rights - DPO Hub

Rights: Access (DSAR)

members – 3 min read

Added: From 🇩🇪 Berlin DPA's 2023 annual report: DSARs should include "TIA summary or result". Also see 🇩🇰 DPA: no fees allowed, and 🇫🇮 DPA: using a proxy is fine. Got a DSAR? Start here for all things right of access: Article 15 elements table, access request flowchart and key CJEU rulings!

Nov 9, 2024

EDPB CEF 2025 topic: right to erasure (right to be forgotten)

members – 1 min read

🧐 A key aim is to assess how you've implemented the right in practice. The EDPB also mentions that the 2024 CEF action on the right to access report will be adopted in early 2025.

Oct 10, 2024

C-200/23 Agentsia po vpisvaniyata

members – 3 min read

An authority of a commercial register = both recipient and controller. Handwritten signatures = personal data. Temporary loss of control (e.g. public disclosure) can lead to damage, but harm must be proven. And a few more points in today's CJEU ruling!

Oct 4, 2024

Italy: bank fined €1m and rental company €250k for unclear DPAg and no legal basis

members – 4 min read

The 🇮🇹 Garante fined a bank €1 million for anti-fraud checks as a processor on behalf of a group company without a legal basis, breaching both Articles 28(3) and 5(1)(a). The rental company was separately fined €250,000, also for an insufficient privacy notice. Here are your key takeaways! 💡

Aug 21, 2024

CJEU C-154/21 RW v Österreichische Post (recipients)

members – 3 min read

You have the right to know to whom your personal data have been disclosed, with the actual identity of the recipients. (2023 ruling added to Right of access Topic page.)

Aug 16, 2024

EDPB Guidelines 1/2022 Right of access

members – 3 min read

A snapshot of the EDPB Guidelines dealing with DSARs: Brief overview, key points, and some advice for data protection pros.

Jul 19, 2024

Rights: Access (DSAR) - examples

members – 40 min read

Right of access examples from the EDPB and ICO.

Jul 17, 2024

CJEU C-461/22 MK (legal guardian)

members – 1 min read

A former legal guardian who acted in a professional capacity is a controller and must comply with the GDPR, including the right of access.

Jul 14, 2024

Right to object and right to erasure: insights from OSS decisions

members – 2 min read

EDPB SPE project: Article 60 One-Stop-Shop thematic case digest analysing Articles 17 and 21. Key takeaway: Create, document, implement and control policies and procedures, including complaints management. PS: The 'data subject journey' is your secret weapon!

Jul 9, 2024

EDPB Support Pool of Experts (SPE) projects

members – 3 min read

An overview of SPE project so far. Which ones (if any) should you spend time on? (Maybe the OSS case digests.)

Jul 7, 2024

CJEU C-487/21 Österreichische Datenschutzbehörde v CRIF (right to copy)

members – 5 min read

You have the right to a faithful and intelligible copy of all your personal data, even full documents or extracts from documents or databases, if that's crucial for your rights and while respecting others' rights and freedoms.

Jun 14, 2024

AG Medina on the 14(5)(c) derogation (C-169/23 Másdi)

members – 2 min read

Advocate General Opinion: First interpretation of the Art. 14(5)(c) derogation! It applies to all data not collected from the data subject, a DPA can check all conditions of it, and the 'measures' aren't related to Art. 32.

Jun 10, 2024