Search results

of the GDPR has violated: iv. Article 4.11), Article 5.1.a) and 5.2, Article 6.1.a), as well as Article 7.1 and 7.3 GDPR; v. Article 5, Article 24.1, as

emphasized that the processing requires an adequate legal basis (under Article 6 and 9 GDPR) for the controller. According to the IP, the question to ask is

data within the meaning of Article 4(1) GDPR? Does a disclosure of personal data under the FOIA fall under Article 6(1)(f) GDPR? The ICO first held, that

the DPA18). 7. Consent in PECR is now defined, from 29 March 2019, by reference to the concept of consent in Regulation 2016/679 (“the GDPR”): regulation

for several persons involved. As such, no violation of Article 12(2)n Article 17(1) and Article 24. However, the private employment agency is reprimanded

areas pursuant to Article 58(2)(f) GDPR. The court held that the video surveillance was not lawful pursuant to Article 6(1)(a) GDPR as the data subjects

rely on legitimate interest (Article 6(1)(f) GDPR) and stated that the controller did not seem to comply with Article 6 GDPR. The controller was obliged

the data subject’s consent under Article 6(1)(a) GDPR but on compliance with legal obligations under Article 6(1)(c) GDPR and that the data subject did not

constitute a breach of Article 8 ECHR, as such interference in an individual's right to privacy is consistent with the requirements of Article 8 para. 2. The plaintiff

contract (Article 6 (1) (b) of the GDPR), when it is necessary to fulfill the legal obligation incumbent on the controller (Article 6 (1) (c) of the GDPR), when

erasure pursuant to Article 17(1) GDPR were not fulfilled. First, the processing was not unlawful pursuant to Article 17(1)(d) GDPR. As the processing was

all, that Article 4, paragraph 7, of the GDPR is applicable to this procedure because of the use of the concept of "data controller" in Article 82 of the

("the GDPR"): regulation 8(2) of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. Article 4( 11)

that under Article 82 (1) and (2) GDPR, any person who has suffered material or non-material damage as a result of a violation of the GDPR is entitled

duties under Article 13 GDPR, as the information allegedly provided to the data subject lacked the requirements laid down in said Article, and the relevant

information obligations under Article 5(1)(a), Article 6(1), Article 12, Article 13, Article 24(1), Article 25(1) and Article 25(2). Share your comments here

copy under Article 15(3) GDPR, as interpreted by the CJEU in case C-487/21, is part of the right to access of data subjects under Article 15 GDPR, which is

from the GDPR under Article 2(2) of the GDPR. 165. Article 2(2) of the GDPR outlines certain types of processing of personal data to which the GDPR does not

data under Article 9 GDPR, which can only be lawful if one of the exceptions of Article 9(2) GDPR apply. With respect to Article 9(2)(h) GDPR, the DPC held

requirements for the legal bases in Article 9, GDPR are not specified. Article 9, paragraph 2, Litera g, GDPR as well as Article 6, paragraph one, Litera e, leg

controller status within the meaning of Article 4(7) Datenschutz-Grundverordnung (General Data Protection Regulation) (GDPR). Following the dismissal, the complainant

it should have under Article 60 GDPR - Article 61(8) GDPR applied, which meant that the urgent need to act under Article 66(1) GDPR was presumed to be met

data as part of the credit check is based on Article 6 Paragraph 1b GDPR and Article 6 Paragraph 1f GDPR. We basically have a legitimate interest in carrying

accordance with Article 6 (1) of the Data Protection Regulation. Article 9 (1) (c) and (f) 2, letters b and f, the Data Protection Act § 7, para. Article 9 (2) of

violation of Article 5(1)(a), Article 12(1) and (2), Article 13(1)(c) and (2)(a) of the GDPR. II.4. Article 5 GDPR, Article 24 (1) GDPR and Article 25 (1) and

processing (Article 4, opening paragraph 7, GDPR). and that the AP is the competent supervisory authority (Article 56, first paragraph, GDPR). 5.2 Obligation

