News

Created page with "{{DPAdecisionBOX |Jurisdiction=Finland |DPA-BG-Color= |DPAlogo=LogoFI.png |DPA_Abbrevation=Tietosuojavaltuutetun toimisto |DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland) |Case_Number_Name=TSV/112/2022 (9079/152/22) |ECLI= |Original_Source_Name_1=Finlex |Original_Source_Link_1=https://www.finlex.fi/fi/viranomaiset/tietosuojavaltuutettu/2025/2487#OT0_OT0 |Original_Source_Language_1=Finnish |Original_Source_Language__Code_1=FI |Original_Source_Name_2= |Origina..." New

Corrected and added some links, removed duplicate in short summary. }}}} An DPA denied a complaint against a public body under Articles 9 and 77 GDPR, holding that publication of a data subject’s political donation did not violate the GDPR because the controller had a lawful basis.An DPA denied a complaint against a public body under [[Article 9 GDPR|Articles 9]] and [[Article 77 GDPR|77 GDPR]], holding that publication of a data subject’s political donation did not violate them because the cont

Created page with "{{DPAdecisionBOX |Jurisdiction=Austria |DPA-BG-Color= |DPAlogo=LogoAT.png |DPA_Abbrevation=DSB |DPA_With_Country=DSB (Austria) |Case_Number_Name=2024-0.199.724 |ECLI=ECLI:AT:DSB:2024:2024.0.199.724 |Original_Source_Name_1=RIS |Original_Source_Link_1=https://www.ris.bka.gv.at/Dokument.wxe?Abfrage=Dsk&Entscheidungsart=Undefined&Organ=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=01.01.1990&BisDatum=&Norm=&ImRisSeitVonDatum

Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=28/2026 |ECLI= |Original_Source_Name_1=APD |Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/bevel-nr.-28-2026.pdf |Original_Source_Language_1=French |Original_Source_Language__Code_1=FR |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Lan..." New

|Appeal_From_Case_Number_Name=16.07.2025|Appeal_From_Case_Number_Name=16.07.2025 |Appeal_From_Status=|Appeal_From_Status= |Appeal_From_Link=https://www.dataprotection.ro/?page=Comunicat_Presa_16.07.2025|Appeal_From_Link=https://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_Fine_against_a_Romanian_politician |Appeal_To_Body=|Appeal_To_Body= |Appeal_To_Case_Number_Name=|Appeal_To_Case_Number_Name= A politician, the operator of a website (the controller), appealed a DPA decision sanctioning him fo

Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=EXP202410843 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/ps-00476-2024.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Code..." Show

Created page with "{{DPAdecisionBOX |Jurisdiction=Italy |DPA-BG-Color=background-color:#095d7e; |DPAlogo=LogoIT.png |DPA_Abbrevation=Garante per la protezione dei dati personali |DPA_With_Country=Garante per la protezione dei dati personali (Italy) |Case_Number_Name=10213894 |ECLI= |Original_Source_Name_1=Garante per la protezione dei dati personali |Original_Source_Link_1=https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/10213894 |Original_Source_Language_1=I..." New p

Created page with "{{DPAdecisionBOX |Jurisdiction=United Kingdom |DPA-BG-Color=background-color:#023868; |DPAlogo=LogoUK.png |DPA_Abbrevation=ICO |DPA_With_Country=ICO (UK) |Case_Number_Name=Allay Claims Ltd |ECLI= |Original_Source_Name_1=ICO |Original_Source_Link_1=https://ico.org.uk/media2/mrwhxwoe/monetary-penalty-notice-allay-claims-ltd.pdf |Original_Source_Language_1=Estonian |Original_Source_Language__Code_1=ET |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Lan..." New

Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP |DPA_With_Country=ANSPDCP (Romania) |Case_Number_Name=03.02.2026 |ECLI= |Original_Source_Name_1=ANSPDCP |Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_03_02_2026&lang=ro |Original_Source_Language_1=Romanian |Original_Source_Language__Code_1=RO |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language..."

Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=EXP202408793 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/ps-00279-2024.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Code..." Show

Created page with "{{DPAdecisionBOX |Jurisdiction=Estonia |DPA-BG-Color= |DPAlogo=LogoEE.png |DPA_Abbrevation=AKI |DPA_With_Country=AKI (Estonia) |Case_Number_Name=2.1.-4/25/1239-2660-6 |ECLI= |Original_Source_Name_1=AKI |Original_Source_Link_1=https://www.aki.ee/sites/default/files/documents/2026-01/Ettekirjutus-hoiatus%20isikuandmete%20kaitse%20asjas%20nr%202.1.-4%2025%201239-2660-6%20Zu%20Disain%20O%C3%9C.pdf |Original_Source_Language_1=Estonian |Original_Source_Language__Code_1=ET |..." New

Brussels, 18 February - The European Data Protection Board (EDPB) has adopted a report on its Coordinated Enforcement Framework (CEF) action on the right to be forgotten (Art.17 GDPR). The Board selected this topic as it is one of the most frequently exercised GDPR rights and one about which DPAs frequently receive complaints from individuals. The main objectives of this coordinated action are to ensure that the right to erasure is effectively exercised by individuals in Europe and understand ho

}}}} A court annulled a DPA decision imposing a €150,000 fine on a news programme diffusing personal data of a minister for information purposes. The court concluded that public interest was overriding the right to privacy.A court annulled a DPA’s decision imposing a €150,000 fine on a public broadcaster after airing a private former Minister’s private conversation. The court concluded that public interest in airing the conversation overrode the former Minister’s right to privacy. == English Sum

}}}} The DPA issued a warning to the Federal Public Service for Finances to ensure compliance with security of personal data processing after an employee accessed the address of an individual and visited her at her home.The DPA issued a warning to the Federal Public Service for Finances after an employee unlawfully accessed the address of an individual in the controller’s database and visited her at her home. == English Summary ==== English Summary ==

|Initial_Contributor=lde|Initial_Contributor=lde || }}}}The DPA found that the food delivery company Wolt failed to respond properly and in time to a customer’s access request after their account was blocked. The DPA found that Wolt violated [[Article 12 GDPR|Article 12 GDPR]] by failing to respond properly and in time to a data subject’s access request, thus failing to facilitate the exercise of rights or provide a timely refusal. == English Summary ==== English Summary ==

}}}} The DPA ordered a company to erase the data provided by potential tenants after not entering into a lease agreement with them.The DPA ordered a landlord to erase the data provided by potential tenants after not entering into a lease agreement with them. == English Summary ==== English Summary == In 2023 the data subjects intended to enter into a lease agreement with a company (the controller). The controller requested various information from the data subjects, including identity documents,

}}}} The DPA partially upheld a complaint and issued a reprimand against a travel company for unlawful direct marketing, excessive passport copy collection, inaccuracies in travel documents, lack of transparency, and an incomplete access response.The DPA partially upheld a complaint and issued a reprimand against a travel company for unlawful direct marketing, excessive passport copy collection, inaccuracies in travel documents, lack of transparency, and an incomplete response to an access reque

|Initial_Contributor=lde|Initial_Contributor=lde || }}}}A court held that the DPA insufficiently justified its rejection of a complaint against a cinema that no longer accepted cash payments. According to the court, the DPA failed to assess whether the mandatory card payments pursued a sufficiently concrete and justified purpose under the GDPR. A court held that the DPA insufficiently justified its refusal to act against a cinema that no longer accepted cash payments, failing to demonstrate that

Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP |DPA_With_Country=ANSPDCP (Romania) |Case_Number_Name=04.02.2026 |ECLI= |Original_Source_Name_1=ANSPDCP |Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_04_02_2026&lang=ro |Original_Source_Language_1=Romanian |Original_Source_Language__Code_1=RO |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language..."

Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=25/2026 |ECLI= |Original_Source_Name_1=APD |Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/waarschuwing-en-berisping-nr.-25-2026.pdf |Original_Source_Language_1=French |Original_Source_Language__Code_1=FR |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2=..." New p

Created page with "{{DPAdecisionBOX |Jurisdiction=Lithuania |DPA-BG-Color= |DPAlogo= |DPA_Abbrevation=VDAI |DPA_With_Country=VDAI (Lithuania) |Case_Number_Name=Nr. 3R-219 (2.13-1.E) |ECLI= |Original_Source_Name_1=VDAI |Original_Source_Link_1=https://vdai.lrv.lt/public/canonical/1770722929/1274/2026-02-06%20Sprendimas%20Nr.%203R-219%20(2.13-1.E).pdf |Original_Source_Language_1=Lithuanian |Original_Source_Language__Code_1=LT |Original_Source_Name_2= |Original_Source_Link_2= |Original_Sour..." Show

Created page with "{{DPAdecisionBOX |Jurisdiction=Finland |DPA-BG-Color= |DPAlogo=LogoFI.png |DPA_Abbrevation=Tietosuojavaltuutetun toimisto |DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland) |Case_Number_Name=TSV/258/2022 |ECLI= |Original_Source_Name_1=Finlex |Original_Source_Link_1=https://www.finlex.fi/fi/viranomaiset/tietosuojavaltuutettu/2026/2 |Original_Source_Language_1=Finnish |Original_Source_Language__Code_1=FI |Original_Source_Name_2= |Original_Source_Link_2= |Origina..." New

Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=23/2026 |ECLI= |Original_Source_Name_1=APD |Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/bevel-nr.-23-2026.pdf |Original_Source_Language_1=French |Original_Source_Language__Code_1=FR |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Lan..." New

Facts: typo The Local Territorial Agency for Residential Housing (Azienda territoriale per l’edilizia residenziale) submitted a complaint to the DPA regarding the installation of security cameras by the business “Macelleria La Costata s.r.l.s.”, a local butcher . The Local Territorial Agency for Residential Housing (Azienda territoriale per l’edilizia residenziale) submitted a complaint to the DPA regarding the installation of security cameras by the business “Macelleria La Costata s.r.l.s.”, a

Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=EXP202406574 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/ps-00255-2024.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Code..." Show

Facts }}}} The DPA fined a business support company with 80,000 euros for transferring personal data from its employees to a third party without the proper legal basis, in violation of Art. 6 (1) GDPR.The DPA fined a customer support provider €80,000 for unlawfully transferring its employees’ private phone numbers to its business customer without a valid legal basis. == English Summary ==== English Summary == === Facts ====== Facts === MAJOREL SP SOLUTIONS, S.A. (the controller) entered into an

added links to GDPR articles === Holding ====== Holding === The DPA found that, since the membership form did not contain information on the transmission of members' data to the social media platform, or even on targeted advertising, the consent was not informed nor specific. Therefore, it found the processing to be unlawful, violating Article 6(1)(a) GDPR. The DPA found that, since the membership form did not contain information on the transmission of members' data to the social media

English Summary }}}} The DPA fined the Polish national postal operator €232k for a DPO conflict of interest. The DPO concurrently served as a Security Director and company proxy, effectively monitoring their own decisions regarding the means of data processing.The DPA fined the national postal operator €232,000 for appointing a DPO with a conflict of interest. The DPO concurrently served as a Security Director and representative of the controller, effectively monitoring their own decisions regar

The independent authrotities reject many of the European Commission's proposals in the Digital Omnibus

}}}} The DPA issued a reprimand to 51 municipalities and simultaneously warned them regarding their use of Google’s products in primary and lower secondary schools. In particular, the DPA found that the municipalities had not adequately demonstrated how personal data processed outside the EU is provided with an adequate level of protection.The DPA issued a reprimand to 51 municipalities and simultaneously warned them regarding their use of Google’s products in primary and lower secondary schools

Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=EXP202306354 (PS/00312/2024) |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/ps-00312-2024.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Sourc..." Show

|Initial_Contributor=xz|Initial_Contributor=xz || }}}}The DPA held that the daughter of a deceased patient could not request access under Article 15 GDPR from a hospital regarding her deceased father’s cause of death, as the information refers to her father and the right of access is a strictly personal and non-transferable right. The DPA held that a hospital did not violate [[Article 15 GDPR]] by not providing information on the medical cause of death, as the request did not concern the data su

