Search results

Category:Article 97 GDPR Kühling, Raab, in Kühling, Buchner, GVO BDSG, Article 97 GDPR, margin numbers 1-3 (C. H. Beck 2020, 3rd edition). In the latter case

enforcement of the GDPR. → You can find all related decisions in Category:Article 59 GDPR Selmayr, in Ehmann, Selmayr, DS-GVO Kommentar, Article 59 GDPR, margin number

Regulation (GDPR), Article 68 GDPR, p. 1059 (Oxford University Press 2020); Brink, Wilhelm, in Wolff, Brink, DS-GVO, Article 69 GDPR, margin numbers 4-6 (C.H

edition). Körffer in Paal, Pauly, DS-GVO BDSG, Article 71 GDPR, margin numbers 4 (C.H. Beck 2021, 3rd edition). Dix in Kühling, Buchner, GDPR BDSG, Article

under the GDPR. → You can find all related decisions in Category:Article 94 GDPR Kühling, Raab, in Kühling, Buchner, GVO BDSG, Article 94 GDPR, margin numbers

all related decisions in Category:Article 31 GDPR Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 31 GDPR, margin numbers 1-4 (Beck 2020, 3rd edition)

as profiling (see also Article 4(4) GDPR); Restriction (marking for limited further processing, see also Article 4(3) GDPR), such as deactivation of information

Member State law under Article 6(4) GDPR; further processing based on the data subject's consent under Article 6(4) GDPR and further processing for a compatible

which violates the GDPR. Article 4(12) of the GDPR clarifies that the regulation applies specifically in cases of personal data breaches. In such breaches,

compatible with the eliminated purpose” under Article 6(4) GDPR. Art 6(4) GDPR establishes that, in order for the controller to determine whether processing

to Article 60 GDPR, Article 61 GDPR, Article 62 GDPR, Article 63 GDPR, Article 64 GDPR, Article 65 GDPR, Article 66 GDPR and Article 56 GDPR. The SA is also

Article 32 GDPR, margin numbers 23 (Manz 2022). Pollirer, in Knyrim, DatKomm, Article 32 GDPR, margin numbers 23 (Manz 2022). Pollirer, in Knyrim, DatKomm

(available here). Bygrave, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 25 GDPR, p. 576 (Oxford University

Regulation. National identification numbers (NIN) or identifiers of general application as understood in Article 87 GDPR are numbers used by public authorities

is intended to be, stored in a filing system. The term 'processing' is defined, and further discussed, in Article 4(2) GDPR. In general, processing includes

specialis in relation to the GDPR - usually in the form of a Restriction under Article 23 GDPR - these other rights exist in parallel to the GDPR. This means

(Article 15 GDPR), rectification (Article 16 GDPR), erasure (Article 17 GDPR), restriction (Article 18 GDPR), notification (Article 19 GDPR) or data portability

on Article 6(1)(e) and (f) GDPR, “including profiling based on those provisions.” Profiling is defined in Article 4(4) GDPR as a form of automated processing

80 sentence 5 GDPR. Ziebarth, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 204 (Nomos 2018). Klabunde, in Ehmann, Selmayr

toimisto in Finnish or Dataombudsmannens byrå in Swedish) is the national Data Protection Authority for Finland. It resides in Helsinki and is in charge

Article 6(1)(4) GDPR, as illustrated by the rules in Articles 4(11), 7 or 8 GDPR, as well as Recital 43. If consent is "freely given" under the GDPR requires

please refer to Article 51(1) GDPR and Article 52 GDPR in this Commentary. Article 54(1)(b) GDPR echoes Article 53(2) GDPR, which outlines the qualificatory

categories of data established in Article 9(2)(a) GDPR, Article 9(2)(c) GDPR, Article 9(2)(g) GDPR and Article 9(2)(i) GDPR directly correlate with a specific

related decisions in Category:Article 95 GDPR Costa de Oliveira in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 95 GDPR, p. 1296 (Oxford

exclude all sanctions mentioned in Chapter VIII GDPR, i.e. the damages under Article 82 GDPR and fines under Article 83 GDPR. In any case, should fines for

decisions in Category:Article 78 GDPR Tambou, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 78 GDPR, margin numbers 3 and 7 (C

n Recital 121 GDPR. Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 53 GDPR, p. 888 (Oxford

listed in Article 83(4), (5) and (6) GDPR. This specifically refers to violations of Articles 8, 11, 25 to 39, 41(4), 42, 43 of the GDPR (paragraph 4), Articles

of the GDPR enforcement across the Member States. → You can find all related decisions in Category:Article 64 GDPR Caspar in Kühling, Buchner, GDPR Article

requirements set forth in Article 12 GDPR. Dix in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 34 GDPR, margin numbers 8-9 (C.H. Beck 2019)

from any of the GDPR’s protections. → You can find all related decisions in Category:Article 39 GDPR Just as Article 38 GDPR, Article 39 GDPR also shows similarities

all related decisions in Category:Article 70 GDPR Schiedermair in Simitis et al., Data Protection Law, Article 70 GDPR, margin numbers 6-8 (C.H. Beck 2019

under Article 65(3)(1) GDPR and for consistency decisions in the urgency procedure under Article 66(4) GDPR is necessary, as these are in this respect backward