(“the GDPR”): regulation 8(2) of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. Article 4(11)

addition to the violation of Article 32 GDPR, the Chamber found that the financial institution had violated: Article 25 GDPR on data protection by design

controller may refuse to comply with access requests under Article 15 GDPR pursuant to Article 12(5)(b) GDPR if they are aimed exclusively at achieving objectives

an immaterial damage pursuant to Article 82(1) GDPR. When assessing the amount of damages pursuant to Article 82(2) GDPR, the court considered as mitigating

within the meaning of Article 15, Article 4(1) and Article 7 of the Regulation. However, the defendant takes the view that Article 15(3) of the previous

purposes of Article 4(16) GDPR." Consequently, the DPA concluded that the cooperation mechanism and procedure set out in Article 56(1) GDPR and Article 60 GDPR

available”.   19.  The Data Protection Principles are set out in the GDPR.   Article 5(1) GDPR provides that personal data shall be “processed lawfully, fairly

were in violation of Article 5(1)(e) GDPR and Article 32 GDPR, but the DPA dismissed its previous finding of the Article 5(1)(b) GDPR violation. The DPA

and (4) GDPR.” 32. Article 32 of the GDPR relates to the security of processing of personal data. More specifically, Article 32(1) of the GDPR states that

Communications (Amendments etc) (EU Exit) Regulations 2019/419. Article 4(11) of the UK GDPR sets out the following definition: “‘consent’ of the data subject

of the GDPR, which is a condition for a reprimand pursuant to Article 58(2)(b) GDPR. Material scope of the GDPR According to the court, the GDPR applies

data. 7 Article 8, paragraph 1, of the Charter of Fundamental Rights of the European Union. 8 Preamble to the GDPR, No. 1. 9 Preamble of the GDPR, no. 39

provisions of Article 3o , Article 4(2) and Article 6(1)(b), all of the GDPR Implementing Law. 57. Under the terms of Article 55(1) of the GDPR, supervisory

legislator used the open clause of Article 6(1)(c) and (e) GDPR, in combination with Article 6(2) and Article 6(3) GDPR, to create a legal basis for the

failed to comply with the provisions of Article 32(1)(b) GDPR, Article 32(1)(d) GDPR and Article 5(1)(f) GDPR. Furthermore, InfoMentor did not ensure sufficient

not be deemed to be valid according to § 2(8) of the Cookie Law and Article 4(11) GDPR. First of all, Meta’s cookie banner did not allow its registered and

free copy (see below (b)) is neither by Article 15 (4) GDPR (see below (c)) nor by Article 12 (5) sentence 2 GDPR excluded (see below (d)). The claim is

pursuant to Article 14 - and not the right to information pursuant to Article 15 of the GDPR as alleged by the respondent - was alleged. However, Article 14 (1)

agreement to the processing of personal data relating to him or her". 7. Article 7(4) of the GDPR provides: "When assessing whether consent is freely given, utmost

such activity, by virtue of article 4.7 of the GDPR. Within the principles of processing provided for in article 5 of the GDPR, the integrity The quality

HmbKrebsRG Article 9 (1) GDPR, Article 6 (1) GDPR, Article 5 (1) in conjunction with Articles 12, 13 and/or Article 14 GDPR and/or Article 5 (1) (in particular

privacy, as it identifies the car and not the person (...)." Pursuant to Article 4(1) GDPR, personal data refers to information about natural persons, not vehicles

of Article 2(h) Directive 95/46/EC or an "informed and unambiguous indication of the data subject's wishes" within the meaning of Article 2(h) GDPR. Therefore

obligations under Article 21 of the GDPR. Fourthly, EDF breached its obligation to guarantee data security as prescribed in Article 32 of the GDPR. In particular

Therefore, the controller violated Articles 5(2), 24, 6 and 7 GDPR, as well as Article 130 of the code. Second, the DPA determined that the controller was

execution of a relevant contract of assignment, as provided for in article 28(3) of the GDPR.Furthermore , the Service did not conduct a prior consultation

is only authorised where it is freely given, specific and informed (Article 4(11) GDPR). As there is no evidence of individuals consenting to third party

determining the purpose and means of data management Article 4 (7) of the GDPR and Article 26 (1) of the GDPR considered by the Authority to be a joint controller

