Search results
From GDPRhub
- AEPD (Spain) - EXP202310910 (category Article 5(1)(c) GDPR) RGPD and other violation of article 13 of the GDPR. III Article 5.1 c) of the GDPR Article 5 of the GDPR “Principles relating to processing” refers to ... 44 KB (6,808 words) - 14:36, 21 May 2024
- APD/GBA (Belgium) - 161/2022 (category Article 3(1) GDPR) territorial scope of the GDPR, Article 3 of the GDPR assumes of two different cases. In the first case (Article 3.1 of the GDPR), the data processing carried ... 19 KB (2,689 words) - 15:30, 23 November 2022
- ICO (UK) - Colour Car Sales Limited (category Article 4(11) GDPR) her". 8. Recital 32 of the GDPR materially states that "When the processing has multiple purposes, consent should be given for all of them". Recital 42 materially provides ... 22 KB (2,764 words) - 16:07, 19 September 2021
- OLG Koblenz - 5 U 2141/21 (category Article 82 GDPR) Article 81 of the GDPR, but not the actually relevant Article 82 of the GDPR. The claims asserted in the counterclaim under Article 82 of the GDPR were confirmed ... 81 KB (13,639 words) - 18:14, 7 June 2022
- APD/GBA (Belgium) - 137/2023 (category Article 12(1) GDPR) under Article 12(1) GDPR and Article 14 GDPR, as the controller had failed to fulfill the informational obligations under Article 14 GDPR. The municipality ... 52 KB (7,789 words) - 11:38, 11 October 2023
- BVwG - W256 2227693-1 (category Article 6(1)(a) GDPR) processing in accordance with Article 6 (4) GDPR. The legal basis of Article 6 (1) (f) GDPR and Article 6 (4) GDPR are out of the question because it contradicts ... 51 KB (8,327 words) - 14:04, 14 December 2023
- Garante per la protezione dei dati personali (Italy) - 9808698 (category Article 5(2) GDPR) Article 46(2) GDPR. For these violations, the DPA reprimanded the controller and ordered it to comply with the GDPR (specifically Article 46 GDPR) within 90 ... 91 KB (15,011 words) - 09:00, 5 October 2022
- ICO (UK) - Enforcement Notice and Warning Letter - Home Office (category Article 5(2) GDPR) accountability pursuant to Article 5(2) UK GDPR because it failed to demonstrate compliance with Article 5(1)(a) and (c) UK GDPR principles of lawfulness, fairness ... 129 KB (17,281 words) - 14:57, 10 April 2024
- ICO (UK) - The Money Hive Limited (category Article 4(11) GDPR) her". 7. Recital 32 of the GDPR materially states that "When the processing has multiple purposes, consent should be given for all of them". Recital 42 materially provides ... 63 KB (8,280 words) - 14:53, 2 March 2022
- APD/GBA (Belgium) - 71/2022 (category Article 5(1)(c) GDPR) view to a powerful enforcement of the rules of the GDPR. As is clear from Recital 148 GDPR, the GDPR states after all, it is important to note that for ... 69 KB (10,468 words) - 07:37, 9 June 2022
- VGH München - 5 BV 20.2104 (category Article 2(2)(d) GDPR) the GDPR pursuant to Article 2(2)(d). Article 79 GDPR does not explicitly limit judicial remedies to the rights enshrined in Chapter III of the GDPR. Following ... 61 KB (10,218 words) - 12:31, 13 June 2023
- DSB (Austria) - 2020-0.436.002 (category Article 4(1) GDPR) the meaning of Article 4(4) GDPR. Taking into account recital 71 GDPR and WP 251 rev.01, the DSB emphasized that the GDPR differentiates between profiling ... 28 KB (4,091 words) - 05:23, 14 August 2021
- Tietosuojavaltuutetun toimisto (Finland) - 10587/161/21 (category Article 15 GDPR) controller's inaction on the request. On 23 July 2021, the DPA exercised its power under Article 58(2)(c) GDPR and ordered the controller to comply with ... 24 KB (3,719 words) - 15:57, 1 June 2022
- DVI (Latvia) - LocateFamily administrācija (category Article 5(1)(b) GDPR) Latvian DPA disregarded the argument that the GDPR did not apply to the controller. As a matter of fact, the GDPR applies also to controllers that do not have ... 25 KB (3,679 words) - 11:30, 2 August 2023
- OGH - 6Ob87/21v (category Article 5(1)(c) GDPR) violation of Article 5(1)(c)(e) GDPR and a prevailing legitimate interest of the defendant according to Article 6(f) GDPR. It must be noted that the judgment ... 38 KB (6,129 words) - 10:12, 10 September 2021
- AEPD (Spain) - PS-00587-2021 (category Article 4 GDPR) processing activities. compliance with the GDPR, including the effectiveness of the measures (GDPR recital 74). In summary, this principle requires a conscious ... 79 KB (12,131 words) - 15:30, 17 January 2024
- CNPD (Luxembourg) - Délibération n° 21FR/2021 (category Article 5(1)(c) GDPR) not compliant with Article 13 GDPR. The CNPD held that the controller infringed Article 5(1)(c) GDPR and Article 13 GDPR and decided to: - impose an administrative ... 52 KB (7,520 words) - 13:13, 20 July 2021
- AEPD (Spain) - PS/00587/2021 (category Article 5(1)(f) GDPR) infringement of article 5.1.f) of the GDPR and article 32 of the GDPR, typified in articles 83.5 and 83.4 of the GDPR, respectively. The startup agreement ... 81 KB (12,762 words) - 12:51, 29 November 2022
- BVerwG - 10 C 4.20 (category Article 23(1)(e) GDPR) Information Acts and the GDPR. Due to the questions of EU law raised by the case with regard to Article 23(1)(e) GDPR and Article 23(1)(j) GDPR, the BVerwG had ... 37 KB (6,075 words) - 08:46, 20 July 2022
- AG Hamburg-Bergedorf - 410d C 197/20 (category Article 6(1) GDPR) violated Article 6(1) GDPR. However, this violation alone was not sufficient to justify a claim for damages. Pursuant to Article 82(1) GDPR, a claim for damages ... 19 KB (3,009 words) - 12:26, 2 February 2022
- Garante per la protezione dei dati personali (Italy) - 9960948 (category Article 5(1)(f) GDPR) personal data securely, in violation of Articles 5(1)(f) GDPR and Article 32(1)(b) and (d) GDPR. Two aspects of the decisions are interesting. First, the ... 86 KB (13,819 words) - 21:32, 8 February 2024
- IMY (Sweden) - DI-2019-11737 (category Article 4(4) GDPR) various marketing purposes did not have a legal basis under Article 6(1) GDPR. Bonnier News AB was fined 13,000,000 SEK (approx. € 1.90 million) for the ... 103 KB (15,684 words) - 07:17, 12 July 2023
- Datatilsynet (Denmark) - 2021-31-5282 (category Article 4(1) GDPR) found, among other things, that the consent solution did not comply with the GDPR, as the consent was not sufficiently informed. Leadwise’s website letfinans ... 16 KB (2,345 words) - 10:17, 16 June 2023
- AEPD (Spain) - EXP202206735 (category Article 6 GDPR) article 4.1 of the GDPR, is data personnel and their protection, therefore, is the subject of said Regulation. In article 4.2 of the GDPR defines the concept ... 75 KB (12,421 words) - 13:23, 13 December 2023
- APD/GBA (Belgium) - 07/2024 (category Article 5(1)(c) GDPR) DPA considered the infringement of Article 5 GDPR, Article 24(1) GDPR, as well as Articles 25(1) and (2) GDPR. Secondly, the DPA addressed the access request ... 350 KB (51,369 words) - 09:25, 31 January 2024
- Garante per la protezione dei dati personali (Italy) - 9891673 (category Article 5(1)(a) GDPR) without prejudice to what has already been reported on the provision of Recital 63 GDPR, of explicit protection of industrial and corporate secrets and intellectual ... 78 KB (12,604 words) - 09:01, 7 June 2023
- EDPB - Binding Decision 1/2020 - 'Twitter' (category Article 4(24) GDPR) (Article 5(2) GDPR), of engagement of a processor (Article 28 GDPR), and in respect of the security of processing of personal data (Article 32 GDPR). However ... 183 KB (30,819 words) - 09:50, 20 January 2023
- her”. 8. Recital 32 of the GDPR materially states that “When the processing has multiple purposes, consent should be given for all of them”. Recital 43 materially ... 32 KB (5,066 words) - 09:04, 14 February 2022
- OLG München - 18 U 2822/19 Pre (category Article 4 GDPR) Protection Regulation (GDPR): The protection of the free movement of data within the European Union. Recital 10(f) of the GDPR emphasises that the rules ... 59 KB (9,846 words) - 14:03, 20 September 2021
- AEPD (Spain) - PS/00003/2021 (category Article 4(16) GDPR) definition of Article 4(16) GDPR, and therefore declared its competency to act as the lead supervisory authority under Article 56(1) GDPR. The AEPD then investigated ... 115 KB (18,312 words) - 11:58, 16 March 2022
- BVwG - W298 2266986 -1/20E (category Article 5(1)(c) GDPR) Paragraph 4 GDPR Art4 Z1 GDPR Art5 Paragraph 1 litc GDPR Art51 Paragraph 1 GDPR Art57 Paragraph 1 litf GDPR Art6 Paragraph 1 litf GDPR Art77 GDPR Art9 B-VG ... 63 KB (10,365 words) - 12:54, 31 January 2024
- OLG München - 18 U 1697/21 Pre (category Article 6(1)(f) GDPR) 17(1) GDPR supported no indemnification claim – the court rejected her demand of compensation. The court decided further that Article 17(1) GDPR is not ... 22 KB (3,418 words) - 10:28, 14 November 2022
- VwGH - Ro 2019/04/0229 (category Article 4(7) GDPR) VwGH, this is because the fines under the GDPR and the BWG are "real administrative penalties" (see recital 150 GDPR), whereas the fines imposed by the European ... 59 KB (8,848 words) - 12:41, 16 September 2021
- UODO (Poland) - DKN.5130.3114.2020 (category Article 24(1) GDPR) initiation of administrative proceedings, he referred to recital 87 of Regulation 2016/679 and not to recital 85 of Regulation 2016/679, as indicated by the Company ... 105 KB (16,833 words) - 13:48, 15 November 2021
- APD/GBA (Belgium) - 125/2021 (category Article 5(1)(b) GDPR) shared with a Third Party to solve a payment issue. By referring to Recital 47 of the GDPR and to the CJEU judgment in case C-708/18 TK v Asociaţia de Proprietari ... 22 KB (3,222 words) - 09:51, 29 November 2021
- CNPD (Portugal) - Deliberaçao 2024/137 (category Article 5(1)(a) GDPR) pursuant to Article 56 GDPR. It concluded that the controller violated Articles 5(1)(a), 7(3), 9(1), and 13(2)(c), and 17(1) GDPR. It imposed a temporary ... 49 KB (7,923 words) - 14:36, 3 April 2024
- AEPD (Spain) - E/03882/2020 (category Article 4(1) GDPR) according to Article 6(1)(c) GDPR would be a valid legal basis, related to the exception provided by Article 9(2)(h) GDPR: the employer has the obligation ... 56 KB (8,548 words) - 10:54, 4 June 2021
- Datainspektionen - DI-2019-3839 (category Article 5(1)(f) GDPR) for the decision Current rules GDPR the primary source of law The General Data Protection Regulation, often abbreviated GDPR, was introduced on 25 May 2018 ... 60 KB (9,524 words) - 11:43, 7 April 2022
- Court of Appeal - (2021) IECA 53 (category Article 4(11) GDPR) to the properties, defending the baseless claims of B. as well as A". GDPR' Recital 111 provides that provisions should be made where the transfer is occasional ... 136 KB (23,256 words) - 13:47, 29 April 2021
- OGH - 6Ob129/21w (category Article 4(1) GDPR) 85 GDPR, so that Chapter II (including Art 6 GDPR) to VII and IX of the GDPR do not apply. The regulation of § 9 DSG, which is based on Art 85 GDPR, is ... 60 KB (9,555 words) - 14:13, 2 March 2022
- DSB (Austria) - DPA 2021-0.415.529 (category Article 5 GDPR) processing under Article 6 GDPR, but also to comply with the principles of processing under Article 5 GDPR. Under Article 5(2) GDPR, the controller is not ... 28 KB (4,424 words) - 09:15, 29 May 2024