Belisario, GDPR e normativa privacy – Commentario, Article 90 GDPR, p. 662 (Wolters Kluwer 2018). Piltz in Gola DS-GVO, Article 90 GDPR, margin numbers 6-7 (C

controller (as defined under Article 4(7) GDPR) and a processor (as defined under Article 4(8) GDPR). As noted above, Article 79 GDPR imposes a two-stage cumulative

activity in question. → You can find all related decisions in Category:Article 80 GDPR Leupold, Schrems in Knyrim, Der Datkomm, Article 80 GDPR, margin

(Article 52(4)(5)(6) GDPR). Elements of SAs' complete independence are also addressed in Article 53 GDPR and Article 54 GDPR. The CJEU in the Case of Commission

response under Article 12(4) GDPR. There is no definition of the term “manifestly ... excessive” in the GDPR. The example in the law “in particular because of

19 GDPR. → You can find all related decisions in Category:Article 18 GDPR The right to restriction of processing was introduced in 2016 by the GDPR although

decisions in Category:Article 55 GDPR Hijmans, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, p

established in 2001. It resides in Riga and is in charge of enforcing GDPR in Latvia.  The DVI is functionally independent institution. Besides GDPR, the regulation

BDSG, Article 75 GDPR, margin number 6 (C.H. Beck 2020, 3rd edition). Brink, Wilhelm, in BeckOK DatenschutzR, Article 75 GDPR, margin numbers 8-9 (C.H. Beck

of the GDPR. Article 10 GDPR is intended to extend the protection of the GDPR to the processing of certain criminal data that is not included in the scope

66(1)-(2) GDPR is the CSA within the meaning of Article 4(22) GDPR. In contrast, Article 66(3) refers to “any supervisory authority” (Article 4(21) GDPR) and

decisions in Category:Article 93 GDPR Herbst in Kühling, Buchner, DS-GVO BDSG, Article 93 GDPR, margin number 1 (C.H. Beck 2020, 3rd Edition). Ehmann, in Ehman

of Article 4(7) and (8) GDPR can be liable for compensation. A claim for damages first requires an infringement of the GDPR. Article 82 GDPR does not contain

to damage referred to in Article 62(4) GDPR. According to Article 62(7) GDPR, if the lead SA does not invite the SA to take part in the joint operations

is subject, under Article 6(1)(c) GDPR. In line with the general objectives of the GDPR, as outlined in Article 1 GDPR Article 16 TFEU, SAs are also required

as listed in Articles 13 GDPR. In certain cases, Article 23 GDPR may be used by Member States to exempt certain duties under Article 13 GDPR in certain situations

Article 14 GDPR gives expression to the principle of transparency enshrined in Article 5(1)(a) GDPR and further defined in Article 12 GDPR. While Article

business 'in accordance with community law' - not in violation of community law (such as the GDPR). While there is no general balancing test, the GDPR foresees

guidance on Article 85 GDPR can be found in the case-law of the ECtHR. See, Tinnefeld in Kühling, Buchner, GDPR BDSG, Article 85 GDPR, margin number 9 (C

access (Article 15 GDPR), rectification (Article 16 GDPR), erasure (Article 17 GDPR), restriction of processing (Article 18 GDPR), notification obligation

mentioned in paragraph 1. In other words, the examples provided in paragraph 3 are helpful in understanding the relevant risk indicators for the GDPR, which

Article 4(7) GDPR (definition of controller), Article 4(8) GDPR (definition of processor), Article 4(16) GDPR (definition of main establishment), Article

carried out in compliance with the GDPR. Article 28(3)(h) GDPR enables such a task in case processors are used. According to Article 28(3)(h) GDPR, the processor

controller qualifies as controller (Article 4(7) GDPR) and Google LLC as processor (Article 4(8) GDPR) for data processing in connection with Google Analytics. Furthermore

Lit a GDPR or Article 6 GDPR or GDPR Article 6, Sec 1(a) Recitals are also not shortened. Example: Recital 47 Example: Not R 47 or Recital 47 GDPR Other

protection authorities (Art. 78.1 GDPR), as well as by the possibility to bring actions directly in court (Art. 79 GDPR). Against the decisions that put

