From gdprhub.eu
1 2
A court rejected a data subject’s claim for non-material damages under Article 82(1) GDPR after the controller failed to prevent the scraping of personal data from its social network. The court held that a loss of control does not automatically lead to any damage.
on Thu, 10AM
From gdprhub.eu
0 1
The DPA fined a telecommunications company a total of €6,500,000 after a cyberattack affecting 13,000,000 people showed that the controller hadn't implemented adequate measures to protect the personal data of their customers, suppliers and employees.
on Thu, 8AM
From gdprhub.eu
ANSPDCP (Romania) - Fine against Untold SRL
0 1
The DPA fined a controller RON 74,611.50 (€15,000) for failing to act on an access and erasure request.
on Tue, 10AM
From gdprhub.eu
0 1
A court concluded that the interest of a journalist requesting information on the outcome of an interrogation of two police officers did outweigh the data protection interests of the officers.
on Mon, 11AM
From gdprhub.eu
0 1
The DPA fined a website provider €90,000 for setting unnecessary cookies without users’ consent and for not informing them about the existence and function of these cookies.
on Sun, 10AM
From gdprhub.eu
Garante per la protezione dei dati personali (Italy) - 10066287
0 1
The DPA fined a controller €4,000 after it did not act on an access request sent via email. The DPA held that the fact that the only person having access to that inbox was on holiday was no valid excuse not to act in a timely manner.
on Nov 8
From gdprhub.eu
0 0
The DPA found that a data subject’s consent to the processing of their health data by an insurance broker was not freely given since the consent was a condition for a discount on a mortgage’s interest rate.
on Nov 7
From gdprhub.eu
Tietosuojavaltuutetun toimisto (Finland) - TSV/12/2019
0 0
The DPA ordered a telecommunications operator to provide the data subject with access to their personal data in electronic form. The DPA considered mailing a printout insufficient since the data subject had made the access request electronically.
on Nov 5
From gdprhub.eu
Garante per la protezione dei dati personali (Italy) - 10063782
0 0
The DPA fined a subsidiary of Poste Italiane €900,000 after a data breach led to the disclosure of employees' data. The controller did not resolve two vulnerabilities in its IT system, even though they had been known for almost a year.
on Nov 4
From gdprhub.eu
ANSPDCP (Romania) - Fine against IA BILET SRL
0 0
The DPA fined an online shop RON 9,951.40 (€2,000) for the excessive deletion of the data subject's complete account after they had objected to the processing of their phone number for direct marketing purposes.
on Nov 3
From gdprhub.eu
Datatilsynet (Denmark) - 2023-31-0053
0 0
The DPA found that the CCTV installed for the purpose of crime prevention didn’t automatically exempted a data subject from having access to their data.
on Nov 2
From gdprhub.eu
ANSPDCP (Romania) - Fine against Profi Rom Food Srl
0 0
The DPA fined a supermarket RON 49,744 (€10,000) after it forwarded personal data of its employees to a third party without a legal basis.
on Nov 1
From gdprhub.eu
0 0
The DPA fined an energy provider €60,000, after its processor erroneously assigned the data subject to a different company and therefore unlawfully disclosed personal data to that company.
on Oct 31
From gdprhub.eu
DSB (Austria) - D124.0507/24 2024-0.633.166
0 0
The DPA ordered a public broadcaster to adjust its website’s cookie banner since the graphic emphasis of the "accept all cookies" option invalidates the data subject’s consent under Article 6(1)(a) GDPR.
on Oct 31
From gdprhub.eu
IP (Slovenia) - 0603 30 2023 12
0 0
The DPA fined a controller €25,000 for the unlawful recording of its employees’ workspaces and for unlawfully making these recordings available online.
on Oct 29
From gdprhub.eu
0 0
A court held that the phone number of a company’s CEO, used by a business partner as the company’s contact data, constituted data relating to a legal person and therefore fell outside the scope of the GDPR.
on Oct 28
From gdprhub.eu
0 0
A court held that if a controller does not comply with the legal obligations regarding cold calling this fact has to be taken into account for the balancing test under Article 6(1)(f) GDPR. The court confirmed that this balancing test turned out against the controller, thus the processing was unlawful.
