Inspection Access Rights and Cooperation Obligations

Recital 146

Article 82

Requests for access restrictions and cooperation with national courts

Article 82

Verzoeken om toegangsbeperkingen en samenwerking met nationale rechterlijke instanties

Article 86

Verwerking en recht van toegang van het publiek tot officiële documenten

Recital 63

Article 15

Right of access by the data subject

Recital 154

Woo. Keuze familienaam als bedrijfsnaam komt voor rekening personen. Dat is geen reden om te lakken bij Woo-verzoek.

Rechtbank

Wet Open overheid, bedrijfs- en fabricagegegevens, persoonlijke levenssfeer, veiligheid, horen in bezwaar, 6:22 Awb

Woo zaak. Art. 5.1(7) Woo vereist geen belangenafweging eerbiediging privéleven maar dat levert geen schending op art. 8 EVRM.

Raad van State

Bij besluiten van 4 mei 2023 heeft de minister van Landbouw, Visserij, Voedselzekerheid en Natuur naar aanleiding van een verzoek van journalisten van NRC, Follow the Money en Omroep Gelderland besloten tot openbaarmaking van informatie over - kortgezegd - boerenbedrijven. De journalisten hebben in drie afzonderlijke verzoeken uit december 2022 en januari 2023 de minister - verkort weergegeven - verzocht om openbaarmaking van gegevens uit de Basiskaart Agrarische Bedrijfssituatie 2021, de Gecombineerde Opgaven van alle agrarische ondernemingen in Nederland op 1 april 2010, 2015, 2020, 2021 en 2022 en een overzicht van alle agrarische ondernemingen in de provincie Gelderland waar onder andere rundvee, varkens, kippen, geiten en schapen worden gehouden. FDF en anderen, NMV, LTO en een aantal individuele veehouders hebben bezwaar gemaakt tegen de besluiten van de minister. Volgens hen mag de minister de gegevens niet zomaar openbaar maken, omdat de gegevens geen emissiegegevens zijn. Er had daarom een belangenafweging moeten plaatsvinden.

Inzageverzoek aan voldaan.

Raad van State

Op 17 juni 2021 heeft [appellant] de Commissie Bezwaarschriften gemeente Het Hogeland op grond van artikel 15 van de Algemene Verordening Gegevensbescherming (EU) 2016/679 (hierna: AVG) verzocht om inzage in de verwerking van haar persoonsgegevens. Op 16 juli 2021 heeft het college op dit verzoek gereageerd, omdat het stelt verwerkingsverantwoordelijke te zijn voor verwerking van persoonsgegevens door de Commissie. Daarbij heeft het college 95 documenten, waarin persoonsgegevens van [appellant] voorkomen, aan [appellant] verstrekt. In het besluit van 23 november 2021 heeft het college het hiertegen gemaakte bezwaar van [appellant] gedeeltelijk gegrond verklaard voor zover het college alleen zichzelf als verwerkingsverantwoordelijke had aangemerkt.

Österreichische Datenschutzbehörde v CRIF

C-487/21 (Österreichische Datenschutzbehörde)

Right of access includes obtaining a copy in commonly used electronic form.

Rechtbank Midden-Nederland - persoonsgegevens - 20/268

Rechtbank Midden-Nederland - Bestuursrecht

MK AVG, reikwijdt begrip 'persoonsgegevens'. Gegrond met instandlating rechtsgevolgen.

HvJ EU: Privacy Shield ongeldig verklaard (Schrems II)

Het Hof van Justitie verklaart het Privacy Shield-akkoord ongeldig wegens onvoldoende waarborgen voor Europese burgers tegen toegang door Amerikaanse inlichtingendiensten.

Bundesverband der Verbraucherzentralen v Planet49 GmbH

C-673/17 (Planet49)

Pre-ticked checkboxes do not constitute valid consent. Consent must be active.

Google LLC v CNIL

C-507/17 (Google Territorial Scope)

Right to delisting does not require global de-referencing under EU law.

GC and Others v CNIL

C-136/17 (GC and Others)

Conditions for delisting sensitive data from search results.

Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV

C-40/17 (Fashion ID)

Website operators using Facebook Like button are joint controllers for data collection.

Jehovah’s Witnesses

Jehovah’s Witnesses

Access: Exercise of the right to access cannot be systematically denied on the basis of privacy violations without analyzing the specific circumstances. (¶¶ 89-94)

Peter Nowak v Data Protection Commissioner

C-434/16 (Nowak)

Examination scripts constitute personal data of the candidate.

