Search results

directly or indirectly, in particular by an identifier, such as a name, an identification number, data location, an online identifier or one or more elements

not able to provide such data following an access request. A complainant, a previous worker of Amazon Spain, made an access request to Amazon in order to

directly or indirectly, in particular by an identifier, such as a name, an identification number, location, an online identifier or one or more elements

guidelines) and not the acceptance of work under an agency agreement within the meaning of the Law of Obligations Act.An impact assessment/study is not, by its nature

directly or indirectly, in particular by an identifier such as a name, identi- fication number, location data, an online identifier or one or more elements

must be sufficiently precise to be invoked by an individual and by the national courts [and imposes] an unconditional obligation. ” 4 CJEU judgment of

downloads the application form via the website of the embassy or BZ. An appointment for an intake at the consulate can be made be on the embassy's website via

Furthermore, the evaluations are only displayed when an higher amount evaluations are collected. As an additional safeguard, all students are verified via

carried out by an optician or an optician or ophthalmologist. According to the answer, many customers do not seem to know that dealing with an optician is

that was available to the creditors came from the surrender of an insurance policy and (for an amount of € 10,757) from a son of [applicants] et al. would

the law if (i) there is an infringement of a subjective right, (ii) an act or omission is in breach of a statutory duty or (iii) an act or omission is in

claimed, from the email address: ***EMAIL.1 sent an email email to the SGT and General Directorates, in which an Excel sheet was attached where you could see

Adherence to an approved code of conduct within the meaning of Article 40 or to a certification mechanism approved under Article 42 may serve as an element

exclusively at its own expense. It therefore struck down SABAM's claim for such an injunction to be issued against Netlog. SABAM is a management company which

of an adopted child. An applicant applied to the Vilnius City Administration (hereinafter - the Administration) with regards to the education of an adopted

burden of proof. It is therefore clear that an expectation of privacy arising from contract (more specifically an employment contract) has to be expressly

recidivism to be an aggravating circumstance. Se / on el / e, / 'the absence of an aggravating circumstance does not mean the existence of an aggravating circumstance

travel services to Russia offered on the website, and an offer for a group trip is requested by sending an e-mail to the registrar. Visa types other than group

of […] euros in 2015. 5. During the summer of 2015, during an internal research project on an anti-fraud mechanism, the company reused personal data contained

indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors

although Member States are in principle free to fix an appropriate fee for bringing an appeal before an administrative authority, that fee may not be set

October 2019, - an internal audit subcontracted to an audit firm covering organizational aspects, - an external audit carried out by an audit firm, in order

carried out an online control mission on the "discord.com" website and on the DISCORD mobile application on 17 November 2020. 8. On 29 December 2020, an off-site

personal information could reach an unlimited number of viewers. Dragefossen had operating revenues of around NOK 113 million and an annual profit of approx. NOK

legislator as an alternative to the judicial procedure (see articles 77 to 79 of the GDMP). The lodging of a complaint should remain an easy step for data

PT and SK (Kancelaria [...]), an administrative fine, the President of the Office for Personal Data Protection, declaring an infringement by the Chief National

indirectly, in particular by means of an identifier, such as a name, an identification number, data from location, an online identifier or one or more elements

national legislation. The DPA conducted an audit of the IT University of Copenhagen (ITU) and their use of an online proctoring service for one of their

number of persons so that the information was accessed by sending an e-mail (i.e. an automated process). 19. In this sense, it is clear that within the

there was an error in the delivery and that several letters to a couple of clients were confused. With the same date "Client indicates that an unknown person

as "personal data": any information about an identified or identifiable natural person ("data subject"); An identifiable natural person shall be considered

DPA (AEPD) against a university where they had had different roles, ("an employee, an employee with disciplinary proceedings, undergraduate student, master's

Administration Act states: When it is stipulated by law that an administrative sanction may be imposed on an enterprise, the sanction can be imposed even if no individual

proportionality assessment or an adequate weighing of interests. Therefore, the Greek DPA held that the processor acted as an independent controller within

I. Facts [2] The defendant holds a business licence as an address publisher and was active as an address trader for ten years with the aim of enabling its

Televisive Italian S.p.A. (RTI) and prohibited the broadcasting of an interview made by “Le Iene” (an Italian TV program) reporters, which infringed the Italian

imposition of an administrative fine and an injunction to appoint a data protection officer against the municipality. A. On the imposition of an administrative

Article 15(1) GDPR, but instead introduces an independent provision. The wording of Article 15(3) creates an obligation on the controller to provide the

and organisational measures to ensure an adequate level of security. A company called Gureak Lanean suffered an attempt of hacking of their servers. The

Italy held that when an individuals is asked to consent to the processing of their personal data by an algorithm in order to reach an automated decision

by Article 6(1) GDPR, after hiring a handwriting expert to determine that an alleged signature was fake. The Bulgarian DPA examined a complaint lodged

The data protection commissioner's office requested an explanation from the data controller with an explanation request dated July 4, 2023. On 10 August

rule incorrectly or makes an incorrect assessment of the facts, this could result in an incorrect decision. If NAV has used an incorrect understanding of

Nordic has stated that an order confirmation by mail is not as good documentation of a contract as an audio recording, since an order confirmation, for

punishable by a fine of 20,000,000 euros as maximum or, in the case of an enterprise, an amount equivalent to 4% as maximum of the total annual overall turnover

July 2019. Again, on 17 July 2019, NRA requested an all-round audit of its information systems by an independent external organization. NRA also developed

wanted to book accommodation in an hotel, the controller, which offered three options to do so on its website: through an external service provider, through

Protection Authority (Datatilsynet) issued a reprimand concerning the use of an acquired development and testing environment without implementing the appropriate

management platform’ (CMP), which is an interface that appears when a data subject first navigates to a websites or uses an application for the first time.

German Supreme Court (BGH - VI ZR 60/21), the court came to an opposite conclusion that an online platform collecting and publishing personal data of doctors

a company had obtained access to an employee's emails. In the first case, the company had accessed her inbox due to an acute situation where they needed

fines Vodafone €10,000 for transferring personal data from their customers to an advertising company without prior consent. After requesting the provision

The Portuguese DPA considered that an organisation is the controller of personal data when employing the services of a direct marketing company to promote

addresses in the "To" section instead of the "BBC" section while sending an email. At an unspecified time, the controller, a Romanian water supplier, incurred

In October 2020, the Polish DPA received an anonymous tip informing about this incident. The DPA started an investigation and requested information from

that CP&A maintained an online register, containing data on the cause of absenteeism in its employees. In response, it launched an own volition investigation

data as follows: 2 «any information about an identified or identifiable natural person (« the registered »); An identifiable natural person is a person who

associated an email address and/or phone number with a business account (whether as a mandatory requirement of switching prior to September 2019, or on an optional

In 2019, after conducting an internal risk analysis and a Data Protection Impact Assessment (DPIA) the hospital introduced an encryption solution for secure

CI Plus module as an alternative to a loan receiver (quasi an adapter that replaces the zapping receiver and can be inserted into an existing receiver

information. That is not an improper purpose. Court can deal with abuse of process if shown If there is an abuse in seeking a remedy for an ulterior purpose,

the same results. An automated message informing clients that the account was no longer functioning, for instance, would have been an adequate solution

controller applies for an amendment to this decision. The Deputy Data Protection Commissioner also gives the data controller an order in accordance with

