Search results

as to the reliability of the AOD in the case - who, after all, is an entity with an interest in not disclosing the fact of the breach committed by its

Article 83 of the RGPD that an administrative fine of EUR 500 000, an injunction accompanied by a periodic penalty payment and an additional publication penalty

com/abstract=3319284. 10, i. An end user requests a web page; ii. The publisher's ad server on the web page selects an SSP; iii. The SSP then selects an Ad exchange; iv

Chamber emphasises that the purpose of imposing an administrative fine is not to only to put an end to an offence committed but, above all, to ensure effective

are monitored by an independent body. Art. 47 Charter of Fundamental Rights of the European Union – Right to an effective remedy and an impartial court

therein do not allow an individual to challenge in court the election procedure of the head of a DPA. This judgement stemmed from an appeal against a decision

its usual meaning, indicates a “faithful reproduction or transcription of an original” in opposition to a “purely general description” of data. The true

necessarily understand that they are seeing an ad or how an ad has been targeted towards them. • There is also an assessment of the impact on human rights

storage of the ID. Consent is also not valid if data subjects must complete an additional form setting out that refusal. Orange  România SA is a  provider 

2021, it appears that «[…]». The company is now planning an IPO in 2022. The audit points out that an IPO of a company means that the public has a clear interest

its holder. When an advantage or service is offered to a citizen by means of his identity card as part of a computer application, an alternative that does

luz Energía (SIE) to via an SMS. 2nd. There is certification of the digital signature of the supply contract by sending of an SMS with SIE, on July 14

The HDPA of Greece examined the complaint of an employee of the Hellenic Electricity Distribution Network Operator S.A. against the latter regarding a

Regulation as follows: "Any information about an identified or identifiable natural person (" the data subject "); an identifiable natural person is a person

Article 22(1) GDPR. In particular, it asked whether an automated creation of a credit score value constitutes an automated decision within the meaning of this

about the health of an employee of such service, when those data are required for determining that employee's working capacity. Allowing an exception to the

Article 83(5) GDPR provides that an infringer may be subject to an “administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of

a delivery address is an absolute necessity for the delivery of goods to the customers. Thus, Intervare does not detect whether an address is secret, as

An employee had submitted a complaint to the Greek Data Protection Authority about the video surveillance in the store in which she had worked. The Greek

personal data passed on to an uninvolved and unauthorized third party. This will make the Plaintiff exposed and there is also an indirect threat of potential

to process sensitive personal data When you leave an assessment on Legelisten.no, you must provide an e-mail address. For many, the email address contains

The Rotterdam Court of First Instance rejected an access request to procedural files before the State of the Netherlands as inadmissible. The Court ruled

property is Ms. A.A.A. with an e-mail address for notification purposes ***EMAIL.1 and the tenants are Mr. B.B.B. and Ms. C.C.C., with an e-mail address for notification

section 25 of the Data Protection Act (1050/2018), an appeal against this decision may be lodged with an administrative court in accordance with the provisions

resolution may be considered as an infraction. administrative action in accordance with the provisions of the RGPD, classified as an infraction in its article

Authority first.C/ES/3409/13-05-2019 complaint by A concerning receipt of an unclaimed communication policy (e-mail message) to promote the candidacy of

breach is an objective fact that does not coincide with the controller’s lack of appropriate security measures – i.e. the mere GDPR infringement. An annoyance

Supervisory Authority, “an agreement whereby a minor user consents to the processing of his or her personal data in connection with the use of an information society

ordered CARREFOUR BANQUE to pay an administrative fine of €800000. Insofar as the company took the necessary measures to put an end to the breaches of which

complaint under Article 77 GDPR. A data subject made an access request with an address publisher and direct marketing company, the controller, asking it specifically

restricted committee of the Commission impose an administrative fine on the two companies, as well as an injunction to bring into compliance the processing

recipient, and revoked), by the exporter or by an entity trusted by the exporter under a jurisdiction offering an essentially equivalent level of protection

Oy, a company that keeps a credit information register. This register gives an overview of the creditworthiness of debtors, whose debts are shown in the

person, to an indeterminate number of individuals sicas 3. An approved certification mechanism may be used in accordance with article 42 as an element that

not support as an interpretation that the legislator intended to extend the concept of "insured party" to apply also to the applicant an insurance before

construction of an office building. During the project, workers who carried out activities at the construction site registered their presence through an electronic

the claimant). The claimant states that, on January 3, 2019, he submitted an e-mail requesting the cancellation of the inclusion of his data in the Asnef

by default (Article 25(2) GDPR). The DPA suggested that if an insurance company requests an individual's health information from healthcare services, the

indirectly, in particular by means of an identifier, such as example a name, an identification number, location data, an online identifier or one or more elements

validation for an email that did not belong to the data subject. The AEPD pointed out a violation of Article 6(1) GDPR by processing data without an adequate

Letter b) GDPR to. The provision only lists the frequent repetition as an example of an "excessive" application on. However, the use of the word "in particular"

fixed phone of his office so that, in the event of an inconvenience, the recipient could request an exemption from a possible subsequent shipment. 5) Some

context, the one in which an interested party can issue the required declaration by filling in an electronic form, sending an email, uploading a scanned

data as follows: «Any information about an identified or identifiable natural person (« the registered »); An identifiable natural person is a person who

on final convictions in the credit information register Thing Correction of an error in the credit information register and entry of default information

data with AFS. The DPA opened an investigation regarding the controller. In the procedure, the controller stated that it had an agreement with AFS for the

that it had submitted an request for erasure (Article 17 GDPR), but had never received an answer form the controller. The DPA started an investigation following

to which the vacancy notice for a vacancy for an official position, including a managerial position for an official, and for the recruitment of candidates

​​constitutional protection of telecommunications includes, alongside an objective dimension, an indispensable subjective dimension, Thus, it is important to consider

electoral census for delivery to political parties (date 06/03/2019).On 17/05/2019 an envelope with a miniature name and address, with the letterhead of the PSC

health data. Following the report made by a website, the CNIL carried out an online check in September 2019. On this occasion, the Commission found that

a copy of the image of an email as an example. They also declare that the employees have a consultation portal, providing as an example impression of a

and 418 ZPO. A is neither an official document on declarations within the meaning of § 415 ZPO nor an official document on an official order, disposition

identifier was strictly necessary for the provision of an online communication service at the user's request. If an identifier had multiple purposes, the provider

which had to be taken into account as an aggravating factor. The intensity of the intervention, which had also covered an unlimited number of passers-by and

subject rights do not apply. The details on processing of personal data in an employment context are regulated in the privacy booklet published by the Dutch

sentiment. b. Existence of an effective objection 35. Finally, it must be checked whether the respondent had to take into account an objection by the complainant

The events described above imply an impact on the content of the article 13 RGPD, lacking informative sign(s) with an effective address to the that, where

(article 100.1, 5 ° LCA) and an order of compliance detailed below (article 100.1, 9 ° LCA) accompanied by an administrative fine in an amount of 15,000 euros

for months, especially considering that he was the subject of an Interpol Red Notice and an intensified search. The main reason for the principle of the

58(2)(f) GDPR, the Italian DPA imposed a temporary limitation on processing of an AI-powered ChatBot. The privacy policy did not clarify which legal basis had

The CJEU held that the mandatory disclosure, in the context of an online transparency publication, of personal information concerning a public officer

