Search results | European Data Protection Board

Norwegian SA issues fine and orders to Norwegian Labour and Welfare Administration
4 November 2024
News
… Article 5 (Principles relating to processing of personal data), Article 32 (Security of processing), Article 24 … Key words: Principles relating to processing of personal data, Data security, Public administration, Sensitive data … is not satisfactory to ensure compliance with the data protection regulations, and that securing confidentiality …
Guidelines 07/2020 on the concepts of controller and processor in the GDPR
6 September 2020
Guidelines
… Type: Guidelines Topics: Controller Processor The European Data Protection Board welcomes comments on the Guidelines … 32). A processor must also designate a data protection officer under certain conditions (Article 37) and has a duty …
Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR
22 July 2020
Guidelines
… Type: Guidelines Topics: Financial matters The European Data Protection Board welcomes comments on the Guidelines … set out in the Regulation and in accordance with applicable data protection rules. All legal details can be found in our …
The Norwegian SA issues fine to the Municipality of Østre Toten for flawed information security
7 July 2022
News
… Cyber attack, Ransomware, Dark Web, Special Categories of Data Summary of the Decision Origin of the case The … most of the municipality’s IT systems, the municipality’s data was encrypted, and back-ups were erased. Ransom … flawed. These flaws include logs and log analytics, backup protection and lack of two-factor authentication or similar …
Commercial prospecting: French SA fined CEGEDIM SANTÉ EUR 800 000
17 September 2024
News
… Article 5 (Principles relating to processing of personal data) Decision: Administrative fine Key words: Health … had processed, without authorisation, non-anonymous health data, transmitted to its customers in order to carry out … French SA to use them (Article 66.III of the French Data Protection Act). To assess whether or not the data processed …
Clubhouse fined EUR 2 million by the Italian SA
20 January 2023
News
… Reference: Principles relating to processing of personal data (Article 5(1)(a)(e); Lawfulness of processing (Article … and modalities for the exercise of the rights of the data subject (Article 12); Information to be provided where … controllers not established in the Union (Article 27); Data protection impact assessment (Article 35) …
Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679
30 May 2018
Guidelines
… - version adopted after public consultation The European Data Protection Board welcomes comments on the Guidelines 1/2018 … circumstances (including the appointment of Data Protection Officers and carrying out data protection impact …
Hungarian SA’s decision: failure by an airline company to comply with an erasure request concerning an email address used for direct marketing
2 February 2024
News
… and modalities for the exercise of the rights of the data subject), Article 17 (Right to erasure (‘right to be forgotten’)), Article 25 (Data protection by design and by default) Decision: reprimand Key …
IMY issues an administrative fine against Spotify for shortcomings regarding transparency
12 June 2023
News
… case: Cross-border case LSA: Swedish Authority for Privacy Protection (IMY) CSAs: All other SAs Controller: Spotify … Legal references: Article 15 (Right to access by the data subject), Article 12.1, Article 12.3, Article 58, … the complainants request for access Key words: Exercise of data subject rights, Transparency, Administrative fine …
Croatian SA imposed an administrative fine on debt collection agency B2 Kapital
16 May 2023
News
… Article 13 (Information to be provided where personal data are collected from the data subject), Article 28 (Processor) Decision: … provision of Article 13, paragraph 1 of the General Data Protection Regulation. This resulted in non-transparent …
French SA: Cookies placed without consent: SHEIN fined 150 000 000 EUR by the CNIL
4 September 2025
News
… STYLES SERVICES CO. LIMITED Legal Reference: The French Data Protection Act (Article 82): failure to obtain user consent … withdrawing consent Decision: Infringement of the French Data Protection Act, Administrative fine Key words: Cookies …
French SA: Cookies and advertisements inserted between emails: GOOGLE fined 325 000 000 EUR by the CNIL
4 September 2025
News
… without free and informed consent (Article 82 of the French Data Protection Act) Decision: Infringement of the French Post … Electronic Communications Code, Infringement of the French Data Protection Act, Administrative fine and injunction Key …
Hungarian SA’s decision: failure by an airline company to comply with an erasure request concerning an email address used for direct marketing
7 December 2023
News
… and modalities for the exercise of the rights of the data subject), Article 17 (Right to erasure (‘right to be forgotten’)), Article 25 (Data protection by design and by default) Decision: Warning Key …
Monitoring employees and broadcasting CCTV footage: Slovenian SA fines DODO PIZZA
4 November 2024
News
… Decision: Compliance order, Definitive limitation data processing, Administrative fine Key words: CCTV, … people or property (violation of Article 78 of the national Data Protection Act). And second, these CCTV footages were …
Norwegian Supervisory Authority with final decision to fine NAV
21 June 2022
News
… (Art. 6) and principles relating to processing of personal data (Art. 5) Decision: Infringement of the GDPR and fine … process had no legal basis according to the General Data Protection Regulation. Publication of a CV has been a …
Ministry of Migration and Asylum receives administrative fine and GDPR compliance order following an own-initiative investigation by the Greek SA
15 April 2024
News
… fine Keywords: own-initiative investigation, biometric data, Data Protection Impact Assessments Summary of the Decision …
Romanian SA fines UiPath SRL for breaching Articles 25 and 32 GDPR
18 July 2023
News
… Controller: UiPath SRL Legal references: Article 25 (Data protection by design and by default), Article 32 (Security … Decision: Administrative fine, Compliance order Key words: Data protection by design and by default, Personal data …
Guidelines 08/2020 on the targeting of social media users
7 September 2020
Guidelines
… New Technology Automated decision & profiling The European Data Protection Board welcomes comments on the Guidelines 8/2020 … according to Article 35 GDPR, and whether a data protection officer must be appointed under Article 37 GDPR. In the …
Norwegian Supervisory Authority issues fine to the Norwegian parliament
4 March 2022
News
… (Art. 32) and Principles relating to processing of personal data (Art. 5) Decision: Infringement of the GDPR and fine … of the case The Norwegian parliament – the Storting – had a data breach in late 2020. In January 2022, the Norwegian … similar effective security measures to achieve satisfactory protection. Decision The Norwegian SA have issued a EUR …
Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679
12 February 2019
Guidelines
… Monitoring Bodies under Regulation 2016/679 The European Data Protection Board welcomes comments on the Guidelines 1/2019 … and monitoring body. Similar to a data protection officer, the monitoring body should be able to act free from …