In the opinion of AG Bobek, data such as phone number and car chassis number must be considered as personal data in the sense of Article 4(1) GDPR when

(i.e. the differentiation of the numbers existed, in these cases, in the last two digits of the calling numbers). In one case, the complaint concerned

meaning of Article 4(7) GDPR. Furthermore, the erasure or destruction of personal data is a form of processing based on Article 4(2) GDPR. The DPA has the

GCP in in combination with article 83 par. 5 of the GCC, and with article 21 par. 1 lit. b 'of Law 2472/1997, in combination with article 13 par. 4 of law

even pseudonymised data (Art. 4 Para. 5 GDPR) from the term personal data are recorded in accordance with Art. 4 Para. 1 GDPR. It is undeniable that the MB

protection of Art. 82 GDPR does not cover violations of Art. 13, 14, 15, 24, 25 and Art. 34 GDPR. In addition, there is no breach of the GDPR by the defendant

juris; Klar/Kühling: in: Kühling/Buchner, DS-GVO/BDSG, 2nd ed., Art. 4 DS-GVO marginal 8; Ernst, in: Paal/Pauly, DS-GVO/BDSG, 2nd ed., Art. 4 marginal 14). 39

the GEOPORTAL2 was not in line with the principle of lawfulness in Article 5(1)(a) GDPR, as none of the conditions of Article 6 GDPR were satisfied. The data

6(1)(a) and 4(11) GDPR in a case concerning the requirements of consent). Always use the most specific sub-paragraph (e.g. Article 6(1)(a) GDPR for consent

relative numbers were included in the Company's denial black list; e) in the black list used by the partner XX Srl there were almost 200,000 numbers that did

Article 28(1) GDPR by allowing 84 Danish municipalities to wrongfully gain access to the social security numbers and employment information of 4.2 million

Article 32 GDPR in ten cases. Meanwhile, Zitatel was found to be in violation of Article 5(1) GDPR and Article 32 GDPR in two cases. With regards to Teleraise

things. (6) In the situation in question, children's personal identification numbers are not intended to be used for the purposes listed in paragraph 38

referred to in Section 29.4 of the Data Protection Act, in which the personal identification number should not be entered unnecessarily. In addition to

account numbers. As a result, the DPA issued a reprimand to the controller in accordance with Article 58(2)(b) GDPR. Pursuant to Article 58(2)(d) GDPR, the

by e-mail. 1.4.4. With reference to the disputes referred to in points 4) and 5), in the initiation of the procedure it was noted that, in relation to the

checked whether the calling numbers indicated by the claimant in his claim are recorded in our database of telephone numbers that use our collaborators

calls to be made to the numbers included in the list of ADHD as well as in the internal Robinson List. In view of the above, my client understands that

awarded to an attorney at law salary. 4 The decision The court 4.1. Declares [the applicant]'s application inadmissible; 4.2. orders [the applicant] to pay

protection breach resulting in the need to notify the authority and the data subjects, according to Article 33(1) GDPR and Article 34(1) GDPR? The PUODO held that

November 2017 for complete numbers (i.e. for more than 13 months) and since 9 July 2014 for truncated numbers (i.e. for more than 4 years). However, the registration

of facts in a number of respects. In so far as relevant, the Court of Appeal will take this into account in the following. In this case - in so far as

persons responsible or in charge listed in paragraph 1 commit any of the offences referred to in Articles 72 to 74 of this Organic Law. In the present case,

personal data (health data under Article 4(15 GDPR) and consisted of the patients' names and social security numbers, excerpts from patient letters, medical

institutions) in this specific case outweigh the interests or the fundamental rights and freedoms of the data subject (recital 69 GDPR ). 4.4. This assessment

following sanctions, resulting in a record fine of € 8 125 000: - A € 4 000 000 fine for the infringement of Article 28 GDPR: due to the hiring of processors

obligation mentioned in the Art. 14 GDPR. 4) No, in the assessment of the President of UODO, sending out information related to Art. 14 GDPR by regular mail

obligations under Articles 24 and 32 of the GDPR which led to the personal data breach, as per Article 4(12) of the GDPR, including with regards to the complainant’s

purposes? 4) Is the data subjects’ consent valid? The HDPA found that: 1) The telephone number constitutes personal data according to Article 4(1) GDPR as the

complainant contained in a procedural document; in particular, a page of the procedural documents is taken up in which the claimant appears in a frontal position