€150,000 for sending unsolicited advertising messages, for not responding to an access request and for not facilitating the objection to processing of personal

this body may be considered as an administrative offense in accordance with the provisions of the GDPR, classified as an infraction in its article 83.5

July 29, 2022, an explanation of what measures the data protection officer has taken as a result of the decision, unless it applies for an amendment to this

of an illegal act will require the prior duty of information, which may be understood to have been fulfilled when the placed in a visible place an informative

An association that disclosed personal data of one of its members in a Whatsapp group was fined €3,000 for violating Articles 5(1)(f) and 32 GDPR. The

result information that is accompanied by an objectively perceptible factual error and which therefore gives an incorrect, incomplete or misleading picture

and that the term remains an autonomous concept of EU law. That means that it is not decisive if an offence is classified as an administrative offence in

they are the owner of the property being, therefore, an area of public access, which constitutes an access not authorized to said data. This document was

process, provided in particular as an ordinary way of dealing with the oral hearing of cases from May 30 to July 31, as an alternative to the purely paper-based

controller to reply to a data subject's request to delete personal data, to an objection of processing of data for marketing purposes, transfer to third

golf company AE’ (hereinafter ‘Glyfada GAAR’) which includes an event with the complainant and an employee of the company.This request was repeated on...,

not support as an interpretation that the legislator intended to extend the concept of "insured party" to apply also to the applicant of an insurance before

a credit score is a decision for the purposes of Article 22(1) GDPR, where an action taken by a third party ‘draws strongly’ from it. A data subject was

on ...2019 at ...2019 and time ... an automated telephone call from the number ..., to which he answered and heard an audio message that he had won 850

circumstances. The Belgian DPA brought an action before Court of First Instance of Brussels, Belgium on 11 September 2015, seeking an injunction against Facebook

provide for an observation period of at least five years with regard to the estimation of risk parameters. In contrast, data subjects have an interest in

certificate issued for ISO 27001 Certification (reflecting the result of an audit by an external auditor)." C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd

controller's premises. The controller argued that the DPA should have requested an explanation from the other company as well, because the data subject was not

the case to the access to written answers of an exam already decided by previous judgements. Therefore an access to the driving test videos may have the

000. Share your comments here! Share blogs or news articles here! This is an available machine translated decision. Please refer to the Greek original

La Salud) hired Electromedical and Information Services (ASEI) to carry out an internal investigation to assess whether the access to the data subject's

security.In addition, you are told that 401 GSNA is an Organic Formation of the General Staff, subject to an administrative management relationship and as a

challenge” died. The “blackout challenge” is an internet phenomenon in which participants film themselves in an autoerotic asphyxiation. This practice is

violation of Article 5 GDPR to be restored, as well as of its authority to impose an administrative fine that amounted to 8,000 EUR. The complainants claimed that

mobile app on her phone, without informing employees or customers. Following an appeal, the Norwegian Privacy Appeals Board upheld the DPA's decision. A trade

Regulation as any form of information about an identified or identifiable natural person (“the data subject”). An identifiable natural person means a natural

processing activities. The board rejected the request. Eventually, the DPA brought an appeal before the Supreme Administrative Court, which referred the following

the principle of accountability. Moreover, the processing was conducted in an opaque way with regard to both its general policy and dealing with the data

organization may be considered as an administrative offense in accordance with the provisions of the RGPD, classified as an infraction in its articles 83.5

(Garante) imposed a fine of €12.25 million on Vodafone Italia S.p.A, following an inquiry into their telemarketing practices which revealed that Vodafone was

form of processing based on Article 4(2) GDPR. The DPA has the power to issue an ex officio interim order for immediate total or partial temporary restriction

organization may be considered as an administrative offense in accordance with the provisions of the RGPD, classified as an infraction in its articles 83.5

HDPA ran an on site audit at the Ministry of Foreign Affairs as being the data controller according to VIS Regulation and VIS Decision. VIS is an information

of the principle of accountability, had to examine whether there was an issue of an adverse effect on the rights and freedoms of the mother with a view

for review by the second contested decision. The data subject claimed for an annulment of the decision by European Data Protection Supervisor (EDPS) of

rules"; HAVING DETECTED the publication by the online newspaper La Cronaca24 of an article entitled: "XX" available at the link https://... in which, citing

participant in an electronic database, it is possible that among the numerous registered calls there is an error in the number, due to an incorrect entry

resolution may be considered as an infraction administrative in accordance with the provisions of the RGPD, classified as an infringement in its article 83

DEYA X violated GDPR's data minimization principle Article 5(1)(c) by sharing an employee's personal and health data with multiple recipients without proper

restriction, and objection. In its decision, the DPA held that, in principle, an employer could not consult private emails of his employees, even if the company

forgotten was not infringed and rejected the complaint. The data subject has filed an administrative appeal against this decision. The Austrian Federal Administrative

do not preclude national rules from laying down, without any limit in time, an obligation for Internet advertising service providers to communicate certain

controller, and about the fact that their personal data could have been used for an additional purpose. The Greek DPA also found that the objections of the customers

(in ahead, the claimed one). The claim indicates the following: “I received an email from pulpower to confirm my subscription, as I had not done no management

viewed that an activity cannot be regarded as purely personal or domestic where a) its purpose is to make the data collected accessible to an unrestricted

electricity supply corresponding to the claimant's supply point, providing an email address for the invoice to be sent. To be able to carry out the requested

Energéticas, the controler, filed a lawsuit against the data subject due to an alleged debt. In the judgment , a Spanish Court of First Instance dismissed

subject could exercise their right to object and erasure. This case concerns an interlocutory judgment in the case C/13/694440/KG ZA-20-1118 MvW/JE dated

willingness to be known, as well as regarding the conditions under which such an access should be provided. This question, as the HDPA found, was never answered

failing to implement appropriate technical and organisational measures to ensure an appropriate level of security. The failure resulted in a data breach and unauthorised

the Constitution also establishes that it is prohibited the attribution to an unique national number to the citizens. In Portugal the GDPR is implemented

bureaucratic steps that severely limit individual rights. Proceedings before an administrative tribunal can take up to 2 years. You can help us fill this

administrative fines of maximum EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the C/ Jorge Juan, 6 www.aepd.es 28001

and records relating to her, including any decision of the Supreme Court on an appeal. A relevant case: HDPA 12/2024 Please find relevant provisions of laws

fundamental rights of the data subject is not overridden, following § 12 (2). In an employment context, processing of personal data may take place on the basis

was fined 9898 RON (equivalent to €2000) for sending unsolicited message to an e-mail address collected indirectly from public sources for the purpose of

A car rental company filed an appeal with the Spanish National High Court against a Spanish DPA decision in which a fine of €25,000 was imposed for breaching

proceed and is not willing to open an investigation against a company established abroad that has not designated an EU Represenative. Rocketreach sells

breach from a person who became an unauthorized recipient of personal data. The breach involved sending an email with an unencrypted, non-password protected

by e-mail, by an insurance agent, who is an entity processing for an insurance company, an insurance policy containing personal data to an unauthorised

