GDPRhub newsletter 8 Aug 2022

πŸ’Έ €900,000 fine to a bank (and please contact me if you know how to get the full decision! πŸ“©)

6 days ago   •   2 min read

By Rie Aleksandra Walle
πŸŽ™οΈ
Listen to the audio recording here or in your favorite podcast player!

Austria

The Austrian Federal Administrative Court annulled a decision by the Austrian DPA and referred it back to investigate whether the data subject's right to file a complaint had actually expired as the controller claimed. Read more or edit on GDPRhub...

The Austrian Federal Administrative Court also partially reversed another decision by the Austrian DPA because it ordered a controller to provide more information than the data subject had requested. Read more or edit on GDPRhub...

In a third case, the Austrian Federal Administrative Court stayed proceedings in an appeal from an Austrian DPA decision pending an answer from the CJEU on whether an "undertaking" could be strictly liable for adminstrative infringements. Read more or edit on GDPRhub...

The Austrian DPA authorized the transfer of personal audit documents to the US Public Company Accounting Oversight Board following an application for approval by the Federal Minister of Finance. The transfer was based on an administive arrangement per Article 46(3)(b) GDPR. Read more or edit on GDPRhub...

The Austrian DPA also ordered a bank to delete a copy of a data subject's driver's license it had retained to comply with the Austrian Financial Markets Money Laundering Act; the bank was not required to verify the data subject's identity under the law. Read more or edit on GDPRhub...

Belgium

The Belgian DPA held that discussing a data subject's health-related personal data in a staff meeting where she was absent and consequently including the data in the minutes of the meeting was incompatible with the purpose of the original processing (personnel management) and did not have any other legal basis to rely on. Read more or edit on GDPRhub...

The Belgian DPA held that a controller can rely on legitimate interest as a legal basis to send former customers direct marketing if the relationship ended 'not that long ago' and the data subject did not object to this processing. Read more or edit on GDPRhub...

Written with the support of Enzo Marquet

Bulgaria

The Supreme Administrative Court of Bulgaria (BAC) affirmed a ruling by the Administrative Court of Sofia awarding approximately €128 (250 BGN) each to two data subjects after a heating company retained a copy of their mortgage and presented it in court without a legal basis. Read more or edit on GDPRhub...

Written with the support of Marieta Gencheva

Germany

The Regional Court of Ravensburg made a reference for a preliminary ruling to the CJEU. It asked whether the concept of non-material damage includes short-term loss of control over one's data or whether it requires that the data subject suffers a noticeable disadvantage and an objectively determinable impairment of their interests. Read more or edit on GDPRhub...

Written with the support of Sainey Belle

The Adminstrative Court of Frankfurt held that the German authorities were not obligated to use end-to-end encryption when communicating with an arms dealer; transport encryption was compatible with the state of the art. Read more or edit on GDPRhub...

Written with the support of Fabian Dechent

The DPA of Lower Saxony intends to fine a bank of €900,000 for creating customer profiles, enriched with third-party data, for advertising purposes, without consent. The DPA held that such processing cannot be based upon legitimate interest as per Article 6(1)(f). Read more or edit on GDPRhub...

Written with the support of lacrosse

Italy

The Italian DPA ordered Google LLC to de-index an article about a criminal investigation on the data subject, as there was no public interest regarding the news, regardless of the article being accurate and up to date. Read more or edit on GDPRhub...

Written with the support of carloc

Netherlands

The Court of Appeal of Arnhem-Leeuwarden held that the submission of an overview containing third parties’ personal data during court proceedings was not in violation of the GDPR, as the controller had to do so under Article 6(1)(c) GDPR. Read more or edit on GDPRhub...

Written with the support of Giel Ritzen

Keep reading