AP has started an official investigation. This decision covers the period from 2012 to enwith2018. 1.2Process flow On 4 September 2018, an AP supervisor

cf. Article 24. An employee in a municipal health care center had access to highly sensitive personal data (image files) through an incorrectly configured

this is whether it is an individual case or a system-wide problem weave. If, in the case of an individual application, there is an indication that it is

"personal data": any information about an identified or identifiable natural person ("the interested party"); an identifiable natural person shall be considered

The EDPS found, after the CJEU requested for an authorisation of contractual clauses under Article 48(3)(a) of the EU GDPR, that no data transfers took

followed such an approach in the assessment of fines based on the fine concept of the Data Protection Conference of 19.10.2019. Such an assessment method

ordered an employer to delete the HR evaluation data on its employees. The decision comes after a complaint filed by an employee concerning an access request

courtyards or the vicinity of commercial buildings and the area in front of an ATM, where an individual could not expect privacy in the absolute sense. Thus, the

submitted a complaint to the AEPD stating that the defendant had sent an email containing an accusation of attempted fraud, letter of dismissal, and severance

and to make an alternative available if a student is unable or unwilling to work with proctoring, without this leading to study delay. 2.8 An internal memo

also seeks an amendment of the contested judgment, but in the sense of a complete dismissal of the action. In the alternative, it is seeking an application

committed an infringement and the Authority considers that a fine is justified, the Authority should note that the Applicant has committed an infringement

GDPR. The Bank launched an internal investigation and confirmed the committal of the violation, which it attributed to an error of an employee of its local

Following an audit, the Luxembourg DPA (CNPD) imposed a fine of €18,700 on a company because of four breaches relating to the role and position of its

with INDECEMI and received an email with the details of another person who was also in the claim process, who, in turn, received an email with the data of

the complainant's personal data in an online article) was carried out for journalistic purposes. As the complainant is an former politician and the article

indirectly, in particular by reference to an identifier, such as a name, an identification number, localisation data, an online identifier or one or more factors

thus an intentional infringement and both subjective and objective conditions for impose an infringement fee is fulfilled. Assessment of whether an infringement

assertion that the application of the legal basis justified an interest in in the present case, an assessment in concreto of all the relevant factual elements

indirectly, in particular by means of an identifier, such as a name an identification number, location data, an online identifier or one or more elements

that a delivery address is an absolute necessity for the delivery of goods to the customers. Nemlig, does not detect if an address is secret, as it is

the correct manner, with an attorney at law. The fact that an IND employee was also present at the hearing, who also spoke - as an informant - does not, contrary

combination with standardized icons that allow provide an easily visible, intelligible and clearly readable form an adequate overview of the planned treatment. The

grows day by day — subscribe to GDPRtoday to get a weekly update! GDPRhub is an initiative by noyb.eu, and made possible by the contributions of hundreds

March to [...] April 2020, with varying frequency, to an individual address e-mail address of an employee of the Company These lists included only administrative

had been opened based on an administrative act that did not comply with the legal requirements. This ruling is the result by an appeal of Rossel & Cie,

measures which effectively prevent or at the very least seriously discourage an internet user, when conducting a search from within the EU on the basis of

decision that there is: - an infringement of Article 5 (1) a), b) and c) and (2) of the GDPR and Article 24 (1) of the GDPR; and - an infringement of article

decision on an administrative remedy may be suspended as a precautionary measure if the person concerned indicates his intention to bring an action. If

seems appropriate to assume an obligation to provide information about recipients in any case, but only to accept such an obligation with regard to the

implemented such an arrangement. To begin with, the DPA pointed out that only requesting a name and personal identity code when booking an appointment online

between banks, an advisory was provided containing information about the payer, including information on his address. The system did not make an assessment

indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or one or more factors

credit registration. With an A3 coding, it is registered whether it concerns a write-off or a remission. After all, an A3 coding with an end date shows that

identified, the GP proposed to the patients, at the first contact, or with an active recall, an individual assistance plan (PAI); - until 2018, the GP only communicated

Metropolitan Court in an administrative lawsuit can be challenged. The emergency does not affect the time limit for bringing an action. The application

by an employee of the Warsaw University of Life Sciences with the rules of data processing in force at the University is evidenced by the use by an employee

court action that would only be possible later (RS0039215 [T8]). [28] An interest in an action for a declaratory judgement is to be affirmed if the request

of an unwanted text message was justified on the grounds that it was sent directly by XX Srl, without using lists from Wind Tre, on the basis of an independently

act, cannot give rise to an infringement of the GDPR. 30. The Disputes Chamber draws attention to the presence or absence of an intention does not constitute

In an Article 60 GDPR procedure, the Norwegian DPA ordered an HR-services provider, pursuant to Article 58(2)(d) GDPR, to provide the data subject with

allegations. Is sending advertising emails without the consent of the recipient an infringement of Article 21 of the Spanish Information Society Services Act

directly or indirectly, in particular by an identifier, such as a name, an identification number, location data, an online identifier or one or various elements

Following an anonymous complaint against a debt collection agency the Croatian DPA issued a €2,265,000 fine for lack of security measures, lack of a processing

Those applications were used by an unknown party (allegedly an educational institution) and developed by Respondus Inc., an American company. Respondus and

indirectly, in particular by reference to an identifier, such as a name, an identification number, localisation data, an online identifier or one or more factors

NIF S7800001E, -Due to an infringement of Article 5.1.f) of the RGPD, typified in article 83.5 of the GDPR, with a warning. -For an infringement of Article

amendment; if so, it may refrain from striking out and give an opportunity to make such an amendment.” The claimant’s case 14. The claimant says that the

from The Directorate of Customs, but can not see that they have an impact on whether an infringement fine should be imposed, or the size of this. 2 The

The DSB held that the processing of teacher data of an App called "Lernsieg" to evaluate teachers is lawful on the basis of Art. 6 para. 1 lit. f GDPR

the controller relies on an overall bundled consent to anything contained in the terms and the privacy policy. This represents an “all-or nothing” approach

law firm, sent an email to multiple recipients without putting them in bcc. The complainant was one of the recipients. Does sending an email without putting

claimed party is considered responsible for an infringement typified in article 83.5.a) of the RGPD, in an initial assessment, they are considered concurrent

ban, including the preparation and sending of an updated impact analysis for the use of the Services with an expected completion time of 2-3 months from

homosexuality, political parties or diseases. The plaintiff was shown an advertisement for an Austrian politician based on the analysis that he resembled other

Inspectorate with the request to conduct an investigation into the extent to which the request to conduct an investigation into the extent to which the

accounting firm U BVBA, Z BVBA sent an e-mail to the applicant, Ms U1 and Mr U2 on 15 July 2019. On 15 July 2019, Z BVBA sent an e-mail to the applicant, Ms U1

report stated that NIF received an inquiry from the National Cyber Security Center (NCSC-NO) on 18.12.19 regarding an extract from the sport's member database

Article 83 of the GDPR that an administrative fine of up to 250,000 euros, an injunction accompanied by a fine as well as an additional penalty publication

indirectly, in particular by reference to an identifier such as a name, an identity number, location data, an online identifier or one or more factors specific

premises justifying the imposition of an administrative fine on the Company.           When deciding to impose an administrative fine on the Company, as

have not committed an offence pass in front of the exit terminal and noted that the data relating to vehicles that have not committed an offence are not transmitted

competent to adjudicate an application for compensation for material or immaterial damage resulting from an act in violation of the AVG by an administrative body

defines personal data as those belonging to “not only an ‘identified natural person’, but also an ‘identifiable natural person’”. Moreover, a representative