Article 32 (1) (d) • An assessment of privacy consequences has not been carried out, cf. Article 35 • Using an application with an insufficient level of

e-mail through encryption. Enforced TLS is an example of an encryption solution that can be used to protect an e-mail. In the present case, enforced TLS

had processed the complainant's data without an appropriate legal basis. The DVI received a complaint about an employer who had allegedly informed other employees

corporate email if having an email address is necessary for the workers. The Labour Chamber of the Spanish National High Court dealt with an appeal from a case

was not adequately secured, as it was transmitted in an unencrypted format. The DPA initiated an investigation in response to the complaint, in which it

explains its authority to impose an infringement fee, before explaining its assessment related to the infringement fee and whether an order should be issued. In

subjects who did not have an account with DPG Media, and had to provide a copy of their ID, as verification, before they could submit an access request pursuant

decision made at an individual presentation and the appeal instructions have not been attached. The notice must nevertheless be regarded as an appealable decision

Accounting Oversight Board following an application for approval by the Federal Minister of Finance. The transfer was based on an administive arrangement per Article

further proof of identity before fulfilling an access request. The Council of State reaffirmed that such an additional request must not be so demanding

of third parties that must be submitted so that an undertaking can qualify for the customs status of an authorised economic operator (AEO). According to

imposed a €35,000 fine on an energy company for the violation of Article 5(1)(f) GDPR and 32 GDPR because an employee accidentally sent an email to the data subject

indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or more elements

Company. The President of the UODO initiated an administrative proceeding against the Company to impose an administrative fine on the Company. The DPA found

imposed a €35,000 fine on an energy company for the violation of Articles 5(1)(f) and 32 GDPR because an employee accidentally sent an email to the data subject

for private life on the one hand and rights to protection of property and an effective remedy on the other hand. Directive 2002/58 provides rules determining

Persoonsgegevens (AP) launched an investigation into a possible breach of the GDPR against the provincial political party PVV Overijsssel after an individual filed a

automatically and in all cases of such an obligation on the employee. However, such an obligation of the employee may be ordered by an individual company or organization

appointing an EU representative. It further required Locatefamily.com to pay an exrta €20,000 for each two-week period it failed to appoint an EU representative

a controller €3,000 for not ensuring an adequate protection of personal data against the misuse of a processor. An employee had recorded and shared footage

Administration Act states: When it is stipulated in law that an administrative sanction may be imposed on an enterprise, the sanction is imposed even if no individual

ordinary letters by Mr M. K." bearing an illegible signature and stamp reading "W. [...] *AN*" and a copy of an unaddressed sample notification. In response

a fair trial under Article 6 ECHR. The data subject, an asset management professional, undertook an agreement with PME Investment Services. The agreement

to: • when an Assistant Director should decide to issue an electronic monitoring condition despite one of the exceptions applying; • when an electronic

after an assessment of the criteria in the Personal Data Act 2000 § 46 first paragraph, the Norwegian Public Roads Administration is ordered to pay an infringement

will that inform the data subject by means of a statement or an unambiguous active accepts an act concerning him/her concerning the processing of personal

sent an e-mail to the defendant's data protection officer. He writes the following: "Dear,I am not a customer of [defendant], yet today I received an email

confirmed an online pharmacy's (Promofarma ecom S.L) compliance with the GDPR after having used its investigation powers. The AEPD carried out an ex officio

can be assigned to an employee with the required roles (which an employee with this company role name must have), allowed roles (which an employee with this

but one an exception to a general rule from the GDPR, namely that breaches of the GDPR are possible are curbed with an administrative fine. As an exception

that it accepts of t these considerations would be based on an illegality, an irregularity or an error manifest. The fact that the person concerned by the

number [number] ; On 7 March 2016 ABN AMRO an A coding for contract number [number] ; On 7 March 2016 ABN AMRO an A coding for contract number [number] ;

Administration Act on administrative sanctions. An administrative sanction means a negative reaction that can be imposed by an administrative body, which is directed

83(5)(e) in fine of Regulation 2016/679, to an administrative fine of up to EUR 20,000,000, and in the case of an enterprise - up to 4% of its total annual

service provider provided an IP address, insofar as that legislation enables the national court seised of an application for an order for disclosure of personal

assess an application for compensation for material or immaterial damage resulting from an act in violation of the General Administrative Law Act by an administrative

personal data processing) [16] : Form no. 1: By submitting an application, an individual expresses an interest in vaccination with a vaccine against COVID-19

of his ex-wife as an individual. In response to the complaint, the defendant stated that it was the claimant herself who firstly sent an e-mail to the school’s

context of an Article 60 GDPR procedure, the Cypriot DPA reprimanded a controller for unlawfully asking a data subject’s ID when addressing an access request

companies. Employee policy breach Booking argued the fact that an employee had breached an internal protocol by not reporting the suspected incident to the

conditions that must be met for an applicant (other than the ‘privileged’ applicants pursuant to Article 263(2) TFEU) to challenge an act, where it is not the

following information: "www.***frauen.com is an offer of: N***Netzwerk GmbH & Co KG" and "www.dates***.com is an offer by: N***Netzwerk GmbH & Co KG". In order

administrative proceedings to impose an administrative fine in connection with the impossibility of carrying out an inspection in the scope of the Company's

Commissioner’s Office (ICO) has issued fines totalling £120,000 to an EU referendum campaign and an insurance company for serious breaches of electronic marketing

The Danish DPA (Datatilsynet) held that an insurance company acted in accordance with Article 15 GDPR by not disclosing to a data subject the name of the

process personal data with an appropriate level of security, as required by Article 32 GDPR. The company accepted applications via an applicant portal integrated

Prior to contact with the respondent, an announcement letter accompanied by an information leaflet as well as an email or SMS (which will refer to the

States shall issue an alert for refusal of entry and stay if the Member State, on the basis of an individual assessment, which includes an assessment of the

infringement. Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and

proposed to the Commission's restricted session to impose an administrative fine on AEC and an injunction, together with a penalty payment, to bring the

and the greater the personal cost of an action, the less likely it is that an action will be committed. Thus, an attempt is made to increase the costs

authorized to initiate an investigation, including an on-site investigation, if it does so useful. Operative part The AP submits an order to the UWV for

indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors

creating an account, accounts were not locked after a certain number of failed access attempts, and part of a reference code used instead of an account

guiding principles: 1 If an intended application for legal protection is settled before lis pendens and the possible filing of an action for a declaration

Arnhem-Leeuwarden confirmed an interlocutory injunction from the Court of First Instance, stating that a copyright watchdog could not force an Internet Service Provider

Spanish DPA held that where an employee had signed an image rights transfer agreement with their employer, prior to the display of an advertisement banner using

identified, in particular by means of an identifier such as a name, an identification number, location data, an online identifier or of one or more elements

the controller relies on an overall bundled consent to anything contained in the terms and the privacy policy. This represents an “all-or nothing” approach

Under the old Personal Data Act of 2000, there was an additional requirement that the business may have an "objective need" to obtain credit information. This

Regulation as any form of information about an identified or identifiable natural person ('the data subject'). An identifiable natural person means a natural

provisions, provided that these serve to safeguard an important public interest. The complainant has an obligation to provide information and evidence to

personal data caused by an "underlying bug" is due to an infringement of the requirements of Article 32 GDPR. 88. The FR SA expressed an objection concerning