Data Protection Regulation. Pursuant to Article 8 (3) no. 2 UWG in conjunction with § Article 8 (1) and Article 3a UWG authorise competition associations

the purposes of the GDPR and the DPA, because it determines the purposes and means of processing of personal data (GDPR Article 4(7)). 7. 'Personal data'

controller violated Article 6 GDPR because it had no legal basis to disclose the email addresses. It reasoned that Article 6(1)(a) GDPR was not applicable

fulfill its information obligations under Article 14(1) and (4) GDPR with reference to Article 14(5)(b) GDPR. Following a citizen’s inquiry, the Danish

that there was no breach of Article 32 GDPR. Thus, the CNIL imposed a €310,000 fine on the controller for breaching Article 6 GDPR. To grasp the notion of

information necessary for the performance of the DPA's tasks, in violation of Article 31 GDPR. The DPA received a complaint from a data subject, regarding irregularities

with Articles 5, 6, 7 and 9; b) the rights of the data subjects in Articles 12–22. in accordance with article Pursuant to Article 83 (7) of the General Data

to receive calls. The ICO highlighted that consent, as defined by Article 4(11) GDPR, must be "freely given", meaning an organisation must be able to demonstrate

analogously, Section 823 (1) and (2) BGB in conjunction with Article 6 (1) GDPR and Article 17 GDPR. Claims under data protection law could be asserted by way

consent provided for in the aforementioned Article 82 must be understood within the meaning of Article 4(11) GDPR. The provider did not dispute that it read

of the obligation to inform individuals pursuant to Article 13 of the GDPR 38. Article 13 of the GDPR requires the data controller to provide, at the time

the UK GDPR and the DPA. They are obliged by Article 5(2) to adhere to the data processing principles set out in Article 5(1) of the UK GDPR. Article 5(2)

Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/13 On the other hand, the first section of article 7 of the LOPDGDD specifies how it has if this consent

pursuant to Article 58 (2) (b) GDPR condemns the Applicant as data controller for violating Article 12 of the GDPR. and Article 15 (1) and (3) of the GDPR. The

requirements of Article 28(3) GDPR. The processor did not dispute this violation. However, it claimed that it was not solely responsible as Article 28(3) GDPR imposes

provisions of the GDPR under national law implementing Article 85 GDPR. Processing can be based on legitimate interests under Article 6(1)(f) GDPR. In 2019, the

violated Article 5(1)(a) GDPR by using not one, but two consent management platforms that did not obtain valid consent under Article 4(11) GDPR. Moreover

processing to be unlawful. The processing violated Article 7(2) GDPR, Article 7(4) GDPR and Article 6(1)(a) GDPR. The controller was fined 2,000,000 HUF (approx

6(1)(b), 5(1)(b) and 5(1)(c) GDPR? The Spanish DPA (AEPD) deemed itself competent under Article 58(2) GDPR in conjunction with Article 47 of the Spanish Data

breach of the principle of accountability under Article 5(2) GDPR and Article 33(5) GDPR. Article 5(2) GDPR establishes the principle of accountability which

the data subject requested his personal information (Article 15 (1) GDPR and Article 15 (3) GDPR) from the controller. On the same day, the data subject

investigation relates to Article 38.1 of the GDPR so that the explanations of the agent of the controlled under Article 37.2 of the GDPR are not relevant in

the violation (article 83.2.a) of the GDPR), the Restricted Training notes that with regard to the breach of Article 5.1.c) of the GDPR, it constitutes

obligation to inform the persons concerned pursuant to Article 14 of the GDPR 71. Article 14 of the GDPR provides that when personal data have not been collected

rely on Article 9(2)(b) GDPR. The LArbG Berlin-Brandenburg also confirmed that the processing was not necessary in light of Article 9(2)(b) GDPR, and emphasised

purposes of prescription in article 72 of the LOPDGDD and both are typified in article 83.5 of the GDPR. In this regard, article 29.5 of Law 40/2015, of October

employer violated their Article 15 GDPR obligations as a data controller. The plaintiff requested information under Article 15 GDPR from its former employer

accordance with Article 1 (1) (f) and (2) of the GDPR, Article 24 (1) of the GDPR, Article 25, paragraph 1 of the GDPR and article 32 of the GDPR. Please also

names did not require the consent of the users pursuant to Article 6(1)(a) GDPR and Article 7 GDPR, therefore there was no violation of these provisions. If

personal data under Article 15 GDPR. It found the claim to be inadmissible because it used terms which are not included in Article 15(1) GDPR, and which are

