Search results | European Data Protection Board

EDPB adopted documents - 48th plenary
22 April 2021
News
… implementing decision pursuant to Regulation (EU) 2016/679 (GDPR) on the adequate protection of personal data in the … Kingdom Guidelines on the application of Article 65(1)(a) GDPR Guidelines on the targeting of social media users … implementing decision pursuant to Regulation (EU) 2016/679 (GDPR) on the adequate protection of personal data in the …
The Lithuanian SA adopted a decision on the actions of the organisation on the processing of children’s image data
26 January 2023
News
… a legal basis for the processing of data (Article 6(1)(a) GDPR), conditions for consent (Article 7 GDPR) Decision: The complaint was found to be well-founded … the corrective actions provided for in Article 58(2) of the GDPR have been taken Summary of the Decision Origin of …
Failure of an airline company to inform the data subject of completion of erasure request, failure of transparency obligations
12 March 2024
News
… SA founded that the data controller infringed Article 12(3) GDPR because it failed to inform the Data Subject of the … of transparent data processing according to Article 5(1)(a) GDPR as the Data Subject could not see what additional data, … data. The Hungarian SA has also found that Article 5(2) GDPR cannot be regarded as a provision requiring mandatory …
EDPB publishes new register containing One-Stop-Shop decisions
25 June 2020
News
… following the One-Stop-Shop cooperation procedure (Art. 60 GDPR) on its website. Under the GDPR, Supervisory Authorities have a duty to cooperate on … information showcasing how SAs work together to enforce the GDPR in practice. The information in the register has been …
Health data breach: Dedalus Biologie fined 1.5 million euros
4 May 2022
News
… the authority of the controller or processor (Article 29 GDPR), Security of processing (Article 32 GDPR), Processor (Article 28 GDPR) Decision: Administrative fine Key words: Health data …
Lithuanian SA: fine of € 2 385 276 on Vinted, UAB (company)
26 July 2024
News
… the company to applicants (infringements of Article 5(1)(a) GDPR (principles of fairness and transparency, Article 12(1) and (4) GDPR); processing in the context of a company’s ‘shadow … (infringements of lawfulness principle, Article 5(1)(a) GDPR and Article 6(1) GDPR); improper implementation of the …
Polish SA imposed a fine for processing without legal basis
30 November 2022
News
… case: National case Legal references: Article 6 (1) GDPR (Lawfulness of processing), Article 5 (1) (a) GDPR (Principles relating to processing of personal data), Article 9 (1) and (2) GDPR (Processing of special categories of personal data), …
Hungarian SA’s decision on the handling of access request by an airline company
7 December 2023
News
… can therefore be lawful only if it has a legal basis under GDPR Article 6(1). Where the processing also involves … the controller must have a legal basis under Article 6(1) GDPR or the processing must also comply with one of the situations set out in Article 9(2) GDPR. The reply of the Company to the request of access …
Employee monitoring: French SA fined Amazon France Logistique €32 million
23 January 2024
News
… Key Findings The French SA found several breaches of the GDPR regarding: Warehouse stock and order management: … with the principle of data minimisation (Article 5.1.c GDPR). Failure to ensure lawful processing (Article 6 GDPR) by using three indicators which are illegal: the "Stow …
Polish SA imposed a fine for lack of cooperation with the supervisory authority
23 March 2022
News
… national case: National case Legal references: Article 31 GDPR(Co-operation with the supervisory authority), Article 58 (1) (e) GDPR, Article 58 (2) (i) GDPR, Article 83 (1-3) and (5) (e) GDPR (General conditions …
Administrative fine for housing association for lack of personal data breach notification to the Polish SA
1 March 2023
News
… case Legal references: Article 83 (1), (2), (4) (a) GDPR (General conditions for imposing administrative fines), Article 57 (1) (a) and (h) GDPR, Article 58 (2) (e) and (i) GDPR, Article 33 (1) GDPR (Notification of a personal data …
Company offering electronic communication services – no complete information of the data subjects & no sufficient technical and organisational measures
22 January 2024
News
… order to verify the compliance with the provisions of the GDPR, and more precisely concerning the legal basis of the … that the data controller violated article 13.1.e) of the GDPR (no information about the recipients of the personal … the CNPD identified a violation of article 24.1 of the GDPR (responsibility of the data controller), as personal …
EDPB Statement : EDPB cooperation on the elaboration of guidelines
16 December 2021
Statements
… law. In seeking to ensure the consistent application of the GDPR, the process leading to consensus or majority positions … law and procedures. Within the framework provided by the GDPR, the Members of the Board work together in a respectful … that hold one position or another – it is simply the GDPR working as intended. In this regard, although not …
Belgian DPA imposed a fine of 1,000 EUR on an association that sent direct marketing messages to (former) donors for fundraising
26 June 2020
News
… on the basis of its legitimate interest (Article 6.1, f) GDPR), sent direct marketing messages to (former) donors for … subject to the data controller pursuant to Article 17.1 GDPR and its right to object pursuant to Article 21.2 GDPR. The Litigation Chamber decided that the data …
The Icelandic SA: The University of Iceland fined 1.500.000 ISK for the use of video surveillance
6 September 2023
News
… not complied with data protection principles in Article 5 GDPR and not informed the data subjects about processing in accordance with Article 12 and 13 GDPR. Key Findings Failure to comply with the obligation … fairly and in a transparent manner (Article 5(1)(a) GDPR) Failure to inform the data subjects about processing …
Hungarian SA’s decision: failure by an airline company to comply with an erasure request concerning an email address used for direct marketing
2 February 2024
News
… request, hence the Company breached Article 12(3) of GDPR when they failed to meet the Complainant’s erasure … right to erasure according to Article 17(1)(b) of GDPR. The Company also failed to meet the requirements of … database, so the Company breached Article 25(1) of GDPR. Decision The Authority established that the Company …
Belgian DPA imposes €20.000 fine on Proximus for several data protection infringements
20 August 2020
News
… the e-Privacy Directive forms lex specialis vis-à-vis the GDPR (as lex generalis), as stated in article 95 GDPR, the provisions with regard to consent of the GDPR remain applicable as preconditions for lawful …
EDPB adopts urgent binding decision: Irish SA not to take final measures but to carry out statutory investigation
15 July 2021
News
… its first urgent binding decision pursuant to Art. 66(2) GDPR following a request from the Hamburg supervisory … Ireland Ltd (Facebook IE) on the basis of Art. 66 (1) GDPR. The DE-HH SA ordered a ban on processing WhatsApp user … existence of urgency, the EDPB considered that Art. 61(8) GDPR was not applicable as the DE-HH SA did not demonstrate …
Boosting enforcement and cooperation - EDPB sets out priorities
22 February 2023
News
… by national DPAs via binding decisions under Art. 65 GDPR and to advise the EU legislator on data protection … further guidance and develop awareness-raising tools on the GDPR for a wider audience. Furthermore, the EDPB intends to … such as on the interplay between the AI Act and the GDPR and on the use of social media by public bodies. … The …
The Norwegian Data Protection Authority: Ferde AS fined
13 October 2021
News
… Controller: Ferde AS Legal Reference: Processor (ARTICLE 28 GDPR), Security of Processing (ARTICLE 32 GDPR), General principle for transfers (ARTICLE 44 GDPR) Decision: infringement declared and fine imposed Key …