Misdemeanor Court in Zagreb ruled that municipal wardens have a valid legal basis under Article 6 GDPR to collect and process vehicle registration numbers. The legal

mobile phone numbers of contacts who do not use the app. In order to do so, it must first assess whether the holders of the mobile phone numbers in the address

Article 48(1) LGT, Article 21 GDPR in link with Article 23 LOPDGDD and Article 28 GDPR? The Spanish DPA (AEPD) held that the facts in question indicated a breach

000 under Article 58(2) GDPR and Article 83(4) GDPR for the breach of Article 32(2), Article 32(4) GDPR and Article 28(3) GDPR. As for the controller,

provider, was processing personal data, in line with the definition of Article 4(1) GDPR. In accordance with Article 5(3) GDPR, the controller had an obligation

control with reference number [...], in order to prevent its implementation in the scope indicated in points 1-5 and in point 6 (with regard to technical

04/25/2018 in which he makes these declarations: - That in a bank account of which he is the owner in the entity CAIXABANK, (number ended in the digits

[plaintiff] states - in brief - that, in view of the current facts, ABN AMRO's interests in maintaining the coding do not outweigh its interest in removing it.

privacy. In addition, the excel files contained social security numbers 4 which are considered to be particularly personal data. The information in e- the

which the agent contacted in a personal capacity the complainant does not belong to VODAFONE, i.e. it is not listed in the numbers assigned to the ATENTO

to secrecy in accordance with Section 1 Paragraph 1 of the GDPR by not observing the principles in accordance with Articles 5 and 6 of the GDPR. The complaint

the data breach within the time limits set out in Article 34 of the GDPR (Article 83(2)(h) of the GDPR). In view of the above, it is not considered that

exercising their right to access (Article 15 GDPR), not mentioning any of the elements of Article 14 GDPR regarding the processing of data, but only mentioning

a person's behavior can be obtained by profiling, as referred to in art. 4 pts 4 GDPR. However, as part of our activities, we do not conduct profiling

personal data in question was not covered by the Public Administration Act. As such, the municipality did not have a legal basis cf. Article 6 GDPR. In addition

collection of Tax Identification Numbers is neither necessary nor appropriate for determining the reliability of an entity, in terms of customs law, and the

document with a digital signature. In light of these facts, Italy’s DPA found Vodafone S.p.A in violation of the following GDPR provisions: Article 5(1) and

of up to 4 % of the total annual turnover of the previous financial year, whichever is greater, in accordance with Article 83.5 of the RGPD. In accordance

the same. c. That in those cases in which a high risk could be observed one or more exceptions from those contained in art. 3. 4 GDPR. In this sense, those

because there are more telephone numbers in Austria than residents and virtual telephone numbers can also be generated in the app for verification, then

Article 13 of the GDPR GDPR. The form used violated Article 13 of the GDPR conduct that is subsumi- ble under Article 83(5) of the GDPR, which provides:

35(7) GDPR, for not complying with the principle of transparency under Article 5(1) GDPR and for not anonymising the data under Article 25(1) GDPR, among

provisions mentioned in point 4, to giving its interpretation of the provisions of the regulation of 27 April 2016 mentioned in point 3 in as regards the modalities

to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive", before specifying the elements to be taken into account in deciding

of “names and addresses” in Article 8(2)(a) Directive 2004/48 which is not defined in that directive and has been implemented in the § 101(3)(1) of the German

needed in such a case. Furthermore, some of the data subjects had submitted requests to the controller regarding exercising their rights under GDPR. The

under 6.3.2 (part 1, in marginal numbers 22.-24.), 6.4.2 (part 2, in marginal numbers 26.-32.), 6.5.2 (subpart 3.1, in marginal numbers 34.-39.) and 6.5.3

registered on the Robinson List in breach of Article 48(1)(b) LGT and Article 21 GDPR in conjunction with Article 23(4) LOPDGDD. Avilon Center SL made

with a finepublic, as indicated in article 77.1. c) and 2. 4. 5. and 6. of the LOPDDGG: “ 1. Theregime established in this article will be applicable to

reasonableness and fairness. In the given circumstances [applicant] is in this case admissible in his application. assessment framework 4.4. The right of access

