Search results

CFR Art8 para 11 CFR Art11 para 1 ECHR Art10 para 1 GDPR Art4 no 2 GDPR Art4 no 7 GDPR Art85 para 1 GDPR Art85 para 2 Text GZ: DSB-D123.768/0004-DSB/2019

administrative fines provided for by Article 83, paragraphs 4 and 5, of the Regulation and Article 166, paragraph 1 of the Code. 4.4. On the publication of the data

fulfilled. The school breaches Article 6(1)(b) in combination with Article 6(4) and Article 6(1) Articles 24 and 25 GDPR Furthermore, as the school continued

and the free circulation of these data (hereinafter, GDPR); and in article 47 of the Law Organic 3/2018, of December 5, Protection of Personal Data and

gob.es Page 2 2/6THIRD: On October 30, 2019, in accordance with article 65.4 ofOrganic Law 3/2018, of December 5, on the Protection of Personal Data andguarantee

confidentiality. Second, the DPA found a violation of Article 32 GDPR. The DPA held Article 32 GDPR requires the controller to have a complete protocol that

Data in the External Referral Register. (…)” 3 Review 3.1 In an introductory application pursuant to Article 46 of the Personal Data Protection Act (Wbp)

Datatilsynet hold that the Municipality of Odense infringed Article 12(3) GDPR and Article 15 GDPR due to delayed answers to access requests. The Datatilsynet

answered in accordance with the requirements of Article 12 GDPR and within the time limit set in Article 12(3) GDPR. As the complainant continued to receive marketing

RETAIL S.L. for alleged infringement of Article 5.1 f) of the GDPR, in accordance with Article 83.5.a) of the GDPR- Initiate sanctioning procedure against

law to the GDPR, both regimes must be read in the same way. Second, identifiability is defined by Article 3(1) 2018/1725 (Article 4(1) GDPR). The use of

of rectification of Article 16 GDPR and Article 14 of LOPDGDD, the national data protection law, the DPA stated that Article 12(4) LOPDGDD obliges the

constitute of a breach of Article 5(1)(c) GDPR. Second, the AEPD recalled that, compliant with Article 13(1) and (2) GDPR, and Article 22(4) of the Law on the

Sub-Directorate ofData Inspection proceeded, in accordance with article 65.4 of Organic Law 3/2018,of 5/12, Protection of Personal Data and guarantee of digital

the part of the policyholder. 3. Legal basis 3.1. The concept of personal data The term personal data is defined in Article 4 (1) of the Data Protection Regulation

internal compliance and accountability according to Article 5(1) GDPR, Article 5(2) GDPR and Article 6(1) GDPR. Since the company had totally ignored the its

refer to ‘consent’ in the light of GDPR and thus the condition for a valid consent (Article 7 GDPR) must be met. 3° This consent relates to the purpose

found that there had been a “personal data breach” pursuant to Article 4 (12) of the GDPR as a result of the publication on the municipal website regarding

protocols. This therefore breached Article 5(1)(f) GDPR and Article 32 GDPR. The initial sanction for infringing Article 5(1)(f) was a fine of €5000 and the

out by the school). Article 9 GDPR, for having processed biometric data without any valid ground from Article 9(2). Article 13 GDPR, for not having informed

according to article 4.1 of the GDPR, are a Personal data and its protection, therefore, is the subject of said Regulation. In the article 4.2 of the GDPR defines

with article 4.1 of the RGPD. As for the fingerprint, it is also data that must be qualified. two as biometric data and in accordance with article 4.14 of

with Article 5 (1) (a) and Article 6 (1) (f) GDPR. Thus, the controller failed to comply with the accountability principle under Article 5 (2) GDPR. Second

reply. The AKI reminded the defendant of its obligation under Article 13 GDPR and Article 14 GDPR to inform the data subject in a concise, clear, comprehensible

with Article 4 WOG. 17. First, it is clear that the content of the disputed e-mail messages constitute personal data within the meaning of Article 4.1. AVG

expressed in Article 5 (1 ) (a)) f, and reflected in the obligations set out in Article 24 (1), Article 25 (1), Article 32 (1 ) (b ) and (d) and Article 32 (2)

therefore lack the implementation of such adequate safeguards and violate Article 32 GDPR. In this regard, the controller has not received any communications

be personal data per Article 4 GDPR. The CNIL then assessed whether the transfers of the data to the US comply with Article 44 GDPR. It considered whether

defendant) for the infringement of Article 6(1) of the GDPR, as the defendant agreed to an early voluntary payment of the corresponding part (48,000 €) of the

as per Article 37 GDPR and 34(1) LOPDGDD, as well as in relation to the need of registering such appointment at the AEPD website [Article 34(3) LOPDGDD]

power conferred by Article 58(2)(d) and (f) and Article 83(3) and (5) GDPR, imposed to Fastweb multiple corrective measures and a fine of € 4.501.868. Share

processing and confidentiality (article 5 par. 1 a) and f) GDPR) and constitutes an incident of infringement (Article 4 no. 12 GDPR) 21 b) incorrect handling

revision is admissible according to Article 133 (4) B-VG. The statement must be briefly justified. According to Art. 133 para. 4 B-VG, the appeal is not permissible

registered on the Robinson List in breach of Article 48(1)(b) LGT and Article 21 GDPR in conjunction with Article 23(4) LOPDGDD. Avilon Center SL made an voluntary

for a violation of Article 5.1.f) of the RGPD, in relation to ArticleC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 3 3/55 of the LOPDGDD

market participants. Specifically, these are Sections 17(3), 3(5) ApBetrO, 43 AMG, 11(1) sentence 1 no. 3, no. 7 and no. 11 HWG, and Section 14(2) no. 1 BerufsO

for in Article 83, paragraph 5, of the Regulation applicable, pursuant to Article 58, paragraph 2, letter i), of the Regulation itself and Article 166, paragraph

infringement of Article 5.1.f) of the RGPD, Article 33 of the RGPD, Article 25 of the RGPD and Article 32 of the RGPD, typified in Article 83.5 of the RGPD

15(1)(a)-(h) GDPR. For these reasons, under Article 58 GDPR, the HDPA reprimanded the controller for violating Article 5(1)(c) GDPR and Article 15 GDPR. In addition

infringement of Article 12(3) GDPR, as explained above, under the provisions of Article 83 of the GDPR, I take into account the following mitigating (1-3) and aggravating

database. The request for erasure under Article 17(1) GDPR is not applicable, because under Article 17(3)(e) GDPR, the processing was necessary for the defence

processing was necessary according to Article 17(3)(e) GDPR. The controller stated that, according to Section 4 of the Finnish Act on the Expiry of Debts

fine are set out in Article 83 of the General Data Protection Regulation. contained in Article. In the event of a breach of Article 5 of the General Data

loss of control of personal data and a breach of Article 5(1)(f) GDPR, Article 6 GDPR and Article 32(2) GDPR. The first complainant is a company that is engaged

gaat. 15. In vaststellingen 3 en 4 neemt de Inspectiedienst de kwalificatie als verwerkingsverantwoordelijke, in de zin van art. 4, 7) AVG, van de verweerder

Criminal Procedure, in particular Article 9 thereof; Having regard to the Highway Code, in particular Article L. 130-9, paragraph 4 thereof; Having regard to Law

infringement of article 32.1 of the GDPR (LCEur 2016, 605), typified in the Article 83.4.a) of the GDPR, a warning sanction, in accordance with article 77 of the

her life. Her objection to processing follows from Article 21(1) GDPR. ING argues that Article 21(1) GDPR cannot be relied on in this case because it applies

infringement of Article 5.1.f) of the RGPD, typified in Article 83.5 of the RGPD, and Article 32 of the RGPD, typified in article 83.4 of the RGPD Once

the GDPR, as the data falls under Article 9 GDPR and awarded € 800 in emotional damages. The Austrian Business Code cannot override Article 9 GDPR. There

way of a finding under article 15 of the GDR instead of the provisions of article 15 of the GDR. 36, § 4 and § 5 as well as Article 38, § 1 of the Law of

ruling and the GDPR; breach of Article 28 GDPR (the choice of a the processor does not provide sufficient guarantees); breach of Article 32 GDPR (lack of appropriate

disproportionate to the claim pursued (4 Ob 221/06p [item 2.5] mwN; cf. recently also 6 Ob 140/18h [items 3.3 and 3.4]). Clause 27: "The contract can be terminated

the identification data of the parties be published directly. 3Ibid. Decision 57/2022 - 4/4 12. In accordance with its dismissal policy, the Disputes Chamber

personal data under Article 15 GDPR? The Spanish DPA held that the airline company had not complied with the right to access in Article 15 GDPR when it refused

prejudice to Articles 12(5) and 15(3) of the EU Regulation 2016/679 and in Article 13(3) and (4) of this Organic Law". FIFTH: Article 15 of the RGPD provides that

consent of the 10 complainant (article 6.1 a) of the GDPR combined with article 7 of the GDPR), (2) article 6.1 c) of the GDPR in that the publication results

with reference number E / 08183/2020. FIFTH: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee

the social and health authority of a city to have breached Article 6(1) GDPR and Article 10 GDPR by requesting data subjects to provide it with personal data

violated Article 33(1) GDPR by failing to inform the DPA of the data breach. Second, the DPA held that the controller violated Article 28(1), (3) and (9)

he assessment: violation of Article 57.4 AVG (third plea in law from X). X submits that the decision violates Article 57.4 of the AVG where this provision

data on the basis of Article 6.1.e GDPR ? - Did the administration sharing confidential data with a third party violates article 25 GDPR ? - Should the administration