The Hellenic DPA fined a processor €30,000 for failing to grant an appropriate level of security of personal data under Article 32(2), Article 32(4) GDPR

rather because the ex-spouse had mistakenly introduced the email with an “i” instead of an “e” in the data subject’s name. Additionally, the HDPA noted that

DPA held that the controller had to provide an answer to the request within 14 days. The data subject made an access request for a full diagnosis report

inadmissibility, files an appeal of replacement that is resolved in an estimatory manner and gives rise to the current claim: Namely: “…Consequently, when an interested

happened, Transavia engaged an external service provider to conduct a root-cause-analysis. Circumstances of the breach: By using (i) an automated method in which

The request for a hearing must be indicated in the application. An action brought against an order is adjudicated by the court in a simplified trial out of

operates an online mail-order pharmacy under the brand "E.", which is available at "https: //www.E ..de ”. On October 6, 2018, a private person filed an online

updated for possible security vulnerabilities. It has an anti-injection system of SQL orders and an Intrusion Prevention System (IPS). Only TCP 80 (the port

the controller relies on an overall bundled consent to anything contained in the terms and the privacy policy. This represents an “all-or nothing” approach

results following an Article 17 erasure request. An online newspaper article from 2012 mentioned the complainant's resignation as the head of an educational

account of one of the applicants was a result of an investigation which included actions taken by an Uber employee such as carrying out a personal conversation

capacityindividual both administrative and criminal.An application file signed by me is attached ”.THIRD: There is an email sent by the VOX DPO of 05/16/2019responding

indirectly, in particular by means of an identifier, such as a name, an identification number, data from location, an online identifier or one or more elements

this discussion because of an incorrect delivery of the invitation. The respondent, another political party, then posted an entry on her public Facebook

The Spanish DPA (AEPD) fined an audit company €3,000 for a security breach occurred when they sent the claimant information of another client, instead

Internet for an infringement of the right to privacy and violation of the GDPR. The request is based on unlawful processing of personal data. An infringement

to comply with an application to exercise the rights set out in Articles 15 to 22 of Regulation (EU) 2016/679, it shall be initiated by an admission agreement

contract' is not simply an assessment of what is permitted by or written into the terms of a contract. [...]The concept of necessity has an independent meaning

certainly not in light of the defendant's statement that an opinion from the VTC was not possible within an acceptable period of time. 29. Finally, inasmuch as

provide access to the affected individual. The Complainant had an accident outside a store, and an Action has been filed subsequently. Access to the video footage

The Upper Tribunal dismissed an appeal against the FTT's decision to uphold three fines imposed on Leave.EU and Eldon Insurance Services by the UK DPA

The District Court of Pankow held that a controller can refuse to answer an access request under Article 15 GDPR if the effort required to comply with

they have been able to verify that due to an error in the answering process The complainant was sent a copy of an answer that was not related with the claim

"Category" of "Trainee". For the "BECA" concept, there is an accrued amount of 35 euros and an income tax deduction of 2%. The document devotes various

The Spanish DPA fined Mapfre, an insurance company, for a violation of Article 6 GDPR for processing personal data for an insurance policy without a legal

with an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element

subsequent period of 3 months. (2) The Tribunal may, on an application by the data subject, make an order requiring the Commissioner (a) to take appropriate

the perpetrators for an act that has already been sanctioned by a criminal court as a criminal offence? In this case, the AEPD found an infringement of Article

personal data was unlawful may be reviewed by way of an action for a declaratory judgment if there is an interest in a declaratory judgment. (2) Where personal

indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an on-line identifier, or to one or more factors

5(1)(c) GDPR. The controller must however inform the data subject through an information sign. On 20 May 2021, a Spanish natural person (the data subject)

directly or indirectly, in particular by an identifier, such as a name, an identification number, location, an online identifier or one or more elements

The NAIH fined €1.500 an employer in the public sector for unlawful search in archived e-mail account of former employee. An employer searched in the archived

unauthorized persons. c) .- The office is located in an industrial warehouse. To access it you must call an external bell, enter with authorization, cross the

indirectly, in particular by means of an identifier, such as aname, an identification number, location data, an online identifier or one or morevarious

that a controller, regardless of the burden of proof, has always an obligation to reply to an access request, even if the content of such a reply is merely

by e-mail to different persons outside and inside the company constitutes an infringement of Article 5(1)(f) GDPR. ATPSA's union representative at ITP

system with his phone and shared the video via WhatsApp, the AEPD carried out an investigation. The AEPD found a data breach due to the improper filming of

directly or indirectly, in particular by an identifier, such as a name, an identification number, location, an online identifier or one or more elements

police authorities at their request. It concerned an incident where the child was depicted picking up an object from the ground, which had been lost by a

controller didn’t provide an answer. On 8 August 2022, the data subject filed a complaint at the Belgium DPA for the lack of an answer to the request. The

where it finds an inadequacy in the investigation or an error that makes the conclusion impossible. In this case, I would first expect an explanation that

in relation to an access request that was answered incorrectly by a company, and ordered it to pay the claimant €1,250. The defendant is an auto-mobile manufacturer

The French DPA (CNIL) imposed a €150,000 fine on an undisclosed data controller operating an online shopping for failing to properly secure personal data

the to transfer personal data to a third country or an international organisation; or whether or not an adequacy decision by the Commission exists; or, in

when creating an account by a person via the mobile application and that a password consisting of six characters was accepted when creating an account via

suggested to exist an ongoing threat to the Claimant's personal data, such as to justify an injunction. 
 
 The prospect of an award of an injunction seems

states that the Motor Insurance Agency is not an operator that could be excluded from the application of an administrative penalty, taking into account that

adds that he had knowledge of this debt through an SMS and appeared in a shop of the claimed to obtain an invoice for the amount of € 56.88 although the

provided by an external actor in third countries, the treatment may be presumed to have entailed a particular risk of infringement registered privacy. An impact

€1500 fine against an individual for installing security cameras pointed towards the public street and nearby private properties without an adequate information

received from the registrar An explanation has been requested from the controller with an explanation request dated 22 January 2021 and an additional explanation

Article 123 of the LPACAP, the interested parties may lodge, on an optional basis, an appeal for a reversal to the Director of the Spanish Data Protection

Article 123 of the LPACAP, the interested parties may lodge, on an optional basis, an appeal for reversal to the Director of the Spanish Data Protection

Dutch, TikTok failed to provide an adequate explanation of how the app collects, processes and uses personal data. This is an infringement of privacy legislation

indirectly, in particular by means of an identifier such as a name, an identification number, location data, an online identifier or one or more elements