32 GDPR). In that respect, CNIL imposed a fine of 250,000 euros and called SPARTOO SAS to bring its processing activities in conformity with GDPR in a

the data controller to bring the processing operations in line with the provisions of the GDPR in accordance with Article 58 (2) (d). Share blogs or news

referred to in paragraphs 4, 5 and 6 of this Article are effective, proportionate and dissuasive in each individual case (paragraph 1). In accordance with

requirements of the GDPR; Because from Recital 171 Sentence 2 GDPR, from Art. 4 No. 2 GDPR and Art. 24 Para. 1, in particular Sentence 2 GDPR, the obligation

category of personal data covered by the breach in question, in the form of PESEL numbers, series and numbers of ID cards, names and surnames, address of residence

controller. In the case at issue, such processing should also be considered in violation of the GDPR. In particular, the DPA held that in any case, the

infringement; h) the way in which the supervisory authority learned of the infringement, in particular if the person in charge or the person in charge notified

of Article 32(1)(b) GDPR and Article 32(1)(d) GDPR and of the principle of accountability as foreseen in Article 5(2) GDPR read in conjunction with Article

whether the person who parked the vehicle in the parking lot was entitled to park the vehicle in the parking lot in question. The controller has considered

this possible. The vulnerability in Zoo's log-in allowed us to try to find a valid log-in (username and password), which in turn gave unauthorized access

personal data, approved by resolution no. 98 of 4/4/2019, published in G.U. no. 106 of 8/5/2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter "Regulation

February 4, 2019; Having regard to the written observations filed by the company SERGIC on March 4, 2019 ; Having regard to the observations in response

through a specialized cyber team, without any results in the deep neither in the dark web, and (4) due to the huge volume of affected subjects, the data

they comply with the provisionscurrent in the matter.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 4 4/8Only the community of owners, once

provided for in Article 56(1), read in conjunction with Article 56(2), read in conjunction with Article 56(3), read in conjunction with Article 56(4), read in

concerning events in the city centre. As such, the DPA held that the recordings captured personal data pursuant to Article 4(1) GDPR. Since the controller

as evidence in court proceedings under Article 6(1)(f) GDPR as the legitimate interest in doing so outweighed the data subject's interest in keeping his

infringement; h) the way in which the supervisory authority learned of the infringement, in particular if the person in charge or the person in charge notified

Article 9(2) GDPR and the conditions for consent pursuant to Article 4(11) GDPR had to be assessed in light of the relevant circumstances in which the consent

emails sent in connection with messages in respectively. Krifa Box and Secure @ Mail. In the case of an advisory email about new e-mail in Secure @ Mail

first time in the e-mail of [...] February 2020 addressed by AM to e. In a similar case, as of [...] February 2020. He mentioned in it that in connection

78(2) GDPR defines the applicable time frame in line with Article 4:13(1) of the Dutch Administrative law. The reason for not putting a deadline in the law

registered (customers) pursuant to GDPR art. 34? It follows from GDPR art. 34 that Nemlig and Intervare as data controllers in case of security breach is obliged

Regulations on the Use of Citizen Service Numbers in Healthcare ('Regeling gebruik burgerservicenummer in de zorg') read in conjunction with the Act on Additional

from users of “*** APPLICATION.1”.m) In fact, certain numbers in the public numbering plan are included bydefect in said "black list" (091, 061, 112, 092

margin no. 50). According to Art. 4 No. 15 GDPR in conjunction with recital. 35, second sentence of the GDPR, also numbers, symbols or labels that have been

and surname and only four NIF numbers, the rest of the numbers were hidden with an asterisk in the random. In our case, in the same way, when publishing

is typified in article 83.4.a) of the aforementioned GDPR in the following terms: "4. Violations of the following provisions will be penalized, according

namely Article 5(1)(f) GDPR, and thus, it did not comply with Article 5(2) GDPR referred as the principle of "proactive responsibility". In addition, it claimed

controller relied on Article (6)(1)(b) GDPR and Article 6(1)(c) GDPR as legal basis affects the holding of the DPA since in PS/00126/2021 the Spanish DPA held:

the RGPD, typified in article 83.5 of the GDPR, with a warning. -For an infringement of Article 25 of the RGPD, typified in article 83.4 of the RGPD, with

also stated in the decision. [The equivalent GDPR Article to Article 48(3)(a) EU GDPR is Article 46(3)(a) GDPR, and Article 50(1)(d) EU GDPR is Article

of Booking is located in Amsterdam. 1 See section 3.4.2 in this respect. 3.2 Processing of personal data According to Article 4(1) of the AVG, personal

erase personal data in accordance with Article 17(1) of the GDPR, except for the exceptions referred to in Article 17(3) of the GDPR.In this case, the deletion

cards" showing masked numbers (except the last 4 digits) of a debit card. THIRD: In view of the facts denounced in the claim and the documents provided by

of the GDPR, articles: -12 of the GDPR, in accordance with article 83.5.b) of the GDPR and 72.1.k) of the LOPDGDD, and -5.1.c) of the GDPR, in accordance

affected provided for in articles 12 must be fulfilled and 13 of the GDPR, and 22 of the LOPDGDD, in the terms already indicated. 4.- Images of the public

party in administrative criminal proceedings before the data protection authority in connection with the above-mentioned preliminary proceedings. In any

