GDPRhub newsletter 30 June 2022

CJEU ruling on firing your DPO, 137 complaints 🤯 rejected as excessive and yet another 101 NOYB complaints case against Google.

5 months ago   •   3 min read

By Rie Aleksandra Walle
🎙️
Listen to the audio recording here.

European Union

The CJEU held that Article 38(3) GDPR does not preclude national legislation mandating that a controller can only terminate employment of a DPO with “just cause” as long as the legislation does not undermine objectives of the GDPR. Read more or edit on GDPRhub...

Austria

The Federal Administrative Court of Austria held that the DSB only has the power to declare processing activities unlawful in proceedings following a complaint, and not when they where initiated by the DSB itself. Read more or edit on GDPRhub...

In another case, The Federal Administrative Court of Austria held that the DSB (Austria) was allowed to reject a complaint as excessive, because the data subject had already lodged 137 other complaints which partially focused on the same subject matter.Read more or edit on GDPRhub...

Belgium

The Belgian DPA fined a telecommunications provider €20,000 for exposing a customer's personal data to a third party by assigning their phone number to another customer and for not reporting the data breach. Read more or edit on GDPRhub...

Written with the support of Enzo Marquet

The Belgian DPA also held that a publisher (De Tijd) lawfully refused a data subject's request for erasure regarding a news article on the data subject in the publisher's online archive, based on it's right to freedom of expression and information. Read more or edit on GDPRhub...

Written with the support of Enzo Marquet

Denmark

The DPA recommended a €134,427 (DKK 1,000,000) fine against the Danish publisher Gyldendal for not deleting the personal data of its unsubscribed book club members. Read more or edit on GDPRhub...

Written with the support of Vadym Kublik

Finland

The Finnish DPA ordered a hospital to delete any historical data, location logs, and other employee personal data generated by the default save location feature in Windows 10 for Workstations. The setting violated the "data protection by default" principle under Article 25(2) GDPR. Read more or edit on GDPRhub...

Written with the support of Vadym Kublik

Germany

The Regional Court Cologne held that the SCHUFA is allowed to process information about the discharge of residual debt by an insolvency court for 3 years. Read more or edit on GDPRhub...

Written with the support of lacrosse

The DPA of Berlin (BInBDI) issued a reprimand to a controller for violating Article 17(1) GDPR by not erasing personal data after a request for ersaure was received, although there was no legal basis for further processing the data.Read more or edit on GDPRhub...

Written with the support of Marieta Gencheva

Hungary

The Hungarian DPA held that the Budapest Bar Association violated Article 15 and Article 12 GDPR by failing to reply to an access request within the time limit, which was held to start running regardless of the Association's closed offices. Read more or edit on GDPRhub...

Italy

Italy's DPA reprimanded a website operator for failing to provide appropriate safeguards for the transfer of personal data to the US through Google Analytics, ordering it to comply with Article 46 GDPR or suspend data transfers to Google LLC. Read more or edit on GDPRhub...

In another case, the Italian DPA fined a hospital €70,000 for putting the recipients of two medical newsletters in CC instead of BCC, revealing the personal data (including health data) to all recipients without legal basis. Read more or edit on GDPRhub...

Written with the support of Samuel Uzoigwe

Finally, the Italian DPA also ordered Facebook Italy and Meta Platforms Ireland Limited to remove revenge porn relating to a data subject from its platforms. Read more or edit on GDPRhub...

Written with the support of Carloc

Spain

The Spanish DPA held that the use of a doorbell camera did not constitute processing of neighbors' personal data, but it cautioned that the device must be used like a traditional peephole and not as video surveillance. Read more or edit on GDPRhub...

The Spanish DPA also fined a public broadcaster (Radiotelevision Española) €30,000 for failing to disguise the voice of a rape victim before publishing an audio recording of her testimony at trial. Read more or edit on GDPRhub...

Spread the word

Keep reading