Austria
The Federal Administrative Court held that a credit reference agency is allowed to collect data from the national public insolvency registry and process it for at least five years after the clearance of the underlying debts. Read more or edit on GDPRhub...
Belgium
The Belgian DPA held, among others, that a controller is not obliged to report a data breach which results from listing the recipients of an email in CC instead of BCC if the email is only received by a small group (16 people). Read more or edit on GDPRhub...
Written with the support of Enzo Marquet
The Belgian DPA also fined the Belgian National Railway €10,000 because it sent an unsolicited advertisement email with no opt-out option to customers. Read more or edit on GDPRhub...
Written with the support of Enzo Marquet
Denmark
The Danish DPA issued a reprimand against the Danish Trade Union and Unemployment Fund for breaching Articles 5(1)(d) and 32 GDPR by accidentally disclosing a data subject's new name to her violent former partner. Read more or edit on GDPRhub...
Written with the support of lou_schda
The Danish DPA also issued a reprimand against the Syddansk Universitet for violating security requirements under Article 32 GDPR by accidentally making 400 personal files accessible to more than 7,000 employees for a period of two weeks. The university also had no access log to check who accessed the information during that time period. Read more or edit on GDPRhub...
Written with the support of lou_schda
Finland
The Finnish DPA fined a telemarketing company €8,300 for not giving the data subject access to the sales call recording even after the DPA ordered it to do so. Read more or edit on GDPRhub...
Written with the support of Vadym Kublik
The Finnish DPA also held, among the others, that it lacked competence under Article 55(3) GDPR to supervise the Supreme Court's criminal case disclosure policies because the court acted in its judicial capacity. Read more or edit on GDPRhub...
Written with the support of Vadym Kublik
Ireland
The Irish Court of Appeal, in an appeal brought by the Irish DPC, ruled that personal data that was collected through CCTV for the purpose of crime prevention, could not be lawfully used for staff monitoring and disciplinary proceedings. This subsequent, secondary purpose, was incompatible with its original purpose. Read more or edit on GDPRhub...
Written with the support of czapla
Italy
The Italian DPA fined a processor €40,000 for violating Article 28(2) GDPR by engaging a sub-processor without specific authorisation from the controller. Read more or edit on GDPRhub...
Written with the support of Francesco Vigna
Netherlands
The District Court of First Instance of Gelderland held that a cinema was entitled to accepting only debit cards and website iDeal payments for tickets and snacks and drinks as it was necessary for the performance of contract and for ensuring the safety of its employees under Article 6 GDPR. Read more or edit on GDPRhub...
Written with the support of Eva Lu
The District Court Midden-Nederland held that a data subject had the right to a copy of personal data being processed and not the actual documents in which his data was processed pursuant to Article 15 GDPR. It also held that the overview provided has to be in a clear and comprehensible form. Read more or edit on GDPRhub...
Written with the support of Eva Lu
Norway
The Norwegian DPA fined a company €9,775 for unlawfully enabling automatic forwarding of an employee's emails in violation of Article 6(1)(f), for lack of information as per Article 13, failure to assess their objection as per Article 21, and required them to improve internal controls for employee emails as per Article 24 GDPR. Read more or edit on GDPRhub...
Written with the support of Rie Aleksandra Walle
The Norwegian DPA also intends to fine the Labour and Welfare Administration €486,700 for publishing CVs and confidential personal data of 1,800,000 data subjects online without a legal basis, in breach of Articles 6(1), (3) and Article 5(1)(a), and 5(1)(f) GDPR. Read more or edit on GDPRhub...
Written with the support of Rie Aleksandra Walle
Spain
The Spanish DPA issued a fine of €10,000,000 against Google LLC for unlawfully transferring personal data to a third party and for impeding the exercise of the right to erasure. Read more or edit on GDPRhub...