(controller) published an Excel sheet on its website. This Excel sheet contained personal data of vehicle owners who had requested an address change. The

the staff council is suspended as long as an employee is prohibited from conducting official business or an official is temporarily suspended due to a

threshold of the door of the store (the mara captures an important part of the sidewalk without observing an information sign), for outside, the silhouette of

income etc.). In April 2021, the controller sent an email to everyone who registered for the project with an unencrypted Excel file attached, which contained

functions during an investigation, as Vodafone did not comply with an order to provide information to the DPA. The Spanish DPA (AEPD) launched an investigation

event of an alarm going off and the presence of intruders is detected. The establishment does not have a video surveillance system but rather an intruder

procedure 1. On May 6, 2018, the complainant sends an email to the Data Protection Authority (DPA) requesting an opinion on a data processing operation carried

initated an inquiry. The Ministry was summoned to answer a questionnaire. It stated that the drones had also been used for other purposes : scouting an area

ruled that the collection and use of name and VAT number by an accountant on behalf of an heir without a relevant order constitutes a violation of articles

argument that the scope of the violations is limited, the DPA noted that (1) an email address in itself is personal data, even without references to names

address: [...], is an incomplete application for revoking consent to the processing of personal data. In the Company's opinion, such an e-mail may constitute

categories of recipients and, in the case of an intention to transfer to a third country, to showing whether an adequacy decision or other appropriate safeguards

designed by the controller company. Following an initial complaint, the controller removed the picture within an hour of posting and re-uploaded it after covering

personali) imposed a fine of € 30.000 on a local public health body for using an attendance detection system based on biometric data of employees. Following

this body may be considered as an administrative offense in accordance with the provisions of the RGPD, classified as an offense in its articles 83.5 and

contains, among other things, an overview of which aspects are to be taken into account, both in the assessment of whether an infringement fee is to be imposed

additional box implies an agreement to trade in personal data. According to the Inspectorate, the defendant also does not demonstrate that an objection received

corresponding to a purchase that the claimant had not made, of an amount of 1500 euros. As it is an amount high, the respondent entity proceeded, subsequently

and Article 12.3 AVG - If Article 21.1 AVG imposes an obligation on the controller to make the Where an obligation follows from Article 21.1 AVG for the

Union or Member State Law (as e.g. the VIG) stipulate an obligation to publish the results of checks An internet platform ("Frag den Staat") requested the

laws. During an ongoing dispute at a Norwegian Court of Appeal regarding the award of occupational injury insurance between a complainant and an insurance

constitutive of an infraction, attributable to the claimmado , for violation of art. 5.1 c) RGPD.The known facts are constitutive of an infraction, attributable

indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or one or more factors

the computer’s desktop. An additional camera had ot be installed on the students’ devices, as a mandatory condition to sit an exam. The second camera captured

is associable to an identified or identifiable person (not only associable to person physical), and that, in addition, constitutes an automated treatment

transpired that the transfers were occurring due to an internal IT error, which Company B labelled as an "internal configuration error." The Luxembourg DPA

pre-recorded from a generic account and an individual account. It can also be accessed from a connection from an external computer station using its identifiers

particular reference to an identifier is considered identifiable such as the name, an identification number, location data, an online identifier or one

balancing of interests under Article 21(1) GDPR. A data subject working as an accountant had submitted false documents to the bank and was consequently

Televisión Española, S.A. (RTVE), had published an unaltered audio recording of her speaking in court. An investigation by the DPA confirmed multiple instances

Following an investigation the AEPD imposed a fine of 20.000 EUR on IBERIA Airlines for the violation of Article 6(1)(f) GDPR, when further sending unsolicited

via e-Boks regarding an investigation. Statistics Denmark responded to the inquiry on 11 September 2020. It appeared from this that an error must have occurred

In an Article 60 GDPR procedure, the Danish DPA reprimanded Danske bank for a violation of Article 32(1) GDPR. A technical error resulted in the unauthorised

Article 2(2)(c) GDPR. Person A (the complainant) who lives in an apartment building received an e-mail from their neighbour along with a recording marked “Tal

generic errors at the basis of an undue contact or an unsuitable response, is not suitable for eliminating Society, provided that an adequate structuring of systems

may also be read as an application to change the date of dissolution in the contested decision to a later date. 3.7. Trigion lodged an appeal in which it

conviction of A and his background as an expert. A's private family relationship is also mentioned. Search match c) led to an article on […] .no and was about

directly or indirectly, in particular by an identifier, such as a name, an identification number, data location, an online identifier or one or more elements

third parties as highly risky. In this regard, an unencrypted access to the system does not guarantee an adequate level of security. The data controller

and proceedings without an order or fine against the controller. The parent complained to the DPA about this decision using an internal administrative

indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or one or more factors

case, as an additional or substitute for the measures referred to in article 58, paragraph 2, letters a) to h) and j). When deciding to impose an administrative

the group. In 2017, the controller asked the DPA of Thüringen whether such an appointment was lawful, due to concerns of conflict of interests and lack

Adherence to an approved code of conduct pursuant to article 40 or to a certification mechanism approved under article 42 may serve as an element to demonstrate

The Spanish DPA (AEPD) warned a Home Owners' Association for an infringement of Article 5(1)(f) GDPR, due to the disclosing of personal data in a debtors

notwithstanding an appeal. The decision to erase data in accordance with Article 100, § 1, 10°, is not enforceable by provision. § 2 An appeal may be lodged

indirectly, with particular reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more characteristic

to the question of whether the title is an integral part of the name 19. The question of whether the title is an integral part of the name is similarly

Appeal), with the Data Protection Authority as defendant. Such an appeal can be lodged by means of an inter partes petition stating the conditions referred to

address the other informational obligations under Article 15 GDPR. An oral response to an access request was insufficient. Under Article 15 GDPR, the controller

the controller. The data subject filed an administrative appeal against this decision with the Audencia Nacional (“AN”) who annulled the decision of the AEPD

compiled from an electronic database based on the path shown at the bottom. 6 The content of the reply letter did not provide the Applicant with an accurate

the certificate request and in the face of silence I request an appearance by requesting an appointment at the AEAT without having obtained a satisfactory

proceedings of an upcoming trial, and had used such data to send those members an individual letter requesting the extrajudicial payment of an amount of money

The AEPD fined a consultancy company €12,000 for sending an unsolicited commercial communication to the complainant, after they had been previously fined

financial advisor, suing through a collaborating company that will deposit an amount in an account in a bank. The respondent was notified of this circumstance

controller should provide an overview of distinct, well-defined purposes for which personal data is processed, along with an indication of the (categories

costs, declaring the requests for information and the request for an affirmation in lieu of an oath to have been dealt with. She submits and is of the opinion

proof of consent and legitimate interest An essential condition for the legality of data management is that it has an appropriate legal basis be. Article 6

they inform having suffered from a cyberattack. Thus, the AEPED carried out an investigation. Th AEPD found there was no evidence showing illegal access

The Croatian DPA imposed an administrative fine in the amount of EUR 5,470,000.00 on EOS Matrix as a data controller due to the multiple violations of

data subject's rights seriously and a request to exercise a right requires an immediate answer by the controller. Non-compliance can lead to administrative

judgment is based on an incorrect legal assessment. He requests the amendment in the sense of a statement of claim or, in the alternative, an application for

Graasvold, Ellen Økland Blinkenberg, Hans Marius Tessem) The case concerns an appeal from X Mission Assembly on the Data Inspectorate's decision of 19 March

until9July2021. In an e-mail message dated1June2021, the Respondent requested a new for an extension of the conclusion period until 1 September. 10. In an e-mail message

personal data. On 12 September 2019, the director of the AEPD agreed to initiate an investigation to clarify the facts that have not were not mentioned in the

interim measures under Article 21 GDPR because the appellant failed to prove an urgent interest. The complainant asked his bank (ING Bank N.V.) to remove

data as follows: "Any information about an identified or identifiable natural person (" the data subject "); an identifiable natural person is a person

indirectly, in particular by means of an identifier, such as a name, an identification number, data from location, an online identifier or one or more elements

the controller relies on an overall bundled consent to anything contained in the terms and the privacy policy. This represents an “all-or nothing” approach

month of receiving these requests for an extension to fulfil the contested right. Additionally, they did not provide an explanation for the delay. The DPA

