
News

Current events, updates, and developments in data protection law


Tietosuojavaltuutetun toimisto (Finland) - TSV/258/2022

The DPA found that the food delivery company Wolt failed to respond properly and in time to a customer’s access request after their account was blocked. The DPA found that Wolt violated Article 12 GDPR by failing to respond properly and in time to a data subject’s access request, thus failing to facilitate the exercise of rights or provide a timely refusal.

VDAI (Lithuania) - Nr. 3R-219 (2.13-1.E)

The DPA partially upheld a complaint and issued a reprimand against a travel company for unlawful direct marketing, excessive passport copy collection, inaccuracies in travel documents, lack of transparency, and an incomplete access response.

CA Paris - 25/04270

A court held that a former employee cannot request access to their work email correspondence and other work-related files when the emails and files only contain the employee’s identification information. Following his dismissal, the data sub

VG Osnabrück - 7 A 6/24

A court held that a public authority violated Article 12(3) and Article 15(1) GDPR by failing to respond within one month to an access request and by wrongly requiring a reference date.

VG Düsseldorf - 29 K 9469/23

A court held that under Article 15(3) GDPR controllers may lawfully redact third-party data as long as the data subject’s information remains complete and understandable. The data subject was subject to a home visit by the public

DSB (Austria) - 2025-0.789.117

The DPA held that the daughter of a deceased patient could not request access under Article 15 GDPR from a hospital regarding her deceased father’s cause of death, as the information refers to her father and the right of access is a strictly personal and non-transferable right. The DPA held that a hospital did not violate Article 15 GDPR by not providing information on the medical cause of death, as the request did not concern the data su

DSB (Austria) - 2025-0.395.497

The DPA held that under Article 15 GDPR, a data subject has the right to access personal data concerning themselves, but this does not extend to entire documents containing information about third parties. Confidential communications and legal opinions within disciplinary proceedings are exempt.

DSB (Austria) - 2025-0.395.497

The data protection authority (DPA) held that under Article 15 GDPR, a data subject has the right to access personal data concerning that data subject, but this right does not extend to entire documents containing information about third parties. Confidential communications and legal opinions within disciplinary proceedings are excluded.

OGH - 6Ob189/24y

Case number: 6Ob189/24y. ECLI: ECLI:AT:OGH0002:2025:0060OB00189.24Y.1126.000. Original source: RIS. Holding: The Austrian Supreme Court (OGH) ruled that Meta must provide the data subject, and any data subject requesting it, with full access to all personal data processed about them. This includes information about the sources of the data, recipients, and the purposes for which each piece of data was processed.

OGH - 6Ob189/24y

Case number: 6Ob189/24y. ECLI: ECLI:AT:OGH0002:2025:0060OB00189.24Y.1126.000. Source: RIS. Key decision: The Austrian Supreme Court (OGH) has ruled that Meta must grant all individuals concerned, and anyone who requests it, full access to all personal data processed about them. This includes information about the sources of the data, the recipients, and the purposes for which each part of the data is processed.

Greek SA fines Clearview AI for EUR 20M

A rundown of the fine on IAPP: https://iapp.org/news/a/a-rundown-of-the-greek-dpas-clearview-ai-fine-findings

The Greek supervisory authority has fined Clearview AI EUR 20 million.

A rundown of the fine on IAPP: https://iapp.org/news/a/a-rundown-of-the-greek-dpas-clearview-ai-fine-findings

AEPD publishes GDPR Risk Assessment

> GDPR RISK ASSESSMENT is intended to assist controllers and processors to identify the risk factors for the rights and freedoms of data subjects whose data are present in the processing, to make an initial assessment of the intrinsic risk, including the need to perform a DPIA, and to estimate the residual risk if measures and safeguards are used to mitigate the specific risk factors.

ICO finds multiple public, private entities 'repeatedly' failed to meet SAR deadlines

> The U.K. Information Commissioner’s Office issued reprimands and practice recommendations for seven public and private entities for failure to respond to subject access requests. The entities included the Ministry of Defence, the Home Office, Kent police and Virgin Media. The ICO found the organizations “repeatedly failed” to meet the deadline to respond to SAR requests of one to three months. For instance, the MoD has a backlog of 9,000 SAR requests dating back to March 2020.

The ICO (Information Commissioner's Office) has found that several public and private organisations repeatedly failed to meet the deadlines for SARs (Subject Access Requests).

The UK Information Commissioner's Office has reprimanded seven public and private organisations and issued practice recommendations for failing to respond in time to individuals' requests for access to their personal data. The organisations include the Ministry of Defence, the Home Office, Kent police and Virgin Media. The ICO found that the organisations "repeatedly" failed to meet the deadline of one to three months for responding to these requests. For example, the Ministry of Defence has a backlog of 9,000 requests dating back to March 2020.

What Happened to the Risk-Based Approach to Data Transfers?

The GDPR incorporates the RBA for all obligations of the controller in the GDPR. Where the transfer rules are stated as obligations of the controller (rather than as absolute principles), the RBA of Article 24 therefore applies. Contrary to what the DPAs assume, this is not contradicted by the ECJ in Schrems II nor by the EDPB recommendations on additional measures following the Schrems II judgment, according to Lokke Moerel, Professor of Global ICT Law at Tilburg University and a Dutch Cyber Security

Europol told to hand over personal data to a Dutch activist

The European Data Protection Supervisor has ordered Europol to hand over personal data to the Dutch activist Frank van der Linde. This decision is the result of a two-year investigation into the way Europol stores and processes Van der Linde's personal data.

Europol told to hand over personal data to Dutch activist

The European Data Protection Supervisor ordered Europol to hand over personal data to Dutch activist Frank van der Linde. The decision is the result of a two-year investigation into Europol's possession and storage of van der Linde's personal data.

UK data protection reform: How the UK's GDPR may change

> The current version of the Bill seeks to maintain the majority of key principles that underpin the UK data protection law framework, while at the same time modifying certain key provisions in relation to accountability, lawful grounds for processing, data subject access requests and cookies, amongst others. A [consolidated redline version of the UK GDPR by Hogan Lovells](https://www.engage.hoganlovells.com/knowledgeservices/attachment_dw.action?attkey=FRbANEucS95NMLRN47z%2BeeOgEFCt8EGQJsWJiCH

EU Court: making court documents containing personal data available to journalists is part of the exercise of the judicial function

It is part of the exercise of judicial functions by a court within the meaning of the GDPR to make documents originating from a judicial proceeding, in which personal data are included, temporarily available to journalists in order to enable them to better report on the course of that proceeding. This is the EU Court's answer to preliminary questions from the Dutch court.

DeFine is a calculator for GDPR fines based on the method of the EDPB

> DeFine is a translation into a calculator of part of the methodology proposed by the European Data Protection Board to calculate GDPR fines (see EDPB, Guidelines 04/2022 on the calculation of administrative fines under the GDPR, 12 May 2022, available online; it was subject to a public consultation until 27 June 2022).