SMARANDA BARA ET AL. V. PRESEDINTELE CASEI NATIONALE DE ASIGURARI DE SANATATE (CNAS) ET AL., 1.10.2015 (“BARA”)

Bara

Right to be informed: National law that does not require the specific transfer involved in the case cannot constitute “prior information” under Article 10 of Directive 95/46 (information requirement where data is collected from the data subject), enabling the controller to dispense with his obligation to inform the data subject of the recipients of the data. (¶¶ 34–38). Article 11 (information requirement where data is not collected from data subject) requires that specified information be provi

DENNEKAMP V. EUROPEAN PARLIAMENT (15.7.2015) (“DENNEKAMP II”)

Dennekamp II

Necessity: An applicant for access to documents containing personal data must establish necessity (i.e. the transfer must be the most appropriate of the possible measures and it is proportionate to the goal) (¶¶ 60–61)

RYNES V. ÚŘAD PRO OCHRANU OSOBNICH ÚDAJŮ, 11.12.2014 (“RYNES”)

Rynes

Personal data: The image of a person recorded by a camera constitutes personal data because it makes it possible to identify the person concerned. (¶ 22)

MINISTER VOOR IMMIGRATIE V. M, 17.7.2014 (“Minister v. M”)

Minister v. M

Right to access: The right of access is a per-requisite to obtain rectification, erasure or blocking of personal data (¶¶ 44-46). To comply with the right of access it is sufficient for the applicant to be provided with a full summary of those data in an intelligible form, that is, a form which allows him to become aware of those data and to check that they are accurate and processed in compliance with the Directive. He need not be given a copy of the documents. (¶¶ 59-60)

X, 12.12.2013 (“X”)

X

Access: Directive 95/46 does not require Member States to levy fees when the right of access to personal data is exercised, nor does it prohibit the levying of such fees as long as they are not excessive. (¶¶ 22, 25, 28–30)

DENNEKAMP V. EUROPEAN PARLIAMENT, 23.11.2011 (“DENNEKAMPI”)

Dennekamp I

Balancing fundamental rights: Regulation 1049/2001 (access to documents) and Regulation 45/2001 (data protection) do not contain any provisions granting one primacy over the other, therefore full application of both should, in principle, be ensured. (¶¶ 23-24)

COMMISSION V. BAVARIAN LAGER CO., 29.Jun.2010 (“BAVARIAN LAGER”)

Bavarian Lager

Processing: Communication of personal data in response to a request for access to documents constitutes processing. (¶69)

COLLEGE VAN BURGEMEESTER EN WETHOUDERS VAN ROTTERDAM V. RIJKEBOER, 7.5.2009 (“RIJKEBOER”)

Rijkeboer

Right of Access: Rules limiting the storage of information on the recipients or categories of recipient of personal data and on the content of the data disclosed to a period of one year and correspondingly limiting access to that information, while basic data is stored for a much longer period, do not constitute a fair balance of the interest and obligation at issue, unless it can be shown that longer storage of that information would constitute an excessive burden on the controller (determinati

Richtsnoeren 01/2020 inzake de verwerking van persoonsgegevens in het kader van verbonden voertuigen en mobiliteitsgerelateerde toepassingen

guidelines connected vehicles

Versiegeschiedenis

guidelines doorgifte van persoonsgegevens tussen overheidsinstanties en -organen binnen en buiten de EER

Richtsnoeren 3/2022 betreffende het herkennen en vermijden van misleidende ontwerppatronen in de interfaces van socialemediaplatforms

guidelines misleidende ontwerppatronen

Deze richtsnoeren bieden praktische aanbevelingen aan aanbieders van sociale media als verwerkingsverantwoordelijken van sociale media, ontwerpers en gebruikers van socialemediaplatforms, over het beoordelen en vermijden van zogenaamde 'misleidende ontwerp patronen' in de interfaces van sociale media die inbreuk maken op de vereisten van de AVG. Daartoe beveelt de EDPB aan dat verwerkingsverantwoordelijken gebruikmaken van interdisciplinaire teams, bestaande uit onder meer ontwerpers, func...

Richtsnoeren 3/2018 over het territoriale toepassingsgebied van de AVG (artikel 3)

guidelines territoriaal toepassingsgebied AVG

GROEP GEGEVENSBESCHERMING ARTIKEL 29

guidelines transparantie

Guidelines 03/2022 on Deceptive design patterns in social media platform interfaces: how to recognise and avoid them

Guidelines on deceptive design patterns in social media platform interfaces: how to recognise and avoid them

These Guidelines offer practical recommendations to social media providers as controllers of social media, designers and users of social media platforms on how to assess and avoid so-called 'deceptive design patterns' in social media interfaces that infringe on GDPR requirements. To this end, the EDPB recommends that controllers make use of interdisciplinary teams, consisting, among others, of designers, data protection officers and decision-makers. It is important to note ...