Móviles España, S.A.U. (the defendant) for the infringement of Article 6(1) of the GDPR, as the defendant agreed to an early and guilty voluntary payment

other legal basis for processing under Article 6 GDPR, the controller had violated Article 5(1)(a) and Article 6(1) GDPR. Taking into account the low income

§ 51 (1) 3) and 7) of the Public Information Act (AVTS), administrative proceedings on the basis of clause 85 2) of the HMS Act and § 75 1 (3) of the Government

subjects, according to Article 33(1) GDPR and Article 34(1) GDPR? The PUODO held that the insurance company infringed the GDPR provisions, failing to notify

of a Commission decision on adequacy , or in Article 46, Article 47 or the second subparagraph of Article 49 (1) (a) the period for which the personal

or by a third party. The court used Article 9(2)(f) GDPR to interpret legitimate interests under Article 6(1)(f) GDPR as including the establishment, exercise

of his right to rectification, as referred to in Article 16 of the GDPR. 5. Pursuant to Article 12.3 GDPR, the controller must inform the data subject without

states that the party concerned violated Article 83(4)(a) GDPR in conjunction with [Article 32(1) GDPR. Article 32 (1) GDPRby failing, at least with gross

( *** POSITION 1) for an infraction of Article 6.1.f) of the GDPR, in accordance with Article 83.5 of the GDPR ”. In the face of it, no allegations have

that: 1) The telephone number constitutes personal data according to Article 4(1) GDPR as the owner can be indirectly identified. 2) In both cases above,

for the alleged violation of Article 5.1.f) of the GDPR and Article 32 of the GDPR, typified in Article 83.5 of the GDPR. FIFTH: Notified of the aforementioned

provided for in Article 9 of the GDPR or Article 51 of the ZZLD. 30 Under Article 27 of the ZMVR, data recorded by the police pursuant to Article 68 of that

on the basis of Article 9 (2) (B) GDPR in conjunction with Article 32 GDPR" (see note cited, p. 4) (see footnote cit., p. 5-8). 1.6. On 4.8.2020, at the

data had taken place, meaning GDPR obligations did not apply. Are these magnetic cards personal data within Article 4(1) GDPR? If so, did the MCP infringe

aviolation of article 6 of the RGPD, typified in article 83.5 of the RGPD, in relation towith article 72.1 b) of the LOPDGDD, a fine of € 4,000 (four thousand

data of article 6.1 LOPD It necessarily derives from the improper or erroneous treatment thereof (Art 4.3). Therefore, the aforementioned article 4.4 of the

Agency in accordance with the provisions of article 35.4 of the RGPD. Applying the aforementioned article 35.3 to the specific case that is the object of

requests for information according to Article 15(1) GDPR. The ‘Business secrecy’ exception only applied to Article 15(4) GDPR, where a data subject would request

of identified personal data as defined in Article 4(1) and (2) of the General Data Protection Regulations (GDPR). 1 Hof van beroep Brussel, sectie Marktenhof

unequivocal consent to the processing of his personal data according to Article 4(11) GDPR. The AEPD noted that to determine whether FEDA, having regard to the

infringement of article 5.1(b), as defined in Article 83(5)(a) and considered for the purposes of the statute of limitations in Article 72(1)(a), a fine

«Guidelines 3/2019 on processing of personal data through video devices» points 3.1.1 to 3.1.3. The audit indicates that the camera in zone 3 films the area

of which are typified in article 83.4.a). V The violation of articles 32, 33 and 34 of the RGPD are criminalized in Article 83.4(a) of the said GPRS in the

lack of valid consent under Article 6(1)(a) GDPR. Thus, it imposed VODAFONE a fine of EUR 75,000 under Article 83(5) GDPR, being indecisive whether there

violation of Article 5(1)(f) GDPR and a fine of €100,000 for the violation of Article 37 GDPR. The DPA issued a reprimand for the violations of Article 5(1)(e)

articles 12.5 and 15.3 of the Regulation (EU)2016/679 and in the paragraphs 3 and 4 of article 13 of this organic law " FIFTH: Article 17 of the RGPD states

Articles 5(1)(a) GDPR and 13 GDPR. On the other hand, they disagreed with the infringement of Article 5(1)(a) GDPR in relation to Article 9(1) GDPR with regard

surveillance of Rognan center, cf. Article 6 of the Privacy Ordinance. 4.3. Assessment of the principle of legality in Article 5 (1) (a) The requirement that

paragraph 3 of the same article that the controller provides a copy of the personal data being processed. Finally, article 12.4 of the GDPR provides that

articles 12.5 and 15.3 of the Regulation (EU) 2016/679 and in sections 3 and 4 of article 13 of this organic law. " FIFTH: Article 17 of the RGPD provides

pursuant to Article 4(2) of the GDPR, and the applicant operating and managing the Facebook page is a controller pursuant to Article 4(7) of the GDPR, given

2019, GDPR Art. 37, para. 1; Döpfler , EU-GDPR and BDSG, 2nd edition 2020, GDPR Art. 37, marginal 1; Paal / Pauly, DS-GVO BDSG, 2nd ed. 2018, GDPR Art.

considered a violation pursuant to Article 72(1)(m) of the LOPDGDD, which would be sanctioned according to Article 58(2) GDPR. Share your comments here! Share

S.A.U., with NIF A80907397, for the alleged violation of article 6.1. GDPR typified in article 83.5.a) of the aforementioned RGPD. 1. APPOINT Mr. D.D.D

of the respondent a violation of the GDPR? The AEPD held that the actions of the company violated Article 6 GDPR. According to the decision, acting as

information correctly published at the time. The DPA noted that under Article 17(3)(b) GDPR, personal data shall not be erased if their processing is necessary

should comply with the criteria set out in Article 6. (4) General Regulations. The application of Article 6 (4) of the General Regulation to a change in

in tort within the meaning of the above under 3.3. mentioned article. 3.5. The question is whether in this case the place where the harmful event occurred

allegations. THIRD: On October 16, 2019, in accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee

for the alleged violation of Article 5.1.f) of the GDPR and Article 32 of the GDPR, typified in Article 83.5 of the GDPR. FIFTH: Notified of the aforementioned

employee of the entity - infringes Article 32. 2 and 32.4 of the RGPD, an infringement punishable under Article 83.4.a of the GDPR. Assessing the circumstances

provisions in article 13 of the RGPD, despite the fact that personal data is collected through various forms. SECOND: In accordance with article 65.4 of Organic

for the violation of Article 6 GDPR and € 4 000 for the violation of article 13, under the power conferred by Article 83(5) GDPR. Share your comments here

violation of the Article 12 of the GDPR, in conjunction with Article 17 of the GDPR. V Classification of the infringement of article 12 of the GDPR The aforementioned

company was not compliant with Article 13 GDPR. The CNPD held that the controller infringed Article 5(1)(c) GDPR and Article 13 GDPR and decided to: - impose

valid consent under Article 4(11) GDPR and Article 6(1) LOPDGDD (National data protection law aimed at the implementation of the GDPR). In both articles

section 22, subsection 1 of the Authorization Act. 4, § 23, para. 3, § 24, para. 2, § 25, para. 3 and 4, have laid down more detailed rules on record keeping

protection on the website *** URL.1. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee

images, in violation of Article 5(1)(a) GDPR? The Spanish DPA (AEPD) found that the defendant's conduct violated Article 5(1)(a) GDPR, as a broader principle

instruction, under Article 28(1) GDPR. Thus, it has not been decided on whether or not MaCom could process information in accordance with Article 6(3)(a), (1)(a)

each person and thus falls under the definition of personal data in Article 4(1)GDPR. Furthermore, a voice can reveal identifiers like age, sex, state of

required by Article 12 GDPR. The DPA clarified that the right of information and the right of access are distinct. An access request under Article 15 GDPR is not

complainant's computer was accessed (16.5.2018) (note 1.3.2019, p. 4-5). 1.4. On 17 May 2019, pursuant to Article 166, paragraph 5, of the Code, the Office notified

third party, breach Article 6(1) GDPR? The Spanish DPA (AEPD) referred to the principle of lawfulness, fairness and transparency (Article 5(1)(a)), as well

the Law: "Article 36. Taxpayers 1. They are taxpayers, as taxpayers, natural or legal persons, and the entities referred to in article 35.4 of Law 58/2003

fined a municipality €409,768 (NOK 4,000,000) for breaches of Article 5(1)(f) GDPR, Article 24 GDPR and Article 32 GDPR after a serious ransomware attack

- Madrid sedeagpd.gob.es 3/13 2.- Contract dated 07/03/2019 Vodafone Fibra 100Mb (portability from Telefónica *** PHONE. 3) 3.- Contract dated 08/21/2019

the whole claim under CPR 3.4(2)(b) under the Jameel jurisdiction; and (c) strike out of the claim in negligence under CPR 3.4(2)(a). 
 
