CASES, SANCTIONS AND CLAIMS
- Drivers in the UK sue Uber over allegations that it refused Data Subject Access Requests for GPS and other app usage data.
- Danish DPA decides that public transportation travel cards system must respect the right to rectification; a system which only permits adding information instead of correcting it does not comply with the GDPR.
- UK High Court of Justice: data subjects are entitled to information about the sources from which an organisation received their personal data (Case of Rudd v Bridle  EWHC 893 (QB)).
- German high court decides that the scope of the right to a copy of the personal data includes copies of performance and behavioral data. See here a comment on this case in English.
- The Cologne Regional Court, in a recent decision, has answered questions on the extent of “personal data” covered by the right of access, as well as what it means to provide a copy of the personal data.
- Italian DPA issues Decision on the right to be forgotten in a case concerning de-listing from Google search results.
- Regional Court of Frankfurt: refraining from processing personal data in the future is also part of the right to erasure (read this article for further reference).
- The Regional Courts of Bonn and Wuppertal released judgments regarding the GDPR which stated that physicians can assert their right to erasure (“Right to be forgotten”).
- A Romanian court of first instance fines a state-owned company for publishing personal data on its website – judgement not final, subject to appeal.
- There is a new request for a preliminary ruling originating from Verwaltungsgericht Wiesbaden (Germany) on the issue of the right to access and public bodies.
- The Austrian DPA considered that a controller could identify the data subject using his/her e-mail address and the information already stored by the controller (read here a summary in English).
- According to the Regional Court of Heidelberg’s decision, the right of access is not observed if access can only be provided by the data controller with “unreasonable effort”.
- France’s highest court struck out a decision by CNIL to fine Google for limiting the right to be forgotten to Europe.
- As shown by the EDPS newsletter, the EDPS issued a decision on a complaint submitted against the European Parliament, concerning a complainant’s access to their evaluation results in an intelligible form.
- The local court of Seligenstadt (Hesse) decided that the right of access under the GDPR does not include information on data storage devices, cloud storage or already deleted data.
- A new GDPR fine (7000 euros) was imposed on an online retailer in Latvia for not complying with an erasure request.
- Poland: Company fined for obstructing withdrawal of consent by data subjects.
- France: Futura Internationale has been fined 500,000 EUR by the French DPA (CNIL) for lack of compliance with the minimization principle and certain data subject rights (to be informed, to object) and, also, for not signing agreements for international data transfer.
- The Swedish DPA imposes a fine of EUR 7 million on Google for failure to fulfill its obligations in respect of the right to request delisting.
- The Belgian DPA’s Litigation Chamber imposed a fine of 50.000 EUR based on the findings of lack of transparency and inappropriately documented and justified legal grounds.
- The Belgian DPA has issued an administrative fine of €20,000 against the telecoms company Proximus after the company refused a client request to delete her personal details from the phone book.
REPORTS AND ARTICLES FROM OTHER ORGANISATIONS
- Read this post by Greet Gysen: Getting data subject rights right.
- MIT Technology Review: Why an internet that never forgets is especially bad for young people.
- CNIL: The right to de-listing in questions.
- Eduardo Ustaran: A forgotten right gets into action in UK A-Level controversy (see the article here).
OFFICIAL GUIDELINES, REPORTS AND STATEMENTS
- Irish DPC: complex definition of the ‘right to be forgotten’ or the right to erasure as stated in arts. 17 and 19 of the GDPR.
- ICO (UK): modifies its guidance on calculating the timescales for responding to data subject access requests.
- Irish DPC has updated its DSAR FAQ (Data Subject Access Requests).
- Bavarian DPA for the Private Sector: list of don’ts when handling data subject requests (see here an article in English).
- Centre for Information Policy Leadership: white paper on Data Subject Rights under the GDPR in a Global Data Driven and Connected World.
- EDPB: Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1).
- NautaDutilh: New Belgian DPA decision: broader “controller” concept & extensive access rights?