Dealing with access requests in practice
members
–
3 min read
Recommendations on how to deal with the Right of access - DSARs - in practice (with grumpy DSARs checklist).
EDPB Support Pool of Experts (SPE) projects
members
–
4 min read
New additions: 'AI: Complex Algorithms and effective Data Protection Supervision' 23 Jan + 'OSS Case Digest: Right of access' 17 Jan. Post: An overview of SPE project so far. Which ones (if any) should you spend time on? Maybe the OSS case digests.
EDPB press release: Right of access CEF 2024 report
members
–
1 min read
30 DPAs participated in EDPB's 2024 CEF action on the Right of access, involving 1185 controllers. 7 identified challenges like lack of documented procedures and requesting excessive ID docs. And more awareness is needed.
CJEU C-200/23 Agentsia po vpisvaniyata 4 Oct 2024
members
–
6 min read
Tag, you're it! Got personal data --> you're a controller and can't shift accountability to the data subject. Temporary loss of control (e.g. public disclosure) can lead to damage, but harm must be proven. Handwritten signatures = personal data.
CJEU C-169/23 Masdi 28 Nov 2024
members
–
4 min read
The Art. 14(5)(c) derogation applies to *all* data not collected from the data subject, including self-generated. DPAs can, as per Art. 14(5)(c), verify if national law has measures to protect data subjects' legitimate interests, but this doesn’t include assessing Art. 32 security measures.
Rights: Access (DSAR, Right of access)
members
–
3 min read
Added: From 🇩🇪 Berlin DPA's 2023 annual report: DSARs should include "TIA summary or result". Also see 🇩🇰 DPA: no fees allowed, and 🇫🇮 DPA: using a proxy is fine. Got a DSAR? Start here for all things right of access: Article 15 elements table, access request flowchart and key CJEU rulings!
EDPB CEF 2025 topic: right to erasure (right to be forgotten)
members
–
1 min read
🧐 A key aim is to assess how you've implemented the right in practice. The EDPB also mentions that the 2024 CEF action on the right to access report will be adopted in early 2025.
Italy: bank fined €1m and rental company €250k for unclear DPAg and no legal basis
members
–
4 min read
The 🇮🇹 Garante fined a bank €1 million for anti-fraud checks as a processor on behalf of a group company without a legal basis, breaching both Articles 28(3) and 5(1)(a). The rental company was separately fined €250,000, also for an insufficient privacy notice. Here are your key takeaways! 💡
CJEU C-154/21 RW v Österreichische Post (recipients) 12 Jan 2023
members
–
3 min read
You have the right to know the actual identities of the recipients your personal data has been shared with.
EDPB Guidelines 1/2022 Right of access
members
–
3 min read
A snapshot of the EDPB Guidelines dealing with DSARs: Brief overview, key points, and some advice for data protection pros.
Rights: Access (DSAR) - examples
members
–
40 min read
Right of access examples from the EDPB and ICO.
CJEU C-461/22 MK (Professional guardian) 11 Jul 2024
members
–
1 min read
A former legal guardian who acted in a professional capacity is a controller and must comply with the GDPR, including the right of access.