- RvS - 201905087/1/A2 (category Article 6(1)(f) GDPR) violation of the GDPR by the local authorities considering the lack of prove of an actual damage caused by the lack of information under the GDPR. To be compensated ... 33 KB (5,123 words) - 07:17, 15 September 2020
- DPC - C-19-X-XXX Ryanair DAC - November 2020 (category Article 4(22) GDPR) and (4) GDPR.” 32. Article 32 of the GDPR relates to the security of processing of personal data. More specifically, Article 32(1) of the GDPR states that ... 35 KB (4,975 words) - 20:43, 5 May 2021
- HDPA (Greece) - 35/2023 (category Article 4(12) GDPR) by bank to the data subject's wife under Article 5 (1) (a) GDPR and Article 5 (1) (f) GDPR. An additional €50,000 was added for the violation of the obligation ... 52 KB (8,460 words) - 10:54, 10 January 2024
- DPC - Health Service Executive - August 2020 (IN-19-9-1) (category Article 5(1)(f) GDPR) Regulation (“the GDPR”) has been contravened by the HSE in that context. 1.2 The HSE was provided with the Draft Decision on this Inquiry on 23 July 2020 to ... 142 KB (23,134 words) - 15:51, 19 July 2021
- APD/GBA (Belgium) - 46/2022 (category Article 5(1)(a) GDPR) 17 of the GDPR), the right to restriction (Article 18 GDPR), as well as the right of opposition (Article 21 GDPR) 91. Article 17 of the GDPR states: 1 ... 86 KB (12,864 words) - 06:37, 23 February 2023
- DSB (Austria) - 2022-0.585.764 (category Article 2(2)(c) GDPR) transparency according to Art. 5 Para. 1 lit. a GDPR is specified in Art. 12, 13 and 14 GDPR (see also recital 39 and 58 GDPR). Accordingly, it must be clear to data ... 77 KB (13,004 words) - 14:44, 9 May 2023
- AEPD (Spain) - PS/00080/2022 (category Article 5(1)(f) GDPR) Article 5(1)(f) GDPR. Furthermore, the controller was responsible for implementing appropriate security measures according to Article 32(1)(b) GDPR, for guaranteeing ... 47 KB (7,265 words) - 10:05, 21 July 2022
- Garante per la protezione dei dati personali (Italy) - 9582723 (category Article 5 GDPR) 9582723] Opinion on the request for civic access - 23 April 2021 Record of measures n. 157 of 23 April 2021 THE GUARANTOR FOR THE PROTECTION OF PERSONAL ... 24 KB (3,805 words) - 13:05, 19 May 2021
- APD/GBA (Belgium) - 115/2022 (category Article 5(1)(c) GDPR) a basis of lawfulness own. Recital 50 of the GDPR 11 is explicit in this regard. These legal bases 9 Recital 50 of the GDPR: [...] In order to establish ... 42 KB (6,237 words) - 11:23, 5 August 2022
- procedural GDPR violation had occurred, arguing that the Austrian DPA transferred the complaint to the AEPD when pursuant to Article 60(8) GDPR, the Austrian ... 31 KB (4,895 words) - 11:51, 2 May 2024
- AEPD (Spain) - PS/00259/2020 (category Article 6(1)(f) GDPR) imposed, has limited himself to transcribing the Recital 148 of the RGPD since the aforementioned recital takes into consideration only two elements: that ... 158 KB (25,857 words) - 13:56, 14 July 2021
- OGH - 6Ob138/20t (category Article 23(1)(e) GDPR) permissible under Article 23 GDPR, or must the principle of chargeability remain inapplicable as a national law contrary to Article 23 GDPR? The Supreme Court ... 43 KB (6,891 words) - 09:03, 24 February 2021
- EDPB - Binding Decision 2/2022 - 'Instagram' (category Article 5(1)(c) GDPR) performance of a contract (Article 6(1)(b) GDPR) and for legitimate interest (Article 6(1)(f) GDPR). Article 6(1)(b) GDPR In its original draft decision, the ... 276 KB (38,206 words) - 09:46, 20 January 2023
- CNIL (France) - SAN-2023-024 (category Article 6(1) GDPR) in directive 95/46/EC, which was replaced by the GDPR. 90. Thus, since the entry into force of the GDPR, the "consent" provided for in the aforementioned ... 76 KB (12,140 words) - 13:55, 28 February 2024
- CNPD (Luxembourg) - Délibération n° 13FR/2023 (category Article 5(1)(b) GDPR) employees. The DPA found a violation of Article 5(1)(b) GDPR, Article 5(1)(c) GDPR and Article 13 GDPR. Following a visit to the premises of two public bodies ... 96 KB (13,984 words) - 16:57, 6 December 2023
- AEPD (Spain) - PS-00507-2022 (category Article 4(1) GDPR) Article 58 GDPR Supporting this they, amongst others, used the Case Versalis Spa v Commission, C-511/11, as well as the Recital 40 of the GDPR as basis of ... 49 KB (7,832 words) - 10:54, 22 January 2024
- APD/GBA (Belgium) - 72/2021 (category Article 6(1)(e) GDPR) processing of their personal data (articles 5 and 6 of the GDPR and articles 12 to 14 of the GDPR), and on the other hand, the compliance of the response ... 57 KB (8,330 words) - 11:53, 30 June 2021
- CNIL (France) - SAN-2023-021 (category Article 5(1)(c) GDPR) nature within the meaning of Article 4 (23) of the aforementioned GDPR. 47. In application of article 55.1 of the GDPR, the restricted committee considers ... 115 KB (18,607 words) - 11:00, 6 February 2024
- Datainspektionen - DI-2019-7024 (category Article 5(1)(f) GDPR) identity. Did the Educational Board of Stockholm breach Articles 32(1) and 35 GDPR with its new IT system which suffered data breaches? After receiving many ... 70 KB (11,103 words) - 11:43, 7 April 2022
- Garante per la protezione dei dati personali (Italy) - 9782890 (category Article 5(1)(a) GDPR) Article 46(2) GDPR. For these violations, the DPA reprimanded the controller and ordered it to comply with the GDPR (specifically Article 46 GDPR) within 90 ... 47 KB (7,604 words) - 07:01, 20 July 2022
- Rb. Amsterdam - C/13/702849 / HA ZA 21-526, C/13/706680 / HA ZA 21-789 and C/13/706842 / HA ZA 21-794 (category Article 79 GDPR) (section TikTok Ireland: jurisdiction under the GDPR) under the GDPR and how the jurisdiction regime of the GDPR compares to that in the Brussels I bis Regulation2. 5.2. Recital 145 of the GDPR states: 'For ... 92 KB (15,064 words) - 12:26, 28 June 2023
- LfD (Lower Saxony) - 4.2 05475-02-0301/21 (category Article 6(1)(a) GDPR) are based on a different legal basis Art. 6 (1) GDPR than the consent pursuant to Art. 6 (1) lit. a GDPR was based. services on were used on the website ... 35 KB (5,593 words) - 08:56, 9 January 2024
- BVwG - W256 2235360-1 (category Article 4 GDPR) Constitutional Court on the legal situation before the GDPR. Recital 41, second sentence, of the GDPR also states that a corresponding legal basis must be ... 67 KB (10,431 words) - 08:39, 21 February 2024
- UODO (Poland) - DKN.5131.11.2020 (category Article 33(1) GDPR) Foundation. The DPA held that the Foundation violated Article 33(1), Article 34(1) GDPR by failing to notify the DPA of a personal data protection breach without ... 51 KB (8,179 words) - 12:07, 11 August 2021
- Garante per la protezione dei dati personali (Italy) - 9988614 (category Article 9 GDPR) to the interested parties based on Article 13 GDPR and to non-contactable persons based on Article 14 GDPR. The information notice includes the right to ... 115 KB (18,087 words) - 14:11, 17 April 2024
- LG Duisburg - 10 O 126/22 (category Article 82 GDPR) is also in line with recitals 146 and 75 of the GDPR. Recital 146 refers to the processing of personal data. Recital 75 describes, by way of example, risks ... 63 KB (10,478 words) - 09:40, 15 February 2024
- BfDI (Germany) - 24-191 II (category Article 15 GDPR) Art. 15 (3) GDPR. According to Art. 95 GDPR, provisions of the ePrivacy Directive, which pursue the same goal as the provisions of the GDPR, take precedence ... 24 KB (3,831 words) - 16:21, 23 March 2022
- Rb. Amsterdam - AWB - 20 1863 - AMS 20/1863 (category Article 4 GDPR) internal emails and messages regarding the data subject (Articles 12 and 15(1) GDPR). He also requested access to personal data which was processed by the controller's ... 24 KB (3,724 words) - 09:21, 21 December 2022
- Garante per la protezione dei dati personali (Italy) - 9768387 (category Article 28(1) GDPR) violated Article 28(2) GDPR and Article 28(4) GDPR as a processor on behalf of the hospitals and Article 28(1) GDPR and Article 28(3) GDPR as controller delegating ... 99 KB (16,015 words) - 16:16, 1 June 2022
- BVwG - W176 2265088-1 (category Article 5(1)(a) GDPR) the BVwG, claiming that a mere violation of Article 12 GDPR, Article 13 GDPR or Article 14 GDPR cannot imply unlawful processing activities and that an ... 11 KB (1,495 words) - 15:09, 25 October 2023
- WSA Warsaw - II SA/Wa 1340/20 (category Article 6(1) GDPR) of Warsaw held that a car rental company could not rely on Article 6(1)(f) GDPR to process a customer's personal data with the view of defending itself against ... 25 KB (4,078 words) - 09:32, 26 November 2021
- her”. 7. Recital 32 of the GDPR materially states that “When the processing has multiple purposes, consent should be given for all of them”. Recital 42 materially ... 39 KB (5,404 words) - 11:56, 21 September 2021
- Rb. Midden-Nederland - C/16/526196/ HA RK / 21-01 (category Article 6 GDPR) (one of) the grounds for restriction of Articles 23 GDPR in conjunction with 41 UAVG. 4.3.7. Breaches of GDPR by ASR. It is not in dispute between the parties ... 34 KB (5,483 words) - 11:58, 5 December 2022
- Tietosuojavaltuutetun toimisto (Finland) - 1150/161/2021 (category Article 1(2) GDPR) that the firm had violated Articles 33(1) GDPR (notification of data breaches to the DPA) and Article 34(1) GDPR (communication of data breaches to data ... 153 KB (24,570 words) - 15:11, 26 March 2024
- FG Berlin-Brandenburg - 16 K 2059/21 (category Article 14(5)(b) GDPR) processing (Art. 18 GDPR), Right to data portability (Art. 20 GDPR) and Right to object (Art. 21 GDPR). The right of access under Art. 15 GDPR cannot be "detached" ... 117 KB (19,778 words) - 14:27, 13 April 2022
- Datatilsynet (Norway) - 23-114365TVI-TOSL/08 and 23-114359TVI-TOSL/08 (category Article 6(1)(b) GDPR) in Ireland, cf. GDPR art. 4 (23) cf. art. 56. DPC processed the complaints in line with the cooperation mechanism that follows from GDPR art. 60, and sent ... 113 KB (18,098 words) - 11:57, 13 September 2023
- AEPD (Spain) - PS/00178/2021 (category Article 5(1)(f) GDPR) Therefore, the AEPD fined the controller €2000 for a violation of Article 5(1)(f) GDPR. In order to determine the amount of the fine, the DPA took into account ... 20 KB (3,078 words) - 14:26, 24 November 2022
- Garante per la protezione dei dati personali (Italy) - 9828901 (category Article 3(2)(a) GDPR) facilitator but, as specified in Recital 80 GDPR, the person who acts on behalf of the controller with regard to the GDPR obligations. The DPA held that ... 91 KB (14,709 words) - 13:02, 14 December 2022
- RVS - 202004314/1/A3 (category Article 4(1) GDPR) invoke the rights set out in Chapter III of the GDPR. This is confirmed in recital 14 of the preamble to the GDPR, which reads: “The protection afforded by this ... 46 KB (7,313 words) - 11:27, 3 March 2022
- Garante per la protezione dei dati personali (Italy) - 9870014 (category Article 5 GDPR) In practice, the supervisory authority identified numerous GDPR violations. Several GDPR infringements could also be found with regard to personal data ... 169 KB (27,985 words) - 14:51, 25 April 2023