 The Defendant

period. The IP clarified that under the GDPR consent does not have to be handwritten. According to Article 4(11) GDPR, "consent of the data subject means any

context of Articles 40 and 41 GDPR, in particular from Article 40 Paragraph 4 in conjunction with Article 41 Paragraph 2 lit. c) GDPR, namely further that a monitoring

violation of Article 5(1)(d) of the GPRS, in relation to Article 4(1) of the LOPDGDD, which governs the principle of accuracy of personal data. IV Article 72.1

data subject has exercised their right to object under Article 21 GDPR. In the same way, Article 48(1)(b) of the Spanish General Telecommunications Act

the controller according to Article 58(2)(c) and (d) GDPR and the fine of 14,420.4 lei, the equivalent of the amount of EUR 3,000. Share blogs or news articles

the processing is based on Article 6(1)(a) or on Article 9, (c) where the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the

Norway, and not the GDPR. The DPA does, however, refer to corresponding Articles in the GDPR: Articles 5(1)(b) and (c), as well as Article 17. Share blogs

the GDPR. According to the defendant, this partner is thus not processor within the meaning of Article 4 (8) GDPR. Consequently, Article 28 (3) GDPR does

drawings". 3.1.3. The service technician will draw up a weekly timesheet of the work performed. Parties also refer to this as a 'weekly list'. 3.1.4. In a letter

right to object under Article 21(2) GDPR in conjunction with Article 12(1) GDPR, Article 12(2) GDPR, Article 13 GDPR and Article 14 GDPR. Telenet asked for

2 and par. 3, lett. b), of the GDPR; as well as art. 2-ter, paragraphs 1 and 3, of the Code (see also the provision contained in Article 15, paragraph

processing carried out is in violation of Article 5(1)(f) GDPR, Article 25(1) GDPR, Article 32 GDPR and Article 35 GDPR. Especially, the controller cannot exclude

the definitions of the legal concepts that the RGPD indicates in article 4: Article 4 GDPR. Definitions For the purposes of this Regulation, the following

is only determined by Article 5 et seqq. GDPR. A violation of Article 13 or 14 GDPR can be fined under Article 83(5) GDPR but it does not affect the lawfulness

to pay". Decision on the substance 39/2020- 8/23 ... 3. Justification 3.1. The controller (Article 4, point 7) AVG) 36. The Conciliation Chamber finds, first

legal professional practice according to article 4 paragraph 3 of Law 3471/2006 in conjunction with article 3 of Annex III of the Electricity Supply Code

gave its non-binding opinion on the data protection roles under Article 4(7) and (8) GDPR of the entities involved in clinical trials in Slovenia , holding

violation of article 5.1.f) of the GDPR, typified in article 83.5 of the GDPR, a warning sanction and for a violation of article 32 of the GDPR, typified

messages. Is this a violation of Article 6(1)(a) GDPR? The AEPD held that this behaviour was a violation of Article 6(1)(a) GDPR and fined Vodafone €100,000

obligations under Article 6, §2, al. 5 and Article 9 of the Camera Act 1 2. there is a serious indication that article 6, § 2, al. 4 of the aforementioned

the first question is answered in the affirmative: 3. Is the second sentence of Article 38(3) GDPR based on a sufficient enabling clause, in particular

the violation of Article 5(1)(f) GDPR and €30,000 for the violation of Article 32 GDPR. According to the national legislation (Article 76(2)(b) LOPDGDDon

according to article 4.1 of the RGPD, is a piece of information personal and their protection, therefore, is object of said Regulation. In Article 4.2 The RGPD

of these data (hereinafter, GDPR); and in article 47 of the LOPDGDD. SECOND: In accordance with the provisions of article 55 of the RGPD, the Agency Spanish

sanction to the party claimed for the violation of Article 13 of the GDPR typified in Article 83.5 of the GDPR. The sanction that must be imposed is an administrative

Art. 4 No. 1 GDPR, is processed and stored here by the defendant as the person responsible in accordance with Art. 4 No. 7 GDPR. According to Art. 4 No.

- Madrid sedeagpd.gob.es 4/4 The exposed facts suppose, on the part of the claimed, the commission of the infraction of article 22.2 of the LSSI. This offense

violation of the article6.1. of the RGPD, in relation to article 20 e) of the LOPDGDD, typifiedin article 83.5.a) of the aforementioned GDPR.2. TO appoint

processed in accordance with Article 32 (2) of the Regulation. 2nd 3.3. Article 33 (1) of the Data Protection Regulation 1 and Article 34 (1). 1 The Data Inspectorate

against the defendant for the alleged infringement of Article 6.1(a) of the RGPD, as defined in Article 83.4 of the RGPD. FOURTH: Upon notification of the above-mentioned

from MEDISALUD, dated February 28, 2019, in accordance with article 65.4 of Organic Law 3/2018, dated December 5, on the Protection of Personal Data and

States ”. The violation of article 32 of the RGPD is typified in article 83.4.a) of the aforementioned RGPD in the following terms: "4. Violations of the following

a violation of Article 12(3) in relation to Article 15 GDPR. The Garante hence applied an administrative fine as per Article 83(5) GDPR. The amount of

under Article 82 UK-GDPR and sections 168 and 169 of the Data Protection Act (DPA) 2018. The defendant applied for the claim to be struck out under 3.4(2)(a)

The Spanish DPA (AEPD) fined Borjamotor, S.A. for infringing Article 7 GDPR and Article Article 21(1) of the Spanish Law on Information Society Services (LSSI)

and Article 85 GDPR. In June 2019, the complainant requested erasure of her personal data from the respondent's website, claiming that an article on that

data of article 6.1 LOPD necessarily derives from the improper or erroneous treatment thereof (Art 4.3) .Therefore, the aforementioned article 4.4 of the

information under Article 13 GDPR is illegal. Consequently, the APED decided to issue a fine of €1.500 for the violation of Article 13 GDPR. Share your comments

months after the request was made. According to Article 12(3) GDPR the response has to be the latest within 3 months. The DPA considered that it had no competence

About the exceptions in article 17 no. 3 letters b and d, the ministry says in Prop. 56 LS (2017-2018) page 81: "Article 17 no. 3 letter d makes exceptions

to the provisions of articles 12.5 and 15.3 of Regulation (EU) 2016/679 and in the sections 3 and 4 of article 13 of this organic law. " FIFTH: In the case

determined in Article 6.1. GDPR. 36. To this end, the Disputes Chamber examines the extent to which the legal grounds as provided in Article 6.1. GDPR can be

Therefore, Article 5(1)(f) GDPR was considered violated by the community of owners as a whole and a fine according to Article 83(5) GDPR was imposed.

of thethe law establishes a series of limitations. Article 1 of the Organic Law4/1997, of August 4, which regulates the use of video cameras by theState

defined in the first paragraph. Article 4 of the Act, cf. Points 2 and 4 Article 3 of the Act and points 1 and 2. Article 4 of the Regulation. According to

authority. Under Article 60 GDPR, the following DPAs were identified as “concerned supervisory authorities” under Article 4(22) GDPR: the Netherlands,

and d) and article 83, paragraph 4, al. a), all documented regulation.-In addition, under the terms of article 83, paragraph 3 of the GDPR, the fine of

foundation was responsible for violating Article 33 GDPR, and issued it with a warning pursuant to Article 58(2)(b) GDPR. The AEPD did not find the former Secretary

same way as Article 12 (2) of the Directive. 4th 3.3.3. The Data Protection Authority's guidance on data protection in employment (2018) [3] shows the following

subjects adequate information, (3) without defining the roles of the external companies involved in the processing, (4) without defining the storage times

installing surveillance cameras in public spaces without a lawful basis under Article 6 GDPR. An individual lodged a complaint with the Spanish DPA (AEPD) arguing

6www.aepd.es28001 - Madridsedeagpd.gob.es Page 4 4/7with Article 6, paragraph 1, letter a), or Article 9, paragraph 2, letter a), and this is notbased

P3120800B, for the alleged violation of article 5.1.b) in relation to article 6.4 of the RGPD, in accordance with article 83.5.a) of the RGPD. SECOND: INITIATE

based comply with Article 13 of the GDPR? The Spanish DPA found that the facts constituted an infringement for violation of Article 13 of the RGPD, and

According to Article 94 of the GDPR "references to the repealed directive must be understood as references to the [GDPR]". 84. Under Article 4, paragraph

comes regulated in article 32 of the GDPR. II Article 5.1.f) of the GDPR Article 5.1.f) of the GDPR establishes the following: "Article 5 Principles relating

6www.aepd.es28001 - Madridsedeagpd.gob.es Page 4 4/7FOUNDATIONS OF LAWIBy virtue of the powers that article 58.2 of the RGPD recognizes to each authoritycontrol

the computer network: https://www.riigiteataja.ee/akt/128022019010 Page 3 3 (4) CLAIMER'S CLAIM AND EXPLANATION: On 19 December 2015, the applicant submitted

processing personal data, in line with the definition of Article 4(1) GDPR. In accordance with Article 5(3) GDPR, the controller had an obligation to demonstrate

confidentiality established by Article 5(1)(f) GDPR? Was there a personal data breach? The AEPD considered that there was an infringement of Article 5(1)(f), as there

place in accordance with Article 5 (1) of the Data Protection Regulation. 1, letter e, and Article 6, para. 1, cf. Article 4, point 11. The Danish Data

under Article 15 GDPR, in a timely manner as well as in clear and transparent form. Second, the DPA looked at the right to erasure under Article 17 GDPR

according to article 4.1 of the RGPD, is data personal protection and their protection, therefore, is the object of said Regulation. Article 4.2 of the RGPD