Norwegian DPA (Datatilsynet) stating that they had been subject to an unauthorized credit rating. An employee of the credit rating agency has indeed triggered a

club (UAB VS FITNESS), fingerprint scanning is required. It then initiated an own volition investigation of a possible breach of the GDPR. The VDAI found

constitute an economic activity for the service provider. ... c) "Service provider" or "provider": natural or legal person that provides an information

protection by an organ that exercises judicial activity, which is not the case here as there is no connection with court or legal proceedings, it was an issue

reachyou later than usual.” (It might be an automatic response). 8.4. On 19 May 2019, the data subject sent an email to , saying the following: I’m sorry

viewing of an apartment that was advertised for sale, without their consent and knowledge. The photo was available on a public website via an URL link.

employees' fingerprints. Security An employer may ask an employee to give a fingerprint for, for example, access control. Sometimes an employee is obliged to give

to established case law, Internet advertising is usually only an invitation to submit an offer. The Senate sees no reason to deviate from this basic rule

rights or special dangers or (3) in the interest of private documentation if an identification of persons is not intended. It is unclear if this national

liability of each in the event of breach of data protection laws. Fashion ID, an online retailer clothing company, embedded the ‘Like’ social plug-in from

subject, and not on whether identification is possible for an 'average reader'. This is an appeal of the earlier case T‑384/20 - OC v European Commission

imposed a warning on an association for the protection of prison workers for publishing personal data without consent on Twitter. An association for the

Norwegian Data Protection Authority's assessment of an infringement fee of NOK 100,000 for having monitored an employee's e-mail box without a legal basis, cf

83(5)(e) in fine of Regulation 2016/679, to an administrative fine of up to EUR 20,000,000, and in the case of an undertaking, up to 4% of its total annual

photographed and / or photographed by the selfie box during an active action. In connection with the start of an event, it is announced over loudspeakers that there

within 30 days by either: - an appeal to the Data Protection Inspectorate pursuant to the Administrative Procedure Act; or - an appeal to Tallinn Administrative

conducting an inspection before starting an administrative offense case is also in the manager's interest, because not every inspection results in an administrative

Act , an administrative sanction may be imposed on an enterprise itselfif no individual has shown guilt. This means that Oslo Municipality has an objectiveliability

data subjects were harmed in any way. After an overall assessment, the PVN concluded (under doubt) that an administrative fine for such a violation should

not therefore mean that an administrative body is obliged to provide a copy of the documents containing those personal data. An administrative body may

educational magazines, received an e-mail from the individual in charge of its web-portal. This individual stated that an external alleged researcher had

remembered that the complainant was an employee of a higher federal authority and repeated the request to present an ID card in order to obtain a PeP (politically

question per. email, even if they had an email address registered with the Zoo. Against this background, Zoo stated that an extract of e-mail addresses had been

in these proceedings, has made an attempt to justify such proceedings. Considering that the Company is an entrepreneur, an entity professionally participating

performance of an agreement involving the data subject or, at the request of the person concerned, to take measures before concluding an agreement take;

in particular by means of assignment to an identifier such as a name; an identification number, location data, an online identifier or one or more factors

basis. The Slovenian DPA (IP) was asked for an opinion concerning the scope of GDPR Article 15. Within the GDPR, an individual can only request their own personal

Secure @ Mail. In the case of an advisory email about new e-mail in Secure @ Mail, the advisory email will include: include an ID number on the email, a link

with an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element

personal data to Google LLC in the U.S. The respondent is an online retail company. The complainant is an individual represented by noyb - European Centre for

complex, the organization acting as a data controller can state that it needs an additional time of up to two months. In the case of one complainant, Alektum

Court has ruled on the merits of the case. According to the Court, an appeal against an administrative decision can only be effective if the applicant is

Following an investigation, the Croatian DPA (AZOP) held that data processor, an IT company, did not take necessary measures to achieve an adequate level

by means of an invoice form signed by her, that an amount of € 32,368 be transferred to her by virtue of this money loan in order to pay an invoice from

There is no place for an independent appeal against the order under point 1, only on the merits of the case may be challenged in an appeal against a decision

appellant may challenge this decision within 30 days by submitting an appeal to an administrative court in accordance with the Code of Administrative Court

breach of Article 83(6) GDPR for failure to comply with an order of the DPA, the DPA imposed an administrative fine of €440,000 on the controller pursuant

The controller requested a copy of an identity document for identification purposes. Following the request of an official identity document, the data

systematically requesting an ID card for the exercise of right by a data subject a violation of Article 12 GDPR ? Are the following practices an infringement on

require a certain degree of seriousness to be taken into account. An employer dismissed an employee for having allegedly faked their sick leave. The employer

Benefits Department used the applicants' nationality (Dutch/not Dutch) as an indicator in an automated "risk-classification model", to assess which applications

The Spanish DPA held that sending an e-mail without using the BCC (Blind Carbon Copy) option is an infringement of Article 5(1)(b) and (f) GDPR. In particular

indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors

requests from an Airbnb customer (the data subject) to Airbnb Ireland UC (the controller); an access request under Article 15 GDPR and an erasure request

self-employed and liberal professionals to switch from a paper to an electronic invoice. Due to an error in the selection of e-mail addresses, a number of the

indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors

Does the tracking of a company vehicle (which an employee is also free to use in his leisure time) by an employer via a GPS positioning system require

the protection of personal information. Access to an employee's or former employee's e-mail box is an intrusive treatment of personal information, and constitutes

new call on 20/10/2020. The company reports that due to an obvious and unacceptable error by an employee, the implementation of the inclusion of the number

require a national court, called upon to give a ruling on an application for an injunction against an intermediary whose services are used by a third party

reason, the processing of personal data from an electoral roll for an election in 2012 not possible for an election in 2018. As regards the lack of transparency

held that according to § 59 (4) of the Federal Data Protection Act (BDSG), an authority obliged to provide information to a data subject may only request

State adopted an almost identical decision concerning an appeal brought by the mother company Facebook Inc.. The only differences concern an argument raised

State adopted an almost identical decision concerning an appeal brought by the daughter company Facebook Ireland. The only differences concern an argument raised

until the expiry of the time limit for bringing an action to challenge the decision or, in the case of an administrative action, until the final decision

may take place regardless of whether the person is convicted of an offence that entails an increased risk of relapse into “DNA relevant” crime. Thus, the

register and no longer has a legal representative. If an investigation in this case were to reveal an illegal processing of personal data, the right to impose

the fact that the entry / exit card is an excessive measure. 2. On 17/10/2019, an Officer of my Office sent an email to his XXXXXXXX Defendant's staff's

send an email to ciao@ecooltra.com for there is evidence that you no longer want to use the account. ELEVENTH: On October 30, 2018 at 4:26 p.m. an email