- Commissioner (Cyprus) - 11.17.001.010.045 (category Article 5(1)(c) GDPR) publication was in violation of Article 5(1)(c) GDPR, Article 6(1)(f) GDPR, when read in line with Article 85 GDPR. Article 5(1)(c) outlines the principle of ... 74 KB (12,375 words) - 10:07, 4 October 2023
- VG München - M 32 K 20.2879 (category Article 6(2) GDPR) half-sentence GDPR and Art. 86 GDPR. These regulations indicate a certain information accessibility of the GDPR. According to recital (EC) 154 to Art. 86 GDPR, the ... 34 KB (5,661 words) - 13:40, 20 September 2021
- Garante per la protezione dei dati personali (Italy) - 9920977 (category Article 13 GDPR) with the data subject’s rights of information under Article 13 GDPR and Article 14 GDPR, the hospital should firstly make clear what the legal basis for ... 92 KB (14,476 words) - 08:25, 19 September 2023
- VG Berlin - 2 K 98/20 (category Article 4(1) GDPR) 4(1) GDPR are only living persons (Recital 27 GDPR) the data concerning already deceased persons does not constitute personal data under the GDPR. Secondly ... 44 KB (7,148 words) - 14:45, 16 November 2022
- VerfGH Saarland - VerfGH Lv 15/20 (category Article 6(1)(a) GDPR) consent, Article 6 (1) (a) GDPR. In particular, Article 6 (1) (c) (legal obligation of the controller and Article 6 (1) (e) GDPR (public interest) do not ... 66 KB (10,700 words) - 14:15, 20 September 2021
- Rb. Amsterdam - C/13/687315 / HA RK 20-207 (category Article 4(1) GDPR) pursuant to article 46 GDPR Uber (iv) the existence of automated decision-making, including those laid down in Articles 22(1) and 22(4) GDPR (at least meaningful ... 82 KB (14,053 words) - 16:25, 25 March 2021
- DSB (Austria) - 2020-0.829.566 (category Article 15(3) GDPR) organisation are not excluded as such from the scope of the GDPR. To the contrary, Article 9(2)(d) GDPR explicitly states that special categories of data can ... 41 KB (6,603 words) - 07:12, 1 August 2023
- Tietosuojavaltuutetun toimisto (Finland) - 2245/163/2019 (category Article 5(1)(c) GDPR) 25 GDPR. In accordance with Article 58(2)(d) GDPR, the DPA ordered the controller to bring its processing operations into compliance with the GDPR. Hence ... 20 KB (3,195 words) - 15:22, 2 March 2022
- BVwG - W274 2246166-1 (category Article 12(3) GDPR) have a past infringement of the GDPR determined by the data protection authority since § 24(1) BDSG and Article 77(1) GDPR refer to “infringes” in the present ... 42 KB (6,630 words) - 17:08, 2 February 2022
- Datatilsynet (Denmark) - 2020-31-3586 (category Article 15 GDPR) one month of the access request, in accordance with Article 15 GDPR and Article 12(3) GDPR. By contrast, the insurance company argued that the right to access ... 21 KB (3,182 words) - 10:18, 15 September 2021
- VG Gießen - 4 K 252/19.GI (category Article 4(10) GDPR) With regard to the 14th recital of the GDPR, it is clear that legal persons such as the insolvency debtor cannot rely on the GDPR. Via the detour of § 2a ... 35 KB (5,815 words) - 15:51, 17 March 2022
- LG Hannover - 13 O 129/21 (category Article 82(1) GDPR) Article 82(1) GDPR, because the controller unlawfully disclosed the data to its customers. The court also held that under Article 82 GDPR the violation ... 28 KB (4,506 words) - 11:20, 4 November 2022
- TA Luxembourg - 45717 (category Article 15 GDPR) Charter, as well as Article 78, paragraph (2) of the GDPR, read in the light of recital (143) of the GDPR, to conclude that any decision adopted by the CNPD ... 58 KB (9,280 words) - 12:38, 28 June 2023
- ICO - Monetary Penalty on Marriott International Inc. (category Article 5(1)(f) GDPR) data and on the free movement of such data. 3 Recital 3. 4 Recital 5. § Recital 7. 7 See, i particular, Recitals 11, 148, 150, and Article 5, Chapter IV and ... 241 KB (31,368 words) - 09:59, 9 May 2022
- Datatilsynet (Norway) - 20/01772 (category Article 6(1)(c) GDPR) with Article 17(1)(d) GDPR, the controller was obliged to delete data processed unlawfully, unless the exception of Article 17(3) GDPR (fulfillment of a task ... 53 KB (7,945 words) - 10:46, 24 January 2023
- EWCA - Soriano v Forensic News LLC & Ors (category Article 3(1) GDPR) resembling Article 3(2) of the GDPR, on which no authority appears to exist so far; but Recitals (23) and (24) to the GDPR throw light on Articles 3(2)(a) ... 122 KB (20,830 words) - 10:42, 12 January 2022
- NAIH (Hungary) - NAIH-3734-15/2023 (category Article 6(1)(f) GDPR) Based on Article 2 (1) of the GDPR, the GDPR must be applied to the data processing in this case. (31) Recital (47) GDPR: The data controller - including ... 48 KB (7,721 words) - 11:09, 10 January 2024
- First-tier Tribunal - Clearview AI Inc. v ICO (category Article 3(2)(b) GDPR) persuasive weight. 82. Recital 24 of the GDPR is relevant to the construction of Article 3(2)(b) GDPR and Article 3(2)(b) UK GDPR, this reads as follows: ... 99 KB (16,103 words) - 08:41, 25 October 2023
- Datainspektionen - DI-2019-3844 (category Article 5(1)(f) GDPR) all personal data in the patients' journal system in breach of Article 32 GDPR. The audit to Aleris Sjukvård AB from the Swedish DPA was initiated in May ... 91 KB (11,182 words) - 11:43, 7 April 2022
- APD/GBA (Belgium) - 165/2023 (category Article 5(1)(f) GDPR) 2 of the GDPR, Article 24.1 of the GDPR, Article 25.1 of the GDPR and Articles 32.1 and 32.2 GDPR; 2. Articles 35.1, 35.2, 35.3 and 35.7 GDPR; and 3. Article ... 67 KB (9,908 words) - 11:09, 10 January 2024
- LG Köln - 28 O 221/21 (category Article 6(1)(f) GDPR) apply a EU provision, such as Article 6(1)(f) GDPR, without their being an escape clause like Article 23 GDPR. Third, the court held that the data subject ... 30 KB (4,765 words) - 14:30, 29 June 2022
- AEPD (Spain) - EXP202202960 (category Article 13 GDPR) for the alleged violation of Article 35 of the GDPR, Article 32 of the GDPR and Article 13 of the GDPR, typified in Articles 83.5 of the RGPD and Article ... 149 KB (22,597 words) - 12:34, 3 April 2024
- Garante per la protezione dei dati personali (Italy) - 9900808 (category Article 28 GDPR) through which it was identified as the processor, pursuant to Article 28 GDPR. After the investigations, the Italian DPA concluded that the AMA, originally ... 157 KB (25,874 words) - 14:36, 27 June 2023
- DSB (Austria) - 2023-0.637.760 (category Article 31 GDPR) the GDPR). The DSB is a supervisory authority within the meaning of Article 51 GDPR Article 51, GDPR (see also Section 18 Paragraph 1 DSG). The GDPR grants ... 82 KB (13,593 words) - 11:03, 24 January 2024
- CNPD (Luxembourg) - Délibération n°24FR/2021 (category Article 5(1)(c) GDPR) 01"). 14 See in particular Articles 5.1.a) and 12 of the GDPR, see also recital (39) of the GDPR. ... 58 KB (8,226 words) - 07:35, 22 July 2021
- Garante per la protezione dei dati personali (Italy) - 9789037 (category Article 4(1) GDPR) provisions, pursuant to art. 58, par. 2, lett. b), of the GDPR (see also recital no.148 of the GDPR). Finally, it is believed that the conditions set out in ... 75 KB (11,970 words) - 15:39, 3 December 2022
- AEPD (Spain) - PS/00239/2022 (category Article 15 GDPR) of Article 15 of the GDPR, typified in Article 83.5 of the GDPR, as well as for the alleged infringement of Article 17 of the GDPR, typified in the Article ... 60 KB (9,630 words) - 12:34, 13 December 2023
- APD/GBA (Belgium) - 18/2020 (category Article 5 GDPR) (Article 31 GDPR); - failure to comply with both the accountability obligation (Article 5.2 of the GDPR) and the duty to cooperate (Article 31 of the GDPR) with ... 55 KB (8,810 words) - 16:55, 12 December 2023
- DVI (Latvia) - SIA "Fitsypro" (category Article 58(1)(b) GDPR) previous year. 6.2. Recital 148 of the preamble of the GDPR explains that, in order to strengthen the enforcement of the provisions of the GDPR, in addition to ... 29 KB (4,404 words) - 07:53, 23 August 2023
- Korkein hallinto-oikeus (Finland) - KHO:2024:34 (category Article 17(1) GDPR) not override the data subject's right to privacy. Pursuant to Article 17(1) GDPR, the data subject had requested Google LLC (the controller) to remove several ... 60 KB (9,713 words) - 13:07, 26 March 2024
- APDCAT (Catalonia) - IAI 68/2021 - IAI 71/2021 (category Article 9 GDPR) One on hand, the APDCAT stated that under Article 2 GDPR, Article 4(1) GDPR and Recital 14 GDPR, any information regarding administrative procedures for ... 42 KB (6,128 words) - 11:58, 20 January 2022
- OLG Frankfurt - 6 W 19/20 (category Article 6(1)(e) GDPR) association. Article 6(1)(f) GDPR does not permit such transmissions pursuant to Article 6(4) conjunction with Article 23(1) GDPR. Furthermore, the court ruled ... 21 KB (3,379 words) - 15:57, 10 March 2022
- AEPD (Spain) - EXP202207199 (category Article 6 GDPR) subject. For violating Article 6 GDPR, the DPA fined the controller €4,000 and ordered, in accordance with Article 58(2) GDPR, the removal of the device in ... 23 KB (3,550 words) - 10:03, 18 October 2023
- AEPD (Spain) - PS/00368/2021 (category Article 6(1) GDPR) required by Article 13 GDPR. Furthermore, the AEPD, highlighted that the RFEF did not provide the information required by Article 13(3) GDPR about further processing ... 246 KB (41,139 words) - 14:25, 24 November 2022
- AEPD (Spain) - PS/00140/2022 (category Article 13 GDPR) on a large scale. Despite The GDPR does not define what is meant by large-scale processing, both the recital 91 of the GDPR as the Working Party of article ... 151 KB (23,196 words) - 05:40, 9 May 2023
- Datainspektionen - DI-2019-3840 (category Article 5(1)(f) GDPR) The Swedish Data Protection Act (implementing the GDPR) provides that public bodies that violate the GDPR can be fined up to SEK 10 million. The DPA imposed ... 87 KB (13,573 words) - 11:43, 7 April 2022
- AEPD (Spain) - PS/00281/2022 (category Article 4(1) GDPR) dissemination of sec- trade creds. For this purpose, it mentions recital 63 of the GDPR, as legitimate maker of "discriminating the information that can ... 313 KB (53,033 words) - 10:20, 7 June 2023
- CNIL (France) - SAN-2024-003 (category Article 4(11) GDPR) Article 6 GDPR was constituted. Secondly, the CNIL also pointed out that a simple contractual commitment by a data broker to comply with the GDPR as well ... 52 KB (8,208 words) - 10:44, 13 March 2024
- IMY (Sweden) - IMY-2022-1621 (category Article 9 GDPR) protection regulation and i.a. recital 10 to the regulation. 5 Cf. recital 1 to the data protection regulation. 6 See recital 4 of the data protection regulation ... 145 KB (16,497 words) - 08:54, 19 October 2022
- ICO (UK) - LTH Holdings Limited (category Article 4(11) GDPR)10. Recital 32 of the GDPR materially states that "When the processing has multiple purposes, consent should be given for all of them". Recital 42 materially54 KB (6,922 words) - 11:45, 16 June 2021
