Belgium
The Belgian DPA fined a website provider €5,000 for listing personal data of lawyers on its website without a legal basis and without informing the data subjects. In addition, its privacy and cookie policy were not compliant with the GDPR. Read more or edit on GDPRhub...
Written with the support of Maria Anagnostou
In a second case, the Belgian DPA fined a large media company (Rossel & Cie) €50,000 for violations regarding its cookie policy and for the placement of not strictly necessary cookies without obtaining prior consent. Read more or edit on GDPRhub...
Germany
The Regional Court of Cologne ordered an online stockbroker to pay non-material damages of €1,200 because it did not delete or change the login details of a previous business partner to its database for several years, which were later used in a data breach by a third party. Read more or edit on GDPRhub...
The Federal Administrative Court held that in the context of a request for rectification under Article 16 GDPR the data subject must prove that the data designated to replace the currently processed data is accurate itself. Read more or edit on GDPRhub...
The Schleswig-Holstein Higher Regional Court (OLG Schleswig-Holstein) ruled that under current German law a credit rating agency may only lawfully process personal information from insolvency proceedings no later than six months after their termination. Read more or edit on GDPRhub...
Hungary
The Hungarian DPA imposed a fine of approximately €25,000 on a debt management company which, among others, violated Article 12(1) GDPR by failing to accept a verbal request for erasure. Read more or edit on GDPRhub...
Written with the support of Abel Kaszian
Italy
The municipality of Orte was fined €20,000 by the Italian DPA for operating photo-traps without adopting any compliance measures, for failing to provide information to the data subjects, and for failing to provide direct contact to their DPO. Read more or edit on GDPRhub...
Written with the support of Carloc
Norway
The Norwegian DPA has banned the use of "Shinigami Eyes" on Norwegian territory after determining violations of Article 6(1), Article 12(2) and Article 14 GDPR. The controversial browser addon allows users to highlight trans-friendly or transphobic social network pages and users. Read more or edit on GDPRhub...
Written with the support of Rie Aleksandra Walle
Romania
The Romanian DPA fined a building owners association €7,000 for keeping an extensive register of couriers entering the residential complex and for keeping video surveillance footage of the entrance longer than necessary for security purposes. Read more or edit on GDPRhub...
Written with the support of Diana Rosu
The Romanian DPA also fined a processor responsible for the implementation of a marketing campaign €1,000 for sending a marketing email to 27 data subjects without hiding the other recipients' email addresses, violating Article 32(1)(b) GDPR. Read more or edit on GDPRhub...
Written with the support of Diana Rosu
Slovenia
The Slovenian DPA held that a private entity offering SARS CoV-2 tests violated Article 13 GDPR by failing to inform data subjects about transferring their data to a third party. Read more or edit on GDPRhub...
Written with the support of Sara Horvat
Spain
The Spanish DPA fined a bank €48,000 for failing to implement adequate technical and organizational measures to prevent a personal data breach: The bank had mistakenly disclosed a landlord's account balance to a tenant depositing rent. Read more or edit on GDPRhub...
Written with the support of taisfblauth
In another case, the Spanish DPA fined the airline Vueling €18,000 for relying on pre-checked consent boxes that enabled non-essential cookies and for continuing to use non-essential cookies even after users clicked "reject all." Read more or edit on GDPRhub...
Written with the support of Samuel Uzoigwe