GDPRhub newsletter 19 May 2022

Spanish DPA fines a supermarket chain €170,000 for using AI to analyze callers' emotions 🤯

6 months ago   •   3 min read

By Rie Aleksandra Walle
🎙️
Listen to the audio recording here. Also check out the Grumpy GDPR podcast where we discuss this newsletter's top story: Banking on Emotions

Austria

The Austrian Federal Court held that the Austrian DPA was not allowed to reject a complaint as excessive. In particular, the DPA did not demonstrate that the specific complaint was similar to the other 86 filed by the same data subject. Read more or edit on GDPRhub...

Denmark

The Danish DPA reprimanded a municipality for violating Article 32(1) GDPR by not restricting terminated employee's access to its file system and not following up with control over the former employee's access rights. Read more or edit on GDPRhub...

Written with the support of Vadym Kublik

The Danish DPA also reported a government healthcare agency to the police with a proposal of a 50,000 DKK fine for violating the rules on consultation with a supervisory authority in cases of high risk processing of personal data. Read more or edit on GDPRhub...

Written with the support of Vadym Kublik

The Danish DPA also reprimanded the Danish Financial Supervisory Authority (FSA) for breaching Article 32(1) GDPR by passing on information about whistleblowers to a journalist. The disclosure resulted from an inadequate anonymisation technique when email addresses could still be revealed from redacted PDF documents. Read more or edit on GDPRhub...

Written with the support of Vadym Kublik

Lastly, the Danish DPA suggested to issue a fine of 100,000 DKK against an agency of the Danish Ministry of Justice. The DPA held that the agency violated security obligations under the GDPR by not encrypting a USB flash drive which contained personal data, and Article 33(1) GDPR by not reporting the data breach to the DPA after the USB flash drive was lost. Read more or edit on GDPRhub...

Written with the support of Vadym Kublik

European Union

The CJEU held that under Article 80(2) GDPR, national legislations may allow consumer protection associations to bring legal proceedings for GDPR violations. That is so even when they have not been specifically authorised for this purpose, and it is independent of the rights of data subjects. Read more or edit on GDPRHub...

Written with the support of Gauravpathak

Germany

The Labour Court of Cologne held that a controller whose employees work in care facilities was allowed to make copies of its employees' vaccination cards and compare them with publicly available resources in order to validate their authenticity. Read more or edit on GDPRhub...

Written with the support of Fabian Dechent

The Higher Regional Court Dresden held that an insurance company can reject a request to access as excessive if the request's purpose is not to be aware of or verify the lawfulness of the processing but to verify the validity of increases to insurance premiums. Read more or edit on GDPRhub...

Written with the support of lacrosse

Hungary

The Hungarian DPA imposed a fine of approximately €1,300 on a car repair shop. The DPA held that the shop violated Articles 5, 6 and 13 GDPR by failing to properly inform its employees about CCTV surveillance and for using it in areas intended for work breaks. Read more or edit on GDPRhub...

Written with the support of Abel Kaszian

Netherlands

The District Court Den Haag rejected a data subject’s claim that the city government had not provided all information within the scope of her access request under Article 15 GDPR, because the data subject did not make it plausible why this was the case. Read more or edit on GDPRhub...

Written with the support of Giel Ritzen

The District Court Midden-Nederland rejected a data subject’s claim to receive copies of emails containing his personal data because he did not specifically ask for them in his request. In addition, the court held that the controller did not have to provide documents in which the personal data were processed, provided that an overview of the data was sufficient for verifying the accurateness and lawfulness of processing. Read more or edit on GDPRhub...

Written with the support of Giel Ritzen

Norway

The Norwegian DPA intends to fine a company €29,376 for monitoring and accessing a prior employee's emails without a legal basis in Article 6(1)(f) GDPR, for lack of information as per Article 13, failure to assess their objection as per Article 21, and lack of technical and organisational measures as per Article 24. Read more or edit on GDPRhub...

Written with the support of Rie Aleksandra Walle

Romania

The Romanian DPA fined a gas station €1,000 for not implementing appropriate technical and organisational measures against unauthorised access to video footage captured by its surveillance cameras. Read more or edit on GDPRhub...

Written with the support of Diana Rosu

Spain

The Spanish DPA fined MERCADONA S.A. €170,000 for not replying to an access request and for deleting data without a legal basis. Read more or edit on GDPRhub...

Spread the word

Keep reading