Romanian DPA (ANSPDCP) fined SC Medicover SRL with €2,000 after completing an investigation concerning the operator and finding a violation of Article 32

The Romanian DPA (ANSPDCP) imposed an approximately €2000 fine on SC C&V Water Control SA for failing to provide information to the DPA during the investigation

parties reached an agreement before the Court of Appeal of Brussels (commercial section) had to render a judgement. The parties reached an agreement which

Authority (Επίτροπος Δεδομένων Προσωπικού Χαρακτήρα) found that consent is not an appropriate legal basis for processing employees' personal health data. In

15 GDPR, for failing to respond to an access request submitted by a participant in a telephone survey. In this case an individual, the data subject, who

subsequent period of 3 months. (2) The Tribunal may, on an application by the data subject, make an order requiring the Commissioner- (a) to take appropriate

with Article 123 of the LPACAP, the interested parties may, on an optional basis, file an appeal for replacement to the Director of the Spanish Data Protection

processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of an undertaking, 2% of the total annual worldwide

data is all information that relates to an identified or identifiable natural person ('data subject'), and, in an employment relationship, the employer inevitably

others, to the possibility of making an injunction and imposing a fine and to the right to file a case before issuing an administrative act in accordance with

who was not able to provide an explanation. After receiving the report, the AEPD also tried to contact the company for an analysis of the case, measures

cessations in such position); the claimant also attached such list in an Excel file as an evidence of its claim. According to the claimant, such information

The Spanish DPA (AEPD) imposed a fine of €3,000 to an online perfume shop for displaying personal data (including billing information and address) to a

files an appeal for reversal on 03/18/2021, appeal that is declared inadmissible for being filed out of time. The claimant on 06/30/2021 presents an extraordinary

observed. There was also no suspicious network traffic suggesting an external attack. An assessment of technical measures in terms of IT infrastructure,

instead of providing access to data after an access request by the data subject. The data subject submitted an access request Article 15 GDPR for his two

personnel delegates, whichit implies the realization of an electoral campaign and the publication of an electoral census.C / Jorge Juan, 6www.aepd.es28001 -

The Higher Regional Court of Köln held that an access request of an insurance holder aimed to verify the lawfulness of premium increases - and not the

on how to delete an account, Check out our Help Center. If you want to report an account that belongs to a minor, please, send us an email. In your email

disability status. In July 2020, an individual sent an e-mail to the Hellenic DPA reporting that when they attempted to submit an application on the tourism4all

violations in writing. This decision is an appeal of decision 24/2020, where a customer (the data subject) of an insureance company (the controller) claimed

person, to an undetermined number of people physical. 3. An approved certification mechanism may be used in accordance with the Article 42 as an element that

Regulation stipulates the imposition of an administrative fine in accordance with Article 83, paragraph 4, point a), that is, an administrative fine of up to EUR

Chamber, which requested an investigation by the Inspection Service. Should you forward e-mails to a new recipient, or display an automated response to say

with standardised icons allowing provide in an easily visible, intelligible and clearly legible manner an adequate overview of the planned treatment. The

necessity. The DPA also reprimanded the controller for failing to reply to an access request within one month. The data subject found out that the controller

notice of a traffic offense due to an improper parking of a professional car that, in that moment, was being driven by an employee of him (the claimant),

was uploaded to an online archive in 2010. In the document the complainant is identified by name and accused of unfair treatment of an employee. The Celle

Correctional Service (DCS) regarding their processing of personal data, specifically an overview of such processing (equivalent to Article 30 GDPR) for purposes related

new evidence revealing that the violation of the right to object was due to an isolated error and not to malicious intent. In a previous decision (hub: 13/2021)

appellant may challenge this decision within 30 days by submitting an appeal to an administrative court in accordance with the Code of Administrative Court

public interest. In a decision of 16 July 2019, the AP dismissed an objection made by an appellant against the decision to lift the order as unfounded as

2021 the French DPA (CNIL) carried out an online inspection of the website "facebook.com" in the context of an investigation into the processing of the

received an election propaganda letter dated 9 October 2018 from Mr. Y - a letter on the letterhead of the commune of ... the Mayor's office and in an envelope

Commissioner for Data Protection and Freedom of Information (HmbBfDI) issued an order under the GDPR's urgency procedure prohibiting Facebook Ireland Ltd

in Article 6 (1) and an additional criterion under Article 9 (2) of the GDPR apply. Article 9 (2) of the GDPR does not contain an exception that would

the Metropolitan Court in an administrative lawsuit 2subjectable. The emergency does not affect the time limit for bringing an action. The application to

the Administrative Court Rules - VwGO - an action for rescission is admissible, since the contested warning is an administrative act - at least a declaratory

basis of a request for an official procedure in parallel with an ongoing procedure Page 12 12there is also a civil action in which an interim measure is granted

the case of an arbitrary assumption of an "acte clair" or an "acte éclairé" by the specialised courts, the scope of assessment is exceeded in an unjustifiable

Google LLC was under a legal obligation to preserve search results relating to an employee selection process at a public body and rightfully rejected a data

The Spanish DPA dropped an investigation due to time limitation periods for infringments outlined in national law. The claimant became aware, in the course

to his report, when the patient makes an order, the registrar does not directly ask separately whether it is an order related to the right of inspection

the data subject had withdrawn a complaint, the Hellenic DPA continued with an ex officio investigation into the sending of unauthorized advertising messages

Adherence to an approved code of conduct pursuant to article 40 or to a certification mechanism approved under article 42 may serve as an element to demonstrate

indirectly, in particular through reference to an identifier such as a name, an identity number, location data, an online identifier or one or more factors that

Contact Tracing do not contain an obligation for restaurants to collect data on customers (under Article 6(1)(c) GDPR) but only an obligation provide certain

justify this, PSI mentioned that the contact form was not operational, so an email address was provided instead. The Spanish DPA encountered many errors

carried out, or with three carried out out, by an ultimate wrongdoer; (II) there should be the need for an order to be action to be against the time? and

employees have not had an official need for such access. The hospital says in its letter that the personal information "was in an area that was not natural

E-Mail-Adresse an Maichimp, die Gegenstand Ihrer Beschwerde ist - datenschutzrechtlich unzulässig, weil [...] nicht geprüft hatte, ob für die Übermittlung an Mailchimp

The attribution to the [complainant] of an assessment "overall in line with expectations" was not the result of an automated decision-making process without

the respective agency to submit an official notification of a positive PCR test. In the case in question, however, an official report was submitted on

Following an investigation the Spanish Data Protection Authority imposed a fine of EUR 60,000 on XFERA MÓVILES for violation of Article 6(1)(a) GDPR. Ms

with consumers], an elaborate model declaration of consent must be provided previously by the person responsible for the treatment with an intelligible formulation

Protection Office. On [...] - [...] April 2020, there was an exchange of correspondence between an employee of KSSiP, AM (as part of the activities ordered

indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more special

auditee "acting as trustee of the condominium Residence A […], sent an email to Mrs A and an email to Mr and Mrs B, all three co-owners of the residence, within

"personal data": any information about an identified natural person or identifiable ("the interested party"); An identifiable natural person shall be deemed

