CASES, SANCTIONS AND CLAIMS
- (2019, Dec) The Austrian DPA decided that it is excessive to ask for proof of identity in a case where a user requested the erasure of a profile which was created without any proof of real identity (article in English).
- (2019, Mar) German regional labour court decides that an employer unlawfully refused an employee’s Data Subject Access Request concerning information about the charges that led to his dismissal.
- (2019, Nov) Denmark: Automatic denial of access request is prohibited.
- (2019, Nov) Germany: The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) fined a telecommunications company 9,550,000 Euros for lack of appropriate measures to authenticate data subjects (article in English).
- (2020, Feb) The Berlin DPA stated in a case that a request for additional information to confirm the identity of the data subject is not necessary if the request to erase data was sent via the support area of the account management section after logging in using registration data.
- (2020, Jul) According to a decision of the Düsseldorf Court, a former employee received damages amounting to EUR 5,000 because he received delayed and incomplete information from his employer.
- (2020, Jul) The Dutch Data Protection Authority imposed a fine of €830,000 on an organization for charging data subjects a fee to access their personal data more than once a year.
- (2020, Aug) The Dutch Data Protection Authority imposed a fine of €830,000 against BKR (National Credit Register) for personal data access charges.
- (2020, Jan) The Luxembourg District Court refers several questions to the Court of Justice of the EU for a preliminary ruling concerning the concepts of “exceptional circumstances”, “risk” and “disproportionate risk”.
REPORTS AND ARTICLES FROM OTHER ORGANISATIONS
- (2019, Dec) TLT Solicitors: 10 tips for responding to data subject access requests.
- (2019) Hasselt University: “Personal Information Leakage by Abusing the GDPR ‘Right of Access’”. The article draws attention to GDPR-related issues while also discussing themes like ‘Impersonation Techniques’ and how these can be used.
- (2019, Mar) In New Zealand, a law firm charged a client $19,000 (New Zealand Dollars) to send him information following a personal data access request. The New Zealand Privacy Commissioner said a reasonable sum would be one that would cover the cost of purchasing the means through which the information would be transmitted to the client (e.g. a USB stick).
- (2019, Jul) Practical tips for managing data subject access requests, by Phil Lee.
- (2019, Nov) Dr. Carlo Piltz: The term “without undue delay” in context of the GDPR – 1 day, 1 week, 1 month?
- (2020, Feb) Fieldfisher: Subject Access Requests and the Search for Proportionality.
- (2019, Mar) HAL: A document published on the open archive HAL presents a security analysis of subject access request procedures: how to authenticate data subjects safely when they request their data.
- (2020, Jun) Dr. Carlo Piltz: German Data Protection Authority: when does the one-month period for GDPR requests start in cases of uncertainty about the identity of data subjects?
- (2020, Jul) Dr. Carlo Piltz: Berlin Data Protection Authority: Companies must accept requests from data subjects via any communication channel – even e-mails in spam folders.