(f) GDPR, or both provisions? 2.     Does the answer to Question 1 mean: a)      that the person whose

Exchange's cookie. ▪ The user identification of a DSP, often derived from the Ad Exchange's cookie that is synchronised with a cookie from the DSP's domain

breach of Articles 14.1-2 combined in Article 12.1 and 12.3, 15.1 combined with Article 12.3 and 12.2., 5.1 c) and 5.2. and 24.1-2 of the GDPR, justify

the applicant’s personal file.13      Thirdly, the DPO stated that that officer’s legal obligation to retain personal data in the applicant’s personal file

***LOCATION.1, dated November 29, 2021, Verbal Trial XXX/2020, in which ruling dismissed fully the claim filed by Fusiona Soluciones Energéticas, S.A, against

functions assigned to the control authorities in the article 57.1 and the powers granted in article 58.1 of the Regulation (EU) 2016/679 (General Data Protection

referred to as [applicant] and the State. 1 The procedure 1.1. An application dated 30 January 2019 with productions 1 to 7 was received at the Registry of

for the Authority to deal with L’s complaint against 401 GWN, pursuant to Articles 57(1), point (g) of GDPR and 13 par. 1 point g. 4624/2019, and to exercise

violation of articles 38.1, 38.3, 39.1 a) and 39.1 b) of the GDPR; - to issue an injunction against Company A to comply with Article 38.1 of the GDPR, within

defendant asked the applicant to renew the defendant's access to information, and in particular information on (1) the telephone numbers of advertisers ; (2) the

com/resources/assets/slt3lc6tev37/1M1j5uuFDuLTYiZJJDPBag/bda8d591447971b3df2bccf5aa4e0916/Customer_DPA_v.3_1_-_en_1_Oct_2020.pdf https://edpb.europa.e

applicant's international wanted notice. In addition to the applicant's name and age, the news contains public information about the applicant's crime and

91 Paragraph 1, 709 S. 1, S. 2 ZPO. 44 The amount in dispute is set at a total of 16,000.00 EUR. The determination is based on §§ 48 Abs. 1 GKG, 3 ZPO.

complaint against the complainant regarding the latter's posts on social media that violated the College's Code of Conduct due to their homophobic and racist

(c)), C/EX/2332-1/14-05-2019 (for the complaint under (b) and (c)) and C/EX/2332-1/14-05-2019 (for the complaint under (d)). d'), C/EX/3218- 1/06-06-2019 (for

this data and had therefore violated Articles 9(1) GDPR out of negligence. The DPA fined the controller €1,600,000 pursuant of Article 83(5)(a) GDPR and

with Art. 2 para. 1, Art. 1 para. 1 GG, Art. 17 para. 1 lit. d) DSGVO, because her personal data is stored according to Art. 6 para. 1 lit. f. DSGVO had

GDPR), grants each control authority and as established in articles 47, 48.1 and 64.1 of the Law Organic 3/2018, of December 5, Protection of Personal Data

minimization, Article 5(1)(c) GDPR: inadequate and offensive comments or irrelevant comments related to people's health were found in the company's customer file;

healthcare personnel: Article 6(1)(f), legitimate interest. For the subjective personal data about healthcare personnel: Article 6(1)(f), legitimate interest

”According to the insurance company’s claims, the retention of the complainant’s data was necessary, in accordance with Article 17 (1) (a) of the GDPR, to meet the

Furthermore, the DPA found the bank’s proposal, of correcting the complainant’s name in the online banking website but not in the bank's underlying systems, to be

e7141c720c53441c2483c; has_js=1; _gid=GA1.2.1837808855.1597415922; _gat=1 Upgrade-Insecure-Requests 1 If-None-Match" 1597405902-1" Cache-Control max-age=0”

the employee’s wrongful acts and his employment has changed in such a way as to distinguish it from the employer’s liability. The employee’s activities must

also a reference to that decision. Relative highlights of the Greek DPA's Directive 1/2011 is that the CCTV (i) shall be used as a supervising tool only when

a data subject's arrest warrant, as this information was outdated and was no longer of importance to society. Pursuant to Article 17(1) GDPR, the data

the claimant's medical data to unauthorized persons constitutes a violation of article 5.1.f) of the GDPR SAW The violation of article 5.1.f) of the RGPD

Article 102 (1) (1) and (3) of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019. item 1781), as well as Article 57 (1) (a),

respectively. III Article 5.1.f) of the GDPR Article 5.1.f) “Principles relating to processing” of the GDPR establishes: "1. The personal data will be:

of children’s personal data. The DPA held that the legal basis for the processing activities could hardly be determined from the controller's privacy policy

grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, Protection of Personal Data

be/content/ECLI:BE:CASS:2021:ARR.20211007.1N.4/FR?HiLi=eNpLtDK2qs60MrAutjI2sFJKT01PLUvNK05K LU7OSC3KzcxLL04sLckvyixJzSxRss60MoSqdHd1dw1z9Qt2cg129nAN8vX0cw92DA3xD/IM

wording, approved by the 1st Commission on July 27, 2017 , which consisted of the splitting of article 1 into two articles - 1 and 2 - with consequent remuneration