GDPR by requiring a legitimate interest for granting an access request, and by not responding to an access request, thus denying the data subject its rights

were not kept in connection with an obligation under pharmaceutical law and (b) had not been taken along in the context of an audit of the operation of a Section

violation was found since the data breach was an isolated incident and the controller complied with Article 33 GDPR. An investigation was started on 20 December

authorized by the government (the Disputes Chamber of the GBA acts here as an organ of an administrative authority - which, although it depends on the legislature

indirectly, in particular by reference to an identifier such as a name, an identification number, a location data, an on-line identification or one or more

which includes an Israeli journalist, Raviv Drucker, an Israeli website, Seventh Eye, and one of its staff writers, Oren Persico, and an American journalist

indirectly, in particular by reference to an identifier such as a name, an identity number, location data, an online identifier or to one or more factors

directly or indirectly, in particular by an identifier, such as a name, an identification number, data location, an online identifier or one or more elements

not able to provide such data following an access request. A complainant, a previous worker of Amazon Spain, made an access request to Amazon in order to

directly or indirectly, in particular by an identifier, such as a name, an identification number, location, an online identifier or one or more elements

guidelines) and not the acceptance of work under an agency agreement within the meaning of the Law of Obligations Act.An impact assessment/study is not, by its nature

directly or indirectly, in particular by an identifier such as a name, identi- fication number, location data, an online identifier or one or more elements

must be sufficiently precise to be invoked by an individual and by the national courts [and imposes] an unconditional obligation. ” 4 CJEU judgment of

downloads the application form via the website of the embassy or BZ. An appointment for an intake at the consulate can be made be on the embassy's website via

Furthermore, the evaluations are only displayed when an higher amount evaluations are collected. As an additional safeguard, all students are verified via

carried out by an optician or an optician or ophthalmologist. According to the answer, many customers do not seem to know that dealing with an optician is

that was available to the creditors came from the surrender of an insurance policy and (for an amount of € 10,757) from a son of [applicants] et al. would

the law if (i) there is an infringement of a subjective right, (ii) an act or omission is in breach of a statutory duty or (iii) an act or omission is in

claimed, from the email address: ***EMAIL.1 sent an email email to the SGT and General Directorates, in which an Excel sheet was attached where you could see

Adherence to an approved code of conduct within the meaning of Article 40 or to a certification mechanism approved under Article 42 may serve as an element

exclusively at its own expense. It therefore struck down SABAM's claim for such an injunction to be issued against Netlog. SABAM is a management company which

of an adopted child. An applicant applied to the Vilnius City Administration (hereinafter - the Administration) with regards to the education of an adopted

burden of proof. It is therefore clear that an expectation of privacy arising from contract (more specifically an employment contract) has to be expressly

recidivism to be an aggravating circumstance. Se / on el / e, / 'the absence of an aggravating circumstance does not mean the existence of an aggravating circumstance

travel services to Russia offered on the website, and an offer for a group trip is requested by sending an e-mail to the registrar. Visa types other than group

of […] euros in 2015. 5. During the summer of 2015, during an internal research project on an anti-fraud mechanism, the company reused personal data contained

indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors

although Member States are in principle free to fix an appropriate fee for bringing an appeal before an administrative authority, that fee may not be set

October 2019, - an internal audit subcontracted to an audit firm covering organizational aspects, - an external audit carried out by an audit firm, in order

carried out an online control mission on the "discord.com" website and on the DISCORD mobile application on 17 November 2020. 8. On 29 December 2020, an off-site

personal information could reach an unlimited number of viewers. Dragefossen had operating revenues of around NOK 113 million and an annual profit of approx. NOK

legislator as an alternative to the judicial procedure (see articles 77 to 79 of the GDMP). The lodging of a complaint should remain an easy step for data

PT and SK (Kancelaria [...]), an administrative fine, the President of the Office for Personal Data Protection, declaring an infringement by the Chief National

indirectly, in particular by means of an identifier, such as a name, an identification number, data from location, an online identifier or one or more elements

national legislation. The DPA conducted an audit of the IT University of Copenhagen (ITU) and their use of an online proctoring service for one of their

number of persons so that the information was accessed by sending an e-mail (i.e. an automated process). 19. In this sense, it is clear that within the

there was an error in the delivery and that several letters to a couple of clients were confused. With the same date "Client indicates that an unknown person

as "personal data": any information about an identified or identifiable natural person ("data subject"); An identifiable natural person shall be considered

DPA (AEPD) against a university where they had had different roles, ("an employee, an employee with disciplinary proceedings, undergraduate student, master's

Administration Act states: When it is stipulated by law that an administrative sanction may be imposed on an enterprise, the sanction can be imposed even if no individual

proportionality assessment or an adequate weighing of interests. Therefore, the Greek DPA held that the processor acted as an independent controller within

I. Facts [2] The defendant holds a business licence as an address publisher and was active as an address trader for ten years with the aim of enabling its

Televisive Italian S.p.A. (RTI) and prohibited the broadcasting of an interview made by “Le Iene” (an Italian TV program) reporters, which infringed the Italian

imposition of an administrative fine and an injunction to appoint a data protection officer against the municipality. A. On the imposition of an administrative

Article 15(1) GDPR, but instead introduces an independent provision. The wording of Article 15(3) creates an obligation on the controller to provide the

and organisational measures to ensure an adequate level of security. A company called Gureak Lanean suffered an attempt of hacking of their servers. The

Italy held that when an individuals is asked to consent to the processing of their personal data by an algorithm in order to reach an automated decision

by Article 6(1) GDPR, after hiring a handwriting expert to determine that an alleged signature was fake. The Bulgarian DPA examined a complaint lodged

The data protection commissioner's office requested an explanation from the data controller with an explanation request dated July 4, 2023. On 10 August

rule incorrectly or makes an incorrect assessment of the facts, this could result in an incorrect decision. If NAV has used an incorrect understanding of

Nordic has stated that an order confirmation by mail is not as good documentation of a contract as an audio recording, since an order confirmation, for

punishable by a fine of 20,000,000 euros as maximum or, in the case of an enterprise, an amount equivalent to 4% as maximum of the total annual overall turnover

July 2019. Again, on 17 July 2019, NRA requested an all-round audit of its information systems by an independent external organization. NRA also developed

wanted to book accommodation in an hotel, the controller, which offered three options to do so on its website: through an external service provider, through

Protection Authority (Datatilsynet) issued a reprimand concerning the use of an acquired development and testing environment without implementing the appropriate

management platform’ (CMP), which is an interface that appears when a data subject first navigates to a websites or uses an application for the first time.

German Supreme Court (BGH - VI ZR 60/21), the court came to an opposite conclusion that an online platform collecting and publishing personal data of doctors

a company had obtained access to an employee's emails. In the first case, the company had accessed her inbox due to an acute situation where they needed

fines Vodafone €10,000 for transferring personal data from their customers to an advertising company without prior consent. After requesting the provision

The Portuguese DPA considered that an organisation is the controller of personal data when employing the services of a direct marketing company to promote

addresses in the "To" section instead of the "BBC" section while sending an email. At an unspecified time, the controller, a Romanian water supplier, incurred

In October 2020, the Polish DPA received an anonymous tip informing about this incident. The DPA started an investigation and requested information from

that CP&A maintained an online register, containing data on the cause of absenteeism in its employees. In response, it launched an own volition investigation

data as follows: 2 «any information about an identified or identifiable natural person (« the registered »); An identifiable natural person is a person who

associated an email address and/or phone number with a business account (whether as a mandatory requirement of switching prior to September 2019, or on an optional

In 2019, after conducting an internal risk analysis and a Data Protection Impact Assessment (DPIA) the hospital introduced an encryption solution for secure

CI Plus module as an alternative to a loan receiver (quasi an adapter that replaces the zapping receiver and can be inserted into an existing receiver

controller applies for an amendment to this decision. The Deputy Data Protection Commissioner also gives the data controller an order in accordance with

information. That is not an improper purpose. Court can deal with abuse of process if shown If there is an abuse in seeking a remedy for an ulterior purpose,

the same results. An automated message informing clients that the account was no longer functioning, for instance, would have been an adequate solution

