
News from the World of GDPR


In this July look back at last month's main events from the world of GDPR, we would like to highlight in particular the decision of the Austrian Federal Administrative Court, which confirmed that a controller's processing of personal data for the purpose of monitoring credit risk is consistent with the interpretation of Articles 5(1)(c), 5(1)(e) and 6(1)(f) of the General Data Protection Regulation.

 

The controller may then retain financial data for a period of 5 years.

 

In addition, the GDPRHub website has published further interesting decisions and some of the sanctions imposed under the GDPR in individual EU member states.

 

Austria

The Federal Administrative Court of Austria (BVwG) confirmed the standards for processing data for credit scoring purposes in light of Articles 5(1)(c), 5(1)(e) and 6(1)(f) GDPR and held that financial data may be stored for more than 5 years.

Belgium

The Belgian DPA issued a reprimand against a public authority that shared an audit report including personal data with third parties without a proper legal basis. In addition, the controller was found in violation of the GDPR for not answering the access request in due time.

 

Italy

The Italian DPA (Garante) fined the Municipality of Bolzano €84,000 for indiscriminate monitoring of employees in violation of Articles 5(1)(a) and (c), 6, 9, 13, 88, and 35 GDPR.

The Italian DPA also fined the Mayor of Messina €50,000 for publishing images of minors and disadvantaged individuals on social media in violation of Article 5(1)(a) and (b) GDPR.

 

Netherlands

The Court of Appeal of Amsterdam ruled that the COVID-19 pandemic constituted a special situation that allowed the University of Amsterdam to introduce mandatory electronic surveillance during online exams. Neither the student council nor the faculty council had the right to be involved in the decision-making processes.

 

Spain

The Spanish DPA (AEPD) ordered a processor (Amazon Web Services) to answer an erasure request from a data subject that had not been completed by the controller (a news website).

The Spanish DPA also fined an energy company €12,000 for calling, for commercial purposes, a data subject who had signed up to a Robinson List.

Finally, the Spanish DPA (AEPD) fined a controller €10,000 for issuing an invoice containing incorrect data in violation of the accuracy principle.

 

Sweden

The Swedish DPA fined the company Medhelp €1.1 million (SEK 12 million). Medhelp was contracted by three Swedish regions to answer calls from the medical advice hotline 1177. Medhelp violated the GDPR by exposing an unprotected server with patient data to the internet, failing to provide enough information about the transfer of data to a third country, and failing to continuously back up patient data. In addition, Medhelp employed a subcontractor to process data in Thailand contrary to Swedish healthcare law.

 

The Swedish DPA fined a school €20,000 (SEK 200,000) for using facial recognition technology to register student attendance. The Court of Appeal in Stockholm upheld the decision.