Schufa’s processing was compliant with domestic law. The data subject then appealed to the Administrative Court of Wiesbaden, under Article 78(1) GDPR.

that the physician violated also art. 12 par. 1 GDPR obligation to facilitate the exercise of applicant’s right of access by imposing as the unique way

***LOCALIDAD.1 (***PROVINCIA.1), on August 7, 2019, with identification number certified ***ATESTADO.1` and the invoice number ***FACTURA.1 issued by VDF

Recipient Interim opening practicability H o w F o f b o a r d s Treatment round: 27/01/2021,(1 B ru ssel Section Market Court room 19A Judgment Offered on

reported a data breach on city council X's website, because citizens' personal data was easily accessible on the controller's website by modifying the last five

violating Article 5(1)(c) and Article 5(1)(e) GDPR. The DPA of Berlin fined Deutsche Wohnen SE for violating Article 5(1)(c) and Article 5(1)(e) GDPR, because

company’s letter of 04-01¬ 2019 under the name ‘Zariropoulos S.A.’, which we attach.’It is apparent from that letter that the company Zariropoulos S.A. carried

administrative procedures." II Article 5.1.f) of the GDPR Article 5.1.f) "Principles relating to processing" of the GDPR establishes: "1. Personal data will be: (…)

processing data for credit scoring purposes in light of Articles 5(1)(c), 5(1)(e) and 6(1)(f) GDPR and held that financial data may be stored for more than

complainant outlined that they sent an email to BBVA’s data protection officer outlining that BBVA’s application did not provide the possibility to refuse

controller’s privacy policy did not mention any legal basis, and the DPA determined that the legal grounds of Article 6(1)(b), 6(1)(c), Article 6(1)(d) and

exception to the duty of confidentiality in Portuguese tax law, an individual's National Tax Number and associated home address are both considered personal

subject's personal data. Even then, the company should have responded to the request and said that the company no longer processes the data subject's personal

to Article 58 ( 1) of the Data Protection Regulation [1] . 2 (e) . However, all affected data subjects who are specifically Intervare's customers must be

need to monitor those places and even people's belongings workers. This should lead us, in the appellant's opinion, to apply in this case the principle

case, the collection of children's personal data takes place when using services provided directly to them; - Article 25(1) of the Regulation, which requires

considered the low number of affected data subjects (1); the fact that the controller is a small company (only 1 employee); and the low volume of data processed

functions assigned to the control authorities in the article 57.1 and the powers granted in article 58.1 of the Regulation (EU) C/ Jorge Juan, 6 www.aepd.es 28001

lorsque les données à caractère personnel sont collectées auprès d’elles. 1. S’agissant de l’accessibilité de l’information 41. '''En premier lieu''', le

Articles 15(1) and 12(2), (3) and (4) as the controller did not respond to the access request and did not facilitate the exercise of the data subject's rights;

défendeurs", tous deux représentés par Mme Caroline Curtis. 1. Champ d'application de la procédure 1. L'affaire a été portée devant la Chambre du contentieux

telephone number of the complainant’s office indicates that, if the recipient so wishes, they are excluded. The applicant’s collaborators had been specifically

such actions of Article 25 of the Code of Civil Procedure1. 1 See, by way of example, the Authority's Decision No 73/2018. 5 3. As is clear from the content

communication and that he did not obtain the recipient's consent. Moreover, he initially collected the complainant's contact details for different purposes. However

national DPAs with an “endeavour to reach consensus” (Article 60(1) GDPR). In its binding decision 1/2021, the EDPB added that, even in case of an own-volition

Data Protection Code, health data can be processed without the data subject´s consent provided that the controller complies with the principle of essentiality

of article 16 par. 1 and 2 of law 3917/2011, par. 1 and 2 of article 11 of law 3471/2006 were amended, so that with article 11 par. 1 of law 3471/2006 "The

article 72.1.e) of the LOPDGDD. -13, in accordance with article 83.5.a) of the RGPD and for the purposes of prescription in the article 72.1.h) of the LOPDGDD

extensive investigation. Google's main arguments were that the complaints are inadmissible and there was a violation of the company's right to a fair trial (art

authority initiated proceedings for the alleged infringement of Article 5(1)(d) GDPR against the political party aforementioned. The Political party acknowledged

sent (a) on ... and at ..., with the apparent sender's number "..." and (b) on ... at ..., with 1 Ave. 1-3 Kifissia Street, 11523 Athens, Greece T: 210 6475