Guidelines 01/2022 on data subject rights - Right of access

Guidelines on data subject rights - Right of access

The right of access of data subjects is enshrined in Art. 8 of the EU Charter of Fundamental Rights. It has been a part of the European data protection legal framework since its beginning and is now further developed by more specified and precise rules in Art. 15 GDPR.

Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications

Guidelines on processing of personal data through video devices

Richtsnoeren 02/2022 voor de toepassing van artikel 60 AVG

guidelines voor de toepassing van artikel 60 AVG

Een van de belangrijkste innovaties bij de invoering van de AVG was de introductie van het concept 'één-loketmechanisme'. In gevallen van grensoverschrijdende verwerking is de toezichthoudende autoriteit in de lidstaat van de hoofdvestiging van de verwerkingsverantwoordelijke of verwerker de autoriteit die leidinggeeft aan de handhaving van de AVG met betrekking tot de grensoverschrijdende verwerkingsactiviteiten in kwestie. Daarbij wordt samengewerkt met alle autoriteiten die de gevolge...

Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0 Adopted on 20 October 2020

Guidelines on data protection by design and by default

Version history

Guidelines on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies

Guidelines 03/2021 on the application of Article 65(1)(a) GDPR

Guidelines on the application of Article 60 GDPR

Richtsnoeren 03/2021 voor de toepassing van artikel 65, lid 1, punt a), AVG

guidelines voor de toepassing van artikel 60 AVG

Guidelines 10/2020 on restrictions under Article 23 GDPR

Guidelines on restrictions under Article 23 GDPR

Guidelines 02/2022 on the application of Article 60 GDPR

Guidelines on the application of Article 60 GDPR

With the introduction of the GDPR, the concept of the one-stop shop was established as one of the main innovations. In cross-border processing cases, the supervisory authority in the Member State of the controller's or processor's main establishment is the authority leading the enforcement of the GDPR for the respective cross-border processing activities, in cooperation with all the authorities which may face the effects of the processing activities at stake: be it through the establishments ...

Guidelines 04/2022 on the calculation of administrative fines under the GDPR

Guidelines on the calculation of administrative fines under the GDPR

The European Data Protection Board (EDPB) has adopted these guidelines to harmonise the methodology supervisory authorities use when calculating of the amount of the fine. These Guidelines complement the previously adopted Guidelines on the application and setting of administrative fines for the purpose of the Regulation 2016/679 (WP253), which focus on the circumstances in which to impose a fine. The calculation of the amount of the fine is at the discretion of the supervisory authority, ...

Guidelines 06/2022 on the practical implementation of amicable settlements

Guidelines on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects

Guidelines 8/2020 on the targeting of social media users

Guidelines on the targeting of social media users

Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement

Guidelines on the use of facial recognition technology in the area of law enforcement

More and more law enforcement authorities (LEAs) apply or intend to apply facial recognition technology (FRT). It may be used to authenticate or to identify a person and can be applied on videos (e.g. CCTV) or photographs. It may be used for various purposes, including to search for persons in police watch lists or to monitor a person's movements in the public space. FRT is built on the processing of biometric data , therefore, it encompasses the processing of special categories ...

ARTICLE 29 DATA PROTECTION WORKING PARTY

Guidelines on transparency

NN Greek Single-Member Anonymous Life Insurance Company: Insufficient fulfilment of data subjects rights

€20,000 fine - Hellenic Data Protection Authority (HDPA)

The Greek DPA has imposed a fine of EUR 20,000 on NN Greek Single-Member Anonymous Life Insurance Company. The controller failed to provide the data subject with the personal data they had requested, thereby infringing the data subject's right of access.