AP has started an official investigation. This decision covers the period from 2012 to enwith2018. 1.2Process flow On 4 September 2018, an AP supervisor

cf. Article 24. An employee in a municipal health care center had access to highly sensitive personal data (image files) through an incorrectly configured

this is whether it is an individual case or a system-wide problem weave. If, in the case of an individual application, there is an indication that it is

"personal data": any information about an identified or identifiable natural person ("the interested party"); an identifiable natural person shall be considered

The EDPS found, after the CJEU requested for an authorisation of contractual clauses under Article 48(3)(a) of the EU GDPR, that no data transfers took

followed such an approach in the assessment of fines based on the fine concept of the Data Protection Conference of 19.10.2019. Such an assessment method

ordered an employer to delete the HR evaluation data on its employees. The decision comes after a complaint filed by an employee concerning an access request

courtyards or the vicinity of commercial buildings and the area in front of an ATM, where an individual could not expect privacy in the absolute sense. Thus, the

submitted a complaint to the AEPD stating that the defendant had sent an email containing an accusation of attempted fraud, letter of dismissal, and severance

and to make an alternative available if a student is unable or unwilling to work with proctoring, without this leading to study delay. 2.8 An internal memo

also seeks an amendment of the contested judgment, but in the sense of a complete dismissal of the action. In the alternative, it is seeking an application

committed an infringement and the Authority considers that a fine is justified, the Authority should note that the Applicant has committed an infringement

GDPR. The Bank launched an internal investigation and confirmed the committal of the violation, which it attributed to an error of an employee of its local

Following an audit, the Luxembourg DPA (CNPD) imposed a fine of €18,700 on a company because of four breaches relating to the role and position of its

with INDECEMI and received an email with the details of another person who was also in the claim process, who, in turn, received an email with the data of

the complainant's personal data in an online article) was carried out for journalistic purposes. As the complainant is an former politician and the article

indirectly, in particular by reference to an identifier, such as a name, an identification number, localisation data, an online identifier or one or more factors

grows day by day — subscribe to GDPRtoday to get a weekly update! GDPRhub is an initiative by noyb.eu, and made possible by the contributions of hundreds

indirectly, in particular by means of an identifier, such as a name an identification number, location data, an online identifier or one or more elements

that a delivery address is an absolute necessity for the delivery of goods to the customers. Nemlig, does not detect if an address is secret, as it is

the correct manner, with an attorney at law. The fact that an IND employee was also present at the hearing, who also spoke - as an informant - does not, contrary

combination with standardized icons that allow provide an easily visible, intelligible and clearly readable form an adequate overview of the planned treatment. The

thus an intentional infringement and both subjective and objective conditions for impose an infringement fee is fulfilled. Assessment of whether an infringement

assertion that the application of the legal basis justified an interest in in the present case, an assessment in concreto of all the relevant factual elements

had been opened based on an administrative act that did not comply with the legal requirements. This ruling is the result by an appeal of Rossel & Cie,

measures which effectively prevent or at the very least seriously discourage an internet user, when conducting a search from within the EU on the basis of

March to [...] April 2020, with varying frequency, to an individual address e-mail address of an employee of the Company These lists included only administrative

decision that there is: - an infringement of Article 5 (1) a), b) and c) and (2) of the GDPR and Article 24 (1) of the GDPR; and - an infringement of article

decision on an administrative remedy may be suspended as a precautionary measure if the person concerned indicates his intention to bring an action. If

seems appropriate to assume an obligation to provide information about recipients in any case, but only to accept such an obligation with regard to the

implemented such an arrangement. To begin with, the DPA pointed out that only requesting a name and personal identity code when booking an appointment online

between banks, an advisory was provided containing information about the payer, including information on his address. The system did not make an assessment

indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or one or more factors

credit registration. With an A3 coding, it is registered whether it concerns a write-off or a remission. After all, an A3 coding with an end date shows that

identified, the GP proposed to the patients, at the first contact, or with an active recall, an individual assistance plan (PAI); - until 2018, the GP only communicated

Metropolitan Court in an administrative lawsuit can be challenged. The emergency does not affect the time limit for bringing an action. The application

by an employee of the Warsaw University of Life Sciences with the rules of data processing in force at the University is evidenced by the use by an employee

court action that would only be possible later (RS0039215 [T8]). [28] An interest in an action for a declaratory judgement is to be affirmed if the request

of an unwanted text message was justified on the grounds that it was sent directly by XX Srl, without using lists from Wind Tre, on the basis of an independently

act, cannot give rise to an infringement of the GDPR. 30. The Disputes Chamber draws attention to the presence or absence of an intention does not constitute

In an Article 60 GDPR procedure, the Norwegian DPA ordered an HR-services provider, pursuant to Article 58(2)(d) GDPR, to provide the data subject with

allegations. Is sending advertising emails without the consent of the recipient an infringement of Article 21 of the Spanish Information Society Services Act

directly or indirectly, in particular by an identifier, such as a name, an identification number, location data, an online identifier or one or various elements

Following an anonymous complaint against a debt collection agency the Croatian DPA issued a €2,265,000 fine for lack of security measures, lack of a processing

Those applications were used by an unknown party (allegedly an educational institution) and developed by Respondus Inc., an American company. Respondus and

indirectly, in particular by reference to an identifier, such as a name, an identification number, localisation data, an online identifier or one or more factors

The DSB held that the processing of teacher data of an App called "Lernsieg" to evaluate teachers is lawful on the basis of Art. 6 para. 1 lit. f GDPR

NIF S7800001E, -Due to an infringement of Article 5.1.f) of the RGPD, typified in article 83.5 of the GDPR, with a warning. -For an infringement of Article

amendment; if so, it may refrain from striking out and give an opportunity to make such an amendment.” The claimant’s case 14. The claimant says that the

from The Directorate of Customs, but can not see that they have an impact on whether an infringement fine should be imposed, or the size of this. 2 The

the controller relies on an overall bundled consent to anything contained in the terms and the privacy policy. This represents an “all-or nothing” approach

law firm, sent an email to multiple recipients without putting them in bcc. The complainant was one of the recipients. Does sending an email without putting

claimed party is considered responsible for an infringement typified in article 83.5.a) of the RGPD, in an initial assessment, they are considered concurrent

ban, including the preparation and sending of an updated impact analysis for the use of the Services with an expected completion time of 2-3 months from

homosexuality, political parties or diseases. The plaintiff was shown an advertisement for an Austrian politician based on the analysis that he resembled other

Inspectorate with the request to conduct an investigation into the extent to which the request to conduct an investigation into the extent to which the

accounting firm U BVBA, Z BVBA sent an e-mail to the applicant, Ms U1 and Mr U2 on 15 July 2019. On 15 July 2019, Z BVBA sent an e-mail to the applicant, Ms U1

report stated that NIF received an inquiry from the National Cyber Security Center (NCSC-NO) on 18.12.19 regarding an extract from the sport's member database

Article 83 of the GDPR that an administrative fine of up to 250,000 euros, an injunction accompanied by a fine as well as an additional penalty publication

have not committed an offence pass in front of the exit terminal and noted that the data relating to vehicles that have not committed an offence are not transmitted

indirectly, in particular by reference to an identifier such as a name, an identity number, location data, an online identifier or one or more factors specific

premises justifying the imposition of an administrative fine on the Company.           When deciding to impose an administrative fine on the Company, as

competent to adjudicate an application for compensation for material or immaterial damage resulting from an act in violation of the AVG by an administrative body

defines personal data as those belonging to “not only an ‘identified natural person’, but also an ‘identifiable natural person’”. Moreover, a representative