(definition) Article 5.2: Principle of accountability Article 6.1.a: Legal basis of consent Article 6.1.f: Legal basis of overriding legal interest Article 6.4:

the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations

information stored in the user's terminal equipment or the writing of information in the user's terminal equipment : 1° Either, has the sole purpose of

Regulation No. 1/2000; REPORTER Attorney Guido Scorza; WHEREAS, THE GUARANTOR: a) pursuant to art. 58, par. 2, lett. d) and f) and 66, par. 1 of the Regulation:

to data subject's right to access. The HDPA highlighted that even when the data controller does not keep any record of the data subject's personal data,

promotion and sale of advertising space to make the provider's services profitable, when the provider's processing was carried out on the territory of a member

publishing a blog for some time under the pseudonym ***PSEUDONYM.1, which is titled “***BLOG.1” (***URL.1 in which he makes assertions such as that the complaining

against the ANSPDCP's decision before the Tribunalul Bucureşti (Regional Court, Bucharest, Romania) which then requested the CJEU'S preliminar ruling on

Details see CNPD (Portugal) Tribunal da Relação de Lisboa - 842/16.5T8ALQ.L1-3 on the monitoring the speed of vehicles through radar and the use of photographic

within the scope of the GDPR. Furthermore, pursuant to Article 70(1)(u) GDPR, one of the EDPS's tasks is to promote cooperation and the effective bilateral and

personal data outside the "metadata" of the videoconference. Furthermore, Annex 1 of the draft decree covers how to access to the electronic file and consultation

Articles 15 to 22 of the RGPD, regulated in article 64.1 of the LOPDGDD, according to the which: "1. When the procedure refers exclusively to the lack of

Scope of Directive 95/46 Processing for solely journalistic purposes 1. Article 3(1) of Directive 95/46/EC is to be interpreted as meaning that an activity

First law on processing of personal data in Cyprus was L. 138(1)/2001 for the harmonisation of national law with the Directive 95/46/EC. This law was amended

- Does the fact that the data breach was brought to the doctor's attention by the CNIL's control department relieve the doctor of his obligation to notify

against complainant’s arguments for the following reasons: 1) Article 78(2) GDPR defines the applicable time frame in line with Article 4:13(1) of the Dutch

personal data by the Jehovah’s Witnesses Community for a period of six months unless those conditions were observed. The Jehovah’s Witnesses Community appealed

The CJEU ruled that personal data collected on the basis of Article 6(1)(e) may be used in legal proceedings, but the judge has to consider the principle

Articles 15 to 22 of the RGPD, regulated in article 64.1 of the LOPDGDD, according to the which: "1. When the procedure refers exclusively to the lack of

consistent with the fundamental right to respect for private life. The individual’s legal interest was grounded to the imposition of penalty points after some

from Telmore A / S's website and Yousee A / S's website that Nuuday A / S is the data controller for Telmore A / S 'and Yousee A / S' processing of personal

not exceed what is necessary, established under Articles 8 (1), 5 (4, 5), 6 (1), and 11 (1) of the Covenant ICOV, comply with the requirement of collection

Articles 12(1), 14(1)(c), 14(2) and 14(3) GDPR. In addition, Datatilsynet also issued criticism in relation to Article 5(1)(a) GDPR for the controller’s attempt

with Article 6 (1). 1, letter b, if the processing is necessary to comply with a legal obligation in accordance with Article 6 (1). 1, letter c, if the

details. 201907720/1/A3. Date of judgment: 9 December 2020 SECTION ADMINISTRATIVE LAW Judgment on the appeals of: 1. [appellant under 1], residing at [place

follows: Article 5(1)(c) , Article 5(1)(e) and Article 6(1)(f) of the GDPR The DPC found that Airbnb did not validly rely on Article 6(1)(f) of the GDPR as

GDPR. II.2.1. Article 5. 1.f) GDPR II.2.1.1. Findings in the Inspection Report 5. The first element that is the subject of the Inspectorate's investigation

comply with XXX: 1. to stop filming outside one's own property (either by dismantling the camera(s) or directing it so that only one's own property remains);

Statistics Denmark's internal list. Justification for the Danish Data Protection Agency's decision 3.1 It is clear from Article 6 (1) of the Data Protection

Protection Agency's decision 3.1. Processing of personal data using ProctorExam 3.1.1. It follows from Article 2 (1) of the Data Protection Regulation 1, that the

by theEDPBareset forthinArticle 60(4) andArticle 65(1)(a)GDPR 1. 3.1 Objection(s) expressed by CSA(s) in relationto a draft decision 17. The EDPBnotes thatseveralCSAs

Applicant's personal data 1. According to the Applicant's declaration, the Applicant forwarded his name, tax identification number, mother's name, place

municipality's filing system, which had been created on the basis of the complainant's request of 17 January 2018 about the municipality's subscription