Hospital: Insufficient technical and organisational measures to ensure information security

€20,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) imposed a fine of EUR 20,000 on a hospital for failing to implement adequate technical and organizational measures to protect personal data in line with Art. 32 (1) (b) and (d), and Art. 32 (2) GDPR. Following a cyberattack, it was revealed that over a period of seven days, at least 3 GB of personal data had been unlawfully copied from the system. The attacker allegedly gained access through social engineering and a VPN connection, exploited an outdated operating system,

Vinted: Insufficient fulfilment of data subjects rights

€2,385,276 fine - Lithuanian Data Protection Authority (VDAI)

The Lithuanian DPA has imposed a fine of EUR 2,385,276 on the second-hand online store 'Vinted'. The DPA initiated an investigation after the Polish and French DPAs forwarded complaints against the company. During its investigation, the DPA found that the company had not adequately processed deletion requests from data subjects as they had not provided specific reasons for their deletion request. It was also revealed that the company was unlawfully using 'shadow blocking' to remove users from th

FRANCE DPA: Insufficient fulfilment of data subjects rights

French Data Protection Authority (CNIL)

The French DPA has imposed a fine on a controller for not sufficiently respecting data subjects' rights (exercising the right of access to a medical file).

Clearview AI Inc.: Non-compliance with general data processing principles

€30,500,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has fined Clearview Al Inc. EUR 30,500,000. Clearview, a company offering facial recognition services, holds a database of over 30 billion images, including those of Dutch citizens. These images are scraped from publicly available online platforms, such as social media. Clearview uses these images to create biometric profiles, allowing individuals to be identified. During its investigation the DPA found that the personal data contained in the company's database had been processed u

Azienda ospedale università di Padova: Non-compliance with general data processing principles

€75,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 75,000 on Azienda ospedale università di Padova. During its investigation, the DPA found that employees had accessed patient files without authorization and that the controller did not have appropriate access restrictions in place. This allowed employees to access patient files that were not necessary for their work, e.g. because they were not treating the patients in question.

Dentist: Insufficient fulfilment of data subjects rights

€5,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 5,000 on a dentist due to a lack of data security and a failure to respect the right of access of a data subject.

Black Tiger Belgium: Insufficient fulfilment of information obligations

€174,640 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has imposed a fine of EUR 174,640 on Black Tiger Belgium. An individual had filed a complaint with the DPA due to the controller's failure to properly comply with their request to exercise their right of access. During its investigation, the DPA further found that the controller had processed personal data in various databases without sufficiently informing the data subjects. The DPA also found that the data retention period of 15 years was excessively long and not necessary. Fin

Club Náutico el Estacio: Insufficient technical and organisational measures to ensure information security

€6,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA (AEPD) has imposed a fine of EUR 6,000 on Club Náutico el Estacio. A data subject filed a complaint against the controller with the AEPD. The complaint is based on the fact that the controller has published the announcement and the record of the club's ordinary meeting on its website, disclosing personal data without access restrictions.

Telecommunications company: Insufficient technical and organisational measures to ensure information security

€285,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA has fined a telecommunications company EUR 285,000. The company had suffered a data breach. Attackers had managed to access data from about 100,000 data subjects. During its investigation, the DPA found that such a breach was facilitated by the company's failure to implement adequate technical and organizational security measures for the processing of personal data. For example, the processing systems lacked access restrictions. In assessing the fine, it was taken into aggravati

Unicredit S.p.A.: Insufficient fulfilment of data subjects rights

€70,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined Unicredit S.p.A. EUR 70,000. An employee had filed a complaint with the DPA claiming that their right to access their personal data had not been sufficiently respected. The company required a specific form to be filled out in order to gain access to personal data. During its investigation, the DPA found that the requirement to fill out the form made it disproportionately difficult to exercise the right of access.

Clearview Al Inc.: Non-compliance with general data processing principles

€9,000,000 fine - Information Commissioner (ICO)

The UK DPA has fined Clearview AI Inc. EUR 9 million. The company holds a database of more than 20 billion facial images (including those of UK residents and nationals) from around the world. The data is collected online from publicly accessible platforms such as social networks. The company offers a search service that allows individuals be identified based on the biometric data extracted from the images. Individuals' profiles can be enriched with information associated with those images, such

Il Sole 24 Ore S.p.a.: Insufficient fulfilment of data subjects rights

€40,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined the newspaper Il Sole 24 Ore S.p.a. EUR 40,000. The newspaper had published an article on the recognition by the Italian authorities of a U.S. judge's decision on the adoption of a child by a same-sex couple. By mistake, the newspaper also published personal data on the couple and the adopted child. The couple then demanded the deletion of the personal data and access to information about the processing of the personal data. The newspaper deleted the personal data, but

Kaufland România SCS: Insufficient fulfilment of data subjects rights

€3,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA (ANSPDCP) has imposed a fine of EUR 3,000 on Kaufland Romania SCS. The DPA initiated an investigation based on a complaint from an individual stating that the controller had not provided them with a complete copy of the video recordings for a certain period of time when they had been in the store premises. The DPA stated that the controller is obliged to disclose the video images of the data subject after they excercise their right of access, and that the controller may disclose