The Hellenic DPA fined a processor €30,000 for failing to grant an appropriate level of security of personal data under Article 32(2), Article 32(4) GDPR

rather because the ex-spouse had mistakenly introduced the email with an “i” instead of an “e” in the data subject’s name. Additionally, the HDPA noted that

DPA held that the controller had to provide an answer to the request within 14 days. The data subject made an access request for a full diagnosis report

inadmissibility, files an appeal of replacement that is resolved in an estimatory manner and gives rise to the current claim: Namely: “…Consequently, when an interested

happened, Transavia engaged an external service provider to conduct a root-cause-analysis. Circumstances of the breach: By using (i) an automated method in which

The request for a hearing must be indicated in the application. An action brought against an order is adjudicated by the court in a simplified trial out of

operates an online mail-order pharmacy under the brand "E.", which is available at "https: //www.E ..de ”. On October 6, 2018, a private person filed an online

updated for possible security vulnerabilities. It has an anti-injection system of SQL orders and an Intrusion Prevention System (IPS). Only TCP 80 (the port

results following an Article 17 erasure request. An online newspaper article from 2012 mentioned the complainant's resignation as the head of an educational

account of one of the applicants was a result of an investigation which included actions taken by an Uber employee such as carrying out a personal conversation

capacityindividual both administrative and criminal.An application file signed by me is attached ”.THIRD: There is an email sent by the VOX DPO of 05/16/2019responding

indirectly, in particular by means of an identifier, such as a name, an identification number, data from location, an online identifier or one or more elements

this discussion because of an incorrect delivery of the invitation. The respondent, another political party, then posted an entry on her public Facebook

The Spanish DPA (AEPD) fined an audit company €3,000 for a security breach occurred when they sent the claimant information of another client, instead

the controller relies on an overall bundled consent to anything contained in the terms and the privacy policy. This represents an “all-or nothing” approach

Internet for an infringement of the right to privacy and violation of the GDPR. The request is based on unlawful processing of personal data. An infringement

to comply with an application to exercise the rights set out in Articles 15 to 22 of Regulation (EU) 2016/679, it shall be initiated by an admission agreement

contract' is not simply an assessment of what is permitted by or written into the terms of a contract. [...]The concept of necessity has an independent meaning

provide access to the affected individual. The Complainant had an accident outside a store, and an Action has been filed subsequently. Access to the video footage

certainly not in light of the defendant's statement that an opinion from the VTC was not possible within an acceptable period of time. 29. Finally, inasmuch as

The Upper Tribunal dismissed an appeal against the FTT's decision to uphold three fines imposed on Leave.EU and Eldon Insurance Services by the UK DPA

The District Court of Pankow held that a controller can refuse to answer an access request under Article 15 GDPR if the effort required to comply with

they have been able to verify that due to an error in the answering process The complainant was sent a copy of an answer that was not related with the claim

"Category" of "Trainee". For the "BECA" concept, there is an accrued amount of 35 euros and an income tax deduction of 2%. The document devotes various

The Spanish DPA fined Mapfre, an insurance company, for a violation of Article 6 GDPR for processing personal data for an insurance policy without a legal

with an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element

subsequent period of 3 months. (2) The Tribunal may, on an application by the data subject, make an order requiring the Commissioner (a) to take appropriate

the perpetrators for an act that has already been sanctioned by a criminal court as a criminal offence? In this case, the AEPD found an infringement of Article

The NAIH fined €1.500 an employer in the public sector for unlawful search in archived e-mail account of former employee. An employer searched in the archived

personal data was unlawful may be reviewed by way of an action for a declaratory judgment if there is an interest in a declaratory judgment. (2) Where personal

indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an on-line identifier, or to one or more factors

5(1)(c) GDPR. The controller must however inform the data subject through an information sign. On 20 May 2021, a Spanish natural person (the data subject)

directly or indirectly, in particular by an identifier, such as a name, an identification number, location, an online identifier or one or more elements

unauthorized persons. c) .- The office is located in an industrial warehouse. To access it you must call an external bell, enter with authorization, cross the

that a controller, regardless of the burden of proof, has always an obligation to reply to an access request, even if the content of such a reply is merely

by e-mail to different persons outside and inside the company constitutes an infringement of Article 5(1)(f) GDPR. ATPSA's union representative at ITP

system with his phone and shared the video via WhatsApp, the AEPD carried out an investigation. The AEPD found a data breach due to the improper filming of

directly or indirectly, in particular by an identifier, such as a name, an identification number, location, an online identifier or one or more elements

police authorities at their request. It concerned an incident where the child was depicted picking up an object from the ground, which had been lost by a

controller didn’t provide an answer. On 8 August 2022, the data subject filed a complaint at the Belgium DPA for the lack of an answer to the request. The

indirectly, in particular by means of an identifier, such as aname, an identification number, location data, an online identifier or one or morevarious

where it finds an inadequacy in the investigation or an error that makes the conclusion impossible. In this case, I would first expect an explanation that

in relation to an access request that was answered incorrectly by a company, and ordered it to pay the claimant €1,250. The defendant is an auto-mobile manufacturer

The French DPA (CNIL) imposed a €150,000 fine on an undisclosed data controller operating an online shopping for failing to properly secure personal data

the to transfer personal data to a third country or an international organisation; or whether or not an adequacy decision by the Commission exists; or, in

when creating an account by a person via the mobile application and that a password consisting of six characters was accepted when creating an account via

suggested to exist an ongoing threat to the Claimant's personal data, such as to justify an injunction. 
 
 The prospect of an award of an injunction seems

states that the Motor Insurance Agency is not an operator that could be excluded from the application of an administrative penalty, taking into account that

adds that he had knowledge of this debt through an SMS and appeared in a shop of the claimed to obtain an invoice for the amount of € 56.88 although the

provided by an external actor in third countries, the treatment may be presumed to have entailed a particular risk of infringement registered privacy. An impact

€1500 fine against an individual for installing security cameras pointed towards the public street and nearby private properties without an adequate information

received from the registrar An explanation has been requested from the controller with an explanation request dated 22 January 2021 and an additional explanation

Article 123 of the LPACAP, the interested parties may lodge, on an optional basis, an appeal for a reversal to the Director of the Spanish Data Protection

Article 123 of the LPACAP, the interested parties may lodge, on an optional basis, an appeal for reversal to the Director of the Spanish Data Protection

Dutch, TikTok failed to provide an adequate explanation of how the app collects, processes and uses personal data. This is an infringement of privacy legislation

indirectly, in particular by means of an identifier such as a name, an identification number, location data, an online identifier or one or more elements