State ruled that compensation claims for non-material damage under Article 82 GDPR require proper substantiation. To be compensated, claimant must be able

of Article 12 GDPR, Article 13 GDPR, Article 14 GDPR, Article 15 GDPR, Article 28 GDPR, Article 32 GDPR and Article 33 GDPR, as well as of Article L. 34-5

first paragraph may be pointed out. in Article 2.7. in Creditinfo's current opescoring license, cf. the same article in the opescoring license that was in

controller (“verlängerter Arm”) (cmp. Article 29 GDPR). If the processing of data is in accordance with Article 6 GDPR, the controller is free to deploy a

further argues that Bravis also acted in violation of Article 7:457 of the Dutch Civil Code (joint article 7:462 of the Dutch Civil Code), because only the practitioners

for by Article 51 of the GDPR. 13. By Article 57(1) of the GDPR, it is the Commissioner's task to monitor and enforce the application of the GDPR. 14. By

responsibility under Article 83 GDPR? On the duration of data retention The CNIL found that the company had violated Article 5(1)(e) GDPR and several domestic

Hungarian Forints (around €7,80) for the breach of Articles 5(1)(b)(c) GDPR, 6(1) GDPR, 12(1) GDPR, 7(2) GDPR, 9(1) GDPR, 13 GDPR and 14 GDPR. Independent of any

grounds for processing under Article 6(1) GDPR. Finally, the NAIH held that the controller was in breach of Article 12(2) GDPR for mis-registering the data

Administrative Court's application of Article 16 GDPR. The Administrative Court had correctly assumed that, while Article 16 GDPR was applicable, it could not be

and (2) GDPR; b. a breach of Article 12(1) and (6) GDPR, Article 13(1) and (2) GDPR and Article 14(1) and (2) GDPR, Article 5(2) GDPR, Article 24(1) GDPR

plaintiff was entitled to damages under Article 82(2), first sentence, of the General Data Protection Regulation (GDPR). In this case, processing had taken

proportionate, and dissuasive per Article 83(1) GDPR, and so the EDPB adopted a binding resolution in accordance with Article 65 GDPR to settle the dispute. The

preserved in the website of origin. Regarding the right to erasure under Article 17 GDPR, the DPA reaffirmed that once the data subject has submitted its request

Maps and Google Earth because Google had a legitimate interest under Article 6(1)(f) GDPR. Google (the controller), offers the services Google Maps and Google

violation of Article 12(3) GDPR and Article 15 GDPR due to a failure to respond to an access request that was submitted around a month after the GDPR became

the principles of purpose limitation under Article 5(1)(b) GDPR and data minimisation under Article 5(1)(c) GDPR, the controller must change the angles of

minimization (Article 5(1)(c) GDPR). The investigation also revealed other breaches with respect to the principle of storage limitation (Article 5(1)(e) GDPR). Indeed

("the GDPR"): regulation 8(2) of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. Article 4(11)

violation of Article 7(1) GDPR. D. On the breach of the obligations of information and transparency 81. Article 12, paragraph 1, of the GDPR provides that:

regarding the controllership, the CNIL noted that Article 4(7) GDPR applied due to the reference made by Article 2 of the ePrivacy directive. The CNIL considered

and accountability in connection with Article 28(1) GDPR, Article 28(3) GDPR, Article 28(10) GDPR and Article 29 GDPR, with regard to the processing of data

in the GDPR and the DPA. They are obliged by Article 5(2) to adhere to the data processing principles set out in Article 5(1) of the GDPR. Article 5(2) makes

regarding Article 6(1) GDPR and consent requirements regulated previously to GDPR. The fact that the infringements related to Article 25 GDPR did not include

there was a breach of Article 14 GDPR. Finally, regarding the security of processing, the CNIL indicated that under Article 32 GDPR, the controller must

12(5)(1) GDPR as an independent claim. The broad concept of personal data underlying the GDPR (Article 4(1) GDPR), the wording and purpose of Article 15(3)(1)

of GDPR Article 5(1)(a) (processing must be fair, lawful and satisfy a condition under Article 6), Article 5(1)(d) (data must be accurate), Article 10

legal basis under Article 6(1) GDPR, and special category personal data without a valid exemption from the prohibition in Article 9(1) GDPR. Grindr has until

the defendant. II.3. Right of access (Article 15 GDPR) 43. In accordance with Article 58(2)(c) of the GDPR and Article 95(1)(5) WOG, the Litigation Chamber

agreement between the third party and A. S.à.r.l. in implementation Article 28 GDPR allowed A. S.à.r.l. to disclose personal data processed on behalf of

legal basis under Article 6(1) GDPR and in violation of transparency obligations in the privacy policy under Article 5(1)(a) and 13 GDPR. The DPA in the