6www.aepd.es28001 - Madridsedeagpd.gob.es Page 4 4/11FOUNDATIONS OF LAWIBy virtue of the powers that article 58.2 of the RGPD recognizes to each authoritycontrol

infringement of article 21.1 of the LSSI, typified in Article 38.4.d) of theLSSI, a sanction of warning.B) For an infringement of article 13 of the RGPD

processing is based on consent under Article 6(1)(a) GDPR, the consent must meet the requirements of, among others, Article 7 GDPR. The DPA observed deficiencies

Section 49 of the Wbp has been met. 4.1 The next question to be answered is whether the claimant has suffered damage. 4.2 With reference to Section 6:106(1)(b)

constitutes personal data according with Article 4(1) GDPR therefore its processing falls within the scope of GDPR. The DPA also analysed whether the controller

the registration. assessment framework 4.4 The assessment framework that the court used in paragraphs 4.1 to 4.4 of the decision of 24 June 2019 was not

data concerning you". According to Art. 7 Para. 4 GDPR and taking into account Art. 4 Z 11 and EG 43 GDPR, consent must be given voluntarily and may not

company "bieNNova" infringed Article 21 LSSI (Ley de Servicios de Sociedad de la Información y de Comercio Electronico). Article 21 establishes that it is

general data protectionArticle 5 (1) (a), Article 5 (2), Article 12 (1) and (4) ofArticle 14, Article 15 and Article 21 (4).1.3. The Authority condemns

violated Article 6(1)GDPR, for processing personal data without a legal basis. Hence, the AEPD decided to fine Telefónica for the violation of Article 6(1)GDPR

identify the data subject and it shall justify the reasons, as per Article 12(3) GDPR. AEPD stated that, with the documentation provided, the data subject

refers to older national laws, instead of GDPR. Does an non-updated privacy policy infringe Article 13 GDPR? Shoud the AEPD calculate the fine by taking

wife. According to Article 15 (4) of the General Data Protection Regulation, the right to obtain the copy referred to in Article 3 (3) must not adversely

therefore an infringement of Article 5 at the time of the facts. 1, a) GDPR, Article 6, Article 12.1 GDPR and Article 14.1 a) GDPR. 90. In addition, a controller

as by Article 28(2) and (3) The obligation to adopt technical and organizational measures to ensure the security of the processing as by Article 32. The

Chief Constable West Midlands Police (WMP), for violating Articles 34(3), 38(1)(3), 40 and 57(1)(2) of the UK Data Protection Act (DPA). ICO also recommended

RGPD, and for the violation of article 32 of the RGPD, classified in the article 83.4 of the GDPR. The aforementioned initiation agreement was notified

of these data (hereinafter, GDPR); and in article 47 of the LOPDGDD. SECOND: In accordance with the provisions of article 55 of the RGPD, the Agency Spanish

unsolicited commercial emails without a legal basis, connected to Article 6 of the GDPR—, as the defendant agreed to an early and guilty voluntary payment

Directive 95/46 / EC (GDPR), Art. 51, 52, 53.1, 53.3, 53.4 and 54.1 (a) - (e) The Self-Government Act for Åland, section 1, section 3, subsection 2. and section

with Article 5 paragraph 1 point c, Article 9 paragraph 1, Article 58 paragraph 2 point f, point g and point i and with Article 83 paragraph 2 and 3, Article

violation of data minimisation, Article 5(1)(c) GDPR. No fines can be imposed against the controller and Article 83(5) GDPR can therefore not be imposed.

envisaged as follows. 17. In paragraph 3.3. Legal Protection' of the AVG Implementation Act, Article 34 reads as follows: Article 34. Applicability of the General

according to Article 4, point 11, as well as the Restrictions according to Article 7 GDPR. (149) According to Article 5 (1) point b) of the GDPR, personal

specific enough and did not comply with Article 13 GDPR. Does the lack of precision enough to infrige Article 13 GDPR? The AEPD found that the information

whether the processing is automatic or not, cf. Number 4 Article 3 of the Act and point 2. Article 4 Regulation. This case concerns the processing of personal

accordance with the provisions of the article 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002,

abusive multiple evaluations. 3.2.3. To an objection by the BF according to Art 21 GDPR According to Article 21 Paragraph 1 GDPR, every person concerned has

infringement of Article 5.1 b) in conjunction with Article 6.4. AVG, on article 5.1 a) in conjunction with article 6.1. AVG and on article 5.1 c) GDPR has been

and the free circulation of these data (hereinafter, GDPR); and in article 47 of the Law Organic 3/2018, of December 5, Protection of Personal Data and

accordance with Article 60(3) GDPR. Ten DPAs (AT, DE, ES, FI, FR, HU, IT, NL, NO, SE) raised objections, in accordance with Article 60(4) GDPR, to the Draft

NIF ***NIF.1, in accordance with article 58.2.d) of the GDPR, for a violation of article 13 of the GDPR typified in article 83.5.b) of the aforementioned

19 paragraph 3 of the Code (in force at the time of the facts and whose content is now reproduced in Article 2-ter, paragraphs 1 and 3, of the Code),

purposes and means of such activity, by virtue of article 4.7 of the GDPR. For its part, article 5.1.c) of the GDPR regulates the “principles relating to processing”

each control authority, and according to the provisions of article 47 of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and

violation of Article 6, paragraph 1, letter c) and e), paragraph 2 and paragraph 3, letter b), of the Regulation and Article 19, paragraph 3, of the Code

of this act, as provided for in Article 46. Finally, it is noted that in accordance with the provisions of article 90.3 a) of the LPACAP, the final resolution

refers to Article2,member2,pointd)AVG.35. For the sake of completeness, it can be noted that in accordance with Article 55 (3) GDPR and Article4, §2, first

6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/11 SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data

right of access under Article 15 GDPR? By denying the complainant access, did the respondent infringe Articles 12(1) or 12(2) GDPR? The NAIH that the complainant's

request under Article 15 and with the one month deadline under Article 12(3). Was Google Ireland Ltd in breach of its obligations under GDPR Article 15(1) and

of Article 32(1) GDPR due to the scope of the data mishandling and the sensitivity of the subject. Moreover, the Family Court violated Article 28(3) with

transferred the defendant, in accordance with the provisions of article 65.4 of the Law Organic 3/2018, of December 5, Protection of Personal Data and guarantee

violation of Article 6(1) GDPR? AEPD considered that the documentation provided offers evidence that Vodafone violated Article 6(1) of the GDPR, by processing

SAW The violation of article 32 of the GDPR is typified in article 83.4.a) of the aforementioned GDPR in the following terms: "4. Violations of the following

advertises it on the internet, in accordance with the provisions of article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee

legal bases of contract (Article 6(1)(b) GDPR), legal obligation (Article 6(1)(c) GDPR) and legitimate interest (Article 6(1)(f) GDPR) and determined that

Spanish DPA (AEPD) fined XFERA MÓVILES, S.A. €40000 for violating Article 6(1) GDPR by illegally processing personal data of the claimants in a fraudulent

may be recorded of the data processing, in violation of Article 13 and Article 5 (1) (c) GDPR. The complainant lodged a complaint with the AEPD about the

written allegations.  On March 26, 2019, in accordance with article 65.4 of the Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee

communicated via e-mail. 3 4See recitals 75 and 76 of the Data Protection Regulation. See Article 87 of the Data Protection Ordinance and Chapter 3. Section 10 of

Protection Agency is competent to resolve this procedure. II Article 4.11 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the

Page 4 4/14Taking into account the above, ESLORA PROYECTOS is not subsumed innone of the cases of compulsory designation included (i) in article 37.1RGPD

sanction is imposed for violation of Article 6.1.a) of the GDPR of 3,000 euros. VIII Infringement of Article 13 of the GDPR The facts claimed also provide evidence

that, in cases of video surveillance, Article 22.4 LOPDGDD provides that the duty of disclosure in Article 12 GDPR may be fulfilled by placing a sign near

and the free circulation of these data (hereinafter, GDPR); and in article 47 of the Law Organic 3/2018, of December 5, Protection of Personal Data and

imposed a fine of €60000 for the violating Article 5(1)(d) GDPR and €30000 for violating Article 5(1)(f) GDPR. In imposing the fine, the AEPD factored in

highly sensitive personal data exposed, thus breaching Article 32(1)(b) GDPR and Article 32(2), cf. Article 24. An employee in a municipal health care center

General Data Protection Regulation (EU) 2016/679 (AVG). According to Article 3(4) of the Data Protection Regulation, the processing of personal data by

act, as provided for in Article 46 (1) of the aforementioned Law. Finally, it should be noted that, in accordance with Article 90.3 (a) of the LPACAP, the

payment to be appropriate. 3. Findings 3.1 Findings prior to the on-site visit of 18 June 2018 Menzis sent documents to the AP on 3 and 29 May 2018 to demonstrate

principles are found under Article 5(1)(a) and Article 5(2) GDPR respectively]. The Spanish DPA even made reference to Recital 40 GDPR on the legality of processing

electronic format. 4. The right to obtain a copy referred to in paragraph 3 shall not affect the rights and freedoms of others. Article 2:3 of the Awb reads

controller under the GDPR. The data controller did not process personal data with an appropriate level of security, as required by article 32, read in conjunction

necessary according to Article 17(3)(b) GDPR and Article 17(3)(e) GDPR. The controller stated that, according to Chapter 8 Section 1(2)(4) of the Finnish Criminal

copy of 4 commercial SMS received on 12/10/2021, 12/17/2021 and 03/15/2021. The issuer is identified as YOIGO. SECOND: In accordance with article 65.4 of Organic

