Search results | European Data Protection Board

Greek SA: fine imposed on employer for failure to satisfy the right to object and unlawful processing of employee’s personal data
28 March 2022
News
… Foreign languages private school Legal Reference: GDPR: Article 5(1)(a): Principle of lawfulness, fairness and … Article 21: Right to object Decision: Infringement of the GDPR, Administrative fine Key words: Right to object, … the provisions of Articles 5(1)(f)(a), 5(2) and 13 of the GDPR and in any case without clearly specifying the legal …
EDPBI:CZ:OSS:D:2019:28
11 July 2019
… a. Privacy Policy, 15 sheets, b. Compliance with the GDPR — FAQ, 5 sheets; 15. Supplemental statement of the … party failed to comply with Articles 5(2) and 24(1) GDPR, which was interpreted as the obligation to take into … to properly show compliance with Articles 5(2) and 24(1) GDPR was provided. The last objection was partially …
EDPB clarifies rules for data sharing with third country authorities and approves EU Data Protection Seal certification
3 December 2024
News
… Data Protection Board (EDPB) published guidelines on Art.48 GDPR about data transfers to third country authorities and … it must comply with the General Data Protection Regulation (GDPR). In its guidelines, the EDPB zooms in on Art. 48 GDPR and clarifies how organisations can best assess under …
EDPBI:UK:OSS:D:2019:32
3 August 2019
… general-data-protection-regulation-gdpr/individual-rights/right-of-access/ In the absence of … controller did not comply with its obligations under the GDPR as it did not take sufficient action to assure itself …
EDPB publishes OSS case digest on Security of Processing and Data Breach Notification
18 January 2024
News
… case digest on Security of Processing (Art. 32 GDPR) and Data Breach Notification (Art. 33 & 34 GDPR) . Since the entry into force of the GDPR, data protection authorities (DPAs) have closely …
Geolocalisation data: the French SA fines UBEEQO International €175 000
25 July 2022
News
… Legal Reference: Data minimisation (Article 5.1.c GDPR), Retention period (Article 5.1.e GDPR), Information of individuals (Article 12 GDPR) Decision: Administrative fine Key words: Geolocation …
Belgian DPA fines controller for sending a direct marketing message to the wrong person and for not responding adequately to the subsequent request for access
19 June 2020
News
… answer to the request of the plaintiff (Article 15 GDPR), did not respond within the deadline set by the GDPR (Article 12.3 GDPR) and was not sufficiently transparent (Article 12.1 …
Investigation regarding access to and inspection by the employer of an employee’s emails on a company server, illegal installation and operation of a closed-circuit video-surveillance system and infringement of the right of access
14 January 2020
News
… as a controller had complied with the requirements of the GDPR and that its internal policies and regulations provided … had a legal right under Articles 5(1) and 6(1)(f) of the GDPR to carry out an internal investigation searching and … in his corporate PC. Following the finding that the GDPR had been infringed, the Authority decided in this …
Icelandic SA: the municipality of Garðabær fined EUR 16 590 for the use of Google Workspace for Education
26 April 2024
News
… municipality of Garðabær infringed multiple Articles of the GDPR with its use of Google’s educational system i.e.: … accordance with the Regulation (Articles 5, 24(1) & 28(1) GDPR) Data processing agreement did not meet the minimum requirements (Article 28(3)(a) GDPR) Failure to ensure that data is not further processed …
EDPB publishes Binding Decision concerning WhatsApp
24 January 2023
News
… instructed the IE DPA to add an infringement of Art. 6(1) GDPR. Additionally, the EDPB instructed the IE DPA to … of the principle of fairness under Art. 5(1)(a) GDPR. The EDPB further decided that the IE DPA must carry … it processes special categories of personal data (Art. 9 GDPR); whether it processes data for the purposes of …
Romanian Supervisory Authority issues two fines each of 23,893 lei (EUR 5,000) against Entirely Shipping & Trading S.R.L.
13 December 2019
News
… 12 and 13 of the General Data Protection Regulation (GDPR); the infringement of Article 5 paragraph (1) letter c), Article 6 and Article 7 of GDPR; the infringement of Article 5 paragraph (1) letter c), Article 9 and Article 7 of GDPR; the infringement of Article 5 paragraph (1) letters …
Romanian Supervisory Authority fine of 2,389.05 lei (EUR 500) against an Association of Owners
29 November 2019
News
… mentioned in Article 83 paragraph (5) letter a) of GDPR – fine in the amount of 2389.05 lei, the equivalent of … mentioned in Article 83 paragraph (5) letter b) of GDPR – reprimand; for the contravention found pursuant to … mentioned in Article 83 paragraph (4) letter a) of GDPR – reprimand. The sanctions were imposed following a …
EDPB annual report 2024: protecting personal data in a changing landscape
23 April 2025
Press releases
… application of the General Data Protection Regulation (GDPR) across Europe. To support understanding and … across Europe, ensure consistent enforcement of the GDPR, and address emerging challenges, including … The number of consistency opinions adopted under Art. 64(2) GDPR significantly increased. In 2024, the Board adopted …
Record fine for Instagram following EDPB intervention
15 September 2022
News
… Ireland Limited (Meta IE)) and has issued a record GDPR fine of €405 million. The LSA’s final decision follows … second highest fine since the entry into application of the GDPR - it is also the first EU-wide decision on children’s … EDPB’s binding decision was adopted on the basis of Art. 65 GDPR, after the Irish DPA as lead supervisory authority …
EDPB adopts pseudonymisation guidelines and paves the way to improve cooperation with competition authorities
17 January 2025
Press releases
… protection . EDPB clarifies the use of pseudonymisation for GDPR compliance The GDPR introduces the term ‘pseudonymisation’* and refers to … to use legitimate interests as a legal basis (Art. 6(1)(f) GDPR), as long as all other GDPR requirements are met. …
The Lithuanian SA adopted a decision on the processing of employee’s personal correspondence
26 January 2023
News
… The principle of accountability (Article 5(2) of the GDPR), lawfulness of processing (Article 6(1) of the GDPR) Summary of the Decision Origin of the case The … of such measures must comply with the requirements of the GDPR. In the light of the principle of accountability …
The French SA fines Clearview AI EUR 20 million
20 October 2022
News
… Lawfulness of processing of personal data (article 6 of the GDPR), Rights of individuals (articles 12, 15 and 17 of the GDPR), Cooperation with supervisory authority (article 31 of the GDPR) Decision: Infringement of the GDPR, Administrative …
Personalised advertising: French SA fined CRITEO EUR 40,000,000
15 June 2023
News
… Key Findings The French SA found five breaches of the GDPR: Failure to demonstrate that the person has given consent (Article 7.1 GDPR) Failure to comply with the obligation of information and transparency (Articles 12 and 13 GDPR) Failure to respect the right of access (Article 15.1 …
Irish Supervisory Authority fines TikTok €530 million and orders corrective measures following Inquiry into transfers of EEA User Data to China
4 July 2025
News
… met TikTok’s transparency requirements as required by the GDPR. Key Findings The Irish SA found that that TikTok’s transfers to China infringed Article 46(1) GDPR because it failed to verify, guarantee and demonstrate … to that guaranteed within the EU. Article 13(1)(f) GDPR requires data controllers to provide data subjects with …
Endorsed WP29 Guidelines
… meeting the European Data Protection Board endorsed the GDPR related WP29 Guidelines: Guidelines on consent under … 9/2022 on personal data breach notification under GDPR Guidelines on the right to data portability under … records of processing activities pursuant to Article 30(5) GDPR Working Document Setting Forth a Co-Operation Procedure …