- NAIH (Hungary) - NAIH-5802-9/2022. (category Article 5(1)(a) GDPR)Article 14(1) and (2) GDPR. Because it failed to provide clear and transparent information, the controller also violated Article 12(1) GDPR. The DPA imposed120 KB (19,907 words) - 10:48, 9 November 2022
- APD/GBA (Belgium) - 117/2021 (category Article 9 GDPR)law.” 35. According to Article 9 of the GDPR, health data belongs to special personal data. Recital 51 of the GDPR defines that data as: ” Personal data35 KB (4,931 words) - 12:59, 9 November 2021
- BVwG - W252 2246581-1/6E (category Article 15(1)(h) GDPR)pursuant to Article 22 GDPR, but only 'light profiling' under Article 4(4) GDPR. Therefore, the controller claimed that Article 15(1)(h) GDPR did not apply in31 KB (4,838 words) - 09:11, 30 August 2023
- HDPA (Greece) - 9/2024 (category Article 5(1)(a) GDPR)specifically regulated in Law 3471/2006, the GDPR applies (see also article 95 GDPR as well as the recital under No. 173, as well as Opinion 5/2019 of the102 KB (17,186 words) - 13:46, 26 April 2024
- DSG of any practical scope. According to the express provision in recital 160, the GDPR is also applicable to historical research in the field of genealogy32 KB (4,943 words) - 06:09, 23 August 2022
- BVwG - W256 2223741-1 (category Article 5 GDPR)Art. 5 GDPR - on the basis of one of the permissions specified in Art. 6 GDPR. to comply with the processing principles according to Art. 5 GDPR: According25 KB (3,742 words) - 07:49, 9 June 2022
- AEPD (Spain) - PS/00226/2020 (category Article 6 GDPR)of Article 7(4) GDPR. Based on these considerations, the AEPD issued a €2,000,000 fine against Caixabank for infringing Article 6 GDPR in relation to Article373 KB (61,959 words) - 14:17, 9 March 2022
- APD/GBA (Belgium) - 101/2022 (category Article 5(1)(f) GDPR)proactive measures in accordance with Article 5.2 GDPR in order to ensure compliance with the provisions of the GDPR -including the above under 1 measures mentioned88 KB (13,264 words) - 09:09, 29 June 2022
- VfGH - G 287/2022-16, G 288/2022-14 (category Article 85 GDPR)Reference to Art. 79 GDPR does not justify any jurisdiction, since Art. 79 GDPR (like Art. 77 GDPR) only refers to violations of the GDPR but not on national202 KB (29,013 words) - 13:35, 12 January 2023
- UODO (Poland) - DKN.5131.59.2022 (category Article 33(1) GDPR)have notified the DPA under Article 33(1) GDPR and the data subjects affected by the breach under Article 34(1) GDPR. Regarding the corrective measure taken108 KB (17,728 words) - 07:57, 25 April 2024
- AEPD (Spain) - PS/00131/2020 (category Article 13 GDPR)system. When the workers asked about the information listed under Article 13 GDPR, they only received a generic answer saying that the personal data were being45 KB (6,923 words) - 08:41, 16 June 2021
- CNIL (France) - Deliberation SAN-2022-024 of December 20, 2022 (category Article 4(11) GDPR)within the meaning of consent as defined in Article 4(11) GDPR. As explained by recital 42 GDPR, "[c]onsent should not be regarded as freely given if the73 KB (11,822 words) - 11:58, 11 January 2023
- BVwG - W214 2228346-1 (category Article 4(1) GDPR)of application of Article 58(2)(c) GDPR. On 19.02.2019, the data subject sent an access request under Article 15 GDPR to a controller (an Austrian municipality)65 KB (10,246 words) - 09:42, 10 September 2021
- APD/GBA (Belgium) - 14/2023 (category Article 5(1)(a) GDPR)and 6.1 GDPR) as well as the principle of minimization (article 5.1.c GDPR). II.1. Basis of lawfulness of processing (Article 5.1.a and 6.1 GDPR) 6. The33 KB (4,897 words) - 14:05, 1 March 2023
- Tietosuojavaltuutetun toimisto (Finland) - 4300/182/2019 (category Article 2(2)(d) GDPR)General Data Protection Regulation (abbreviated as GDPR, 2016/679) also applies to courts, as stated in recital 20. Article 10 of the Data Protection Regulation17 KB (2,394 words) - 16:11, 1 June 2022
- provision unconstitutional does not impede the full implementation of the GDPR, since GDPR is directly applicable and most of its provisions are directly effective91 KB (14,896 words) - 17:02, 7 March 2022
- BGH - I ZR 7/16 (category Article 4(11) GDPR)of 1 February 2020], Art. 4 GDPR marginal no. 125; Buchner/Kühling in Kühling/Buchner, DS-GVO BDSG, 2nd edition, Art. 4 GDPR marginal no. 8). In substance52 KB (8,575 words) - 15:55, 22 March 2022
- APD/GBA (Belgium) - 188/2022 (category Article 4(1) GDPR)1, f) GDPR. II.4. Violation of Article 12(1) and (4) of the GDPR, Article 17 of the GDPR, Article 24(1) of the GDPR and Article 25 (1) of the GDPR 55. The95 KB (14,325 words) - 14:27, 25 January 2023
- UOOU (Czech Republic) - UOOU-01025/20-121 (category Article 5 GDPR)basis under Article 6(1) GDPR and in violation of transparency obligations in the privacy policy under Article 5(1)(a) and 13 GDPR. The DPA in the first instance246 KB (39,598 words) - 09:26, 24 April 2024
- AEPD (Spain) - PS/00140/2020 (category Article 6(1)(a) GDPR) Article 58(2)(d) GDPR. First, the AEPD established that the GDPR was applicable under Article 3(1) GDPR or, if not, at least Article 3(2)(a) GDPR would apply 390 KB (63,154 words) - 07:08, 9 June 2022
- APD/GBA (Belgium) - 104/2022 (category Article 17(1)(c) GDPR)of their authorizations. 23. It is therefore up to the Disputes Chamber to assess whether the defendant complies with the GDPR violated by refusing to comply39 KB (5,774 words) - 15:31, 29 June 2022
- BVwG - W245 2239715-1 (category Article 6 GDPR)6 (1) lit. f GDPR throughout. Other reasons (Art. 6 Para. 1 lit. a-e GDPR) were not shown by BF2 in the procedure. Art. 6 (1) (f) GDPR enables the processing62 KB (10,455 words) - 10:50, 7 September 2022
- KamR Stockholm - Case No. 5888-20 (category Article 5 GDPR)so, it also violated Article 36 GDPR. On the issue of consent, the DPA and the Court of Appeal elaborated that recitals 42 and 43 of the Data Protection62 KB (7,607 words) - 08:56, 7 October 2021
- Garante per la protezione dei dati personali (Italy) - 9991183 (category Article 5(1)(a) GDPR) company. Lastly, the DPA found a breach of Article 5(1)(a) GDPR and Article 12 GDPR and Article 13 GDPR regarding the sharing of patient clinical data through 96 KB (15,258 words) - 16:36, 19 March 2024
- IMY (Sweden) - IMY-2022-9109 (category Article 12(2) GDPR)controller was in breach of Article 12(2) GDPR. The DPA found that the infringements were minor pursuant to Recital 148, because (1) the infringements found65 KB (7,759 words) - 10:10, 30 April 2024
- NAIH (Hungary) - NAIH – 6427-1/2023 (category Article 5(1)(b) GDPR)violation of Article 5(1)(e) GDPR and Article 32 GDPR, but the DPA dismissed its previous finding of the Article 5(1)(b) GDPR violation. The DPA found that87 KB (14,360 words) - 08:30, 27 September 2023
- AEPD (Spain) - PS/00078/2021 (category Article 5(1)(c) GDPR)process this data under Article 6(1)(b) GDPR for the performance of a contract, and as well as Article 6(1)(c) GDPR to comply with legal obligations for lodging118 KB (19,187 words) - 17:08, 9 March 2022
- AEPD (Spain) - PS/00388/2022 (category Article 32(1) GDPR)violated the article 15 of the GDPR, infringement typified in article 83.5 a) of the GDPR. IV. Secondly, article 32 of the GDPR "Security of treatment", states72 KB (11,730 words) - 08:54, 19 July 2023
- UODO (Poland) - DKN. 5131.27.2022 (category Article 33(1) GDPR)that the Polish Chief National Surveyor violated Articles 33(1) and 34(1) GDPR by not notifying the DPA and the data subjects after it had accidentally80 KB (13,127 words) - 07:57, 14 September 2022
- CE - 451423 (category Article 55(1) GDPR) mechanism of Article 56 GDPR. The Luxembourg DPA started an investigation regarding Amazon's use of cookies and its compliance with the GDPR and the ePrivacy 51 KB (8,228 words) - 17:33, 11 January 2023
- AEPD (Spain) - PS/00375/2022 (category Article 5(1)(b) GDPR)RGPD, it is taken into account Consider what is stated in Recital 39 of the aforementioned GDPR: “39. All processing of personal data must be lawful and55 KB (8,720 words) - 10:46, 18 January 2024
- APD/GBA (Belgium) - 39/2024 (category Article 80(1) GDPR)company incorporated by French law, thus breaching Article 80(1) GDPR. Article 80(1) GDPR states that the data subject has the right to mandate (i) a non-for-profit32 KB (4,640 words) - 14:07, 6 March 2024
- AEPD (Spain) - PS/00193/2021 (category Article 6(1) GDPR)on Data Protection and Guarantee of Digital Rights (LOPDGDD), in On April 23, 2021, the claim admission agreement is signed. FOURTH: When transferring27 KB (4,223 words) - 10:01, 22 September 2021
- CPDP (Bulgaria) - PNN-01-33/2022 (category Article 32 GDPR)information about his state of health' (Article 4(15) of the GDPR). According to Recital 35 of the GDPR, personal data concerning the health of a data subject71 KB (11,948 words) - 17:01, 8 February 2023
- EDPB - Urgent Binding Decision 01/2023 (category Article 6(1)(f) GDPR)6(1)(f) GDPR, Recital 47 GDPR and the CJEU’s settled case-law 171, three cumulative conditions must be met to be able to rely on Article 6(1)(f) GDPR, ‘namely346 KB (48,181 words) - 16:39, 12 December 2023
- OLG Celle - 8 U 165/22 (category Article 12(5) GDPR)4(1) GDPR. Moreover, OLG Celle also held that a singular access request can never be excessive for the purposes of Article 12(5) GDPR as the GDPR only62 KB (10,852 words) - 14:08, 7 January 2023
- GHSHE (Netherlands) - 200.274.447 01 (category Article 5 GDPR) reinstate the employer for the violation of his data protection rights under the GDPR. The decision 60 KB (10,118 words) - 15:12, 5 October 2021
- WSA w Warszawie - II SA/Wa 809/20 (category Article 4(14) GDPR)processing of personal data (recital 38 of the GDPR preamble). Moreover, referring to the wording of recitals 10 and 45 of the GDPR, the supervisory authority82 KB (13,213 words) - 12:13, 10 May 2021
- Garante per la protezione dei dati personali (Italy) - 9685994 (category Article 5(1)(c) GDPR)as with the relevant company policies. Furthermore, during the GDPR training session of 23 May 2018, the legal meaning of "processing of personal data" was235 KB (38,572 words) - 10:19, 20 July 2022
- Rb. Amsterdam - ECLI:NL:RBAMS:2023:6456 (category Article 17 GDPR)data subject made an erasure request under Article 17 GDPR and an objection under Article 21 GDPR to have their negative registration no longer processed20 KB (3,126 words) - 09:13, 15 November 2023
- LG Leipzig - 03 O 1268/21 (category Article 15(3) GDPR)access pursuant to Article 15 GDPR, in particular to provide a copy of the personal data pursuant to Article 15(3) GDPR, as well as their right to receive19 KB (3,155 words) - 10:17, 21 April 2022
- VwGH - Ro 2021/04/0033 (category Article 6(1)(a) GDPR)requirements for consent pursuant to Art. 4 Z 11 GDPR and Art. 7 GDPR or that there is no other legal basis under Art. 6 GDPR for the previous processing of personal36 KB (5,727 words) - 11:02, 7 April 2022
- Datatilsynet (Denmark) - 2021-432-0070 (category Article 5(1)(b) GDPR)its information obligations under Article 14(1) and (4) GDPR with reference to Article 14(5)(b) GDPR. Following a citizen’s inquiry, the Danish DPA initiated39 KB (6,054 words) - 15:54, 10 May 2023