infringement of Article 38.3 of the GDPR, but no infringement on Article 38. 1, 38.2 and 38.6 of the GDPR and no infringement of Article 39 of the GDPR. 5. On February

are obliged by Article 5(2) of the GDPR to adhere to the data processing principle set out in Article 5(1). 8. Article 5(1)(f) of the GDPR provides that

violation of Article 6 GDPR, nor of Article 8 GDPR. There was also no violation of Article 9 GDPR, since the exception for explicit consent from Article 9(2)(a)

constitute perosnal data under Article 4(1) GDPR, since the individuals are identifiable and also because under Article 11 GDPR, it is not mandatory that individuals

part of its own motion Article 5 (1) (d), Article 6 (1), Article 12 (2), (3) and (4) of that Regulation, and a violation of Article 17 (1) (d) in respect

accordance with Article 13 and 14 of the GDPR and the mechanisms to obtain its acceptance. In addition, the AEPD requested evidence of Article 30 record of

case law of the highest courts on Article 6(1)(e) of the GDPR, Article 9(2)(g) of the GDPR and Article 22 of the GDPR in connection with profiling. It was

the GDPR or General Article 5 (1) (a) and (b) of the Data Protection Regulation, - Article 5 (2) of the GDPR, - Article 6 (1) of the GDPR, - Article 12

consent provided for in Article 4.10) of the GDPR, as well as the conditions applicable to consent provided for in Article 7 of the GDPR. 25 Guidelines 5/2020

14 GDPR, in Article 15 GDPR to Article 22 GDPR, and in Article 34 GDPR. The information has to be provided in a concise, transparent, intelligible manner

redress. Therefore, the DPA declared an infringement of Article 12(3) GDPR and Article 12(4) GDPR. Additionally, the DPA held that the controller, whether

B-VG Art133 Para.4 DSG §1 DSG §24 GDPR Art12 GDPR Art14 GDPR Art32 GDPR Art5 GDPR Art57 GDPR Art58 GDPR Art6 GDPR Art77 GDPR Art83 VwGVG §28 paragraph 2 saying

legitimate interest. Based on Article 2 (1) of the GDPR, the GDPR must be applied to the data management in this case. GDPR Article 4, point 1: "personal data":

processing. Same principles concerning fair data processing exist in the GDPR Article 5 and Recital 39 and the Irish DPA 2018. Share blogs or news articles

subject falls outside of the scope of Article 20 GDPR. The data that falls under Article 20 is less than under Article 15 GDPR. The court also considered that

required under Article 13 GDPR, as well as the fact of data transfer abroad, were completely missing. The DPA stated that Article 13 GDPR only provides

prevent it. The Spanish DPA concluded that the controller had violated Article 6 GDPR, as it had processed the personal data of the data subject without their

requirements of Article 85 GDPR. § 9(1) DSG provides - in implementation of the obligation under EU law pursuant to Article 85(1) GDPR - that the provisions

uncovered that there were 7,753 overdue access requests. As such, the ICO held that the controller contravened Article 15 GDPR by failing to inform the

erasure (Article 17 of the GDPR), the right to restriction (Article 18 GDPR), as well as the right of opposition (Article 21 GDPR) 91. Article 17 of the

arising from Article 5.2 and Article 24 GDPR whereby it is up to the defendant to demonstrate that it also acts in accordance with Article 5.1.f GDPR namely:

violated the principles of accuracy of Article 5(1)(d) GDPR and data protection by design of Article 25(1) GDPR. In addition, the DPA held that the controller

A) The Controller has not respected Article 32, paragraph (1), point (a) and(b) and paragraph (2) of that article of Regulation (EU) 2016/679, the protection

data are part of a filing system, in line with Article 2(1) GDPR. Article 4(6) GDPR defines a filing system as "any structured set of personal data, which