Appeal confirmed the District Court's assessment that Google's interest, and the public's right, outweigh complainant's interest, especially considering a

Gruppen A / S 'observance of the duty to provide information complied with the regulation's basic principle of transparency. SIF Gruppen A / S has informed

on Article 6(1)(c) GDPR. In particular, the appellant argued that pursuant to Article 6(3) GDPR, a public interest task under Article 6(1)(c) GDPR must

no. 2, Art. 5 para. 1 lit. f, Art. 6 Para. 1 lit. c and lit. f, Art. 13, Art. 51 Para. 1, Art. 57 Para. 1 lit. f and Art. 77 Para. 1 of Regulation (EU)

By decision of 7 May 2018, the Minister rejected [the applicant's] and [the appellant's] request for the deletion ('erasure') of their personal data. By

protection rules. 4.1. The legal basis for the treatment 4.1.1. It is clear from Article 6 (1) of the Data Protection Regulation 1, letter a, that the

to the Debtor's telephone number, as there is no reference to the Applicant's name, only a registration number to identify his client's case. According

disagreed with the IMY's findings of GDPR breaches in two instances, holding that the controller did not breach Articles 12(1) and 13(1)(e) GDPR. On the other

the postal inquiries of Customer 1, the Authority determines that Customer 1 has violated Article 12 (1) and Article 14 (1) points a) and c) of the General

The Dutch Council of State (RvS) ruled that a data subject's search for evidence that the Municipal Executive unlawfully processed personal data does not

complainant's personal data. At the same time, the President of the company's Management Board stated that "the Company obtained the Complainant's personal

EDBP's guidelines 5/2020 regarding consent in accordance with regulation 2016/679, section 3.1, pp. 7-14 and the Danish Data Protection Authority's guidance

Protection Agency's decision 3.1. Authorization to record telephone conversations 3.1.1. Pursuant to Article 9 (1) of the Data Protection Regulation 1, there is

mandated by Article 33(1). Did the secretariat of the DPA breach its data security obligations under Articles 32(1), 33(1), and 34(1)? The Datatilsynet found

Articles 5(1)(f), as well as 32(1) and (2). As a consequence, the ANSPDCP issued an administrative fine of €2000 against Sanatatea Press Group S.R.L. Share

of a document containing customers personal data. On the DADA CREATION S.R.L.'s website, the following personal data were made available: e-mail addresses

12 (1) of the GDPR, as it did not provide transparent and understandable information, - Article 15 (1) and Article 17 (1) of the GDPR, Article 12 (1) -

Gazette I No. 165/1999 as amended; §§ 2 Z 1, Z 6 and Z 15, 5 Z 4, 6 Para. 1 and Para. 2, 11 Para. 1 and 21 Para. 1 Z 1 of the Financial Market Money Laundering

CiAgImkxOG4uaW1wb3J0LmNvbnRlbnQiIDogIlR1byBzaXPDpGx0w7YiLAogICJidXR0b24uYm9sZCIgOiAidHJ1ZSIsCiAgImkxOG4uc21hbGwuaW1hZ2UiIDogIlBpZW5pIGt1dmEiLAogICJpMT

re-examined complaint about financial service provider’s incomplete response to data subject’s access request after appeal. The appellant complained that

requirement of Articles 5.1.a, 5.1.b, 6.1.c), 6.3, 9.2.i), 12.1, 13.1.c), 13.2.a), 13.2.d), 13.2.e), 30.1.a) and 30.1.d), 35.1 and 35.7 of the GDPR 9. The

imposed a fine of €20000 on Gaypa s.r.l. for checking its employee's professional email account in order to protect the company's interests. The Garante found

section 1, subsection 1, section 14, subsections 1–2, section 15, subsections 1 and 3. and subsection 4, 3 points, section 16, subsection 1, section 18

the DE SA’s objections on Article 5(1)(f), Article 24 and 32 GDPR, as well the IT SA’s objection on Article 5(2) GDPR - as well as the LSA’s response to

at/presse/news/201*/berichteneu*3*1*8*.php from May 11, 2017 reads as follows (formatting not 1: 1 reproduced, accessed on August 31, 2020): [Editor's note: The article

accountant had processed the data subject's personal data in violation of Article 5(1)(a) GDPR, Article 6(1) GDPR, Article 12(3) GDPR, Article 12(4) GDPR

impose additional requirements. This decision should be compared to: RvS - 201907720/1/A3 Share blogs or news articles here! The decision below is a machine

procedure until the CJEU's decision on the Austrian Supreme Court's request for preliminary ruling regarding the interpretation of Article 15(1)(c) GDPR is published

financial statements for the period from 1.1.2018 to 31.12.2018". This document was publicly available on the controller's website. The controller refused to

under one year). 1On the IP address […] identified by Client 1, the Authority's acting administrator found that it was the Authority's Internet the IP address