Finnish DPA found a retail chain to have breached Article 5(1)(e) GDPR, Article 25(1) GDPR and Article 25(2) GDPR for its lengthy storage of purchase behaviour

data, recorded in copies Article 6 (1) of the GDPR and, in the case of health data, Article 9 of the GDPR. Article 1 (1); (3) did not provide clear and

anyway. In any case, suitable guarantees were required by Article 46(1) GDPR. Per Article 46(3)(b) GDPR, those guarantees could be provided for by provisions

criminal proceedings for the alleged violation of Article 32 of the GDPR, as defined in Article 83.4 of the GDPR. FOURTH:Notified of the abovementioned agreement

interests under Article 6(1)(f) GDPR. The data subject was heard on this statement and filed a submission, arguing that Article 6(1)(f) GDPR does not apply

Raise Marketing violated the data subject's right to object (Article 21 GDPR and Article 23 LOPDGDD). The DPA fined Raise Marketing €1500 for this violation

with the provisions of section 2 of article 56 in relation to section 1 f) of article 57, both of the GDPR; and in article 47 of the LOPDGDD. SECOND: In accordance

articles 12.5 and 15.3 of the Regulation (UE)2016/679 and in the paragraphs 3 and 4 of article 13 of this organic law "FIFTH: The article 17 of the RGPD establishes

exercising their rights in bad faith. The AEPD brought forward Article 12(5) GDPR, as well as Article 7 of the Spanish Civil Code, that states that rights must

directly on the basis of the GDPR, not the register assessed on the basis of Article 30(1) of the GDPR. II.3. Article 6(1)(f) of the GDPR 49. Above, the Disputes

there was a wrong application of Articles 12 and 15 GDPR. The DPA highlighted that Article 12 GDPR burdens the controller with the obligation to provide

their health status, without appropriate legal grounds, as required by art. 6 GDPR and art 2-ter and 2-septies of the Italian Privacy Code, and going against

protection policy at the University. In the remaining scope, i.e. in point 3.3.16, 3.3.19 above analysis, the University indicated that the analysis clearly

of data protection by its article 2.2, without prejudice to the provisions of sections 3 and 4 of this article. " And in article 19: ”Treatment of contact

infractions of article 48 of Law 9/2014, of May 9, General Telecommunications (hereinafter LGT), in accordance with the provisions of the article 84.3 of the LGT

from which more information can be obtained; 3) description of possible consequences of personal data breach; 4) description of measures taken or proposed

violated Article 12 GDPR, as it did not facilitate the data subject´s exercise of their rights, especially the right to erasure under Article 17 GDPR. In view

publication of the press release of 17 June 2020 infringed Article 54(2) GDPR and Article 48(1) and Article 64(3) WOG. This press release described that the DPA was

violation of article 13 of Regulation (EU) 2016/679, in accordance with article 58 par. 2 i' of the GDPR in combination with article 83 par. 5 of the GDPR. The

gob.es Page 4 11/4In this sense, Organic Law 3/2018, of December 5, on the Protection ofPersonal Data and guarantee of digital rights article 6.1 of the

Appeal considered that Article 96 GDPR does not provide a time limit for the validity of international agreements concluded prior GDPR and that a ban on some

person under article 4.1 of the RGPD is personal data and its protection, therefore, is the subject of said Regulation. Article 4.2 of the GDPR defines the

the principle in Article 25 of the Data Protection Regulation. 3.3. Precautions Article 5 (1) of the Data Protection Regulation Article 1 (1) (f) provides

transferred the claimed, in accordance with the provisions of article 65.4 the LawOrganic 3/2018, of December 5, Protection of Personal Data and guarantee

adequate information under Article 13 GDPR, and for the processing of personal data in a manner contrary to Article 5(1)(a) of the GDPR. A data subject submitted

measures to security of processing, in accordance with Article 32 GDPR, in connection with Article 24 GDPR, as the controller did not take into account the risks

several violations of the GDPR. Firstly, the USL had not documented its processing activities as required by Article 30 GDPR, despite the two years between

towards employees, cf. Articles 13 and 14 GDPR complied with the principle of transparency in Article 5 (2) (1) (a) GDPR, which according to the Authority's

sections 3.2, 3.3 and 3.4 of the DPIA, for clarity, the Commissioner also recommends that the Home Office links its purposes to both its Article 6(1)(e)

6www.aepd.es28001 - Madridsedeagpd.gob.es Page 4 4/8FOUNDATIONS OF LAWIBy virtue of the powers that article 58.2 of the RGPD recognizes to eachcontrol authority

provided for in Article 46(1) of the referred to Law. Finally, it is pointed out that in accordance with the provisions of Article 90.3 a) of the LPACAP

inform the affected parties as provided for in Article 12 GDPR and Article 13 GDPR. According to Article 30(1) GDPR a record must be kept by the responsible

Protection Officer (DPO) under Section 4 of Chapter 4 of the GDPR (see in particular Article 37 GDPR to Article 39 GDPR). One of these audit proceedings concerned

the existence or absence of a decision in accordance with Article 46, Article 47 or Article 49 (1). in the case of the transmission referred to in the

constitutes sensitive data within the meaning of Article 9 GDPR. The DPA alluded to Article 9(1) GDPR which prohibits the processing of these special categories

significant (Article 83(2)(b) GDPR). - basic personal identifiers were affected (name, identification number, the line identifier) (Article 83(2)(g) GDPR). The

accordance with Article 132, Article 168 23 of the Law on Administrative Responsibility first part, Article 172 and Article 173, first part, paragraph 4, Article

Madridsedeagpd.gob.es Page 3 3/5The exposed facts suppose the commission, on the part of the demanded entity, of aviolation of article 21.1 of the LSSI, which

infringement of the GDPR, articles: -12 of the GDPR, in accordance with article 83.5.b) of the GDPR and 72.1.k) of the LOPDGDD, and -5.1.c) of the GDPR, in accordance

aepd.es28001 - Madridsedeagpd.gob.es Page 4 4/11i) impose an administrative fine in accordance with article 83, in addition to or instead ofthe measures

2012 to 2019 that it was operating. Following Article 83(5)(a)GDPR, read in the lights of Recital (148) GDPR, the AEPD issued a reprimand to the owner of

legitimate basis a violation of GDPR? The Spanish DPA considered that the processing of personal data was in breach of Article 6(1) GDPR, as the worker had processed

company for faulty website security (article 32 GDPR) and violation of the storage limitation principle (article 5(1)(e) GDPR). After a complaint in 2018, the

regulated in article 6 of the GDPR. The assumptions that allow the processing of personal data to be considered lawful listed in article 6.1 of the GDPR: 1. Treatment

had a legal basis under Article 6(1) GDPR to publish the data subject’s personal data, and did not violate Article 5(1)(a) GDPR. In the decision, the Croatian

to the first controller. First, the DPA recalled that according to Article 4(1) GDPR the image of a person constitutes personal data because it reflects

processing. In accordance with Article 36 GDPR, the Garante must decide on the adequacy of the intended processing under the GDPR. After careful examination

connection with Article 31, Article 58(1)(e) and (f) in connection with Article 83(1-3) and Article 83(5)(e) of Regulation 2016/679 of the European Parliament

Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/7 3.- The events took place since May 2019. 4.- The vouchers include the charges made by the claimed

basis for the processing (Article 21(1) GDPR). Finally, the DPA fined the controller €12,000 for a violation of Article 6(1) GDPR due to the lack of a valid

under Article 36 GDPR) regarding the compliance of the envisaged processing with the GDPR. According to the Commission, the legal basis was Article 6(1)(e)

March 30, April 22, and May 7, 2021. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee

violating Article 15 GDPR; 3. there was no violation of Article 12(3) and 12(4) GDPR, as it has a procedure in place to handle these requests; and 4. the DPA

DPA (AEPD) imposed a €1000 fine on a beauty salon for breaching Article 17 GDPR and Article 21 LSSI. The salon sent a marketing SMS to a client months after

Member States ”. The violation of article 32 is classified in article 83.4.a) of the cited GDPR in the following terms: "4. Violations of the following provisions

the recorded images” (folio nº 1). SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, of Protection of Personal Data and guarantee

punishable under Article 83(4)(a) GDPR. Assessing the circumstances that modify the responsibility contemplated in Article 83(2) GDPR, in this case, the

rating without a legal basis under Article 6(1)(f) GDPR and for not adhering to the accountability principle as per Article 5(2). The DPA also requires that

information duty included in Article 13 GDPR. Is this a violation of Article 13 GDPR? The AEPD held that there had been a violation of Article 13. According to the

an alleged violation of article 6 of the GDPR typified as an infringement of basic principles for processing in article 83.5 GDPR. In determining the amount

section 3.3 >>.<< 3.3. Informed manifestation of willThe GDPR reinforces the requirement that consent must be informed. In accordance with theArticle 5 of

fact that the processing of the controller relied on Article (6)(1)(b) GDPR and Article 6(1)(c) GDPR as legal basis affects the holding of the DPA since

data laid down by Article 4(1) and (2) GDPR. The DPA then quotes ECJ, 11 December 2014, Ryneš, case C-212/13 (point 22), EDPB Guidelines 3/2019 on processing

