rights - DPO Hub

EDPB press release: Right of access CEF 2024 report

members – 1 min read

30 DPAs participated in EDPB's 2024 CEF action on the Right of access, involving 1185 controllers. 7 identified challenges like lack of documented procedures and requesting excessive ID docs. More awareness needed!

Jan 20, 2025

EDPB Support Pool of Experts (SPE) projects

members – 3 min read

An overview of SPE project so far. Which ones (if any) should you spend time on? Maybe the OSS case digests. New one added on 17 Jan regarding the Right of access.

Jan 17, 2025

CJEU C-200/23 Agentsia po vpisvaniyata 4 Oct 2024

members – 6 min read

Tag, you're it! Got personal data --> you're a controller and can't shift accountability to the data subject. Temporary loss of control (e.g. public disclosure) can lead to damage, but harm must be proven. Handwritten signatures = personal data.

Dec 28, 2024

CJEU C-169/23 Masdi 28 Nov 2024

members – 4 min read

The Art. 14(5)(c) derogation applies to *all* data not collected from the data subject, including self-generated. DPAs can, as per Art. 14(5)(c), verify if national law has measures to protect data subjects' legitimate interests, but this doesn’t include assessing Art. 32 security measures.

Nov 28, 2024

Rights: Access (DSAR)

members – 3 min read

Added: From 🇩🇪 Berlin DPA's 2023 annual report: DSARs should include "TIA summary or result". Also see 🇩🇰 DPA: no fees allowed, and 🇫🇮 DPA: using a proxy is fine. Got a DSAR? Start here for all things right of access: Article 15 elements table, access request flowchart and key CJEU rulings!

Nov 9, 2024

EDPB CEF 2025 topic: right to erasure (right to be forgotten)

members – 1 min read

🧐 A key aim is to assess how you've implemented the right in practice. The EDPB also mentions that the 2024 CEF action on the right to access report will be adopted in early 2025.

Oct 10, 2024

Italy: bank fined €1m and rental company €250k for unclear DPAg and no legal basis

members – 4 min read

The 🇮🇹 Garante fined a bank €1 million for anti-fraud checks as a processor on behalf of a group company without a legal basis, breaching both Articles 28(3) and 5(1)(a). The rental company was separately fined €250,000, also for an insufficient privacy notice. Here are your key takeaways! 💡

Aug 21, 2024

CJEU C-154/21 RW v Österreichische Post (recipients) 12 Jan 2023

members – 3 min read

You have the right to know the actual identities of the recipients your personal data has been shared with.

Aug 16, 2024

EDPB Guidelines 1/2022 Right of access

members – 3 min read

A snapshot of the EDPB Guidelines dealing with DSARs: Brief overview, key points, and some advice for data protection pros.

Jul 19, 2024

Rights: Access (DSAR) - examples

members – 40 min read

Right of access examples from the EDPB and ICO.

Jul 17, 2024

CJEU C-461/22 MK (Professional guardian) 11 Jul 2024

members – 1 min read

A former legal guardian who acted in a professional capacity is a controller and must comply with the GDPR, including the right of access.

Jul 14, 2024

Right to object and right to erasure: insights from OSS decisions

members – 2 min read

EDPB SPE project: Article 60 One-Stop-Shop thematic case digest analysing Articles 17 and 21. Key takeaway: Create, document, implement and control policies and procedures, including complaints management. PS: The 'data subject journey' is your secret weapon!

Jul 9, 2024