imposed by sections 24.1., 28.1. and 30.1. of the DGPS ; -On 11 June 2019, the Disputes Chamber decides, pursuant to Article 95, § 1, 1° and 98 of the ICA

re-examined complaint about financial service provider’s incomplete response to data subject’s access request after appeal The DPA examined appeal against

investigation of the controller S.C. Type Top Food Industry S.R.L and found a violation of the provisions of art. 5 par. (1) lit. b) and c) and par. (2),

secrecy (Section 1 (1) DSG) as follows The appeal is dismissed as unfounded. Legal basis: Article 51(1), Article 57(1)(f) and Article 77(1) of Regulation

follows: "§ 26b paragraph 1 (1) trade secret is information that" § 26b paragraph one, (1) trade secret is information that 1. is secret because it is neither

disclosure of personal data by bank to the data subject's wife under Article 5 (1) (a) GDPR and Article 5 (1) (f) GDPR. An additional €50,000 was added for the

breach of Article 6(1)(f) GDPR, as the controller did not discontinue the data subject's email. Finally, the right under Article 17(1)(e) GDPR was infringed

The DPA noted that the lawful basis was Article 6(1)(f) GDPR and referred to the Article 29 Group's guidelines WP225 relating to search engine results

legislation) was legitimate and allowed under Article 6 (1) (e) of the GDPR. However, the Council of State (CoS) rules that the municipality did not inform the

audit of Y Municipality's processing of personal data on complaints in connection with a search function on Y Municipality's website. 1. Decision After a review

Paragraph 24(1) and (1) and (2) of the B-VG. 5 DSG as amended, with the provisos that part 1. of the ruling concerning the data protection complaint of 1 February

Board and, therefore, issue this Decision. 1. Facts of the Case 1.1 Allegations included in the complaint 1.1.1 On 26/09/2022, a complaint was submitted

Paragraph 1 S. 1, § 99 Paragraph 2, § 108 Paragraph 1 S. 1, § 146 Paragraph 4 S. 1, S. 6, § 152 Paragraph 1, § 154 Paragraph 2, Paragraph 3, § 162 Paragraph 3

Article 5 (1) (a), Article 12 (1), (2) and (6) , Article 13, Article 15 (1) (h), (3) and (4), Article 58 (2) (c) and (d) subparagraphs Article 34 (1) (2), Article

data subject's name of the register. The Court balanced Hoist's interest against the data subject's. On that basis, it held that Hoist's interest outweighed

3. The Draft Decision concerned Meta IE’s compliance with Article 5(1)(a) and (c), Article 6(1), Article 12(1), Articles 13, 24, 25 and 35 GDPR in respect

that the controller had violated Article 5(1)(f) GDPR, Article 17(1) GDPR, Article 25(1) GDPR, Article 32(1) GDPR and Article 32(2) GDPR. As a result,

information. These are the companies KMD A / S, Fujitsu A / S, LIFA A / S and INSPARI A / S. Kombit A / S has stated that no data has been publicly available

the safeguards necessary for that purpose.” 1.3 The reasons for the Commissioner’s findings are set out below. 1.4 This case relates to two individuals with

The appellant's claim that the injunction was not enforceable is devoid of purpose because the appellant's representative sent December 1AKI-lease confirmation:

Justification for the Danish Data Protection Agency's decision 3.1 Article 32 (1) of the Data Protection Regulation. 1 The Data Inspectorate assumes that BroBizz

addition, the controller attached Google's terms and Google's privacy policy concerning its cloud services. Google’s terms specify the information that google

person? The AEPD held that the telecoms company 's actions were a breach of Article 6(1) GDPR. Article 6(1) does not apply here because they failed to prove

documents relating to the data subject's debt, and if so, have these been received by the controller? Was the insolvency file's accuracy verified before transfer

this interpretation follows the CJEU’s logic as expressed in paragraph 46 of their judgment of the of 17 July 2014, Y.S. The Council stated that “although

Ticketmaster UK Limited, 30 St. John Street, London, EC1M 4-AY 13 November 2020 1 INTRODUCTION & SUMMARY 1.1 This Penalty Notice is given to Ticketmaster (UK)

Federal Law Gazette No. 51/1991 as amended, in conjunction with §§ 1, 3 Paragraph 1 and TP 1 Federal Administrative Fees Ordinance 1983, BGBl No. 24 as amended

Protection1) Article 6 (Regulation. 1, as well as Articles 13 and 14. Below is a detailed examination of the case and a justification for the Authority's decision