Telefónica Móviles España, S.A.U. with a fine of €75,000 for violating Article 6(1) GDPR. The complainant had five telephone lines contracted with Telefónica

common use. 4. The right to obtain a copy referred to in paragraph 3 shall not affect negatively to the rights and freedoms of others." FIFTH: Article 13 of

executed. Legal basis: Article 4 lines 1, 2 and 5, Article 11 paragraphs 1 and 2, Article 12 paragraph 2, Article 17 paragraph 1 and Article 58 paragraph 2 lit

with the provisions of section 2 of article 56 in relation to section 1 f) of article 57, both of the GDPR; and in article 47 of the LOPDGDD. SECOND: In accordance

over the right to access Article 15 GDPR. A citizen requested a copy of his personal data from a controller under Article 15 GDPR. The controller requested

authorities an infringement of Article 5 (1) (d) GDPR? The AEPD agreed to impose a penalty for infringement of Article 5 (1) (d) for lack of accuracy in

that the Application be struck out pursuant to rule 8(3)(c) of the 2009 Rules. As required by rule 8(4) of the 2009 Rules the Applicant was informed of the

the alert on the SIS system under Article 17(1)(d) GDPR. The reason for the data subject invoking the GDPR is that Article 53(1) Regulation (EU) 2018/1861

data breach (Article 32 GDPR). Does the plaintiff have a right to compensation according to Article 82(1) GDPR and does Article 82(3) GDPR stipulate a reversal

minimisation principle related, as per Article 5(1)(c) GDPR, and the lack of transparent information, as per Article 12 GDPR. The decision is the consequence

common use. 4. The right to obtain a copy referred to in paragraph 3 shall not affect negatively to the rights and freedoms of others." FIFTH: Article 13 of

that motivates the presentation of the claim. SECOND: In accordance with article 65.4 of the LOPGDD, which has provided for a mechanism prior to the admission

commit a breach of Article 12(3) GDPR? Did the controller fail to uphold its responsibilities under Article 24 GDPR? No lawful basis for processing: The

lawfulness, fairness and transparency under Article 5(1)(a) GDPR, and the principle of accountability under Article 5(2) GDPR. Additionally, the HDPA held that the

(Considering 40 GDPR), Article 6.1 of the GDPR is therefore applicable and not RD 1720/2007 used by the defendant. Thus, the aforementioned article 6.1 GDPR establishes

complainant as per Article 17 GDPR, as well as his/her right as a consumer to refuse unsolicited commercial phone calls, as per Article 21 GDPR in connection

constitute a breach of Article 5(1)(c) GDPR? The AEPD held, that the actions of the defendant constitute an infringement of Article 5(1)(c) GDPR " Data Minimisation

against the controller for the alleged infringement of Article 21 LSSI, as defined in Article 38(4)(d) LSSI. The controller reacted to the allegations with

rule 8(4) of the 2009 Rules Mr Miles was notified of the Commissioner's application to seek a strike out of the Application. He was given until 3 October

assistance under Article 2.3 of the Youth Act and that deletion would violate the Archives Act (Archiefwet) and Article 17(3)(b) GDPR. The mother objected

of his personal data would be based 5. 1, a) GDPR, Article 6, Article 12.1 GDPR and Article 14.1 a) GDPR. 67. Moreover, a controller, in this case defendant

the lack of security routines, thus breaching Article 32(1)(b) cf. Article 5 GDPR, Article 35 and Article 24(1), respectively. Teachers at two junior high

proceedings. The merits limb engages article 3 of the GDPR, the Defendants confining their objection to this provision alone. Article 3 provides: "Territorial Scope

street a violation of Article 5 (1) (c) GDPR? The Spanish DPA has found that the facts of the present proceedings show that 2 of the 3 cameras installed by

activity has been declared. 3. Art 32.3 of Law 10/2010 of April 28 states that: “By virtue of the provisions of the Article 24.1, and in relation to the

envisaged as follows. 22. In paragraph 3.3. Legal Protection' of the AVG Implementation Act, Article 34 reads as follows: Article 34. Applicability of the General

by definition, personal data within the meaning of Article 2(a) Directive 95/46, now Article 4(1) GDPR since they must enable Constantin Film Verleih to

format. 4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others. FIFTH: Article 13 of the

negligent action (Article 83(2)(b) GDPR) and that basic identifiers such as name, surname, and address are affected (Article 83(2)(g) GDPR), including also

format. 4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others. FIFTH: Article 13 of the

and the free circulation of these data (hereinafter, GDPR); and in article 47 of the Law Organic 3/2018, of December 5, Protection of Personal Data and

Regulation) Article 1, paragraph 2, Article 5, Article 6, paragraph 1, subparagraph f, Article 17(1)(a), (c) and (d), Article 17(3)(a), Article 21(1) Judgments

sedeagpd.gob.es 4/7 Article 22 section 4 LOPDGDD (LO 3/2018, December 5) provides the following: “The duty of information provided for in article 12 of Regulation

approved appeal of Article 5(1)(a), Article 12(1), Article 13(1) and Article 13(2). The appeal for Article 5(1)(c), Article 6(1) and Article 8 GDPR was not approved

person's behavior can be obtained by profiling, as referred to in art. 4 pts 4 GDPR. However, as part of our activities, we do not conduct profiling, and

and obligations of the partners". SECOND: In accordance with article 65.4 of the Organic Law 3/2018, of 5 December, on Personal Data Protection and guarantee

"private life" in Article 8.1 ECHR (Wittwer in Schwimann, ABGB-Takom4 § 1328a Rz 3; Danzl in KBB5 § 1328a ABGB Rz 3; RV 173 BlgNR 22nd GP 17). 1.4 'Personal rights'

L. for the infringement of Article 13 GDPR (data privacy policy) and a warning penalty for the infringement of Article 7 GDPR regarding the collection of

regards to a violation of Article 7 GDPR, for gathering consent in a generic way. To fine the controller €3000 for infringing Article 22(2) LSSI, for installing

provided for in Article 18 GDPR. As explained by the Court, Article 18(1) GDPR, in particular in paragraph (d), is linked to Article 21(1) GDPR, which guarantees

(hereinafter GPRD), an offense under Article 83(5)(a) of the GPRD and described as very serious in article 72.1. a) of Organic Law 3/2018 of 5 December, on Protection

that are not technical or necessary: - 4 Performance Cookies: _ga; _gid; _ga_DZD8C8RYLW and _ga_G4RJW5CDC3 - 3 Targeting Cookies: _gat_gtag_UA_40838799_5;

sanction Vodafone in accordance with Article 83(5)(e) GDPR, for the non-compliance with an order pursuant to Article 58(1) GDPR. For this infringement, the AEPD

2 of 04/01/2018, with identical data 3.- *** INVOICE. 4, from 01/05/2018, with identical data 4.- *** INVOICE. 3, from 06/01/2018, with identical data

Fundamental Rights (Article 8 (1) in conjunction with Article 8 (3) CFR) is protected by Article 77 (1) GDPR in conjunction with Article 77 (1) CFR. Art.

protected (Article 32, Article 24 (1) and (2) of Regulation 2016/679). Has the Chief Surveyor of the country appointed a data protection officer (Article 37 of

hereinafter, LPACAP), for the alleged infringement of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR. FIFTH: Notified of the aforementioned start-up

Articles 6 and 13 GDPR? The AEPD decided to impose, for infringement of Article 6 GDPR, a fine of € 10000 and, for infringement of Article 13 GDPR, a fine of

legitimate and explicit purpose. Therefore, it was contrary to Article 5(1)(b) GDPR and Article 6 GDPR. In addition, the DPA found that the controller did not

other GDPR provisions, such as those related to the transfer of personal data to third countries. The IMY took into account Recital 75 and 76 GDPR in order

11-1-01-01-� L _JCourt of appeal Brussels-2021/AR/282- p. 3 ° - pursuant to Article 83 GDPR and Articles 100, 13 and 101 WOG, an administrative to impose

circulation of these data (hereinafter GDPR); and in article 47 of the LOPDGDD. SECOND: In accordance with the provisions of article 55 of the RGPD, the Agency Spanish

required by Article 13 of the GDPR GDPR. The form used violated Article 13 of the GDPR conduct that is subsumi- ble under Article 83(5) of the GDPR, which provides:

violation of article 6 of the RGPD, typified in article 83.5 of the RGPD. C / Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 3/8 FOURTH: Once

Kühling/Buchner, DS-GVO/BDSG , Article 4 GDPR, paragraph 8; Ernst in Paal/Pauly, GDPR/BDSG, 3rd edition 2021, Article 4, paragraph 14; Cologne Higher Regional

derogant rule, based on the interpretation of Article 95 GDPR in the line of the Rec (173) GDPR and Article 1(2) and 15a of the ePrivacy Directive. The CNIL

Ordinance Article 6 No. 1 letter f, for failure to assess protests, cf. Article 21, and for lack of information, cf. Article 13. 2. Pursuant to Article 58 (2)

(thirty thousand euros), for violation of article 22.2) of the LawLSSI, typified as “slight” in article 38.4.g) of the aforementioned Law.SECOND: REQUIRING

violation of article 6.1 of the RGPD, typified in article 83.5.a) of the GDPR. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/9 The proposed

infringement of Article 5.1.f) of the RGPD, as defined in Article 83.5 of the RGPD, following the application of Article 85(1) and (3) of LPACAP, a fine

organisation contravene Article 5(1)(f) GDPR? The AEPD found that the disclosure of her personal data to the 400 members violated Article 5(1)(f) GDPR. The AEPD stressed

transparency, cf. Article 5(1)(a), and accuracy, cf. Article (5)(1)(d), they hadn't recorded the processing activity as required in Article 30, hadn't conducted

for an infringement of article 14 of the RGPD, typified in article 83.5 of the RGPD, a warning sanction, in in relation to article 74.a) of the LOPDGDD.