Holding === Holding ====== Holding === The DPA upheld the complaint and found an infringement of [[Article 6 GDPR#1|Article 6(1) GDPR]]. The Authority clarified that the necessity for the performance of a contract must be interpreted strictly and covers only processing that is objectively necessary, not merely useful or convenient.The DPA upheld the complaint and found an infringement of [[Article 6 GDPR#1|Article 6(1) GDPR]]. The DPA clarified that the necessity for the performance of a contrac

}}}} The DPA held that an event organiser’s use of a data subject’s email address, provided for ticket purchase, to send a marketing email without consent and to disclose the address via an open CC field violated the subject’s right to secrecyThe DPA held that an event organiser violated a customer’s right to privacy when it submitted them marketing emails without their prior consent and by sending them those emails in CC, disclosing their address to a large group of third parties. == English Su

De Autoriteit Persoonsgegevens (AP) presenteert vandaag de visie van de AP op generatieve artificiële intelligentie (AI). Daarin schetst de toezichthouder hoe generatieve AI veilig, verantwoord en in lijn met grondrechten kan worden ingezet. De AP kijkt vooruit en ziet mogelijkheden, maar waarschuwt tegelijk voor reële maatschappelijke risico’s.

Watch the video on online data protection risks for kids Brussels, 28 January - Every day, the European Data Protection Authorities (DPAs) that make up the EDPB work together to ensure the protection of individuals’ personal data. When it comes to children's data, extra vigilance is essential, particularly in today's fast-evolving digital environment where new risks emerge constantly. Children are more at risk online than adults because they do not easily recognise dangers, tend to trust strange

Brussels, 19 January - During its latest plenary, the EDPB adopted a report to support the European Commission’s evaluation of the Law Enforcement Directive (LED). The Commission has to submit its public report* on the evaluation and review of this Directive to the European Parliament and to the Council by 6 May 2026. Ahead of this, the Commission gathered the views of the European Data Protection Authorities (DPAs) on the application and functioning of the LED over the period from January 2022

The data protection authority has fined a subcontractor €1 million for failing to delete user personal data, processing this data for purposes that conflict with contractual agreements, and failing to maintain a register of processing activities. The data protection authority has also fined a data processor €1 million for the same reasons: failing to delete user personal data, processing this data for purposes that conflict with contractual agreements, and failing to maintain a register of processing activities. == Summary in English == == Summary in English ==

The data protection authority (DPA) has imposed a fine of 1 million euros on a data processor for failing to delete user personal data, processing that data for purposes that conflict with contractual agreements, and failing to maintain a record of processing activities. The data protection authority (DPA) has imposed a fine of €1,000,000 on a data processor for failing to delete user personal data, processing that data for purposes that conflict with contractual agreements, and failing to maintain a record of processing activities. Finally, the DPA found that...

Vaste link: "Over de eerlijkheid van de procedure:" "Over de eerlijkheid van de procedure:" In eerste instantie wees de gegevensbeschermingsautoriteit (DPA) het argument van de hand op basis van een schending van artikel 6 van het Europees Verdrag voor de Rechten van de Mens (EVRM). De DPA wees erop dat het recht om niet te worden belast met het bewijs van iemands schuld niet in strijd is met het delen van interne rapporten van de klager, zelfs niet onder dwangmaatregelen. Bovendien vormen de openbaar gemaakte rapporten bewijs waarop de DPA haar argumentatie kan baseren. In eerste instantie,

Fixed Link The controller did not respond adequately, providing unclear information or referring the data subject to third parties. As a result, the data subject lodged a complaint with the DPA.The controller did not respond adequately, providing unclear information or referring the data subject to third parties. As a result, the data subject lodged a complaint with the DPA. The DPA issued a final decision warning the controller for violating [[Article 6(1) GDPR|Article 6(1)]] and [[Article 5(1)