Article 17(1)(d). The DPA also found that the municipality were in breach of the principles of lawfulness, fairness and transparency, cf. Article 5(1)(a), and

the controller's interest. Consequently, the DPA held that the camera surveillance and livestreaming violated Article 6(1) and Article 5(1)(a) and fined

sec. 1, art. 25 sec. 1, art. art. 28 sec. 1, art. 28 sec. 3 lit. h, 32 sec. 1 lit. b and lit. d, art. 32 sec. 2, art. 33 paragraph. 1, art. 34 sec. 1 Regulation

that the controller had a legal basis for processing children's health data under Article 6(1)(e) GDPR (exercise of official authority) and Article 9(2)(b)

client's data. After making a change of address in her telephone company, in the company's systems it still appeared as joint holder the complainant's ex-husband

Mr. *** NAME.1 ***LASTNAME 1; born on 08/05/1985, in *** LOCALIDAD.2 (*** COUNTRY.1); son of Gabriel and Viorica. Nationality: *** COUNTRY. 1. Address: street

Regulation [1] and the Data Protection Act [2]. The Data Inspectorate's planned inspection of Varde Municipality focused on the municipality's compliance

Raiffeisen Bank S.A. and Vreau Credit S.R.L. and fined the two data controllers for violation of Article 32(1), (2) and (4) GDPR. On the 1st of October 2019

rules ofof the Data Protection Regulation1)[1] Article 6 (. 1 and1) of the Data Protection Act[2] section 11 (. 1. However, the Data Inspectorate finds that

imposed by sections 24.1., 28.1. and 30.1. of the DGPS ; -On 11 June 2019, the Disputes Chamber decides, pursuant to Article 95, § 1, 1° and 98 of the ICA

years according to Section 98 (1) WTBG or seven years according to Section 132 (1) Federal Fiscal Code ("BAO") or Section 212 (1) Corporate Code (“UGB”). -

bytheEDPBareset forthinArticle60(4) andArticle 65(1)(a)GDPR 1. 3.1 Objection(s) expressed by several CSA(s) in relationto a DraftDecision 19. The EDPB notes

25 / N. §, 51 / A. § (1), Articles 52-54. §- in Section 55 (1) - (2), Sections 56-60. §, 60 / A. § (1) - (3) and (6), § 61 (1) paragraph 61 (a) and (c)

data without the accuracy required according to Article 5(1)(d) GDPR. BBVA sent the claimant's personal data to a collection agency. The claimant had no

generalis, cf. the Ordinance's Proposition 173. The Ordinance's rules on principles, basis for processing, information, the data subject's rights, the data controllers'

Article 1 (1). b) Lack of adequate information on the purpose of data processingThe General Data Protection Regulation5. According to Article 1 (1) (a),

General pursuant to Article 15 of the Garante's Regulation No. 1/2000; Dr Agostino Ghiglia as rapporteur; WHEREAS 1. The report against the company and the preliminary

in Working Life and Article 5(1)(a) and (c), 6(1) and 9(1) GDPR? The Finnish DPA held that the collection of applicant’s religious beliefs, health status

for the disclosure to the data subjects's employer and was therefore in violation of Articles 5(1)(a) and 6(1) GDPR. The recordings had already been handed

obtained from the school's website, where the BF's data can still be found today. The assessment relates to the BF's professional and not private activities

personal data follow from Article 5 (1) of the Privacy Regulation. We refer to Article 5 (1) (a), (b), (c) and (f): «1. Personal information must (...) (a)

Ubels in Amsterdam. 1Process 1.1 Appellants are hereinafter jointly referred to as [Appellants] and separately as [Appellant sub 1] and [Appellant sub

complainant ’s basic personal data such as name and address. Vodafone España, S.A.U. acknowledged its responsibility in accordance with Article 85 (1) LPACAP

from Art. 2 Para. 1 in conjunction with Art. 1 Para. 1 GG.42 III. The decision on costs is a mixed cost decision (Section 155 (1) Sentence 1 VwGO) on the one

articles 6.1.a in relation to article 8.1- and the LOPDGD -Article 7-, the information provided on the website ***URL.1, for which GRUP BC, S.L. was responsible

hereinafter: GDPR), OJ No. L 119 of 4.5.2016 p. 1; § 1 paragraph 1 and 2, § 18 paragraph 1 and § 24 paragraph 1 and paragraph 5 of the Data Protection Act (DSG)

Art. 82 Para. 1, Para. 2, Art. 5 Para. 1 lit. a Var. 1, Article 6 paragraph 1 subparagraph. 1 lit. 1, Article 6 paragraph 1 subparagraph. 1 lit. a, Art.

them by e-mail on 1 4 January 2021. 1.2. In the petition, Y2 and Y1 ask: Declare this appeal admissible, admissible and well-founded; 1}-before doing reconsideration

items 1, 3, 5, 6 and 7 of the defendant's decision of 23 November 2018 are lawful and do not infringe the plaintiff's rights (§ 113.1 sentence 1 VwGO)

OrdinanceArticle 5 No. 1 letter f, and the Privacy Regulation 32 No. 1. letter book d The background and reasons for the decision follow below. 1. The case 1.1. Description