(hereinafter: "Plenary Session") had decided to open an Plenary Session") had decided to open an investigation at Company A on the basis of Article 37

such users to IP owners or to a third party for the purposes of initiating an action for damages. However, initiatives and requests in this regard must

of lawyer] ([name of lawyer]), lawyer, filed an application with the respondent on behalf of claimant for an addition in connection with a civil appeal procedure

and Article 13 GDPR and decided to: - impose an administrative fine of €7,600 on the controller, - issue an injunction to the controller to bring the processing

given an effective way to exercise his/her GDPR rights (as the email address provided refused each email received); (iii) the website offered an option

diseases and emergencies caused by them, the authority, during an epidemic threat or state of an epidemic announced due to COVID, may issue a decision entirely

processing of data for both identification and marketing purposes will be an active act, an active behavior.2.End the practice of restricting the e-mail addresses

law-friendly representative, while the complainant did not have an overriding could demonstrate an interest in secrecy. The same result can be reached on the

Following an investigation, the Spanish Data Protection Authority (AEPD) imposed a fine of 120,000 Eur on VODAFONE ESPAÑA SAU (Vodafone) for a serious

Regionalist Party of Aragon (PAR) violated Article 21 GDPR by continuing to send an individual unsolicited political canvassing materials after she had exercised

claimed party is considered responsible for an infringementtypified in article 83.5.a) of the RGPD , in an initial assessment, they are considered concurrentthe

on 16 May 2019. On 20 February 2019 the complainant received an email with an invoice for an alleged contracted telephone line from Vodafone España, S.A

indirectly, in particular by reference to an identifier, such as a name, an identification number, localisation data, an online identifier or one or more factors

on a data services company that refused to grant access to its premises for an on-site inspection, in breach of Article 58(1) GDPR. QUALITY-PROVIDER S.A

surveillance through a warning. The controller also submitted a certificate by an external company ensuring that the surveillance system only points to the

for the provision of an aid to a city patient, which has not been regarded in the case-law as an appealable decision equivalent to an administrative decision

a fine for an amount of 70,000 euros (seventy thousand euros). TENTH: Once the proposed resolution was notified, the defendant requested an extension term

risks. The Minister of Interior (the controller) requested the French DPA for an opinion on a draft decree made pursuant to Act No. 2023-380 of 19 May 2023

The HDPA issued an opinion requested by the Supreme Council For Civil Personnel Selection (ASEP) on the basis of Article 36 GDPR regarding the online publication

itself incompetent to assess which of the different legal grounds applicable to an access request is the most beneficial for the complainant, in a case where

Articles 112 and 123 of the LPACAP, the interested parties may, on an optional basis, lodge an appeal for reconsideration with the Director of the Spanish Agency

The Spanish DPA (AEPD) held that the data controller must give an express answer which justifies by any means the receipt of a request for erasure, without

to sanction the unlawful processing of personal data relating to an employee. Ms. XX, an employee of TB s.r.l., claims a violation of her data protection

FURNISHYOURSPACE SL €3,000 for infringing the Spanish Law regulating cookies after an investigation launched due to a complaint referred by the Berlin DPA, for

alpen***.at. After rejecting an offer by the controller for a stay in one of the controller's hotels, the data subject received an email with advertisement

fundamental rights of an individual, which is the right to protection of his/her personal data, or more broadly, to protection of his/her privacy. An essential element

footage and sharing it without authorization. The data subject was a member of an a community of owners, the controller. They complained with the president

he is on the X portal published an article entitled "X" (URL: X) in which his personal information was published. As an attachment to his request, the applicant

that the defendant had an informational poster on the door of access to the rented premises as a home, informing that it was an area video-surveillance

the data subject is not entitled to the deletion of a search result about an interview he gave. Particular consideration was given to the lack of sensitivity

found that an attempt was being made unduly conceal the information held by the authorities and make the state opaque, which is not inherent in an open democracy

thus, figure one in the case of an individual dressed in a suit green, military with a background image of a hangar with an airplane (photo H hereinafter)

° request an investigation from the inspection service in accordance with Article 63, 2 ° ; 2° request the inspection service to carry out an additional

Every EU jurisdiction has different legal writing styles. We have tried to develop a common ground in our GDPRhub style guide. → Please consult the GDPRhub

regarding the collection and processing of data of an energy company, the Spanish DPA (AEPD) launched an investigation. In the first place, they found that

not compliant with Article 32 of the GDPR. It recommended the use of BCC as an alternative. The data subject complained to the Greek DPA (the HDPA) about

A housing cooperative had incorrectly judged that the use of an electric lock system did not process personal data. The Finnish DPA ruled that, as individuals

wife and I had an attack of anxiety and fear. These events occurred on 08/07/2019 01:50 AM and 08/08/2019 05:30 AM, which were testified in an appearance procedure

regarding the collection and processing of data of an energy company, the Spanish DPA (AEPD) launched an investigation. In the first place, they found that

(ANSPDCP) fined an apartment building owners association €500 for illegally processing the image of a data subject. The owners association of an apartment building

this body may be considered as an administrative offense in accordance with the provisions of the GDPR, classified as an infraction in its article 83.5

or indirectly, in particular throughreference to an ID, such as name, ID number, datalocation, on an online ID or on one or more agents thatspecific to

certification mechanism approved in accordance with Article 42 may serve as an element for demonstrating compliance with the requirements set out in paragraph

reprimanded Tarlun Limited for violating Article 12(3) GDPR by failing to respond to an access request within one month due to a misperception. The decision recognised

Appellant was sentenced in an accessory sanction of disqualification from driving for a period of 90 (ninety) days for the practice of an infraction to art. 27º

processing, is issued an official warning due to processing (publishing) personal data of prize winners on the official website page to an excessive extent

indirectly, in particular by means of an identifier such as a name, an identification number, location data, an online identifier or one or more elements

The object of the complaint is the distribution of the photo as an attachment to an e-mail. The complainant argues that there is Page 4 Substance decision

The Belgian DPA (APD/GBA) held that an environmental regulation enforcement agency violated Article 5 and 6 GDPR by disclosing the name of a complainant's

report in 2023 was a two-button form with an “I VALIDATE” button written in white on a red background and an “I REFUSE” button written in black on a grey

patients' consent for an additional blood sample to be taken to check for the presence of antibodies to COVID-19. It has been considered an important factor

such an application would have to be submitted to the public prosecutor's office. 8th 6. In a letter dated ... ...2019, the plaintiff brought an action

case. 11. This report proposed that the restricted panel impose an administrative fine and an injunction to bring the processing into compliance with the provisions

Society Services (LSSI). Borjamotor, S.A., recognizing its responsibility, made an early payment of €4.800 (reduced from the original €8.000 fine). In 2016,

The Austrian Federal Administrative Court rejected an appeal against a decision by the Austrian DPA: the failure to inform a data subject under Article

Administration Act states: "When it is stipulated by law that an administrative sanction may be imposed on an enterprise, the sanction can be imposed even if no individual

infringing Article 58(2) GDPR due to an alleged infraction of the right of access by a data subject. The defendant agreed to an early and guilty voluntary payment

not responding to an access request. The data subject also approached LEXER, the credit recovery company for ABANCA, requesting for an immediate cessation

The Danish DPA (Datatilsynet) held that an electronic ticketing system for public transport violated the principles of lawfulness, fairness, and transparency

be properly documented. A data subject made an access request to an educational institution, asking for course programs, statistical data of the grades and

