GDPRhub newsletter 28 July 2022

🧨 Danish DPA with most significant (?) decision since the Schrems II ruling - banning certain use of Google products and US transfers.

12 days ago   •   2 min read

By Rie Aleksandra Walle
🎙️
Listen to the audio recording here or in your favorite podcast player!

Austria

The Austrian DPA held that the exact method by which an insurer calculated a settlement offer was a trade secret covered by Articles 15(4) GDPR and 4(6) DSG; the controller's 200-page response to an access request was complete. Read more or edit on GDPRhub...

Croatia

The Croatian DPA fined a car dealership approximately €4,000 for processing of personal data by a video surveillance system without prior notice. Read more or edit on GDPRhub...

Written with the support of Presido Croatia

The Croatian DPA also fined a provider of telecommunications services approximately €283,000 for not taking appropriate technical and organisational security measures which exposed personal data of 100,000 data subjects to attackers. Read more or edit on GDPRhub...

Written with the support of Presido Croatia

Denmark

The Danish DPA reprimanded the Municipality of Helsingør for violating Articles 5(2), 24, 35(1) and 44 GDPR by its use of Google Chromebooks and Google Workspace for Education in primary schools. It banned such processing of personal data until it is brought in line with the GDPR and suspended any related data transfers to the United States. Read more or edit on GDPRhub...

🧨
Read about the two relevant decision in this case in this article, and make sure you check out our episode Google Got Schooled on the Grumpy GDPR podcast.

The Danish DPA reprimanded the Danish Health Data Authority for violating Article 32(1) GDPR by not testing its medication database for service architecture errors, which led to a data breach affecting 267 data subjects. Read more or edit on GDPRhub...

Written with the support of Vadym Kublik

The Danish DPAa also reprimanded a footwear distributor for violating Articles 24(1) and 32(1) GDPR by failing to implement appropriate security measures to prevent unauthorized access to the customers' payment information. Read more or edit on GDPRhub...

The Danish DPA a third company, an insurer, for violating Articles 25(1) and 32(1) GDPR by lacking sufficient security measures and not implementing privacy by design in the development stages of their customer portal. Read more or edit on GDPRhub...

Germany

The Financial Court of Munich held that documents in tax dossiers were not personal data. Consequently, Article 15(1) GDPR was not applicable. Read more or edit on GDPRhub...

Written with the support of lacrosse

Netherlands

The Administrative Division of the Council of State held that the exception to the "right to be forgotten" in Article 17(3)(e) AVG included retention for defence against legal claims even though the Dutch text did not explicitly use the word "defence." Read more or edit on GDPRhub...

The Court of Appeal of Arnhem-Leeuwarden held that in the context of the GDPR (legitimate interest of the controller) and criteria elaborated by the CJEU, an employee's reasonable expectations of privacy at work and the extent of surveillance must be considered when assessing a potential privacy violation by an employer. Read more or edit on GDPRhub...

Written with the support of Giel Ritzen

Slovenia

The Slovenian DPA found that a controller-processor arrangement was not an accurate description of the responsibilities shared by a cloud computing provider and its clients because both made determinations about the purposes and means of processing; the DPA ordered the cloud computing provider to establish joint-controller arrangements with its clients. Read more or edit on GDPRhub...

Written with the support of Primož Govekar

Keep reading