=== Holding ====== Holding === The dispute related to the processor’s responsibility for implementing adequate security measures, under article 32 GDPR. The dispute related to the processor’s responsibility for implementing adequate security measures, under Article 32 GDPR. '''On the fairness of the procedure:''' '''On the fairness of the procedure:''' '''About responsibilities:''' '''About r

=== Facts ====== Facts === DEEZER (the data controller) has informed the French data protection authority (CNIL) about a data breach that affected 21,574,775 users, of whom 9,849,354 were located in France. DEEZER has identified Mobius Solutions Ltd (the data processor) as the likely source of the data breach. The data protection authority has launched an investigation into the data processor. DEEZER (the data controller) has informed the French data protection authority (CNIL) about a data breach that affected approximately 46,900,000 users worldwide, of whom 21,574,775 were located in France.

Permanent link: The responsible party did not respond adequately and provided unclear information or referred the individual to third parties. As a result, the individual filed a complaint with the Data Protection Authority. The responsible party did not respond adequately and provided unclear information or referred the individual to third parties. As a result, the individual filed a complaint with the Data Protection Authority. The Data Protection Authority has issued a final decision in which the responsible party is warned for violating Article 6(1) of the GDPR and Article 5(1).

Feiten: De gegevensbeschermingsautoriteit (DPA) heeft een bank een boete van 500.000 euro opgelegd nadat documenten van een klant, verzonden via een koerier, verloren waren gegaan. De autoriteit oordeelde dat de bank er niet voor had gezorgd dat er voldoende beveiliging was en dat er een goede controle was op de dienstverlener, in overeenstemming met artikel 32 van de AVG. De DPA heeft een bank een boete van 500.000 euro opgelegd omdat documenten van een klant verloren waren gegaan tijdens het transport via een koerier. De DPA oordeelde dat de bank niet had gezorgd voor voldoende beveiliging en een goede controle op de dienstverlener, in overeenstemming met artikel 32 van de AVG. == Samenvatting in het Engels

The Italian data protection authority (DPA) has fined Verisure Italy €400,000 for unlawful marketing communications. The company lacked a valid legal basis for its marketing activities, which targeted both existing and potential customers. Furthermore, it failed to adequately inform data subjects, applied unreasonably long or undefined data retention periods, and responded too late to requests from data subjects regarding their rights. The DPA imposed a fine of €400,000 on Verisure Italy, a provider of alarm systems, for unlawful marketing communications. The company...

Facts: Two individuals, one a former customer and the other a potential customer, have filed complaints with the data protection authority (DPA) regarding repeated marketing calls and messages from Verisure Italy, despite having explicitly requested that such communication be stopped. Two individuals, one a former customer and the other a potential customer, have filed complaints with the DPA because they repeatedly received marketing calls and messages from Verisure Italy, despite having explicitly requested that such communication be stopped.

}}}} The DPA fined a subcontractor €1 million for failing to delete the personal data of users, processing it for purposes contrary to contract stipulations and for failing to keep a record of its processing activities.The DPA fined a processor €1 million for failing to delete the personal data of users, processing it for purposes contrary to contract stipulations and for failing to keep a record of its processing activities. == English Summary ==== English Summary ==

=== Facts ====== Facts === DEEZER (the controller) notified the French DPA (CNIL) of a data breach affecting 21,574,775 users, out of which 9,849,354 users were located in France. The controller identified Mobius Solutions Ltd (the processor) as the likely source of the data breach. The DPA launched an investigation into the processor.DEEZER (the controller) notified the French DPA (CNIL) of a data breach affecting approximately 46,900,000 users worldwide, out if which 21,574,775 users located i

Maakt een nieuwe pagina aan met de volgende inhoud: "{{DPAdecisionBOX |Jurisdiction=Italië |DPA-BG-Color=background-color:#095d7e; |DPAlogo=LogoIT.png |DPA_Abbrevation=Garante per la protezione dei dati personali |DPA_With_Country=Garante per la protezione dei dati personali (Italië) |Case_Number_Name=10201989 |ECLI= |Original_Source_Name_1=GPDP |Original_Source_Link_1=https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/10201989 |Original_Source_Language_1=Italiaans |Original_Source_Language__Code_1=..." Toon