Mantz, in: Sydow, GDPR, 2nd ed. 3018, Art. 32 GDPR marginal 10. Likewise Piltz, in: Gola, DS-GVO, 2nd edition. 2018, Art. 32 DSGVO Rn. 3. 4Jandt, in: Kühling

circumstances mentioned in proportion and at the end of the Fine Policy, as applicable in the present case, further increase or decrease. 4.4 Conclusion The AP

defendant submitted its observations, which, in accordance with Article 54(1)(b), (3) and (4), (4) and (4), (5) and (5), (5) and (5), (5) and (5), (5)

defendant is defined in Articles 83.4.a) and 83.4.b) respectively. 83.5.a) of the RGPD, precepts that they establish: Article 83.4: "Violations of the following

tool. According to Art. 46 Para. 4 GDPR, the European Data Protection Board had to be involved. According to Art. 64 (2) GDPR, any supervisory authority can

establishment (Article 4(16) GDPR) in Norway and that its processing of the data subject’s personal data was cross-border processing (Article 4(23) GDPR). Therefore

data, the company considers that, in accordance with the provisions of recital 63 of the GDPR and Article 15(4) of the GDPR, it is not obliged to respond to

communications services in it meaning referred to in 50 US Code § 1881 (4)(b) and is thus subject to surveillance by US intelligence agencies in accordance with

data registered in the case file system. 4. Legal environment In this case, the complainant's request for certain information on searches in the National

nevertheless, in its opinion, result in a disproportionately high fine. 4.3 Level of the fine According to the AP, in this case the following factors, in particular

appeal). Article 6.4 of this car scheme reads: "6.4 GPS systems In many cases, the company car is equipped with a GPS system (blackbox). In order to have a

US, may thus not be in accordance with the GDPR, so that the defendant had to reject that tender, in accordance with the GDPR and in accordance with the

6 and 24 GDPR? Was the processing by Wind Tre in violation of Articles 5 and 6 GDPR? Was the information provided by Wind Tre to the users in breach of

14. The complaint procedure in accordance with Art. 77 GDPR is, in particular in the Austrian procedural design by § 24 GDPR, an adversarial multi-party

was a personal data breach pursuant to Article 4(12) GDPR. Moreover, it stated that Article 32(1) GDPR obliges controllers to take appropriate technical

enshrined in Article 25 GDPR. Additionally, the AEPD concluded that the controller had violated Article 5(1)(f) GDPR, noting that although the GDPR does not

of this Law except in the cases in which it authorizes it or violates the prohibition contained in the paragraph 4 of article 7 " In general, article 7

100,000 PLN for violating Article 5(1)(a) GDPR and Article 6(1) GDPR by publishing, on its website, numbers of land and mortgage registers without any

personal data on their website, in violation of Article 5 and Article 6 GDPR. The controller is a health clinic and has been in an ongoing legal dispute with

the criteria defined in article 83(5)(a) GDPR where a company can be fined up to €20000000, or in the case of an undertaking, up to 4 % of the total worldwide

stated in Section 4.5 of the Data Processor Agreement that, in accordance with the Data Protection Regulation, Schultz must assist municipalities in complying

(Article 21 GDPR) and the right to erasure (Article 17 GDPR) of data subjects. Therefore the controller was not found in breach of Article 25(2) GDPR. The DPA

mortgage register numbers on the controller’s website constituted a personal data breach within the meaning of Article 4(12) GDPR. Third, in considering the

is requested in the call referenced in the following point, at the time of said call, there was no contract in force since 2013, date in which the previous

context of Articles 40 and 41 GDPR, in particular from Article 40 Paragraph 4 in conjunction with Article 41 Paragraph 2 lit. c) GDPR, namely further that a monitoring

out in compliance with the processing principles set out in Art. 5 GDPR and on the basis of one of the grounds for permission set out in Art. 6 GDPR. Article