Midtjylland Region: Insufficient technical and organisational measures to ensure information security

€53,800 fine - Danish Data Protection Authority (Datatilsynet)

The Danish DPA has imposed a fine of EUR 53,800 on Midtjylland Region. On June 12, 2020, the DPA received a notification from the region regarding a personal data security breach pursuant to Art. 33 GDPR. According to the notification, all patients and staff at a lifestyle center were able to access a building where up to 100,000 physical patient records were stored, including health information and personal identity number details. The reason for this was that both staff and patients had been g

Club Náutico el Estacio: Insufficient technical and organisational measures to ensure information security

€3,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on Club Náutico el Estacio. A data subject filed a complaint against the controller with the AEPD. The complaint is based on the fact that the controller has published the announcement and the record of the club's ordinary meeting on its website, disclosing personal data without access restrictions.

Cypriot Real Estate Registration Authority: Insufficient fulfilment of information obligations

€10,000 fine - Cypriot Data Protection Commissioner

The Cypriot DPA imposed a fine of EUR 10,000 on the Cypriot Real Estate Registration Authority. The data subject submitted a written request to the controller requesting various information relating to him personally, exercising the right of access granted to him under Art. 15 GDPR. After the controller failed to respond to the request for information, the data subject filed a complaint with the DPA. In the course of the subsequent investigation by the DPA, the controller also failed to respond

Cosmetic Medical Limited: Insufficient cooperation with supervisory authority

€3,250 fine - Information Commissioner of Isle of Man

The DPA of Isle of Man has imposed a fine of EUR 3,250 on Cosmetic Medical Limited. A data subject had filed a complaint with the DPA regarding the controller's failure to comply with her request to exercise her right of access to personal data. As part of its investigation, the DPA sent the controller a request for information in order to clarify the facts of the case. However, the controller had not responded to this request in due time. The DPA concluded that as the controller did not properl

American College of Greece: Insufficient fulfilment of information obligations

€1,000 fine - Hellenic Data Protection Authority (HDPA)

The Hellenic DPA (HDPA) imposed a fine of EUR 1,000 against the American College of Greece for violations of the right of access and the right to erasure of personal data.

Department of Home Affairs: Insufficient fulfilment of data subjects rights

€13,500 fine - Information Commissioner of Isle of Man

Fines for failure to comply with the right of access to personal data under Articles 12 and 15 GDPR. The Isle of Man has declared the GDPR - although it is not an EU state - to be applicable.

DSB (Austria) - 2025-0.789.117

|Initial_Contributor=xz|Initial_Contributor=xz || }}}}The DPA held that the daughter of a deceased patient could not request access under Article 15 GDPR from a hospital regarding her deceased father’s cause of death, as the information refers to her father and the right of access is a strictly personal and non-transferable right. The DPA held that a hospital did not violate [[Article 15 GDPR]] by not providing information on the medical cause of death, as the request did not concern the data su

Greek SA fines Clearview AI for EUR 20M

A rundown of the fine on IAPP: https://iapp.org/news/a/a-rundown-of-the-greek-dpas-clearview-ai-fine-findings

De Autoriteit Persoonsgegevens publiceert een rapport over de risicoanalyse van de AVG (Algemene Verordening Gegevensbescherming).

De GDPR-risicoanalyse is bedoeld om controllers en verwerkers te helpen bij het identificeren van de risicofactoren voor de rechten en vrijheden van de betrokkenen, wiens gegevens worden verwerkt. Het doel is om een eerste inschatting te maken van het inherente risico, inclusief de noodzaak om een Privacy Impact Assessment (DIA) uit te voeren, en om het resterende risico te schatten als maatregelen en beveiligingsmechanismen worden gebruikt om specifieke risicofactoren te verminderen.

AEPD publishes GDPR Risk Assessment

> GDPR RISK ASSESSMENT is intended to assist controllers and processors to identify the risk factors for the rights and freedoms of data subjects whose data are present in the processing, to make an initial assessment of the intrinsic risk, including the need to perform a DPIA, and to estimate the residual risk if measures and safeguards are used to mitigate the specific risk factors.

Europol told to hand over personal data to Dutch activist

The European Data Protection Supervisor ordered Europol to hand over personal data to Dutch activist Frank van der Linde. The decision is the result of a two-year investigation into Europol's possession and storage of van der Linde's personal data.