- BVwG - W214 2225733-1 (category Article 5 GDPR)B-VG Art133 Para.4 DSG §1 DSG §24 GDPR Art12 GDPR Art14 GDPR Art32 GDPR Art5 GDPR Art57 GDPR Art58 GDPR Art6 GDPR Art77 GDPR Art83 VwGVG §28 paragraph 2 saying140 KB (23,138 words) - 15:13, 19 August 2022
- CNIL (France) - SAN-2024-004 (category Article 4(11) GDPR)processing within the meaning of Article 4, paragraph 23, of the GDPR. 33. Pursuant to Article 60(3) of the GDPR, the draft decision adopted by the restricted69 KB (10,971 words) - 11:00, 17 April 2024
- BVwG - W211 2227144-1 (category Article 2 GDPR)fundamentally comprehensive in the GDPR: Neither Art. 55 GDPR (competence of the supervisory authority) nor Art. 77 GDPR (right of appeal to a supervisory38 KB (5,801 words) - 10:08, 10 September 2021
- CNPD (Luxembourg) - Délibération n° 17FR/2021 (category Article 5(1)(c) GDPR)requirements of Article 5.1.c) of the GDPR and non-compliance with the requirements of article 5.1.e) of the GDPR. 10. On February 28, 2020, the inspected44 KB (6,212 words) - 08:28, 16 June 2021
- DVI (Latvia) - SIA "TET" (category Article 5(1)(a) GDPR)5(1)(a), (b), (d) and (e) GDPR. Furthermore, there was no legal basis for these processing operations under Article 6(1) GDPR. The DPA took into account114 KB (17,942 words) - 15:46, 2 November 2022
- DSB (Austria) - 2021-0.518.795 (category Article 4(2) GDPR) under Article 9(2) GDPR for sending the medical assessment, which contained health data under Article 4(15) GDPR, to the municipality 29 KB (4,581 words) - 10:13, 10 March 2022
- DSB (Austria) - DSB-D130.217 (category Article 3 GDPR)the territorial scope of the GDPR (Article 3 GDPR) as it was based exclusively in the USA and under US law, and thus the GDPR is not applicable. It also77 KB (12,447 words) - 08:22, 4 April 2024
- APD/GBA (Belgium) - 52/2024 (category Article 5(1)(a) GDPR)collected. Taking the criteria into account included in article 6.4 GDPR and recital 50 GDPR, it must be determined whether the further processing, in this21 KB (3,024 words) - 09:26, 17 April 2024
- Garante per la protezione dei dati personali (Italy) - 9980617 (category Article 5(1)(f) GDPR)Article 4(15) GDPR. For the reasons stated above, the DPA found the controller in violation of Article 5 GDPR, Article 9 GDPR and Article 32 GDPR and imposed105 KB (17,072 words) - 13:27, 28 February 2024
- NAIH (Hungary) - NAIH-2857-20/2021 (category Article 5(1) GDPR)satisfaction surveys, because the necessary prerequisites explained in Recital (47) of the GDPR regarding reasonable expectations and other guarantees have not79 KB (12,495 words) - 11:03, 21 January 2022
- VG Schwerin - 1 A 1254/20 SN (category Article 4(7) GDPR)Article 78(1) of the GDPR in conjunction with Article 57 of the GDPR. Article 57 of the GDPR. The scope of Article 57 of the GDPR is indeed open. Pursuant37 KB (6,156 words) - 10:12, 26 May 2021
- AEPD (Spain) - EXP202102529 (category Article 4(15) GDPR)investigative actions. In light of provisions (Article 4 (15) GDPR, Article 9 GDPR, Article 6 GDPR) the vaccination of a person against Covid-19 implies the42 KB (6,246 words) - 16:36, 9 January 2024
- BVwG - W274 2224363-1 (category Article 1 GDPR)exceptional provisions of § 9 of the Data Protection Act and Art. 85 of the GDPR are not applicable. The Facebook posting disclosed personal data of a public51 KB (8,570 words) - 13:17, 28 July 2021
- Datainspektionen - DI-2019-3841 (category Article 5(1)(f) GDPR)the primary source of law The Data Protection Regulation, often abbreviated GDPR, was introduced on 25 May 2018 and is the primary legal regulation in the91 KB (11,084 words) - 11:43, 7 April 2022
- UODO (Poland) - DKN.5131.42.2022 (category Article 33 GDPR)authority to verify compliance with GDPR by the controller (the court) involved in the incident. Referencing Article 4(12) GDPR, the DPA found that the event95 KB (15,337 words) - 16:38, 19 March 2024
- UODO (Poland) - DKN.5112.5.2021 (category Article 5(1)(a) GDPR)with GDPR provisions, this includes obtaining proof of consent in line with Article 7(1) GDPR. Especially in the context of Article 9(2)(a) GDPR, the explicit82 KB (13,363 words) - 14:11, 18 January 2023
- UODO (Poland) - DKN.5131.43.2022 (category Article 5(2) GDPR) controller was in breach of Article 33(1) GDPR, Article 33(3) GDPR, Articles 34(1) and 34(2) GDPR, and Article 5(2) GDPR. Firstly, the Polish DPA held that the 57 KB (9,261 words) - 08:13, 25 October 2023
- Rb. Zeeland-West-Brabant - C/02/387229 (category Article 32 GDPR)pursuant to Recital 146. Furthermore, the importance of control over personal data and enforcement of the violated rule follows from the GDPR. The Court55 KB (9,226 words) - 08:11, 6 October 2022
- VwGH - 2021/04/0030-4 (category Article 5 GDPR)regard to the modalities in Article 12 GDPR. Recital 58 of the GDPR states that information under Article 14 GDPR can be provided in electronic form, for92 KB (15,328 words) - 09:18, 14 May 2024
- Garante per la protezione dei dati personali (Italy) - 9996609 (category Article 4(11) GDPR) policy, resulted in violations of Articles 24, 25 and 28 GDPR. It emphasized that Articles 24 and 25 GDPR impose a responsibility on the controller to oversee 41 KB (6,369 words) - 15:47, 27 March 2024
- DPC (Ireland) - WhatsApp Ireland Limited - IN-18-12-2 (category Article 4(1) GDPR) (section WhatsApp’s transparency obligations in the context of non-users under Articles 14 and 12(1) GDPR)4(1) of the GDPR. I further note that the text of the accompanying recital (Recital 26 of the Directive) is very similar to the text of Recital 26 of the830 KB (115,261 words) - 15:37, 22 February 2022
- OLG Karlsruhe - 12 U 305/21 (category Article 12 GDPR)adjustment on Art. 15 (1) and (3) GDPR. 53 aa) According to Art. 15 (1) GDPR, the person responsible (Art. 4 No. 7 GDPR), i.e. the person who decides on38 KB (6,239 words) - 10:47, 15 February 2023
- Garante per la protezione dei dati personali (Italy) - 9921184 (category Article 5(2) GDPR)[Article 5(1)(f) GDPR]; b) apply the principles of data minimization [Article 5(1)(c) GDPR], purpose limitation [Article 5(1)(b) GDPR] and storage limitation167 KB (26,302 words) - 08:34, 30 August 2023
- RvS - 202001436/1/A2 (category Article 15(3) GDPR)This case is built around the Article 35 of the Dutch GDPR Implementation act, which allows data subjects to request courts to order controllers grant21 KB (3,368 words) - 20:43, 26 July 2020
- BVwG - W274 2225135-1/3E (category Article 4 GDPR)explicit provisions like the GDPR, which generally clarify the roles of the data controller. However, the terms of the GDPR ("controller", "processor")34 KB (5,240 words) - 13:22, 15 September 2021
- VGH München - BeckRS 2021, 36742 (category Article 9(2)(i) GDPR)9(2)(i) GDPR could not be applied in the present case. Rejecting the application, the Higher Administrative Court of Bavaria held that Art. 9(2)(i) GDPR applies33 KB (5,353 words) - 12:40, 26 January 2022
- AEPD (Spain) - PS/00188/2021 (category Article 6(1) GDPR)processing personal data without a legal basis, in breach of Article 6(1) GDPR: €70,000 and; not complying with their obligation to erase the data subject's33 KB (5,242 words) - 11:42, 11 August 2021
- AEPD (Spain) - PS/00120/2021 (category Article 5(1)(c) GDPR) (section On Articles 6, 9 and 5(1)(c) GDPR)alleged violation of Article 5.1.c) of the GDPR, Article 6 of the GDPR, Article 9 of the GDPR, Article 12 of the GDPR, Article 35 of the RGPD, Article 13 of337 KB (50,591 words) - 15:29, 5 August 2021
- IMY (Sweden) - DI-2020-10696 (category Article 12(3) GDPR)In an Article 60 GDPR procedure, the Swedish DPA reprimanded Nordax Bank for violations of Articles 12(3), 12(6), 15 and 17 GDPR. The bank had not complied57 KB (6,743 words) - 13:54, 1 February 2023
- AEPD (Spain) - EXP202104896 (category Article 9(2) GDPR) the alleged violation of the articles: -6.1 of the GDPR, in accordance with article 83.5.a) of the GDPR and article 72.1.b) of the LOPDGDD. 103 KB (17,238 words) - 13:27, 3 April 2023
- DSB (Austria) - DSB-D213.1759 (category Article 5(1)(c) GDPR)out in Art. 5 GDPR and on the basis of one of the grounds for permission set out in Art. 6 GDPR. Article 6, Paragraph 1, Letter f, GDPR (legitimate interest72 KB (11,993 words) - 14:21, 10 April 2024
- CNPD (Luxembourg) - Délibération n°13FR/2021 (category Article 12 GDPR)1.). 4 See in particular Articles 5.1.a) and 12 of the GDPR, see also recital (39) of the GDPR. 5 See EDPS Endorsement 1/2018 decision of 25 May 2018,30 KB (4,164 words) - 11:12, 16 June 2021
- AEPD (Spain) - EXP202207494 (category Article 5(1)(f) GDPR)(“integrity and confidentiality"). In relation to this principle, Recital 39 of the aforementioned GDPR states that “(…) Personal data must be processed in a way26 KB (3,952 words) - 09:44, 14 February 2024
- Garante per la protezione dei dati personali (Italy) - 9868646 (category Article 5(1)(a) GDPR)Article 9 GDPR. Therefore, the DPA concluded that the circumstances of the infringement qualified it as a minor violation as defined in Recital 148 GDPR and66 KB (10,477 words) - 10:09, 29 March 2023
- ICO (UK) - Tuckers Solicitors LLP (category Article 5(1)(f) GDPR)Article 51 of the GDPR. 17. By Article 57(1) of the GDPR, it is the Commissioner's task to monitor and enforce the application of the GDPR. 18. By Article87 KB (10,588 words) - 14:32, 16 March 2022
- AEPD (Spain) - PS/00475/2021 (category Article 13 GDPR)Article 6 GDPR, nor of Article 8 GDPR. There was also no violation of Article 9 GDPR, since the exception for explicit consent from Article 9(2)(a) GDPR applied64 KB (10,187 words) - 14:26, 24 November 2022
- Datatilsynet (Norway) - 0/02422 (category Article 5(1)(e) GDPR)Article 12(3) GDPR and Article 15 GDPR due to a failure to respond to an access request that was submitted around a month after the GDPR became applicable162 KB (24,007 words) - 19:41, 15 February 2023
- AEPD (Spain) - EXP202213792 (category Article 5(1)(c) GDPR)requirements are made. The first of 02-17-23, is answered dated 03-10-23 (WrittenLaliga1). The second was carried out on 07-06-23, LALIGA requesting an extension178 KB (27,656 words) - 12:28, 7 May 2024
- AEPD (Spain) - EXP202213323 (category Article 5(1)(c) GDPR)requirements are made. The first of 02-17-23, is answered dated 03-10-23 (WrittenLaliga1). The second was carried out on 07-06-23, LALIGA requesting an extension176 KB (27,432 words) - 07:43, 10 May 2024
- NAIH (Hungary) - NAIH-7058-5/2022 (category Article 6(1) GDPR)to be unlawful. The processing violated Article 7(2) GDPR, Article 7(4) GDPR and Article 6(1)(a) GDPR. The controller was fined 2,000,000 HUF (approx. €566 KB (10,499 words) - 08:55, 10 February 2023
- APD/GBA (Belgium) - 60/2023 (category Article 5(1)(a) GDPR) 6(1) of the GDPR; 2. a breach of Article 5(2), Article 24(1) and Article 25(1) and (2) of the GDPR; and 3. an infringement 39 KB (5,541 words) - 08:17, 6 June 2023