provided for in Article 15 GDPR and Article 13 LOPDGDD was exercised. Secondly, the DPA noted that a valid legal basis under Article 6(1) GDPR is required

AEPD concluded that the defendant could have breached Article 13 GDPR, Article 7 GDPR and Article 22(2) LSSI: there was no identification of the data controller

rejected. 3. Secondly, under Article 83 of the GDPR: "1. Each supervisory authority shall ensure that administrative fines imposed under this article for violations

violation of Article 5 (1) (f) GDPR? The Spanish DPA held that were clear indications that the defendant infringed Article 5 (1) (f) GDPR, principles relating

claim asserted here and based on Article 82 of the GDPR, appears questionable in view of sentence 3 of recital 146 of the GDPR. In the case in dispute, however

- Madridsedeagpd.gob.es Page 4 4/5EUR 000 000 maximum or, in the case of a company, an equivalent amountat a maximum of 4% of the total global annual turnover

EDREAMS, S.L. was ordered for a violation of the Article 44 of the GDPR, typified in Article 83.5 of the GDPR, adapt the activity of data processing carried

a penalty of 3,000 euros (threethousand euros), for violation of article 22.2) of the LSSI Law, typified as “slight” in theArticle 38.4.g) of the aforementioned

Thus, the AEPD understood that the defendant has infringed Article 7 of the GDPR and Article 6(3) of the Spanish Law on Data Protection and Digital Rights

of Article 6(1)(e) GDPR -public interest and exercise of official authority vested in it, which falls within the exception of Article 9(2)(j) GDPR. It

AEPD held that the telecoms company 's actions were a breach of Article 6(1) GDPR. Article 6(1) does not apply here because they failed to prove that they

infringement of article 32.1 of the RGPD, typified in article 83.4.a) of the RGPD, a fine of € 3,000 (three thousand euros), in accordance with article 73.g) of

Klarna violate Article 15 of the GDPR? The DPA considered that Klarna failed to process the request within the timeframe required by Article 12(3) and without

Articles 57(1) and 58(2) GDPR for the processing of personal data without the consent of the data subject, as foreseen in Article 6 GDPR. Firstly, the DPA found

the defendant, for violation of Article 6.1, of the RGPD, which states that: "in accordance with the provisions of Article 4.11 of Regulation (EU) 2016/679

hereinafter, LPACAP), for the alleged infringement of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR. SIXTH: On October 13, 2022, DIGI requests the

incorrect as until 9/3/2019 the Pec of the company was tbsrls@pec.it, therefore he [has] never heard of this request. I also specify that from 9/3/2019 to today

for the alleged violation of article 5.1f) of the RGPD in relation to the Article 5 of the LOPDGDD, typified in article 83.5 a) of the RGPD. C / Jorge

the processing of personal data is not covered by the GDPR, according to Article 2(2)(c) of the GDPR. However, the DPA concluded that Orienteringsret.dk

as per Article 22(2) of the Spanish Law on Information Society Services (LSSI) — amongst others, the Spanish law regulating cookies — and Article 13 of

the general rule of Article 15 (1) (a), c) and d) of the GDPR by not giving substantive, specific answers to the request under Article 15 and by sharing

and Pension Funds, of 10/20/2021. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, of Protection of Personal Data and guarantee

their employees. The DPA found a violation of Article 5(1)(b) GDPR, Article 5(1)(c) GDPR and Article 13 GDPR. Following a visit to the premises of two public

breach Article 13 GDPR even if the contact form is not operational? The Spanish DPA (AEPD) held that the defendant, PSI, violated Article 13 GDPR by failing

processing is in the public interest arising from article 6.1.e) of the GDPR, authorized by article 46.3 of the LOU. v. The corresponding weighting judgment

to article 4.1 of the RGPD, is a piece of information personal and their protection, is therefore the subject of the said Regulation. In Article 4(2) of

in line with the principle of lawfulness in Article 5(1)(a) GDPR, as none of the conditions of Article 6 GDPR were satisfied. The data disclosed in the land

aepd.es 28001 – Madrid sedeagpd.gob.es 4/6 The physical image of a person, in accordance with article 4.1 of the GDPR, is data personnel and their protection

code ending in 092, vehicle delivery date 12/4/217 to 12/5/2017, and a handwritten signature that is two Page 3 JURISPRUDENCE dissimilar to that of the contract

to the claimed, by the alleged violation of article 5.1.f) of the RGPD, typified in article 83.5 of the GDPR. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid

for infringing the following provisions: -Article 17 GDPR – Right to Erasure - €50000 fine -Article 32 GDPR – Failure to implement appropriate technical

violation of article 17 in combination with article 21 par. 3 and article 12 paragraph 3 of the GDPR and article 25 paragraph 1 of the GDPR. For its judgment

the LPACAP, for the alleged infringement of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR. SIXTH: On January 23, 2023, DIGI requests a

dl, DSG § 4, Note 3), so that based on Art. 2 para. 2 lit . c GDPR processing operations excluded from the scope of application of the GDPR are also not

a penalty of 3,000 euros (three thousand euros), for in-fraction of article 22.2) of the LSSI Law, typified as “slight” in article 38.4.g)of the aforementioned

meaning of Article 4. The Dispute Resolution Chamber notes that consulting personal data does constitute processing within the meaning of Article 4(2) of the

gob.es 4/9 This infraction is typified in Article 83.5.e) of the RGPD, which considers such as: 'failure to provide access in breach of Article 58(1)'

security . That Krifa - in accordance with Article 5 (1) of the Data Protection Regulation. 2, cf. Article 32 (1) (f), cf. 1 and 2 - has demonstrated that

according to Article 21 paragraph 2 , d) the personal data were processed unlawfully…”. 3. In addition, according to article 4 par. 2 of the GDPR as processing

of Article 6(1) GDPR? The Spanish DPA held that the documentation in the file provides evidence that G.L.P. Instalaciones 86, S.L violated Article 6(1)

entities, as indicated in article 77.1. c) and 2. 3. 4. 5. and 6. of the LOPDDGG: “1. The regime established in this article will apply to the treatments

that the right to freely request inspection is infringed. 5.3. The argument fails. 5.4. 5.4. [appellant under 1] has also requested compensation for exceeding

processing [...]" (Article 6(1)(c) and (e)). 2, RGPD), with the consequence that the provision contained in Article 19, paragraph 3, of the Code, in force

authority (cf. Article 36 (2) no. 7 lit. a DPA) for the purposes of military self-protection (cf. Article 36 (1) DPA in conjunction with Article 2 (1) no. 2

records. Article 5 paragraph 3 of the cited Ordinance stipulates 4 is how records of workers can be kept in written or electronic form, while in Article 8 of

Ms. A.A.A., herein the data controller, violated Article 6 GDPR and Article 13 GDPR, as well as Article 22.2 LSSI (Spanish national law). The data subject

arising from Article 15 of the GDPR. 3. On the breach relating to the obligation to respect the right of opposition (article 21 of the GDPR) 45. The rapporteur

correspond would be for the infringement of article 6.1 of the GDPR, typified in article 83.5 a) of the GDPR, the sanction that would correspond would be

had fulfilled its obligation to provide information pursuant to Article 12(3) and Article 4(7) of the Basic Law (Voriger SuchbegriffDSGVONächster Suchbegriff)

URL: ***URL. SECOND: Dated May 20, 2019, in accordance with Article 65.4 of the Organic Law 3/2018 of December 5, Protection of Personal Data and Guarantee

Ministry of National Defense violated Article 5(1)(c) GDPR. For the corresponding decision of the same day see HDPA (Greece) - 3/2022. Share blogs or news articles

significant negligent action (Article 83(2)(b) GDPR) and that basic personal identifiers were affected (Article 83(2)(g) GDPR). The economic volume of the

breach of Article 5(1)(f) GDPR ("integrity and confidentiality"). Therefore, the Spanish DPA held that there was an infringement of the GDPR. It imposed

that Article 36(1) GDPR provides for a duty to consult if two conditions are met. First, a data protection impact assessment under Article 35 GDPR must

Vodafone on December 3 of the same year, for alleged infringement of Article 5.1.f) of the GDPR, typified in article 83.5 of the GDPR, proposing a fine of

of 25,000 euros (Article 83, paragraph 2 GDPR; Article 100, §1, 13 ° WOG and Article 101 WOG). 18 55. Taking into account article 83 GDPR and the case law

the principle of confidentiality, namely Article 5(1)(f) GDPR, and thus, it did not comply with Article 5(2) GDPR referred as the principle of "proactive

art. 25 sec. 1, art. 28 sec. 1 and 3 and article. 32 sec. 1 and 2, as well as art. 83 sec. 1 - 3, art. 83 sec. 4 lit. a) and art. 83 sec. 5 lit. a) Regulation

2-7 b, which implement Article 5 (3) of the Communication Protection Directive, are lex specialis for the Privacy Regulation. Article 95 of the Privacy Regulation

and the free circulation of these data (hereinafter GDPR); and in article 47 of the Law Organic 3/2018, of December 5, on the Protection of Personal Data

accordance with Article 33 GDPR to the Belgian DPA. Nonetheless, there were suspicions that the controller did not comply with Article 32 GDPR. Especially

violation of article 6.1. f) of the RGPD, in relation with article 20.1 c) of the LOPDGDD, typified in article 83.5.a) of the cited GDPR That by writing