Administration Act states: "When it is stipulated by law that an administrative sanction may be imposed on an enterprise, the sanction can be imposed even if no individual

reprimanded Barclays for an excessive retention of the complainants’ personal data in a credit information system (CIS) recognising that it was an isolated and bona

documents). These Russian citizens - allegedly part of an Eastern European Immigrants' Association (EDINSTVO), an organisation for the support of eastern European

ID documents. A data subject was asked by AirBnb (the controller) to submit an ID card together with a newly taken photograph for identity verification when

house with an angle of vision”. Their operation is varied, with multiple possibilities depending on the model and brand, sometimes allowing an image to be

had been successfully deleted. However, 6 months later the claimant received an SMS from the salon again and therefore lodged a complaint before the Spanish

pursuant to Article 32(1) GDPR, which led to a personal data breach caused by an employee's error. The controller is the Danish Agency for Digitisation. As

1 and your address at Spain. A copy of an Ibercheck report according to which, linked to your NIE, there is an annotation of non-payment in the BADEXCUG

83(5)(a) GDPR where a company can be fined up to €20000000, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding

University Hospital (AUH). Based on this, on 19 December 2022, the DPA initiated an investigation against the Central Denmark Region (the controller). During

must be able to prove without difficulty that they have carried out an identification, an assessment and a framework of the risks in terms of protection of

replaced by Article 1-9 § 5. 1Article 1-9 § 5: Correction of an error made in an act, an extract of an act, a decision or a document published in the Annexes

Bundesgerichtshof asks for an answer to the question whether, in the case of a request for a listing against the person responsible for an internet search service

their DPO who independently monitored decisions made in their capacity as an executive of the company. The Data Protection Officer (“DPO”) of a Berlin

has been given to [applicant under 1]: “Client is portrayed as an important player in an alleged fraud in connection with broadcasting rights of football

The Romanian DPA (ANSPDCP) conducted an investigation into ING Bank N.V. Amsterdam – Bucharest Branch, following a personal data breach notification, and

The Romanian DPA fined the President of an Association of Owners €300 for not providing the information requested by the DPA by the legal deadline. The

to all cookies. Is publishing illegal recordings of a witness on a website an infringement of Article 6(1)(a) GDPR? Is placing cookies without consent when

plaintiff's assets, so that the plaintiff has an even greater interest in the deletion of the negative entries compared to an insolvency debtor who has completed

indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or more elements

including by e-mail and via a file transfer link. Also, they were given (an unencrypted) USB stick which they dropped into the controller's letterbox

jurisdiction in 2019. Based on this notification, the Swedish DPA initiated an investigation into the medical data which the Uppsala Regional Council emailed

the supervisory authorities in Article 57 (1) of the GDPR.Thus, on 31/10/18, an information injunction was sent to the entity in question. THIRD:By letter

which constitutes an aggravating circumstance in this case (the nature, gravity and duration of the infringement); 3. The Company made an informed decision

data accessible to an unlimited number of people, or if it extends, even partially, to the public sphere and is thereby directed to an area outside the private

the AB0086485 credit note had not been paid because it was offset against an existing debt that was outstanding. It adds that a credit note corresponding

The Spanish DPA ordered a processor (Amazon Web Services) to answer an erasure request from a data subject that had not been completed by the controller

indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or more elements

000,000 Eur or, in the case of an undertaking, an amount not exceeding 20,000,000 or, in the case of an undertaking, an amount equivalent to a maximum

to comply with a DPA's request for access to information in the course of an investigation, conduct sanctioned in Article 83(5)(e) GDPR. The company has

This infringement is punishable by a fine of up to or, in the case of an enterprise, an amount equivalent to a maximum of 4% of the total annual turnover for

find any contact information of the DPO. There was only an online form available. They wrote an email to the controller and asked to reveal the contact

the dispute amicably. In an email of August 12, 2020 (2:48 p.m.), Mr. De Haan stated that the parties were unable to reach an amicable settlement. 1.4

with standardized icons allowing provide in an easily visible, intelligible, and clearly legible manner an adequate overview of the planned treatment.

of personal data to a third country or to an international organization, and the existence or absence of an adequacy decision issued by the Commission

for parties to be represented by an attorney, which included the sharing of personal data. The data subject filed an appeal with the Federal Administrative

For example, if as an alternative to sending unencrypted e-mails the written submission of documents is offered, no compulsion due to an unreasonable measured

registered [the applicant] in the CKI on 12 December 2015 with an A-coding (for the creation of an unauthorised arrears) and a 2-coding (for making the claim

obligation of transparency,regardless of its size as an organization.Article 13 GDPR establishes an exhaustive list of the information that must bebe provided

Council of State (RvS) held that if there are easier methods of verifying an identity, it is disproportionate to ask the data subject requesting access

The Croatian DPA stated in an advisory opinion that the scanning of employees' identity and bank cards may not be based on compliance with a legal obligation

responded to the data subject, although not in an adequate manner. Thus the Spanish DPA imposed a fine of €10,000 and an order to comply within 30 days. Right of

accidentally or unlawfully. 3. Adherence to an approved code of conduct as referred to in Article 40 or an approved one certification mechanism as referred

provide an interactive map to our website – Google Privacy Policy C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/31 Lawyers: As an object

although they complied with an erasure request, they did not subsequently notify the data subject. A data subject made an erasure request at MAG Interactive

proposed that the restricted committee of the Commission impose an administrative fine and an injunction to bring the processing into compliance with the provisions

indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more specific

server is protected against unauthorized access with a password. Following an ex officio administrative proceedings, the President of the UODO has established

addresses are in BCC must be placed when sending an email in bulk. In addition, the default value to unsend an email, which is initially 5 seconds was now set

the GDPR, any supervisory authority can submit complaints by an involved person or by an organism. It makes sense then 3 Published on the GBA website.

children of families who regularly live in a rented apartment or are looking for an apartment. The Supreme Administrative Court considered that the data controller

to the Spanish far-right political party VOX. The data controller had sent an email without blind copying, to the members of that political party, infringing

internet search service operator. Judgment C-131/12 states that an internet search engine is an independent controller of the processing of personal data carried

2005). The mere commission of an administrative offense — objective type — is not sufficient time to proceed to impose an administrative sanction. Guilt

Sector (Responsibility), which requires that only parties responsible for an adiminstrative infraction by way of fraud or negligence be subject to sanction

payment. The Spanish Data Protection Authority gave an example of what measures would have constituted an adequate remedy and mitigation to the breach according

the first plaintiff - the data controller - has an independent obligation to process personal date with an appropriate level of security. In the case at

technical unit managing the evaluation procedure). "This The change is an advantage and an improvement over the statistical analysis carried out after the The

vice versa in such a way that the data subject receives it in an easy and comprehensible form an overview of the processing of personal data by the controller

and 32 GDPR. The Romanian DPA (ANSPDCP) started an investigation after receiving a complaint against an individual who held the office of Secretary-General

former employer €3000 for debiting the bank-account of a former employee for an external service. The DPA held that the controller had processed the personal

commercial authority of an address publishing and direct marketing company. On January 12, 2019, the co-participant submitted an application to the complainant

indirectly, in particular by means of an identifier, such as a name, an identification number, data from location, an online identifier or one or more elements

indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or one or more factors

Commission also stated that it would carry out a proportionality assessment and an additional DPIA under Article 35 GDPR, in order to guarantee the adherence