- VG Wiesbaden - 6 L 738/21.WI (category Article 4(7) GDPR)to Art. 79 GDPR, is not an exhaustive list of further available remedies. This also does not follow from recitals 9, 11 and 13 of the GDPR, which speak35 KB (5,925 words) - 09:07, 22 December 2021
- CNPD (Portugal) - Deliberação 2022/140 (category Article 5(1)(e) GDPR)5(1)(f) GDPR and a fine of €100,000 for the violation of Article 37 GDPR. The DPA issued a reprimand for the violations of Article 5(1)(e) GDPR and Article75 KB (12,306 words) - 10:02, 21 December 2022
- BVwG - W101 2213581-1 (category Article 4 GDPR)Para.4 DSG §1 DSG §24 paragraph 1 DSG §24 paragraph 5 GDPR Art17 GDPR Art4 GDPR Art5 GDPR Art58 GDPR Art6 VwGVG §28 paragraph 2 saying W101 2213581-1/5E48 KB (7,650 words) - 09:31, 23 February 2022
- Rb. Noord-Nederland - 8187989 (category Article 82(1) GDPR)same day the claimant reported the data breach to the municipality under GDPR, telling the municipality to remove his data and mentioning non-material46 KB (7,541 words) - 15:36, 29 November 2021
- UODO (Poland) - DKN.5131.33.2021 (category Article 34(1) GDPR)breach, pursuant to the obligation expressed in Article 34 GDPR, in conjunction with Article 12 GDPR. Based on this assessment, the DPA issued an administrative81 KB (13,351 words) - 14:48, 2 March 2022
- LG Köln - 33 O 376/22 (category Article 6(1)(b) GDPR)the meaning of Article 45 of the GDPR and without appropriate safeguards within the meaning of Article 46 of the GDPR. Furthermore, the plaintiff claims66 KB (9,990 words) - 12:30, 29 January 2024
- VG Köln - 6 K 3228/19 (category Article 6(1)(f) GDPR)found that GDPR does not prevent the claimant from exercising their basic right. In this regard the court referred to Article 6(1)(f) GDPR to highlight68 KB (11,146 words) - 17:16, 9 March 2022
- Garante per la protezione dei dati personali (Italy) - 9977020 (category Article 5(1)(a) GDPR)valid legal basis in line with Article 6(1)(e) GDPR, Article 6(2) and (3) GDPR nor with Article 9(2)(g) GDPR. Making reference to case law of the CJEU and315 KB (49,768 words) - 14:24, 8 February 2024
- APD/GBA (Belgium) - 147/2022 (category Article 2(1) GDPR)legal grounds for the processing: Article 6(1)(b) GDPR and Article 6(1)(f) GDPR. Article 6(1)(f) GDPR, however, was only recently added as a legal ground28 KB (4,311 words) - 15:09, 25 October 2022
- APD/GBA (Belgium) - 103/2023 (category Article 5(2) GDPR)a warning to a hospital group for non-compliance of Article 32 GDPR and Article 24 GDPR, as the hospital group had failed to implement the appropriate31 KB (4,549 words) - 11:50, 10 August 2023
- LG Köln - 28 O 328/21 (category Article 5(1)(f) GDPR)the defendant violated its obligation under Art. 32 GDPR and Art. 5 GDPR. According to Art. 32 GDPR, the person responsible and the processor have appropriate27 KB (4,134 words) - 09:28, 5 July 2022
- Court of Appeal of Brussels - 2020/AR/582 (category Article 58(2)(a) GDPR)right to an effective remedy (read: appeal), according to recital 143 of the preamble of the GDPR. The court states that a warning (with publication) constitutes26 KB (3,871 words) - 07:59, 24 August 2023
- AEPD (Spain) - PS/00140/2021 (category Article 5 GDPR)The Spanish DPA concluded that the controller had violated Article 6(1) GDPR as they could not rely in any of its legal basis for the processing. Given28 KB (4,254 words) - 11:30, 16 June 2021
- AEPD (Spain) - PS/00505/2021 (category Article 6(1) GDPR)The Spanish authority held that the defendant had infringed Article 6(1) GDPR by disclosing the video without the consent of those appearing in it. The28 KB (4,283 words) - 09:43, 24 March 2022
- BVwG - W298 2269087-1 (category Article 83 GDPR)Article 9 GDPR, as they unlawfully processed health data of the data subject. The DPA imposed a €3,500 fine for the violation of Article 9 GDPR. The fact52 KB (8,464 words) - 11:50, 26 July 2023
- AEPD (Spain) - EXP202204501 (category Article 5(1)(f) GDPR)access to said data.” III Violation of article 5.1 f) of the GDPR Article 5.1.f) of the GDPR, Principles relating to processing, states the following: "157 KB (8,604 words) - 15:40, 20 March 2024
- Tietosuojavaltuutetun toimisto (Finland) - 2206/171/20 (category Article 5(1)(c) GDPR) Article 5(1)(c) and (e), Article 25(2), Article 32(1)(d) and Article 32(2) GDPR. The decision 51 KB (7,788 words) - 07:42, 29 March 2023
- BVwG - W101 2218962-2 (category Article 4 GDPR)4 DSG §1 DSG §24 DSG §24 paragraph 1 DSG §24 paragraph 5 DSG §7 GDPR Art4 GDPR Art5 GDPR Art6 VwGVG §28 paragraph 2 B-VG Art. 133 today B-VG Art. 133 valid49 KB (7,872 words) - 08:40, 10 March 2023
- UODO (Poland) - DKN.5131.22.2021 (category Article 5(1)(f) GDPR)Article 24(1), Article 25(1), Article 32(1)(b) and (d), and Article 32(2) GDPR due to a lack of a reliably conducted risk analysis, combined with the lack68 KB (10,909 words) - 14:47, 25 October 2021
- UODO (Poland) - DKN.5131.31.2022 (category Article 5(1) GDPR)400 for infringements of Articles 5(1)(f) and 5(2) GDPR as well as Article 25(1) and Article 32(1) GDPR. First, the controller did not ensure adequate security71 KB (11,306 words) - 10:51, 22 January 2024
- LG Frankfurt am Main - 2-24 O 156/21 (category Article 6(1)(b) GDPR)under Article 80(1) GDPR and Article 80(2) GDPR. Also, the court clarified, making reference to CJEU case C-319/20, that Article 80(2) GDPR does not presuppose70 KB (11,309 words) - 14:37, 21 December 2023
- NAIH (Hungary) - NAIH-5114-35/2022 (category Article 5(1)(e) GDPR)interest. Based on Article 2 (1) of the GDPR, the GDPR must be applied to the data management in this case. GDPR Article 4, point 1: "personal data": for146 KB (22,679 words) - 15:52, 3 May 2023
- BVerwG - 6 C 7.20 (category Article 5(1)(d) GDPR)Administrative Court's application of Article 16 GDPR. The Administrative Court had correctly assumed that, while Article 16 GDPR was applicable, it could not be established64 KB (10,816 words) - 15:44, 22 June 2022
- VGH Baden-Württemberg - 1 S 1739/20 (category Article 5 GDPR)purpose to process special categories of data according to Article 9 (1) GDPR is not proportional and necessary, as there are less restrictive measures66 KB (10,911 words) - 08:49, 21 June 2022
- LG Frankfurt am Main - 2-03 O 48/19 (category Article 16 GDPR)expressly agreed to the updated conditions on 24.04.2018 (Annex B 41). On 23.12.2018 at 19.03 hrs, the following article (Annex B 41) was posted on page66 KB (10,899 words) - 08:33, 8 September 2021
- UODO (Poland) - DKN.5131.16.2021 (category Article 33(1) GDPR)controller did not notify the DPA, it violated Article 33(1) GDPR. Moreover, it violated Article 34(1) GDPR since it did not provide the data subjects with the88 KB (14,432 words) - 10:31, 24 November 2021
- NAIH (Hungary) - NAIH-2501-10/2022 (category Article 5(1)(a) GDPR)required under Article 13 GDPR, as well as the fact of data transfer abroad, were completely missing. The DPA stated that Article 13 GDPR only provides the bare90 KB (14,299 words) - 13:52, 2 February 2023
- NAIH (Hungary) - NAIH-4447-6/2021 (category Article 5(1)(c) GDPR)the mayoral office of a district in Budapest under Article 17(1)(d) of the GDPR. Previously, the data subject registered to ask a question from the elected88 KB (14,152 words) - 10:07, 28 September 2021
- Garante per la protezione dei dati personali (Italy) - 9972788 (category Article 5(1)(a) GDPR)controller in violation of Article 5(1)(a) GDPR, Article 6 GDPR, and Article 13 GDPR. To begin with, in terms of Article 6 GDPR, the DPA rejected the controller's31 KB (4,724 words) - 11:01, 31 January 2024
- VG Mainz - 1 K 473/19.MZ (category Article 15(1) GDPR)Informationsfreiheit Rheinland-Pfalz – LFDI). He had made requests under Art 15 GDPR to a number of regional public authorities - several courts, attorney general’s31 KB (4,898 words) - 11:49, 19 April 2021
- DSB (Austria) - 2021-0.432.224 (category Article 4(11) GDPR)Art. 7 GDPR violates. 2.) The data protection authority has already stated that the rights of data subjects in Chapter III GDPR (Art. 12 to 23) are listed33 KB (5,026 words) - 12:07, 2 March 2022
- AEPD (Spain) - PS/00362/2021 (category Article 5(1)(f) GDPR)according to Article 5(1)(f) GDPR and the necessity to implement technical and organizational safeguards from Article 32 GDPR. Accordingly, only asking for31 KB (4,769 words) - 08:00, 8 September 2021
- AEPD (Spain) - PS-00446-2023 (category Article 6(1) GDPR)authorities in the exercise of their functions.” Likewise, Recital 40 of the aforementioned GDPR provides that "In order for processing is lawful, personal34 KB (5,141 words) - 09:28, 8 March 2024
- WSA Warszawa - II SA/Wa 2826/19 (category Article 5(1)(e) GDPR) Article 5(1)(f) in conjunction with Article 5(2), i.e. the principles of integrity and confidentiality, and Article 32 GDPR by failing 75 KB (12,225 words) - 23:47, 7 December 2021
- CE - N° 434684 (category Article 7 GDPR)Council of State considered that by deducting this general prohibition from the GDPR, the CNIL had gone beyond what is legally possible with guidelines, which32 KB (5,281 words) - 09:50, 10 September 2021
- UODO (Poland) - DKN.5130.2215.2020 (category Article 5(1)(f) GDPR)to modification, which constitutes a breach of Article 32(1) GDPR and Article 32(2) GDPR. Both Fortum and PIKA failed to implement appropriate technical110 KB (17,650 words) - 12:27, 29 April 2022
- AEPD (Spain) - PS/00331/2022 (category Article 25 GDPR)article 4.7 of the GDPR. The GDPR provides, in its article 56.1, for cases of cross-border processing, provided for in its article 4.23), in relation to240 KB (38,122 words) - 13:54, 28 February 2024
- GHSHE - 200.297.497 01 (category Article 16 GDPR)article 79 GDPR. Pursuant to Article 79 GDPR, the data subject has the right to an effective remedy if he considers that his rights under the GDPR have been54 KB (9,028 words) - 11:38, 23 February 2022
- CNIL (France) - SAN-2021-012 (category Article 14 GDPR)of their other rights guaranteed under the GDPR. The DPA found that the company had violated Article 28 GDPR. As a controller, Monsanto had to lead by a55 KB (8,897 words) - 13:56, 21 November 2023
- AEPD (Spain) - PS/00499/2022 (category Article 5(1)(c) GDPR)c) of the GDPR, typified in article 83.5 of the GDPR, and for the alleged infringement of article 13, typified in article 83.5.b) of the GDPR. SIXTH: The55 KB (8,912 words) - 13:18, 16 May 2023
- AEPD (Spain) - EXP202205932 (category Article 6(1) GDPR)under Article 6(1) GDPR. In light of this, the DPA issued a fine of €70,000 to másLUZ Energía (SIE) by virtue of Article 83(5) GDPR for unlawful processing32 KB (4,952 words) - 13:11, 13 December 2023
- UODO (Poland) - DKN.5131.8.2022 (category Article 5(1)(f) GDPR)laptop theft, in breach of Article 32(1) GDPR. Moreover, the DPA found a violation of Articles 24(1) and 25(1) GDPR because the controller failed to apply48 KB (7,609 words) - 12:24, 23 November 2022
- AEPD (Spain) - EXP202205206 (category Article 5(1)(f) GDPR)1.f) of the RGPD and Article 32 of the GDPR, typified in Article 83.5 of the GDPR and Article 83.4 of the GDPR.263 KB (41,516 words) - 09:29, 24 April 2024