(controller) published an Excel sheet on its website. This Excel sheet contained personal data of vehicle owners who had requested an address change. The

the staff council is suspended as long as an employee is prohibited from conducting official business or an official is temporarily suspended due to a

threshold of the door of the store (the mara captures an important part of the sidewalk without observing an information sign), for outside, the silhouette of

income etc.). In April 2021, the controller sent an email to everyone who registered for the project with an unencrypted Excel file attached, which contained

functions during an investigation, as Vodafone did not comply with an order to provide information to the DPA. The Spanish DPA (AEPD) launched an investigation

event of an alarm going off and the presence of intruders is detected. The establishment does not have a video surveillance system but rather an intruder

procedure 1. On May 6, 2018, the complainant sends an email to the Data Protection Authority (DPA) requesting an opinion on a data processing operation carried

initated an inquiry. The Ministry was summoned to answer a questionnaire. It stated that the drones had also been used for other purposes : scouting an area

ruled that the collection and use of name and VAT number by an accountant on behalf of an heir without a relevant order constitutes a violation of articles

argument that the scope of the violations is limited, the DPA noted that (1) an email address in itself is personal data, even without references to names

address: [...], is an incomplete application for revoking consent to the processing of personal data. In the Company's opinion, such an e-mail may constitute

categories of recipients and, in the case of an intention to transfer to a third country, to showing whether an adequacy decision or other appropriate safeguards

designed by the controller company. Following an initial complaint, the controller removed the picture within an hour of posting and re-uploaded it after covering

personali) imposed a fine of € 30.000 on a local public health body for using an attendance detection system based on biometric data of employees. Following

this body may be considered as an administrative offense in accordance with the provisions of the RGPD, classified as an offense in its articles 83.5 and

contains, among other things, an overview of which aspects are to be taken into account, both in the assessment of whether an infringement fee is to be imposed

corresponding to a purchase that the claimant had not made, of an amount of 1500 euros. As it is an amount high, the respondent entity proceeded, subsequently

additional box implies an agreement to trade in personal data. According to the Inspectorate, the defendant also does not demonstrate that an objection received

and Article 12.3 AVG - If Article 21.1 AVG imposes an obligation on the controller to make the Where an obligation follows from Article 21.1 AVG for the

Union or Member State Law (as e.g. the VIG) stipulate an obligation to publish the results of checks An internet platform ("Frag den Staat") requested the

laws. During an ongoing dispute at a Norwegian Court of Appeal regarding the award of occupational injury insurance between a complainant and an insurance

constitutive of an infraction, attributable to the claimmado , for violation of art. 5.1 c) RGPD.The known facts are constitutive of an infraction, attributable

indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or one or more factors

the computer’s desktop. An additional camera had ot be installed on the students’ devices, as a mandatory condition to sit an exam. The second camera captured

is associable to an identified or identifiable person (not only associable to person physical), and that, in addition, constitutes an automated treatment

transpired that the transfers were occurring due to an internal IT error, which Company B labelled as an "internal configuration error." The Luxembourg DPA

pre-recorded from a generic account and an individual account. It can also be accessed from a connection from an external computer station using its identifiers

particular reference to an identifier is considered identifiable such as the name, an identification number, location data, an online identifier or one

balancing of interests under Article 21(1) GDPR. A data subject working as an accountant had submitted false documents to the bank and was consequently

Televisión Española, S.A. (RTVE), had published an unaltered audio recording of her speaking in court. An investigation by the DPA confirmed multiple instances

Following an investigation the AEPD imposed a fine of 20.000 EUR on IBERIA Airlines for the violation of Article 6(1)(f) GDPR, when further sending unsolicited

via e-Boks regarding an investigation. Statistics Denmark responded to the inquiry on 11 September 2020. It appeared from this that an error must have occurred

In an Article 60 GDPR procedure, the Danish DPA reprimanded Danske bank for a violation of Article 32(1) GDPR. A technical error resulted in the unauthorised

Article 2(2)(c) GDPR. Person A (the complainant) who lives in an apartment building received an e-mail from their neighbour along with a recording marked “Tal

generic errors at the basis of an undue contact or an unsuitable response, is not suitable for eliminating Society, provided that an adequate structuring of systems

may also be read as an application to change the date of dissolution in the contested decision to a later date. 3.7. Trigion lodged an appeal in which it

conviction of A and his background as an expert. A's private family relationship is also mentioned. Search match c) led to an article on […] .no and was about

directly or indirectly, in particular by an identifier, such as a name, an identification number, data location, an online identifier or one or more elements

and proceedings without an order or fine against the controller. The parent complained to the DPA about this decision using an internal administrative

indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or one or more factors

case, as an additional or substitute for the measures referred to in article 58, paragraph 2, letters a) to h) and j). When deciding to impose an administrative

third parties as highly risky. In this regard, an unencrypted access to the system does not guarantee an adequate level of security. The data controller

The Spanish DPA (AEPD) warned a Home Owners' Association for an infringement of Article 5(1)(f) GDPR, due to the disclosing of personal data in a debtors

the group. In 2017, the controller asked the DPA of Thüringen whether such an appointment was lawful, due to concerns of conflict of interests and lack

Adherence to an approved code of conduct pursuant to article 40 or to a certification mechanism approved under article 42 may serve as an element to demonstrate

notwithstanding an appeal. The decision to erase data in accordance with Article 100, § 1, 10°, is not enforceable by provision. § 2 An appeal may be lodged

indirectly, with particular reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more characteristic

to the question of whether the title is an integral part of the name 19. The question of whether the title is an integral part of the name is similarly

Appeal), with the Data Protection Authority as defendant. Such an appeal can be lodged by means of an inter partes petition stating the conditions referred to

address the other informational obligations under Article 15 GDPR. An oral response to an access request was insufficient. Under Article 15 GDPR, the controller

the controller. The data subject filed an administrative appeal against this decision with the Audencia Nacional (“AN”) who annulled the decision of the AEPD

compiled from an electronic database based on the path shown at the bottom. 6 The content of the reply letter did not provide the Applicant with an accurate

the certificate request and in the face of silence I request an appearance by requesting an appointment at the AEAT without having obtained a satisfactory

proceedings of an upcoming trial, and had used such data to send those members an individual letter requesting the extrajudicial payment of an amount of money

The AEPD fined a consultancy company €12,000 for sending an unsolicited commercial communication to the complainant, after they had been previously fined

financial advisor, suing through a collaborating company that will deposit an amount in an account in a bank. The respondent was notified of this circumstance

controller should provide an overview of distinct, well-defined purposes for which personal data is processed, along with an indication of the (categories

costs, declaring the requests for information and the request for an affirmation in lieu of an oath to have been dealt with. She submits and is of the opinion

proof of consent and legitimate interest An essential condition for the legality of data management is that it has an appropriate legal basis be. Article 6

they inform having suffered from a cyberattack. Thus, the AEPED carried out an investigation. Th AEPD found there was no evidence showing illegal access

The Croatian DPA imposed an administrative fine in the amount of EUR 5,470,000.00 on EOS Matrix as a data controller due to the multiple violations of

data subject's rights seriously and a request to exercise a right requires an immediate answer by the controller. Non-compliance can lead to administrative

judgment is based on an incorrect legal assessment. He requests the amendment in the sense of a statement of claim or, in the alternative, an application for

Graasvold, Ellen Økland Blinkenberg, Hans Marius Tessem) The case concerns an appeal from X Mission Assembly on the Data Inspectorate's decision of 19 March

personal data. On 12 September 2019, the director of the AEPD agreed to initiate an investigation to clarify the facts that have not were not mentioned in the

interim measures under Article 21 GDPR because the appellant failed to prove an urgent interest. The complainant asked his bank (ING Bank N.V.) to remove