Legislative Decree no. 150/2011, an objection to this provision may be lodged with the ordinary judicial authority, by lodging an appeal with the ordinary court

but it is an isolated fact, produced by a human error. FUNDAMENTOS DE DERECHOI In the present case the defendant is accused of committing an infringement

the access request constituted an abuse of rights (Section 242 of the German Civil Code). According to this principle, an exercise of a right is not permitted

constitute a violation of the GDPR. It also held that Article 77 GDPR grants an independent right to lodge a complaint with a DPA, irrespective of Member

that it had an interest in secrecy that justified its refusal to provide a copy under Article 15(4) GDPR. Unsatisfied, the data subject brought an action with

personal data consists of obtaining:  An increase in the contracting of its services;  Greater customer acquisition;  An increase in visibility in the competitive

Disputes Chamber concludes that this case does not concern an assessment of a data processing by an authority in accordance with article 10/1, §1 of the decree

did not show any CV to the Administrator, nor did they ask for an explanation of why an entity other than SHANA, has such documents.4)In the CVs provided

request after the one-month deadline. On 23 March 2023, an employee of the controller consulted an extract of the data subject's personal data stored in

to the report, an alternative way would be to change the service so that the user must identify himself to the service before booking an appointment, either

documents public. It is illegal to do an act prohibited by the legislature solely on the basis of the fact that ever such an act was permissible. The Data State

Although this practice was carried out at least since 2012, and up until 2021 (as an internal database of the Municipality showed), the decision focuses on cases

condition”. In this context, the nurse's conduct indeed caused an explicit correlation, by an unauthorised third party, between the data subject and a specific

registration on the Robinson List. Furthermore they provided a screenshot of an SMS received as evidence. The complaint was transferred to the controller

personal data are all data relating to an identified or identifiable individual, and an identifiable individual is an identifiable person. directly or indirectly

Nules S. Coop. Credit of the Valencian Community, with NIF F12013140, for an infringement of Article 5.1.f) of the RGPD, typified in Article 83.5 of the

respondent. In the course of this, an employee of the respondent requested that the complainant be presented with an ID, which was also presented by the

's lawyer is also listed as a creditor, with an acknowledged claim of € 881.03. - x) [appellant] saved an amount of approximately € 16,000 during the debt

of the LOPDGDD is configured as an optional procedure in the opinion of the Agency Spanish Data Protection Agency in an attempt to inform the responsible

order to solve an issue of an inheritance. In carrying out this management, the BANKIA office has informed you that being a client, with an internal number

transferred several tens of thousands of personal data of club members to an external service provider between 2016 and 2017. This included data of underage

of the Austrian Armed Forces in order to asses the member in the context of an "extended reliability check" which is foreseen in national law. The Respondent

Articles 112 and 123 of the LPACAP, the interested parties may, on an optional basis, lodge an appeal for reconsideration with the Director of the Spanish Agency

the person responsible for thesystem, an aspect verified by the acting force displaced to the scene.Third. It is an established fact that there is no information

sending a letter to require an end consumer of an energy distributor to get in touch with regards to a unpaid invoice when an intermediary was set up communicate

for not responding to an access request for 5 months following complaints filed with DPAs in Germany and Austria. The DPA opened an investigation into Klarna

The extracts of the assignment answers are stored in an electronic copy, which is stored on an independent and closed medium, which does not have access

decision on an administrative remedy may be suspended as a precautionary measure if the person concerned indicates his intention to bring an administrative

Article 14 GDPR? The CNIL orders PERFORMECLIC to pay an administrative fine of €7300. It also issued an injunction to bring the processing into compliance

do not always reflect an actual risk condition (false "positives"); - Allow users to temporarily deactivate the app it through an easily accessible function;

decision, there is no place for an administrative appeal, but within 30 days of the notification, it can be challenged in an administrative lawsuit by a petition

of an incident. related to personal data- them. report the situation internally without delay, communicating it to the management team tive. 2.- An internal

Adherence to an approved code of conduct pursuant to article 40 or to a certification mechanism approved under article 42 may serve as an element to demonstrate

The Hellenic DPA imposed an administrative fine of €10,000 on Bank for failing to comply with a data subject access request, violating GDPR Article 12(3)

Religious Affairs for not conducting a Data Protection Impact Assessment (DPIA) in an appropriate manner before implementing a method of distance learning after

form containing personal data to the data subject's neighbour, resulting in an unauthorized disclosure of personal data to a third party. The Cyprus electricity

authority, and Article 56(2) GDPR offering an exception to this rule, in cases where "the subject matter relates only to an establishment in its Member State or

foreign controller, an entity within the jurisdiction on which the GDPR could bite with legal force to ensure data subjects have an effective remedy for

OP Financial Group (OP Ryhmä) from an applicant requesting comprehensive access to OP bonus account information in an account held by his wife. The Tietosuojavaltuutetun

Public Administrations, the The corresponding sanction would be an administrative fine for an amount of € 60,000 (sixty thousand euros) without prejudice to

considered that the claimant had a video surveillance system with an excessive orientation to an area out of its property, and without due cause: two of the

surveillance cameras in public spaces without a lawful basis under Article 6 GDPR. An individual lodged a complaint with the Spanish DPA (AEPD) arguing that the

The data subject submitted an access request and the controller did not comply with it. The DPA ordered the controller to provide the requested data or

after an examination of the submitted insights cases, the authority has found that in five of the cases the citizens have been the subject of an automatic

in the National Register dated May 11, 2018 by an employee of the respondent. On June 27, 2019, she sent an email to the Helpdesk Belpic (Inner SPF – Directorate-General

this case - no more than a simple subsidiaryor an establishment of GOOGLE LLC.An administrative fine, an injunction and publicity are coercive measures

administration but if I had not gone to court, this matter would be involved in an unresolved drawer, and my personal and professional dignity questioned in

the requester sent a letter with an explanation of why the signatures were not matching together with the copies of an ID card and a bank card. The Municipality

DPA (AEPD) sent a request to the Town Hall to remove such lists or to offer an explanation why the lists were published, but it was not answered. If there

camera and the presence of an informative poster where the information about the presence of it. Examining the photographs provided, an excessive uptake of public

The Romanian DPA (ANSPDCP) fined an energy company EUR 3,000 for violation of the security and confidentiality of personal data. The energy company Enel

the illegal sharing of her data with other telephone directories. Following an appeal by the telecom operator, the Court of Appeal of Brussels referred several

corrective measures different, as well as to impose on the controlled an administrative fine of an amount of 3,700 euros. The ability to submit written observations

not take into account the context in which persons were at the time an exposure to an infected person was recorded. For example, a health professional or

indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or more elements

legality, requires that the fact that allegedly has an illegal character is expressly found foreseen as an infraction in some precept of the legal system administrative

holder requests a duplicate SIM card in a store due to theft or loss, opening an incident number the claimed The claimant provides the following with her claim

are dealing with an unintentional but significant negligent action identified (section 83.2b). - Basic personal identifiers (name, an identification number

matters, in an intelligible and easily accessible way and using clear and simple language. Any part of the declaration that constitutes an infringement

Spanish DPA holds that the refusal by an airline to send the telephone recordings to a customer infringes the right of access provided for in Article 15

Appeals Board for an assessment. In its decision, the Norwegian Privacy Appeals Board clarified that Article 17(3)(b) GDPR makes an exception to the right

obligation, gal, informs an administrative body of the existence of a certain fact that could justify the ex officio initiation of an administrative procedure