- regarding Article 6(1) GDPR and consent requirements regulated previously to GDPR. The fact that the infringements related to Article 25 GDPR did not include440 KB (73,154 words) - 09:44, 12 May 2021
- Rb. Rotterdam - ROT 19/3036 (category Article 4(1) GDPR)with the conditions set out in Article 6 of the GDPR . In his view, on the basis of Article 5(2) GDPR the controller has an accountability obligation and33 KB (5,288 words) - 12:58, 16 September 2021
- AEPD (Spain) - PS/00261/2021 (category Article 6(1) GDPR)83.5.a) of the aforementioned Regulation 2016/679. In this sense, Recital 40 of the GDPR states: “(40) For the processing to be lawful, the personal data34 KB (5,536 words) - 19:04, 16 May 2022
- BVwG - W214 2224204-1 (category Article 4(1) GDPR)13 and 14 GDPR, objected to the processing pursuant to Article 21 GDPR and requested the restriction of the processing under Article 18 GDPR. The controller96 KB (15,762 words) - 11:58, 21 April 2022
- CNIL (France) - SAN-2022-017 (category Article 12(1) GDPR)60(3) of the GDPR. 23. On May 28, 2021, the Polish data protection authority raised three objections, in accordance with Article 60(4) of the GDPR. 24. By deliberation59 KB (8,323 words) - 11:51, 31 August 2022
- ICO (UK) - AMEX (category Article 4(11) GDPR)that is not necessary for the performance of that contract." 8. Recital 43 of the GDPR states: "Consent is presumed not to be freely given ... if the performance72 KB (8,623 words) - 10:38, 26 May 2021
- IMY (Sweden) - DI-2019-6696 (category Article 12(1) GDPR)access requests comply with the GDPR. After 3 years of inactivity from the DPA, noyb sought remedy under Article 78(2) GDPR from the Stockholm Administrative157 KB (18,556 words) - 12:00, 28 June 2023
- AEPD (Spain) - PS/00500/2020 (category Article 4(4) GDPR)consent was not valid as a legitimate basis from Article 6(1) GDPR, in relation to Article 7 GDPR, and thus processing was unlawful. On these grounds, the AEPD408 KB (64,616 words) - 14:28, 24 November 2022
- IMY (Sweden) - DI-2018-22697 (category Article 5(1)(a) GDPR)fairness and transparency under Article 5(1)(a) GDPR. The DPA referred to the preparatory work of the Swedish GDPR Implementation Act when it noted that the85 KB (9,808 words) - 12:01, 15 September 2021
- NAIH (Hungary) - NAIH-4667-10/2022 (category Article 10 GDPR)modifications of the grades in the system could not be tracked was compliant with the GDPR. A minor student (the data subject) alleged that his grade had been amended62 KB (9,999 words) - 10:21, 7 December 2022
- AEPD (Spain) - PS/00372/2021 (category Article 12 GDPR)Article 12 GDPR, read in conjunction with Article 17 GDPR. VI Sanction of the infringement of Article 12 GDPR The infringement of Article 12 of the GDPR entails81 KB (13,337 words) - 14:55, 22 February 2023
- APD/GBA (Belgium) - 124/2021 (category Article 6(3) GDPR)of the GDPR. Moreover, according to the Inspectorate, the GDPR has already entered into force on 24 May 2016, pursuant to Article 99(1) of the GDPR, whereby38 KB (5,625 words) - 10:37, 7 December 2021
- Persónuvernd (Iceland) - Case no. 2021101924 (category Article 6(1)(a) GDPR)appropriate and far beyond what is necessary (see the GDPR principles in Articles 5(1)(a) and (5)(1)(b) GDPR). Additionally, the controller had not complied36 KB (5,751 words) - 15:12, 25 January 2023
- AEPD (Spain) - EXP202104693 (category Article 6(1) GDPR)by article 9 of the GDPR -with- recital 51 of the GDPR- and, in addition, many other data not regulated in that precept- to. Recital 75 mentions in detail143 KB (23,267 words) - 08:54, 16 May 2023
- Garante per la protezione dei dati personali (Italy) - 9675440 (category Article 5(1)(c) GDPR)(AEPD) under the terms of the GDPR to shed light on the operation of the digital platform owned by the holding company, GlovoApp23. Of concern to the Garante180 KB (29,599 words) - 13:51, 28 July 2021
- Garante per la protezione dei dati personali (Italy) - 9856345 (category Article 5(1)(a) GDPR)compliance with the GDPR, since it had not checked if the third party from which it received its calling list was acting in a GDPR compliant manner. Therefore133 KB (21,637 words) - 07:03, 7 March 2023
- Garante per la protezione dei dati personali (Italy) - 10002324 (category Article 5(1)(f) GDPR)those envisaged by Article 42 GDPR. The certification can be used as an element to demonstrate compliance with the GDPR obligations and show that an organization129 KB (20,678 words) - 08:25, 8 May 2024
- EDPB - Urgent Binding Decision 1/2021 - 'WhatsApp' (category Article 5(1)(a) GDPR)Articles 63 to 66 GDPR. The GDPR also established a cooperation mechanism between the supervisory authorities. It follows from Article 60 GDPR that the lead188 KB (31,298 words) - 12:31, 20 January 2023
- AEPD (Spain) - PS/00443/2021 (category Article 12 GDPR)the GDPR. SAW Classification of the infringement of article 12 of the GDPR If confirmed, the aforementioned infringement of article 12 of the GDPR could40 KB (6,231 words) - 08:51, 16 March 2023
- Rb. Amsterdam - C/13/693399 / HA RK 20-337 (category Article 6(1)(e) GDPR)to the processing of his personal data under Article 6(1)(e) GDPR and Article 6(1)(f) GDPR. The court stated that if a data subject objects to data processing42 KB (6,332 words) - 15:00, 14 July 2021
- AEPD (Spain) - PS/00250/2021 (category Article 5(1)(f) GDPR)unauthorized access to said data (The underlining is from the AEPD). Recital 75 of the GDPR lists a series of factors or assumptions associated with Risks to40 KB (6,262 words) - 10:43, 7 July 2021
- WSA Warsaw (Poland) - II SA/Wa 2559/19 (category Article 5(1)(f) GDPR)resolution of the case referred to in Art. 78 sec. 1 of the GDPR and in recital (143) of the GDPR preamble, in a situation where the proceedings before the90 KB (14,642 words) - 11:12, 18 November 2020
- Garante per la protezione dei dati personali (Italy) - 0007060 (category Article 5(1)(e) GDPR)these purposes under Article 21(2) GDPR. Additionally, the data subject filed an access request under Article 15 GDPR. The data subject did not receive94 KB (14,814 words) - 14:42, 30 April 2024
- Same principles concerning fair data processing exist in the GDPR Article 5 and Recital 39 and the Irish DPA 2018.64 KB (9,589 words) - 16:15, 1 June 2022
- regarding Article 6(1) GDPR and consent requirements regulated previously to GDPR. The fact that the infringements related to Article 25 GDPR did not include457 KB (75,575 words) - 09:36, 12 May 2021
- Garante per la protezione dei dati personali (Italy) - 9827119 (category Article 12(1) GDPR)the foreseen deadlines, under Article 12(1) GDPR, Article 12(2) GDPR, Article 12(3) GDPR and Article 12(4) GDPR. The DPA further stated that regarding the42 KB (6,583 words) - 10:13, 13 October 2023
- IMY (Sweden) - DI-2021-1905 (category Article 5(1)(f) GDPR)Trygg-Hansa SEK 35 million (around €3 million) for breaching Article 5(1) GDPR and Article 32 GDPR. In April 2022, Moderna Försäkringar was acquired by Trygg-Hansa60 KB (7,023 words) - 08:49, 15 September 2023
- Tietosuojavaltuutetun toimisto (Finland) - 8896/152/2019 (category Article 4(1) GDPR)personal data under Article 4(1) GDPR. Nevertheless, this information may also include non-personal data to which the GDPR does not apply. Finally, the vehicle43 KB (6,896 words) - 13:20, 15 June 2022
- CNIL (France) - SAN-2023-009 (category Article 7(1) GDPR)26 GDPR. The agreements between Criteo and its commercial partners did not contain specific obligations in relation to the requirements of the GDPR, such78 KB (12,701 words) - 10:11, 28 June 2023
- CNPD (Luxembourg) - Délibération n° 35FR/2021 (category Article 5(1)(c) GDPR)over 15See in particular Articles 5.1.a) and 12 of the GDPR, see also recital (39) of the GDPR.81 KB (11,748 words) - 10:59, 17 November 2021
- Administrative court Luxembourg - 45128 (category Article 6(1)(e) GDPR)reference the GDPR on its own, without any of the involved parties bringing this up. The court referred to Article 6(1)(e) GDPR and recital 45, and reiterated44 KB (6,803 words) - 08:33, 21 November 2022
- AEPD (Spain) - PS/00052/2021 (category Article 9 GDPR)personal data under Article 9 GDPR, the AEPD held that a Data Protection Impact Assessment (DPIA) under Article 35 GDPR should have been carried out in79 KB (12,680 words) - 17:31, 8 February 2022
- such an additional request must not be so demanding so as to impede on the GDPR right. In this decision, this was not considered to be the case. The data19 KB (3,135 words) - 12:38, 16 September 2021
- OLG Stuttgart - 4 U 484/20 (category Article 16 GDPR)in: Plath, GDPR/BDSG, 3rd edition 2018, Article 82 GDPR, para. 4c). In particular, the reference to "full and effective compensation" in recital 146 of the75 KB (12,567 words) - 10:37, 14 November 2022
- the determination of Art. 6 (1) lit. f GDPR, recital (47) specifically states: "The lawfulness of processing may46 KB (7,140 words) - 13:24, 13 March 2023
- CNIL (France) - SAN-2023-015 (category Article 7(1) GDPR)breaches of Article 12 GDPR, Article 13 GDPR, Article 14 GDPR, Article 15 GDPR, Article 28 GDPR, Article 32 GDPR and Article 33 GDPR, as well as of Article67 KB (10,546 words) - 13:55, 25 October 2023
- CNPD (Luxembourg) - Délibération n°16FR/2021 (category Article 5(1)(c) GDPR)over 14See in particular Articles 5.1.a) and 12 of the GDPR, see also recital (39) of the GDPR.51 KB (7,338 words) - 11:33, 16 June 2021
- UODO (Poland) - DKN.5131.29.2022 (category Article 28(1) GDPR)requirements of Article 28 GDPR. The DPA concluded that the controller failed to comply with Article 28(1)(3) and (9) GDPR by not concluding a written48 KB (7,612 words) - 09:46, 25 April 2024
- Treaty on European Union and c) the General Data Protection Regulation ( GDPR ) and, after answering these questions, award the primary claim in a final46 KB (7,547 words) - 10:47, 24 March 2021
- Tietosuojavaltuutetun toimisto (Finland) - 6097/161/21 (category Article 5(1)(c) GDPR)erasure under Article 17 GDPR. The rest reported that the controller did not respond to their subject access requests under Article 15 GDPR that were sent via139 KB (22,397 words) - 21:48, 13 July 2022
- AEPD (Spain) - EXP202304633 (category Article 5(1)(f) GDPR)obligation of article 5.1 f) of the GDPR Article 5.1 of the GDPR establishes the principles regarding106 KB (15,486 words) - 14:32, 15 May 2024
- AEPD (Spain) - EXP202305587 (category Article 5(1)(f) GDPR)and 32 GDPR in this case would constitute a double violation of the GDPR, when in fact Article 5(1)(f) GDPR is merely a concretion of Article 32 GDPR. The285 KB (44,507 words) - 11:21, 30 April 2024
- Garante per la protezione dei dati personali (Italy) - 9832979 (category Article 5(1)(d) GDPR)Article 5(1)(d) GDPR. In addition, the DPA also contested the controller's inadequate data retention time (breach of Article 5(1)(e) GDPR); the migration69 KB (11,278 words) - 16:03, 22 February 2023