14 days. D e s c r i p t i o n s : [1] The Respondent is the nation's leading Logistics and postal service provider, whose The defendant's main business

For all the above, the AEPD hold that HM HOSPITALES 1989, S.A. breached Articles 5(1)(a) and 6(1)(a) GDPR and therefore, imposed a fine of €48,000 pursuant

N. Boers. Considerations 1. The court assumes the following facts and circumstances. 1.1. On October 14, 2019, the plaintiff's representative submitted

retroacts1) History1. The complainant lodges a complaint with the DPA about a request for erasure ofpersonal data processed by Y1 (hereinafter Y1). In his

decree has not changed the content of Article 11.5 1 invoked, now replaced by Article 1-9 § 5. 1Article 1-9 § 5: Correction of an error made in an act, an

appeal is admissible; however, it is not justified. Legal assessment 1.1 Paragraph 1328a(1) of the ABGB states Anyone who unlawfully and culpably encroaches

particular in Art. 5 Para. 1 lit. f, Art. 24 Para. 1 sentence 1, Art. 25 Para. 1 and Para. 2 sentence 1, Art. 28 Para. 1 and Art. 89 Para. 1 sentence 2 (...). The

EXAMPLE On [...] February 2019, pursuant to Article 78(1), Article 79(1)(1) and Article 84(1)(1-4) of the Act of 10 May 2018 on the protection of personal

Societate de Administrare a unui Fond de Pensii Administrat Privat S.A. and NN Asigurări de Viață S.A., two insurance providers (controllers) owned by the same

2,500.00 s.A, on the appeals of the plaintiff party (appeal interest EUR 1,700.-- s.A.) and the defendant party (appeal interest EUR 800.-- s.A.) against

upheld the FiS decision that Google's practice to regularly inform webmasters of the removal of search results was contrary to Article 5(1)(a) GDPR (principle

§ 56 subsection 1, subsection 2 point 8, § 58 subsection 1, § 10 of the Personal Data Protection Act (IKS) and Article 58 paragraph 1 point d and paragraph

discovered that the claimant’s signature was missing from the section “signature of old owner”. Did Vodafone’s failure to get the claimant’s signature constitute

measures to ensure security of processing under Article 32(1)(a), Article 32(1)(b), and Article 32(1)(d) GDPR, which led to a data breach. The Controller is

Protection Agency's decision. 2. Payment Denmark's guidelines and procedures Payment Denmark, prior to the audit visit, sent a copy of the authority's procedures

deadline for the operator's decision is one month from the receipt of the request. An appeal is possible against the operator's silence or against his refusal

for more details. 1T a t b e s t a n d 2The parties are in dispute over the deletion of the plaintiff's personal data from the defendant's credit agency.

24, 28 and 31 October and 1 November 2019 THIRD: On 25/03/20, the entity DIGITAL VIRGO ESPAÑA, S.A., refers to this Agency's written reply, attaching to

to this contract. " 1. That "Requests are not sent by TESTA RESIDENCIAL SOCIMI, S.A. directly but by a third entity EQUIFAX IBERICA S.L. " 2. In response

2 lit. a, Art. 5 para. 1 lit. a, Art. 12 para. 1, para. 2 and para. 3, Art. 13, Art. 27, Art. 57 para. 1 lit. f, Art. 58 para. 1 lit. b and para. 2 lit

salary payments subject to contribution to the S.S., to the determination of the bases of contribution to the S.S. and to the concepts of joint collection and

basis under Article 6, paragraph 1, letter f to obtain the complainant's credit information. 7. Infringement fee 7.1. General information about infringement

the controller's processing. In this case, however, the DPA appears to merge the employee's unauthorised processing with the controller's processing. Share

company's finances are then sufficiently taken into account. The fee of NOK 100,000 constitutes 2.0% of the company's turnover in 2019 and 2.1% of the

the restaurant's wine room (zone 1). The second camera was located in the restaurant's lounge area and covered the staircase from the 1st floor (main floor)

deletion of information about the father's ethnicity in accordance with the privacy regulation article 17 no. 1. As's view of the case in brief They have several

same reasons, the defendant's failure to prevent automatic erasure does not violate Art. 18(1) GDPR. According to Article 18(1)(c) of the GDPR, a data subject

DSG), Federal Law Gazette I no. 165/1999 as amended; Sections 1(1)(1) and (2), 2(1), 3(1)(1), (1a) and (2) and 4 of the Epidemics Act 1950 (hereinafter: EpiG)

college's communication of the reasons for dismissal of one of its former teachers to their colleagues and students was in violation of Article 6(1)(f) GDPR

changes of applicant's email? The DPA held that the Administration did not have a right under the GDPR to unilaterally change the applicant's email address according

outside of the company's area of business. Consequently, Lindstrand Trading did not have a legal basis for such processing as per Article 6(1)(f) GDPR. Did Lindstrand

implemented. Regular evaluation of measures Article 32 (1) of the Data Protection Regulation Article 1 (1) (d) states that in order to ensure a level of security

violated Articles 6(1)(a) and 5(1)(a) GDPR. Moreover, the AEPD stated that apart from the unlawful processing of the complainant’s personal data Vodafone