12 and 13 of the GDPR constitute breaches of key principles of the GDPR likely to be subject to, under Article 83 of the GDPR. GDPR, an administrative

satisfoactory answers. Thus, Article 15 GDPR was not violated. Furthermore, the judge ruled that the e-screener did not infringed Article 22 GDPR. Indeed, the judge

carry out an interest test and therefore breached Article 6(1) GDPR. Article 13(1) GDPR and Article 13(2) GDPR set out the processing circumstances and information

the GDPR pursuant to Article 2(2)(d). Article 79 GDPR does not explicitly limit judicial remedies to the rights enshrined in Chapter III of the GDPR. Following

contained in Article 15(1)(h) only relates to the form of automated decision making referred to in Article 22(1) to (4). This implied that under Article 15(1)(h)

regarding Article 6(1) GDPR and consent requirements regulated previously to GDPR. The fact that the infringements related to Article 25 GDPR did not include

data under Article 17 GDPR, restriction of processing concerning the data subject under Article 18 GDPR, the right to object under Article 20 GDPR as well

arising from Article 25 of the GDPR. 5. The breach relating to the obligation to ensure the security of personal data 97. Article 32 of the GDPR provides that:

Chapters 122-123 See Article 29 Working Party Opinion 6/2014 on the concept of the controller's legitimate interests in Article 7 of directive 95/46/EC

healthcare, in accordance with Article 5 (1) (f) and Article 32.1 and 32.2 of the Data Protection Ordinance, Chapter 4 § 2 and ch. 6 § 7 the Patient Data Act and

by default, under Article 5(1)(c) GDPR and Article 5(1)(e) GDPR, Article 5(2) GDPR together with Article 24 GDPR and Article 25 GDPR. The DPA stated that

data subject (Article 9 (2) (a) of the GDPR) GDPR). As a consequence of a significant violation of the above-mentioned provisions of the GDPR, the President

the GDPR introduces a prohibition on their processing (Article 9(1) GDPR), while allowing for explicit and limitative exceptions (Article 9(2) GDPR). In

protection per Article 5 GDPR. It also had to guarantee and be able to demonstrate that the processing was carried out in accordance with the GDPR, and in particular

parties under Article 26 GDPR. 3.5. The principle of accountability The GDPR contains a general principle of accountability in Article 5(2) GDPR. It follows

decision on compliance or general data protection Article 46, Article 47 or the second subparagraph of Article 49 (1) of this Regulation appropriate and suitable

access under Article 15 GDPR and for violating the principles of data minimisation (Article 5(1)(c) GDPR), confidentiality (Article 5(1)(f) GDPR) and the controller’s

transparency obligations from Article 12 GDPR. II.4.1. Article 17 of the GDPR, Article 24 (1) of the GDPR and Article 25 (1) of the GDPR 56. The Disputes Chamber

examined Article 81 of the GDPR, but not the actually relevant Article 82 of the GDPR. The claims asserted in the counterclaim under Article 82 of the

providing transparent information under Article 12 GDPR. However, NAIH held that issuing a reprimand under Article 58(2) was sufficient, without the need

result of the violations of article 5.1 a), article 5.2, article 6.1, article 12.1, article 13.1 c) and d) and article 13.2 b) GDPR. 21. On 17 June 2020, the

accordance with Article 6(2) GDPR and Article 6(3) GDPR for adaptation to the application of Article 6(1)(c) GDPR and Article 6(1)(e) GDPR. The court stressed

2018”), Article 4(7) of the General Data Protection Regulation (“the GDPR”), and Article 4(7) of the UK General Data Protection Regulation (“the UK GDPR”).

in violation of Article 6 GDPR. Thirdly, it was claimed that Meta unlawfully processed special categories of personal data (Article 9 GDPR). Fourth, and

freedom (Article 2.2 sentence 2 of the Basic Law) and her general right of personality (Article 2.1 of the Basic Law in conjunction with Article 1.1 of the

violated Article 34(2) GDPR, because he only informed the data subject of the alleged data loss. However, the information obligations of Article 34 GDPR provide

paragraph 1 Article 5, Article 25 and points b and d of paragraph 1. Article 32 of regulation (EU) 2016/679, cf. Number 6. Paragraph 1 Article 8, Article 24 and

not meet the conditions for consent according to Article 7, paragraph 2 and Article 7, paragraph 4, GDPR. Such a clause would also be immoral or void according

intention of the GDPR and therefore a restrictive interpretation of Article 15 (1) GDPR is required. cc. Even if Article 15 (1) GDPR were to be interpreted

according to its faculties under Article 58(2)(a), Article 58(2)(b) and Article 58(2)(d), as well as Article 83(5) GDPR, Share your comments here! Share

the relevant provisions of the GDPR are Article 14, read in conjunction with Article 12(1). 28. Article 14 of the GDPR concerns transparency in the context

required by Article 13 GDPR. Furthermore, the AEPD, highlighted that the RFEF did not provide the information required by Article 13(3) GDPR about further