on Oct 27
From gdprhub.eu
ANSPDCP (Romania) - Fine against Your Consulting SRL
0 0
The DPA fined a controller RON 14.929,20 (€3,000) after inadequate technical measures led to a data breach.
on Oct 26
From gdprhub.eu
Garante per la protezione dei dati personali (Italy) - 10064226
0 0
The DPA fined a professional association of nurses €8,000 after it shared the data subject’s personal data with his employer in order to make him cease sending access to documents requests.
on Oct 25
From gdprhub.eu
0 0
The DPA’s appeal board confirmed that a controller does not have to provide a data subject with access to information on the specific employees who accessed their data.
on Oct 24
From gdprhub.eu
Rb. Den Haag - C/09/662309 / HA RK 24-104
0 0
A court ruled that national law allowed a bank to restrict the data subject's right to access regarding the logic involved in flagging suspicious transactions.
on Oct 22
From gdprhub.eu
Datatilsynet (Denmark) - 2023-32-0023
0 0
The DPA held that, following a data breach, a data subject was entitled to receive information on the specific recipient who erroneously received their personal data.
on Oct 21
From gdprhub.eu
NAIH (Hungary) - NAIH-5461-2/2024
0 0
The DPA reprimanded a media company for a failure to provide the data subject, a politician, with the information listed in Articles 13 and 14 GDPR. On the other hand, the DPA found that using a drone to take pictures of the data subject's house was lawful under Article 6(1)(f) GDPR.
on Oct 20
From gdprhub.eu
0 0
The DPA reprimanded a media company for failing to implement an option to reject cookies on the first layer of the cookie banner on one of its websites. Also, the option to accept all cookies was unlawfully highlighted in a catchy colour.
on Oct 19
From gdprhub.eu
0 0
A court held that the bad feeling about contributing to the business model of a social media platform does not constitute a non-material damage under Article 82 GDPR.
on Oct 18
From gdprhub.eu
CJEU - C-446/21 - Maximilian Schrems v Meta Platforms Ireland Limited
0 0
The CJEU stated that public disclosure of a data subject’s sexual orientation does not allow a social media platform to process other data relating to that orientation. Also, the CJEU held that personal data must not be processed for targeted advertising without restricting the duration and type of data.
on Oct 17
From gdprhub.eu
Datatilsynet (Denmark) - 2023-431-0013
0 0
The DPA ordered a controller to bring the data processing of its app into compliance with the GDPR. In violation of the privacy by design principle, the controller implemented third-party solutions that processed more data than necessary.
on Oct 17
From gdprhub.eu
CJEU - C‑21/23 - Lindenapotheke
0 0
The CJEU held that information entered by customers when ordering pharmacy-only medical products constitutes health data, even when the products are prescription-free. The Court further found that the GDPR does not preclude national law enabling a controller’s competitors to challenge GDPR...
on Oct 17
From gdprhub.eu
CJEU - C-768/21 - TR v Land Hessen
0 0
The CJEU held that when a data breach has been established, DPAs are not required to exercise a corrective power under Article 58(2) GDPR, where it is not appropriate, necessary or proportionate to remedy the shortcoming found.  
on Oct 8
From gdprhub.eu
0 0
A court rejected a claim for immaterial damages under Article 82 GDPR for the disclosure of information on the conclusion of a telecommunications contract to a credit rating agency.
on Oct 6
From gdprhub.eu
0 0
The DPA fined a municipality €15,000 for a lack of technical and organizational security measures that led to the unauthorised availability of personal data on the municipality’s website. The municipality’s processor was fined €5,000.
on Oct 5
From gdprhub.eu
0 0
The DPA fined Meta €91,000,000 for a personal data breach involving the storage of Meta users’ passwords in plaintext without cryptographic protection or encryption.
on Oct 4
From gdprhub.eu
ANSPDCP (Romania) - Fine against Vodafone Romania SA
0 0
The DPA fined Vodafone Romania RON 14,930 (€3,000) after it failed to act on an access and deletion request.
on Oct 3
From gdprhub.eu
0 0
The Supreme Administrative Court held that sending a letter to the registered address of an individual does not violate the rights of another individual residing at the same address. For the purpose of the mailing the address is personal data only regarding the intended recipient, not of other residents.