GDPR, Articles 5(1)(a), 12(1) and 13(1)(c) have been infringed.” Issue 4 (Additional Issue) – Whether Facebook Infringed the Article 5(1)(a) GDPR Principle

hereinafter “the complainant” - Y1, hereinafter “defendant 1” - Mr Y2, hereinafter “Respondent 2” 1. Facts and procedure 1. On December 11, 2019, the complainant

violation of Article 5(1)(c) GDPR; It violated Article 13(1) and (1) GDPR, and Article 5(1) GDPR by failing to adequately inform data subject's about the processing

proceedings, so that the defence's motion to discontinue the proceedings did not have to be granted. 1. (1) The BfDI's penalty notice sets out the data

credit registry office's (BKR) processing of a data subject’s personal data was lawful, the data subject’s interests overrode the office’s legitimate interest

for a preliminary ruling. In ground 1, [the appellant] states that his request is based on Articles 1, 6 paragraph 1 (f) and 21 of the AVG and therefore

the data subject’s interests, rights and freedoms, pursuant to Article 6(1)(f) GDPR. In this regard, the DPA found that the data subject’s phone number was

company´s employee. The controller (Giessegi Industria Mobili S.p.A.) was in a contractual relationship with a processor (Verizon Connect Italy S.p.A.) providing

challenge 1/23/2020 The contested administrative act or operation Procedure of the Data Protection Inspectorate 22.01.2020 Decision No 2.1-1 / 19/4627

Energy) infringed Article 6(1) of the GDPR as it processed the complainant's data without a legal basis. The data subject's personal data were incorporated

Reweb s.r.l. [...] as well as for the protection of the rights of Reweb s.r.l. in court" (note 12/3/2020 cited. p. 1); - “the dispute between Reweb s.r.l

this case. Description of the case 3.1. The complaint involved the Controller’s failure to comply with the complainant’s erasure request (article 17 of the

From a legal point of view, it follows that D.1 The legal situation: D.1.1. infringement of Article 1(1) of the DSG 2000: A decision on this part of the

Article 6(1) GDPR, in addition to violating the principle of data minimisation in Article 5(1)(c) GDPR. Concerning the second issue of the controller’s handling

Wohnen SE € 14.5 million for violation of Article 5(1)(e) and Article 25(1) GDPR as the company's archive system was structurally unable to delete unnecessary

Information Case No. 2.1.-3/19/4304 RESOLUTION: Pursuant to Section 85(2) of the Administrative Procedure Act (HMS) I decide: 1) uphold the request for

minimisation. 1.1. The Authority finds ex officio that the applicant has infringed the applicant’s right to exercise the data subject’s rights and the

applicable legal basis in art. 6.1AVG." With regard to the requirement of transparent information (art. 5.1.a), art. 12.1 and art. 13.1 and 13.2 GDPR}, the Disputes

request for the registered person's right of inspection and confirming the registered person's identity to comply with Article 5(1)(c) and Article 12(2) and (6)

secret search of the complainant's office on XXXX.2020. When processing the BF's personal data, the respondent violated the BF's fundamental right to secrecy

Article 6(1) GDPR? The Spanish DPA held that the documentation in the file provides evidence that G.L.P. Instalaciones 86, S.L violated Article 6(1) GDPR,

Regulation) Article 1, paragraph 2, Article 5, Article 6, paragraph 1, subparagraph f, Article 17(1)(a), (c) and (d), Article 17(3)(a), Article 21(1) Judgments

Garante Regulation No 1/2000; REPORTER Dr. Antonello Soro; PRESENTED 1. The complaint against the company and the investigation activity. 1.1 By complaint of

fine of approximately €150,000 (1,600,000 SEK) on the University Hospital Board for the violation of Articles 5(1)(f) and 32(1) GDPR. The data breach notification

allowed such sharing in the device's operating system. These the users had further agreed to Grindr's terms of use, Grindr's privacy policy, and decided not

Spanish DPA found a company in breach of Article 58(1) GDPR for failing to comply with a DPA's request for access to information in the course of an investigation

stressed that one's personal identification number is often known to several other people. Thus, the DPA considered that the controller's appointment booking

service provider €1,200,000 for disclosing unverified personal data of customers to debt recovery services against Articles 5(1) and 6(1) GDPR. Tet (the

Agency's processing of personal data has not taken place in accordance with the rules in the Data Protection Regulation [1], Article 32 (1). 1. Below is