13 and 14 GDPR, objected to the processing pursuant to Article 21 GDPR and requested the restriction of the processing under Article 18 GDPR. The controller

data processing [Article 83 (2) (d) GDPR]; the personal data collected are also special categories of personal data [Article 83 GDPR. Article 2 (2) (g)]; -

personal data breach to comply with Article 32 GDPR and by reference to the principle set down in Article 5(1)(f) GDPR. In particular, this request concerned

obliged to comply with the GDPR provisions as a processor, while the controller could invoke the exemption of Article 2(2)(c) GDPR. The court then refers to

violated Article 14(1) and (2) GDPR. Because it failed to provide clear and transparent information, the controller also violated Article 12(1) GDPR. The DPA

what is established in the article 6 of the RGPD, already mentioned, and in articles 7 of the RGPD and 7 of the LOPDGDD. Article 7 “Conditions for consent”

GDPR obliges the controller to demonstrate compliance with GDPR provisions, this includes obtaining proof of consent in line with Article 7(1) GDPR. Especially

about one party to a proceeding with another party, in violation of Article 32(1) GDPR. The Agency of Family Law (the controller) is a public authority that

(1) GDPR declares that the GDPR is applicable in addition to the GDPR, without referring to the exceptions in Article 2 (2), (3) and (4) of the GDPR. In

tried to base the processing on contract (Article 6(1)(b) GDPR) or legitimate interest (Article 6(1)(f) GDPR), the requirement of necessity was not met

constitute a valid legal basis in line with Article 6(1)(e) GDPR, Article 6(2) and (3) GDPR nor with Article 9(2)(g) GDPR. Making reference to case law of the

provisions of Article 5(1)(f) GDPR, Article 5(2) GDPR, Article 24(1) GDPR, Article 25(1) GDPR, Article 32(1) GDPR and Article 32(2) GDPR by: (a) failing

highly intrusive and therefore could not be based on Article 6(1)(f) GDPR. Secondly, Article 5(1)(c) GDPR indicates that personal data should be adequate,

regarded as processing personal data as referred to in the GDPR. Article 6 (1) of the GDPR sets out which conditions form a ground for the lawful processing

The Regional Court of Berlin held that a right to information under Article 15 GDPR cannot be enforced by way of an interim injunction, since there is no

to the GDPR pursuant to Article 3(1) of the GDPR, so no EU representative is required in accordance with compliance with article 27 of the GDPR.” It does

violation of Article 35 of the GDPR, Article 32 of the GDPR and Article 13 of the GDPR, typified in Articles 83.5 of the RGPD and Article 83.4 of the RGPD

portability, thereby violating Article 13(2)(b) GDPR. In light of the above, in accordance with Article 58(2)(i) GDPR and Article 83 GPDR, the AP considered

with the GDPR. In the context of the extended ex officio investigation, the DPA also found a violation of Article 12(6) GDPR and Article 12(2) GDPR on facilitating

sanction for both Article 5(1)(f) and 32 GDPR in this case would constitute a double violation of the GDPR, when in fact Article 5(1)(f) GDPR is merely a concretion

finding likely violations of Article 5(1)(c), 8, 9, 13 and 35 GDPR. The AEPD found a likely violation of Article 35 GDPR. Article 35 GPDR requires that a data

to erasure under Article 17(1)(a), (c) or (d) GDPR, because the controller was processing the data lawfully under Article 6(1)(f) GDPR and the processing

violation of article 35, typified in article 83.4 of the RGPD - For the alleged violation of article 9 of the RGPD, typified in article 83.5.a) of the GDPR. - For

Garante found a violation of the processing principle under Article 5(1)(f) GDPR and Article 32 GDPR related to the security of processing which was compromised

all the details required by Article 13 GDPR. As for the appointment of a DPO, the controller argued that Article 37(1) GDPR was not applicable since the

according to Article 22, Paragraphs 1 and 4 GDPR, i.e. the exception provision of Article 22, Paragraph 2, GDPR does not apply (see Article 22, GDPR), the data

involve a breach of the provisions of Article 6 of the GDPR, in relation to Article 22 of the LOPDGDD. Article 6 of the GDPR has four paragraphs, which in turn

implied a violation of Article 15 GDPR. The AEPD decided to fine the controller a total of €60,000: €30,000 for the violation of Article 6, and €30,000 for