Article 83e(4) GDPR provides, inter alia, that infringements of the obligations imposed by Article 32 GDPR on the controller and processer will, in accordance

increase or decrease. 4.4 Conclusion The AP sets the total fine at €400,000. 8For the justification, see paragraphs 4.3.1 and 4.3.2. 24/25Date Unidentified

cf. Number 4 Article 3 of the Act and 2. tölul. Article 4 of the Regulation.This case relates to a security breach which resulted in ID numbers and figures

violated Article 32 GDPR for insufficient risk assessment and the lack of security measures in the app MyPostNord, which used phone numbers as the only means

record in the AEPD O00007128e2000007150) that are not listed in their systems registered calls from numbers *** PHONE. 8 or *** PHONE 4 to the numbers ***

reasons, under Article 58 GDPR, the HDPA reprimanded the controller for violating Article 5(1)(c) GDPR and Article 15 GDPR. In addition, the HDPA ordered

considered as processing of personal data under Article 4(2) GDPR, hence making the GDPR applicable. In third place, the DPA recalled the need for a legal basis

their ID number when purchasing tickets in violation of Article 5(1) GDPR, Article 5(2) GDPR and Article 6 GDPR. A data subject issued a complaint with

designed in a predefined way in order to signal and block in real time the attempts to load supply contracts obtained in an opaque manner or in any case

coming into force of the GDPR on 25. 5. 2018. Can a controller charge for access to historic account data under Article 15 GDPR? Is GDPR applicable to a case

winners prize games. In this regard, the Agency, in its statement, requested the company in question to in particular, it is evident in relation to the scope

and 13 GDPR? Is the information provided to data subjects throughout the subscription process in compliance with the provisions of Article 13 GDPR? Does

stored in a file system, without specific to refer to the exceptions in Art. 2 Para. 2 GDPR. In this regard, however, the provisions of the GDPR are opened

compatible with the GDPR? On the first point, the CJEU held that VINs constitute personal data within the meaning of Article 4(1) GDPR, in so far as the natural

from from receipt of the request. 9 3 4GDPR, Art. 4.7), 4.8), 24, 26, 28, 29; GDPR, recitals 74, 79 and 81. GDPR, art. 4, 2). 5EDPB, “Guidelines 07/2020 concerning

registration numbers, e-mail addresses, usernames and/or passwords, data on earnings and/or assets, series and numbers of ID cards, telephone numbers , information

registered (customers) pursuant to GDPR art. 34? It follows from GDPR art. 34 that Nemlig and Intervare as data controllers in case of security breach is obliged

authority to exercise its duties and powers, as set out in the GDPR properly. 4. Breaches of the GDPR 17EDPB Guideline on Examples regarding Data Breach Notification

points to the preamble to the GDPR in substantiation, in particular under numbers 122 and 128.3.2. Plaintiff also doubts whether in this case there is a legal

subjects. In relation to this, the DPA stated that the controller violated Article 5(1) GDPR, Article 5(2) GDPR, Article 6(1)(a) GDPR and Article 7 GDPR for

and therefore the media privilege according to Art. 85 GDPR in conjunction with Section 9 GDPR applies. 3. At the request of the data protection authority

by e-mail of 4 June 2018 that the complainant's data had been deleted Instead, by e-mail of 4 June 2018, he asked the complainant to fill in a form, providing

their valid consent. Leads Works Ltd has continued to send significant numbers of marketing texts to individuals throughout, and since, the course of the

83, par. 5 of the Regulation, in setting the statutory maximum in the sum of 20 million euros or, for companies, in 4% of the annual worldwide turnover

provided. Both in the GDPR itself (Art. 12 Para. 1 GDPR) and specifically in Section 32d Para. 1 AO, it is expressly stipulated that Art. 12-15 GDPR are regulations

records constitute 'data relating to health' in the sense of Article 4(15) GDPR. Pursuant to Article 9 GDPR, this special category of data can only be disclosed

the website in this way across. However, on 4 February 2020, the database was no longer available in this way. The Authority's NAIH / 2020/66/4. By order

12 GDPR and provide information under Article 13 GDPR and Article 14 GDPR when the data subjects declared themselves interested in its services. In light

Article 31 GDPR in conjunction with Article 58(1)(e) GDPR. The AEPD, therefore, agreed to impose a penalty of € 20000 under Article 83(5)(e) GDPR. The fact

Article 9 (1) GDPR, Article 6 (1) GDPR, Article 5 (1) in conjunction with Articles 12, 13 and/or Article 14 GDPR and/or Article 5 (1) (in particular lit

of security within the meaning of Article 4(12) GDPR. In such cases, Article 33(1) GDPR and Article 34(1) GDPR require controllers to, respectively, notify

purpose of the proceedings and in large numbers ('five files'). The complainant claimed that processing obligations in the sense of obligations to keep

compliance with the GDPR, since it had not checked if the third party from which it received its calling list was acting in a GDPR complaint manner. Therefore

