European Union
The CJEU held that Article 38(3) GDPR does not preclude national legislation mandating that a controller can only terminate employment of a DPO with βjust causeβ as long as the legislation does not undermine objectives of the GDPR. Read more or edit on GDPRhub...
Austria
The Federal Administrative Court of Austria held that the DSB only has the power to declare processing activities unlawful in proceedings following a complaint, and not when they where initiated by the DSB itself. Read more or edit on GDPRhub...
In another case, The Federal Administrative Court of Austria held that the DSB (Austria) was allowed to reject a complaint as excessive, because the data subject had already lodged 137 other complaints which partially focused on the same subject matter.Read more or edit on GDPRhub...
Belgium
The Belgian DPA fined a telecommunications provider β¬20,000 for exposing a customer's personal data to a third party by assigning their phone number to another customer and for not reporting the data breach. Read more or edit on GDPRhub...
Written with the support of Enzo Marquet
The Belgian DPA also held that a publisher (De Tijd) lawfully refused a data subject's request for erasure regarding a news article on the data subject in the publisher's online archive, based on it's right to freedom of expression and information. Read more or edit on GDPRhub...
Written with the support of Enzo Marquet
Denmark
The DPA recommended a β¬134,427 (DKK 1,000,000) fine against the Danish publisher Gyldendal for not deleting the personal data of its unsubscribed book club members. Read more or edit on GDPRhub...
Written with the support of Vadym Kublik
Finland
The Finnish DPA ordered a hospital to delete any historical data, location logs, and other employee personal data generated by the default save location feature in Windows 10 for Workstations. The setting violated the "data protection by default" principle under Article 25(2) GDPR. Read more or edit on GDPRhub...
Written with the support of Vadym Kublik
Germany
The Regional Court Cologne held that the SCHUFA is allowed to process information about the discharge of residual debt by an insolvency court for 3 years. Read more or edit on GDPRhub...
Written with the support of lacrosse
The DPA of Berlin (BInBDI) issued a reprimand to a controller for violating Article 17(1) GDPR by not erasing personal data after a request for ersaure was received, although there was no legal basis for further processing the data.Read more or edit on GDPRhub...
Written with the support of Marieta Gencheva
Hungary
The Hungarian DPA held that the Budapest Bar Association violated Article 15 and Article 12 GDPR by failing to reply to an access request within the time limit, which was held to start running regardless of the Association's closed offices. Read more or edit on GDPRhub...
Italy
Italy's DPA reprimanded a website operator for failing to provide appropriate safeguards for the transfer of personal data to the US through Google Analytics, ordering it to comply with Article 46 GDPR or suspend data transfers to Google LLC. Read more or edit on GDPRhub...
In another case, the Italian DPA fined a hospital β¬70,000 for putting the recipients of two medical newsletters in CC instead of BCC, revealing the personal data (including health data) to all recipients without legal basis. Read more or edit on GDPRhub...
Written with the support of Samuel Uzoigwe
Finally, the Italian DPA also ordered Facebook Italy and Meta Platforms Ireland Limited to remove revenge porn relating to a data subject from its platforms. Read more or edit on GDPRhub...
Written with the support of Carloc
Spain
The Spanish DPA held that the use of a doorbell camera did not constitute processing of neighbors' personal data, but it cautioned that the device must be used like a traditional peephole and not as video surveillance. Read more or edit on GDPRhub...
The Spanish DPA also fined a public broadcaster (Radiotelevision EspaΓ±ola) β¬30,000 for failing to disguise the voice of a rape victim before publishing an audio recording of her testimony at trial. Read more or edit on GDPRhub...