This is inferred from Article 6.1.f) of the RGPD in connection with Article 21.3 and Recitals 47, 69 and 70 of the GDPR, Article 21 of the RGPD regulates

access to his personal data pursuant to Article 15 GDPR and to receive a copy of his data under Article 15(3) GDPR. The controller did not fulfil the request

virtue of article 4.7 of the GDPR. The GDPR provides, in its article 56.1, for cases of cross-border processing, provided for in its article 4.23), in

accountability (Article 5 (2) and 24 (1), (2) GDPR), privacy by design (Article 25 (1) GDPR) and as controller towards its data processors (Article 28 GDPR). Consequently

violation of Article 7(4) GDPR. Based on these considerations, the AEPD issued a €2,000,000 fine against Caixabank for infringing Article 6 GDPR in relation

violation of Article 5.1.c) of the GDPR, Article 6 of the GDPR, Article 9 of the GDPR, Article 12 of the GDPR, Article 35 of the RGPD, Article 13 of the RGPD

alleged violation of Article 5.1.f) of the RGPD and Article 32 of the GDPR, typified in Article 83.5 of the GDPR and Article 83.4 of the GDPR. C/ Jorge Juan

data under Article 4(1) GDPR. Moreover the court found that the controller can refuse to act on the request according to Article 12(5)(b) GDPR, because the

guaranteed by Article 1 and 2 of the German basic law as well as the legal basis for the processing of personal data of Article 6(1)(f) GDPR (the legitimate

Therefore, consent was not valid as a legitimate basis from Article 6(1) GDPR, in relation to Article 7 GDPR, and thus processing was unlawful. On these grounds

confidentiality of data pursuant to Article 5(1)(f) GDPR and violated the principle of privacy by default and by design (Article 24 GDPR). The controller was aware

claim was Article 16 GDPR, as § 12 Bundesmeldegesetz (BMG - Federal Registration Act) clarifies. Then, it held that the legal requirements of Article 16 GDPR

according to Article 58(2)(d) GDPR. First, the AEPD established that the GDPR was applicable under Article 3(1) GPDR or, if not, at least Article 3(2)(a) GDPR

did not assess the case under Article 9 GDPR but only under Article 6(1)(c) GDPR. In particular, Article 9(2)(g) and Article 9(2)(i) in conjunction with

of €10,000 under Article 82(1) GDPR for a violation of Articles 15 GDPR and 12(3) GDPR. The LAG held that a mere violation of the GDPR does not give rise

and Section 2 of the German Civil Code in conjunction with Article 6 (1) GDPR and Article 17 GDPR, the plaintiff is also not entitled to an injunctive relief

principle of Fairness (Article 5(1)(a) GDPR), purpose limitation (Article 5(1)(b) GDPR) and data minimisation (Article 5(1)(c) GDPR) would not prevent the

5(2), 6, 7, 13, 28, 29, and 30 GDPR; SESTA IMPRESA was fined €300,000 for violating Articles 5(1)(a), 6, 7, 28, 29, and 32 GDPR as well as Art. 2-quaterdecies

found that GDPR does not prevent the claimant from exercising their basic right. In this regard the court referred to Article 6(1)(f) GDPR to highlight

this respect. Hence, the controller argued that it did not violate Article 33(1) GDPR. The DPA held that the data breach entailed a risk of violating the

Art. 4 No. I GDPR, para. 18- processed without a legal basis, Art. 6, 7 GDPR, and sufficient information within the meaning of Art. 13, 14 GDPR, Art. 4 No

personal data within the meaning of Article 4(1) GDPR and thus cannot be object of an access request under Article 15(3) GDPR. Making reference to CJEU case

damages either under Article 82 (1) GDPR or on any other basis for the claim. 32aa. The scope of application of Article 82 Para. 1 GDPR is open in terms of

within the meaning of Article 58(2)(c) of the GDPR. c of the GDPR. Recital52 Rights within the meaning of Article 58(2)(c) of the GDPR are, first and foremost

interfering with court decisions. The DPA found a breach of Article 33 GDPR and Article 34(1) and (2) GDPR resulting in a fine of €2,324. Share your comments here

2022, Article 82 GDPR, paragraph 20; Nemitz, in: Ehmann/Selmayr, GDPR, 2nd edition 2018, Article 82, paragraph 20; Gola/Piltz, in: Gola/Heckmann, GDPR/ BDSG