on Oct 1
From gdprhub.eu
0 0
The Advocate General opined that under Article 16 GDPR a transgender data subject has the right to rectification of their inaccurately recorded gender in the asylum register. While the authority can ask the data subject to prove the inaccuracy, it cannot ask them to prove they have undergone...
on Sep 30
From gdprhub.eu
CJEU - C‑383/23 - Anklagemyndigheden v ILVA A/S
0 0
The Advocate General opined that an undertaking under Article 83 GDPR encompasses the entity engaged in an economic activity, within the meaning of Articles 101 and 102 TFEU. While the undertaking’s turnover sets the maximum amount of the fine, the actual fine should reflect all relevant facts...
on Sep 29
From gdprhub.eu
0 0
The Data Protection Board dismissed a data subject’s appeal against the DPA’s decision to reprimand the Church of Norway. The Appeals Board held that the data subject had no right to appeal against corrective measures they consider too lenient.
on Sep 28
From gdprhub.eu
0 0
The DPA reprimanded Bolt for failing to enable the rectification of a data subject’s phone number. However, the controller implemented the respective possibility in the course of the procedure.
on Sep 27
From gdprhub.eu
0 0
The DPA fined a controller €100,000 for failing to answer a data subject’s access request in a timely manner. However, the DPA rejected the data subjects request to receive information on the specific employees who accessed their data.
on Sep 26
From gdprhub.eu
Garante per la protezione dei dati personali (Italy) - 10037849
0 0
The DPA issued a reprimand to the Ministry of Infrastructure and Transport after it unlawfully transferred data about an alleged mental illness of an employee to another Ministry in order to inquire if he had a gun licence.
on Sep 24
From gdprhub.eu
0 0
The DPA fined a controller €8,000 for sending an unsolicited commercial e-mail to a data subject without providing them with information on the right to object in accordance with Article 21 GDPR. The controller also failed to respond to an access request by the data subject.
on Sep 23
From gdprhub.eu
CNPD (Portugal) - Deliberação 2019/207
0 0
The DPA fined a controller €2,000 for failing to inform data subjects about the presence of video surveillance by installing signs in the monitored area. Thus, the controller violated Article 13 GDPR.
on Sep 22
From gdprhub.eu
0 0
A court upheld the DPA’s decision that a cookie banner’s first layer needs to contain a visually equivalent option to reject cookies.
on Sep 21
From gdprhub.eu
CJEU - C‑203/22 - Dun & Bradstreet Austria
0 0
The Advocate General opined that in case information about the logic involved in automated decision-making (Article 15(1)(h) GDPR) is regarded a trade secret, the information must be disclosed to the DPA which can determine the extent of information that must be provided to the data subject.
on Sep 20
From gdprhub.eu
CJEU - Joined Cases C‑17/22 and C‑18/22 - HTB Neunte Immobilien Portfolio
0 0
The CJEU ruled that not only a legislative act but also national case-law could stipulate a legal obligation in accordance with Article 6(1)(c) GDPR to disclose to a shareholder the identity of all other shareholders.
on Sep 19
From gdprhub.eu
CJEU - C‑416/23 - Österreichische Datenschutzbehörde
0 0
AG De La Tour opined that a DPA cannot refuse to act on a complaint characterising it as "excessive" under Article 57(4) GDPR simply because the data subject has filed several complaints with the same DPA.
on Sep 17
From gdprhub.eu
0 0
The DPA fined Glovo (a food delivery company) €15,000 after it failed to act on an access request. The DPA considered the fact irrelevant that the request was not sent to the DPO email address but to a different contact point of the controller.
on Sep 16
From gdprhub.eu
0 0
The DPA ordered a controller to bring the websites’ cookie banners into compliance with the GDPR by adding the reject button within its first layer and changing the colours used.
on Sep 15
From gdprhub.eu
CNPD (Portugal) - Deliberação 2019/297
0 0
The DPA fined a controller €107,000 for repeatedly sending unsolicited marketing communications without the data subject's consent. The controller bore liability even though it was a third-party who sent the communications using their own database.  
on Sep 14
From gdprhub.eu
UODO (Poland) - DKN.5131.33.2023
0 0
The National Public Prosecutor's Office, acting as a controller, committed a data breach unlawfully disclosing data subject’s personal data during the press conference. The DPA fined the controller PLN 85,000 (€20,000) and ordered to inform data subject about the breach.
on Sep 13