6www.aepd.es28001 - Madridsedeagpd.gob.es Page 4 4/11THIRD: The result of the transfer process initiated in the previous Event does notallowed to understand

data under Article 15 GDPR? The Spanish DPA held that the airline company had not complied with the right to access in Article 15 GDPR when it refused to

its processing in line with the GDPR. Since it had come to the attention of the DPA that the controller had already adjusted in services in such a way that

social security numbers and names. In this connection, Hovedstadens Beredskab I/S has stated that the social security numbers are anonymised in the search results

that the notified fee is accepted. 4. The requirements of the regulations 4.1. Responsible for processing Article 4 (7) of the Privacy Regulation defines

implementing a double opt-in process for user registrations, the respondent violated Article 5 GDPR, Article 6 GDPR, and Article 32 GDPR, and § 1 para 1 DSG

controller had violated Article 5(1)(f) GDPR, Article 17(1) GDPR, Article 25(1) GDPR, Article 32(1) GDPR and Article 32(2) GDPR. As a result, the DPA issued a reprimand

the Austrian Armed Forces in order to asses the member in the context of an "extended reliability check" which is foreseen in national law. The Respondent

the processing of personal data is not covered by the GDPR, according to Article 2(2)(c) of the GDPR. However, the DPA concluded that Orienteringsret.dk

13, 14 GDPR), also the defendant clearly and in ease language pointed to the default settings, so no breach of Article 25 GDPR or Article 32 GDPR either

under Art. 34 GDPR or the supervisory authority under Art. 33 GDPR, since the requirements of the legal definition in Art. 4 No. 12 GDPR were not met.

which consists in saving the telephone numbers of individuals in the company's telephone number database. All persons who agree to participate in a survey by

referred to in paragraphs 4, 9 and 6 is in each individual case effective, proportionate and dissuasive. "Administrative fines shall be imposed in addition

infringement. Thus, in the area of application of the GDPR - as applied in the present case - the absorption principle of Art. 83 (3) GDPR applies. 4. In relation

(Art. 6 Para. 1 lit. f GDPR). In this context, Art. 6 Para. 1 lit. c GDPR in conjunction with the PMG and Art. 6 Para. 1 lit. f GDPR relevant: The Respondent

Article 33 GDPR, it is the controller's duty to report breaches, while processors may assist as outlined in Article 28(3)(f) GDPR. In fact, the GDPR does not

of the main establishment of the respondent (Art. 4(16)(a) GDPR) in Austria, whereby the complaint in question was lodged directly with the Austrian Data

camera system, in a multi-locked location. After processing, the data was stored in tabular (.csv) format in The paper sheets are stored in a multi-locked

information in the manner and in the form specified in the request (paragraph 1). If public information cannot be made available in the manner or in the form

28(9) GDPR requires the agreement to be in writing, including in electronic form. Second, the DPA clarified the roles of the entities involved in processing

processing according to Article 4(2) GDPR and thus requires a legal basis according to Article 6(1) GDPR and comply with Article 5 GDPR. The controller did not

the calling numbers as its own numbers. 3) Similarly, the controller presented several arguments in relation to telephone directories. In general, it stated

available data as referred to in Article 4, opening words and under 2 of the GDPR, and thus as processing within the meaning of the GDPR. Because submission is

foundation in its capacity of controller. In October 2019 the foundation notified the AEPD for the data breach. Which provisions of the GDPR did the AEPD

under Article 82(1) GDPR were awarded for the web-scraping of publicly accessible personal data as the mere infringement of the GDPR is not sufficient to

including health data, recorded in copies Article 6 (1) of the GDPR and, in the case of health data, Article 9 of the GDPR. Article 1 (1); (3) did not provide

council had violated Article 13 GDPR and Article 25(1) GDPR. However, since the deficiencies regarding Article 13 GDPR were corrected before the end of

meaning of Article 4.9. of the GDPR, but this quality does not exclude that in turn, it has intervened in the capacity of treatment. 4.1. As regards the

2016/679, as defined in the first paragraph. Article 4 of the Act, cf. Points 2 and 4 Article 3 of the Act and points 1 and 2. Article 4 of the Regulation

communications services in it meaning referred to in 50 US Code § 1881 (4)(b) and is thus subject to surveillance by US intelligence agencies in accordance with

the scope of Art. 82 GDPR, since this is not a processing of personal data i. s.d. Art. 4 No. 2 GDPR. According to Art. 4 No. 2 GDPR, processing is any process

infringement; h) the way in which the supervisory authority learned of the infringement, in in particular if the person in charge or the person in charge notified

CFR Art8 para 11 CFR Art11 para 1 ECHR Art10 para 1 GDPR Art4 no 2 GDPR Art4 no 7 GDPR Art85 para 1 GDPR Art85 para 2 Text GZ: DSB-D123.768/0004-DSB/2019

breach in connection with the company testing a new scanning tool. The tool was set to search for social security numbers and credit card numbers. The scan