Protection, pursuant to Article 83(3) and Article 83(4)(a) and Article 83(5)(e) of Regulation 2016/679, in conjunction with Article 103 of the Personal Data

found that the El Maestro Cerrajero SL’s privacy policy complied with Article 13 GDPR, after the page was updated by the controller during the procedure.

publication of the judgment breach the GDPR? The AEPD held that the respondent’s actions violated the GDPR Article 5(1)(a) requirement that processing must

violation of Article 13 GDPR and issued a warning to the controller. The AEPD took into account the following aggravating factors (Article 83 (2) GDPR) to determine

Policy on their website (Article 13 GDPR) and for the absence of a reject button on the second layer of their Cookie Policy (Article 22(2) LSSI). The claimant

Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 3 3/8IBy virtue of the powers that article 58.2 of the RGPD recognizes to eachcontrol authority,

information to be retained by the defendant any longer. 4. Pursuant to Article 17 (1) of the GDPR , a data subject has the right to obtain erasure of personal

reputation or rights of others, 4 to prevent disclosure of confidential information or to preserve authority (Article 3, paragraph 3 of the Media Act). Also,

LPACAP), for the alleged infringement of Article 58.1 of the GDPR, typified in the Article 83.5 of the GDPR Regulation (EU) 2016/679 (General Regulation

decision under Article 66 GDPR when the lead SA fails to respond to provide mutual assistance within a month as per Article 61(8) GDPR. The CJEU adopted

to the description requirement in Article 33, para. 3. 3.3. Article 34 of the Data Protection Regulation and Article 5 (1) 1, letter a. Assessment of the

to the legal provisions established in article 22.2 LSSI. This Infraction is classified as "minor" in Article 38.4 g) of the aforementioned Law, and may

the decision of April 4, 2019 of the board to be well-founded. This decision qualifies for annulment due to violation of article 4: 5, first paragraph,

are subject to the GDPR pursuant to Article 3(2)(a) of this Regulation. B. On the competence of the CNIL 22. Article 55(1) of the GDPR provides that "each

es Page 4 4/5IIIThis infraction is typified in article 83.5.e) of the RGPD, which considers as such: “ nofacilitate access in breach of article 58, paragraph

interpretation given by the court to Article 15 of the GDPR is incorrect. According to [appellant], Article 15(3) of the GDPR gives the right to a copy of all

the lack of a privacy and cookie policy on a website infringe Article 13 GDPR and Article 22(2) LSSI? The AEPD decided to impose a fine to the clinic: €

according to Article 12 GDPR and Article 13 GDPR and to maintain a record of the processing activities under its responsibility according to Article 30(1) GDPR

infractions of article 48 of Law 9/2014, of May 9, General of Telecommunications (hereinafter LGT), in accordance with the provisions of the article 84.3 of the

the defendant for an infringement of Article 5(1)(a) GDPR a warning penalty in accordance with Article 58(2)(b) GDPR. Share your comments here! Share blogs

unclear, cf. the preparations for the act, Prop. 56 LS (2017-2018) points 4.4.7 and 4.5.7. The question has not previously been put to the fore, and there is

criteria stated in Article 83(5)(a) GDPR. In imposing the fine, the AEPD factored in accordance with Article 83(2) GDPR and Article 76 LOPDGDD the following

ruling under Article 267 TFEU on the requirements of awarding damages for GDPR violations and the assessment of such damage under Article 82 GDPR. For the

be a possibility to withdraw consent at any time, as required also by Article 7 GDPR. Moreover, a cookie banner should inform the user of a website about

limitation under Article 5(1)(a) of the GDPR. 1(b) and the obligation (principle) of accountability under Article 5(1)(b). 2 of the GDPR, that is to say

down in Article 28 of the GDPR. The Commission wonders about such a qualification in the light of the definition of a subcontractor given in Article 4.8 of

union enshrined in Article 7 of the Spanish Constitution. Therefore, such processing would be lawful in accordance with Article 6(1) GDPR. Share your comments

meaning of Article 4 No. 7 GDPR. However, the defendant cannot be accused of violating an obligation to provide information under Art. 15, 12 GDPR. Paragraph

paragraph k) of Article 83.2 of the RGPD, the LOPDGDD, Article 76, "Sanctions and corrective measures", it provides: "In accordance with Article 83(2)(k) of

under Article 15 GDPR and demanded free access to the historic bank transaction data. The bank argued that this would be a misuse of Article 15 GDPR and

information provided was in breach of Article 13 GDPR. Therefore, the authority warned the controller (Article 83(5) GDPR) and requested to complete the notice

for a possible personal data breach affecting confidentiality, as per Article 32 GDPR. The decision is the consequence of the notification of a possible personal

data subject’s consent under Article 6(1)(a) GDPR, which in turn meets the conditions for consent laid out in Article 7 GDPR. The AEPD highlighted that this

the cameras and a video (Annex YO). SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, of Protection of Personal Data and guarantee

Consequently, based on Article 83(5)(a) GDPR, the hospital was fined to pay a fine of EUR 30.000,00 for violation of Article 5(1)(f) GDPR. Corrective measures

cookies, as per Article 22(2) Spanish Law on Information Society Services (LSSI). This law regulates cookies, connected to Article 13 GDPR. The decision

controller had violated Article 6(1) GDPR since the legitimate interest assessment on which the processing was based (Article 6(1)(f) GDPR) was understood as

typified in article 83.4 of the RGPD and is qualified as serious in article 73.1 g) of the LOPDPGDD for prescription purposes.III Article 58.Article 58.2 of

gather valid consent in line with the GDPR? In building its argumentation, the DPA also relied on Recital 32 GDPR, as well as paragraph 62 of the CJEU Planet49

60 of the GDPR does not apply the GDPR and, therefore, in accordance with the provisions of articles 55 para. 1, 2 para. 1 and 3 para. 2 GDPR and 13 para

personal data (Article 9 GDPR)? Does the data controller have a legitimate interest to process credit card data of recurring purchasers under Article 6(1)(f)

sanctioning procedure, under Article 83(5)(a) of the GDPR, against AAA on 21 December 2022, due to a infringement of Article 6. AAA was the father of the

of these data (hereinafter, GDPR); and in article 47 of the LOPDGDD. SECOND: In accordance with the provisions of article 55 of the RGPD, the Agency Spanish

the social and health authority of a city to had breached Article 6 GDPR and Article 10 GDPR by requesting data subjects to provide it with personal data

unanimously considers that in accordance with Article 17 in in conjunction with Article 21 para. 3 of the GCP and Article 25 para. 1 of the GCP the conditions for

of Bologna for violation of Articles 5(2)(f) and 9 GDPR. On the basis of Articles 58(2)(i) and 83 GDPR, the Garante imposed a fine of € 18 000 on the Local

this the AZOP held that the controller acted contrary to Article 5(1)(a) GDPR and Article 6 GDPR. Moreover, the AZOP reiterated the fact that the pictures

its compliance with the obligation of information as provided for in Article 13 GDPR. It found that there was no new evidence or legal arguments to prove

pursuant to Article 13 GDPR. In the present case, the controller omitted this obligation. The DPA therefore held that the controller violated Article 13 GDPR

violation of Articles 13 and 14 of the GDPR, and a fine of €4 million for a violation of Article 6 of the GDPR, and ordered CaixaBank, to conduct a review

Articles 5 and 6 GDPR? The AEPD held that publishing personal data on Twitter without the consent of the claimant is a violation of Article 6 GDPR, due to the

request information, of in accordance with the provisions of article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee

DPA held that the controller had violated Article 5(1)(a) GDPR, Article 5(1)(c) GDPR, Article 6 GDPR and Section 3 of the Finnish Act on the Protection of

basis under Article 6 GDPR to collect and process vehicle registration numbers. The legal basis is a statutory obligation prescribed by Article 229 of the

corresponding to the month of January 2021. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, of Protection of Personal Data and guarantee

complied with the requirements of Article 32 (2) of the Data Protection Regulation. 1 and Article 5 (1). 2, cf. Article 32 (1) (f), cf. 1 and 2. It is clear

(Datenschutzbehörde - DSB) held that the doctor had violated Article 5(1)(a) GDPR and Article 9(1) and (2) GDPR as the patients had not given their ecplicit consent

space. The DPA found a violation of Article 6(1) GDPR and ordered the controller, pursuant to Article 58(2)(d) GDPR, to adjust the location of the cameras

infringement of Article 6(1) GDPR. Furthermore, he argued the infringement of Article 26 GDPR (joint responsibility) and Article 44 GDPR (third country

with the principle of transparency under Article 5(1) GDPR and for not anonymising the data under Article 25(1) GDPR, among others. The second for failing

infringement of Article 31 GDPR in conjunction with Article 58(1)(e) GDPR. The AEPD, therefore, agreed to impose a penalty of € 20000 under Article 83(5)(e) GDPR

controller violated Article 5(1)(d) GDPR ("accuracy"), but a more natural conclusion would be to find a violation of Article 32(1)(d) GDPR ("adoption of adequate

infractions of article 48 of Law 9/2014, of May 9, General Telecommunications (hereinafter LGT), in accordance with the provisions of the article 84.3 of the LGT