GDPRhub newsletter 02 June 2022

🎙️
Listen to the audio recording here.

Austria

The Federal Administrative Court held that a credit reference agency is allowed to collect data from the national public insolvency registry and process it for at least five years after the clearance of the underlying debts. Read more or edit on GDPRhub...

Belgium

The Belgian DPA held, among others, that a controller is not obliged to report a data breach which results from listing the recipients of an email in CC instead of BCC if the email is only received by a small group (16 people). Read more or edit on GDPRhub...

Written with the support of Enzo Marquet

The Belgian DPA also fined the Belgian National Railway €10,000 because it sent an unsolicited advertisement email with no opt-out option to customers. Read more or edit on GDPRhub...

Written with the support of Enzo Marquet

Denmark

The Danish DPA issued a reprimand against the Danish Trade Union and Unemployment Fund for breaching Articles 5(1)(d) and 32 GDPR by accidentally disclosing a data subject's new name to her violent former partner. Read more or edit on GDPRhub...

Written with the support of lou_schda

The Danish DPA also issued a reprimand against the Syddansk Universitet for violating security requirements under Article 32 GDPR by accidentally making 400 personal files accessible to more than 7,000 employees for a period of two weeks. The university also had no access log to check who accessed the information during that time period. Read more or edit on GDPRhub...

Written with the support of lou_schda

Finland

The Finnish DPA fined a telemarketing company €8,300 for not giving the data subject access to the sales call recording even after the DPA ordered it to do so. Read more or edit on GDPRhub...

Written with the support of Vadym Kublik

The Finnish DPA also held, among the others, that it lacked competence under Article 55(3) GDPR to supervise the Supreme Court's criminal case disclosure policies because the court acted in its judicial capacity. Read more or edit on GDPRhub...

Written with the support of Vadym Kublik

Ireland

The Irish Court of Appeal, in an appeal brought by the Irish DPC, ruled that personal data that was collected through CCTV for the purpose of crime prevention, could not be lawfully used for staff monitoring and disciplinary proceedings. This subsequent, secondary purpose, was incompatible with its original purpose. Read more or edit on GDPRhub...

Written with the support of czapla

Italy

The Italian DPA fined a processor €40,000 for violating Article 28(2) GDPR by engaging a sub-processor without specific authorisation from the controller. Read more or edit on GDPRhub...

Written with the support of Francesco Vigna

Netherlands

The District Court of First Instance of Gelderland held that a cinema was entitled to accepting only debit cards and website iDeal payments for tickets and snacks and drinks as it was necessary for the performance of contract and for ensuring the safety of its employees under Article 6 GDPR. Read more or edit on GDPRhub...

Written with the support of Eva Lu

The District Court Midden-Nederland held that a data subject had the right to a copy of personal data being processed and not the actual documents in which his data was processed pursuant to Article 15 GDPR. It also held that the overview provided has to be in a clear and comprehensible form. Read more or edit on GDPRhub...

Written with the support of Eva Lu

Norway

The Norwegian DPA fined a company €9,775 for unlawfully enabling automatic forwarding of an employee's emails in violation of Article 6(1)(f), for lack of information as per Article 13, failure to assess their objection as per Article 21, and required them to improve internal controls for employee emails as per Article 24 GDPR. Read more or edit on GDPRhub...

Written with the support of Rie Aleksandra Walle

The Norwegian DPA also intends to fine the Labour and Welfare Administration €486,700 for publishing CVs and confidential personal data of 1,800,000 data subjects online without a legal basis, in breach of Articles 6(1), (3) and Article 5(1)(a), and 5(1)(f) GDPR. Read more or edit on GDPRhub...

Written with the support of Rie Aleksandra Walle

Spain

The Spanish DPA issued a fine of €10,000,000 against Google LLC for unlawfully transferring personal data to a third party and for impeding the exercise of the right to erasure. Read more or edit on GDPRhub...