- AEPD (Spain) - EXP202300944 (category Article 4(11) GDPR)response to the LPBCFT before the TGSS. III Article 6.1 of the GDPR According to article 6 of the GDPR “Legitimacy of processing: 1. Treatment will only be legal76 KB (11,351 words) - 09:28, 24 April 2024
- AEPD (Spain) - EXP202207521 (category Article 6(1) GDPR)LPACAP), for the alleged infringement of article 6.1 of the GDPR, typified in Article 83.5 of the GDPR. The startup agreement was sent, in accordance with the54 KB (8,747 words) - 08:36, 30 August 2023
- EWHC (UK)- QB- Soriano v Forensic News LLC (category Article 3(1) GDPR)the Union." The Recitals to the GDPR do not assist on the meaning of "established" and "establishment" in the Union. However, recitals (23) and (24) throw108 KB (18,178 words) - 11:57, 29 November 2021
- OGH - 6Ob48/21h (category Article 80 GDPR)infringement of Article 22 GDPR in connection with consumer credit ratings could in fact allow the association to take legal action under the GDPR. The court decided50 KB (8,140 words) - 12:09, 1 October 2021
- AEPD (Spain) - PS/00267/2021 (category Article 6 GDPR)expressly stated in the GDPR, that supervisory authorities should monitor and enforce the GDPR, and with the provision in the GDPR that 'breaches' of data193 KB (32,580 words) - 11:16, 15 June 2022
- LAG Düsseldorf - 12 Sa 186/19 (category Article 9 GDPR)/ Weichert / Sommer, EU-GDPR and BDSG, 2nd edition 2020, Art. 9 GDPR marginal 3).9 GDPR does not allow recourse to Art. 6 GDPR (Albers / Veit in Wolff120 KB (20,753 words) - 17:06, 7 March 2022
- UODO (Poland) - DKN.5131.3.2021 (category Article 33(1) GDPR)authority (i.e. Article 33 (1 ) of the GDPR) and to notify the data subjects of breach of (Article 34 (1-2) of the GDPR), it would be necessary to state that129 KB (20,850 words) - 12:13, 7 July 2021
- BVwG - W211 2231475-1 (category Article 4(2) GDPR)controller (“verlängerter Arm”) (cmp. Article 29 GDPR). If the processing of data is in accordance with Article 6 GDPR, the controller is free to deploy a processor60 KB (9,653 words) - 17:28, 2 February 2022
- AEPD (Spain) - PS/00267/2020 (category Article 6(1) GDPR)data transfers would not be valid in accordance with Article 49(1) GDPR and Article 7 GDPR, given that consent was required within the contract without an208 KB (33,882 words) - 14:25, 24 November 2022
- AEPD (Spain) - PS/00261/2020 (category Article 5(1)(c) GDPR)publication and the entry into force of the GDPR, and that therefore the controller had violated Article 12 GDPR, by not fulfilling their information obligations54 KB (8,837 words) - 13:34, 16 June 2021
- Tietosuojavaltuutetun toimisto (Finland) - 8492/163/20 (category Article 5(1)(d) GDPR)5(1)(d) GDPR and data protection by design of Article 25(1) GDPR. In addition, the DPA held that the controller violated Articles 5(1)(a) and 13 GDPR by not149 KB (24,224 words) - 12:20, 2 January 2023
- APD/GBA (Belgium) - 105/2023 (category Article 5(1)(a) GDPR)((articles 5. 1, a) GDPR , 12.1 GDPR and 14.1 a) and c) GDPR) and how the accountability obligation was fulfilled (art 5.2 GDPR and 24 GDPR). The parties are102 KB (15,787 words) - 07:39, 6 September 2023
- Datatilsynet (Norway) - 20/03046 (category Article 32 GDPR)they did not have to. Consequently, they did not adhere to Article 33(5) GDPR, nor Article 33(1). The Norwegian DPA held that Trumf had breached Article87 KB (13,389 words) - 08:08, 24 June 2022
- NAIH (Hungary) - NAIH-85-3/2022 (category Article 5(1)(a) GDPR) (section Fine and order to comply with GDPR)within the meaning of Article 9(1) GDPR in certain cases. However, the NAIH held that in this specific case Article 9(1) GDPR did not apply to the processing147 KB (23,028 words) - 13:36, 28 February 2023
- AEPD (Spain) - PS/00016/2022 (category Article 15 GDPR)article 15 of the GDPR. V Classification of the infringement of article 15 of the GDPR The aforementioned infringement of article 15 of the GDPR supposes the62 KB (9,829 words) - 14:09, 14 March 2023
- TA Luxembourg - N° 46416 (category Article 96 GDPR)data subject within the meaning of the GDPR, i.e. a person identified or identifiable physical. Since the GDPR limits the circle of beneficiaries of RGPD64 KB (10,128 words) - 08:51, 24 November 2021
- UODO (Poland) - DKN.5131.49.2021 (category Article 33(1) GDPR)accordance with Article 34 GDPR. Therefore, the DPA found that the controller violated Article 33(1) and Article 34(1) GDPR and imposed a fine of 51,87663 KB (10,380 words) - 08:26, 17 October 2023
- EDPS - 2020-1013 (category Article 6 GDPR)the notices referred instead to the GDPR and in particular mention legitimate interest under Article 6(1)(f) GDPR as the legal basis for the processing66 KB (10,349 words) - 08:54, 19 January 2022
- WSA Warsaw - II SA/Wa 2378/20 (category Article 5(1)(a) GDPR)5 sec. 1 lit. a) GDPR, art. 6 sec. 1 GDPR, Art. 7 sec. 3 GDPR, Art. 12 sec. 2 GDPR, Art. 17 sec. 1 lit. b) GDPR and art. 24 sec. 1 GDPR, by not specifying92 KB (15,312 words) - 09:57, 10 September 2021
- OLG Köln - 6 U 80/23 (category Article 4(11) GDPR)However, the latter does not result from the Regulations of the GDPR from the recitals. Rather be Different designs are conceivable that meet the requirements24 KB (3,719 words) - 10:09, 15 February 2024
- Rb. Amsterdam - C/13/683377 / HA ZA 20-468 (category Article 5(1)(a) GDPR)predecessor of the GDPR) was applicable. From May 25, 2018, the GDPR applies. This distinction between the application of the Wbp and the GDPR is not relevant243 KB (40,160 words) - 11:54, 5 April 2023
- BVwG - W211 2210458-1/10 (category Article 2(1) GDPR)enactment of §§ 12 f DSG on Art 6 Paragraphs 2 and 3 and Art 23 GDPR and Chapter IX GDPR in conjunction with ErwGr 10. It should only be noted at this92 KB (15,435 words) - 16:00, 22 March 2022
- LG Rostock - 3 O 762/19 (category Article 4(2) GDPR)under Article 6(1) GDPR: A user's consent under Article 6(1)(a) GDPR could not be considered valid under Articles 4(11) and 7 GDPR, especially since the103 KB (16,959 words) - 13:58, 20 September 2021
- AEPD (Spain) - EXP202202309 (category Article 5(1)(f) GDPR)1.f) of the RGPD and Article 32 of the GDPR, typified in Article 83.5 of the GDPR and Article 83.4 of the GDPR respectively. SIXTH: The aforementioned106 KB (16,925 words) - 12:14, 3 April 2024
- Hoge Raad - 20/02950 (category Article 10 GDPR)7 April 2020 and 23 June 2020. [the person concerned] lodged an appeal in cassation against the decision of the Court of Appeal of 23 June 2020. The application16 KB (2,553 words) - 11:36, 2 March 2022
- LG Bielefeld - 19 O 147/22 (category Article 24 GDPR)(1) GDPR. 64According to the recitals of the European Charter of Fundamental Rights, the concept of damage is to be interpreted broadly (see Recital No37 KB (5,986 words) - 14:50, 9 May 2023
- OLG München - 18 U 5493/19 Pre (category Article 99(2) GDPR)under the GDPR. Literature and data protection authorities therefore agree that Section 13 (6) TMG expired with the introduction of the GDPR. Even if one58 KB (9,657 words) - 14:01, 20 September 2021
- Rb. Limburg - AWB-20 1431 (category Article 15 GDPR)assessed under Article 15 GDPR, the Court considered that this request to access documents was not made under Article 15 GDPR but under another administrative11 KB (1,771 words) - 10:42, 23 September 2020
- IDPC (Malta) - CPD/COMP/280/2023 (category Article 5(1)(f) GDPR)Article 4(1) GDPR. Therefore, the controller is subject to Article 5(2) GDPR and has to demonstrate and be responsible for compliance with GDPR provisions15 KB (1,805 words) - 10:08, 13 November 2023
- Rb. Amsterdam - AMS 22/5458 (category Article 12(2) GDPR)interpreted "facilitation" in the context of Article 12(2) GDPR, in connection with Recitals 59 to 64 GDPR, concluding that data controllers must provide an accessible27 KB (4,200 words) - 11:57, 13 September 2023
- Garante per la protezione dei dati personali (Italy) - 9815665 (category Article 5(1)(a) GDPR)definition of "personal data" in Article 4(1) GDPR. The DPA reminded the controller that, as defined in Recital 26 GDPR, pseudonymisation is a mere technical measure59 KB (9,359 words) - 08:38, 16 November 2022
- Rb. Midden-Nederland - C/16/531572 / KG ZA 21-672 (category Article 23(1)(d) GDPR)consulted before processing, pursuant to Article 36 GDPR. Fourth, the Court noted that, pursuant to Article 10 GDPR and Article 31 Implementation Act, the IP addresses59 KB (9,649 words) - 08:09, 20 October 2022
- Circuit Court - 2019/04546 (category Article 5(1)(a) GDPR)“non-material damage” is not defined in the GDPR, the recitals are informative, although not binding. Recital 146 of the GDPR provides that the “concept of damage60 KB (9,004 words) - 09:39, 15 February 2024
- Datainspektionen - DI-2019-3845 (category Article 5(1)(f) GDPR)the primary source of law The Data Protection Regulation, often abbreviated GDPR, was introduced on 25 May 2018 and is the primary legal regulation in the93 KB (11,610 words) - 11:43, 7 April 2022
- Garante per la protezione dei dati personali (Italy) - 9735672 (category Article 5(1)(d) GDPR)appropriate assessment by the Authority. Violation of Article 5(2) GDPR and Article 25(1) GDPR, for not having taken effective action against undue promotional380 KB (62,114 words) - 15:20, 26 January 2022
- LG Augsburg - 022 O 2669/22 (category Article 5(1)(f) GDPR)13, 14 GDPR), also the defendant clearly and in ease language pointed to the default settings, so no breach of Article 25 GDPR or Article 32 GDPR either26 KB (4,101 words) - 10:24, 13 March 2024
- APD/GBA (Belgium) - 110/2023 (category Article 5(2) GDPR)of the principle of accountability under Article 5(2) GDPR and Article 33(5) GDPR. Article 5(2) GDPR establishes the principle of accountability which obliges66 KB (9,820 words) - 10:13, 13 September 2023
- AEPD (Spain) - PS/00459/2020 (category Article 5 GDPR)processed personal data without consent, therefore violating Article 6(1) GDPR. While the initial processing of the personal data was justified for the40 KB (6,380 words) - 08:15, 28 July 2021
- BVwG - W274 2214412-1 (category Article 5(1)(d) GDPR)matter before a court (Art. 78 GDPR) and before the supervisory authority (Art. 77 GDPR) could not be inferred from the GDPR from a systematic point of view40 KB (6,634 words) - 10:07, 10 September 2021
- AEPD (Spain) - PS/00050/2021 (category Article 35 GDPR)restrictions shall be interpreted restrictively. The DPA remarked that Article 9 GDPR establishes an exception when processing is necessary to carry out obligations81 KB (13,036 words) - 14:28, 24 November 2022
- BVwG - W274 2243598-1 (category Article 5(1)(c) GDPR)standard B-VG Art 133 Paragraph 4 DSG §1 DSG §9 GDPR Art4 Z1 GDPR Art4 Z2 GDPR Art4 Z7 GDPR Art5 Paragraph 1 GDPR Art6 Paragraph 1 B-VG Art. 133 today B-VG Art122 KB (20,266 words) - 16:25, 31 October 2023
- Rb. Den Haag - C/09/550982/HA ZA 18/388 (category Article 5(1)(b) GDPR)and the GDPR go beyond the ECHR in some respect, the ECHR have to be interpreted in the lights of the general principles of the Charter and the GDPR. Regarding128 KB (21,722 words) - 16:14, 10 March 2022