Data Protection Decisions
Data Protection decisions issued by the Information and Data Protection Commissioner
| Year | Type | Description | Outcome | Corrective Action | Decision |
|---|---|---|---|---|---|
| 2024 | Data protection complaint | The controller infringed article 17(1) of the Regulation, when it failed to erase the personal data of the complainant following the exercise of his right to erasure. | Infringement of article 17 GDPR. | Order to comply with the request of the complainant and permanently erase all personal data pertaining to the complainant, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2024 | Data protection complaint | The controller uploaded two attachments containing chat transcripts to his blog post, which was published on the controller’s website. | The controller failed to demonstrate that the processing of the personal data pertaining to the complainant is proportionate, necessary and justified for reasons of substantial public interest, and, therefore, the processing is deemed to be unlawful. | Order to remove the two attachments from the blog post published on the controller’s website, in terms of article 58(2)(d) GDPR. Moreover, the controller was served with a reprimand pursuant to article 58(2)(b) GDPR. | Click Here |
| 2024 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Ex officio investigation of a data protection case | Publication of personal data on social media | Infringement of article 6(1) of the GDPR | Reprimand and order to erase the personal data pursuant to article 58(2) of the GDPR. | Click Here |
| 2024 | Data Protection Complaint | Lack of signs when processing personal data using hand-held speed cameras. | Infringement of the principle of fairness and regulation 12(1) of Subsidiary Legislation 586.08 | Order to display appropriate signs before the data subjects approach an area where their personal data may be processed. | Click Here |
| 2024 | Data Protection Complaint | Lack of data in relation to health. | Infringement of article 32(1)(b) of the GDPR. | Reprimand and an order to implement the appropriate security measures. | Click Here |
| 2024 | Data Protection Complaint | The publication of a result sheet, which contained the name and identity card number of eligible, interviewed candidates. | Processing is lawful pursuant to article 6(1)(c) of the GDPR. No infringement. | No action to be taken. | Click Here |
| 2024 | Data Protection Complaint | The controller sent a letter which was enclosed in a window envelope that displayed the identity card number of the complainant. | The controller unnecessarily disclosed the identity card number of the complainant to third parties. | None | Click Here |
| 2024 | Data Protection Complaint | The controller sent a text message to the complainant for the purpose of political campaigning. | The controller’s practice of collecting and using data from social media for the purpose of political campaigning, without the knowledge and consent of the complainant, is tantamount to an unfair practice and an infringement of article 6(1) of the GDPR. | The controller deleted the data of the complainant during the course of the investigation. | Click Here |
| 2024 | Data Protection Complaint | The complainant received a phone call from the controller to congratulate him on his birthday, and, consequently, the complainant alleged that the controller unlawfully processed his personal data for political gain. | The Commissioner decided that the processing of the personal data pertaining to the complainant for the purpose of political campaigning, without the knowledge and consent of the complainant, is tantamount to an unfair practice and an infringement of article 6(1) of the GDPR. | By virtue of article 58(2)(d) of the GDPR, the Commissioner ordered the controller to erase all personal data pertaining to the complainant without undue delay and by no later than five (5) working days. | Click Here |
| 2024 | Data Protection Complaint | The complainant stated that the controller published her full name and identity card number on its website even though she is not a scholarship awardee, and therefore, the complainant alleged that the controller is infringing the provisions of the GDPR. | The Commissioner decided that the controller failed to take into account the risks to the rights and freedoms of the data subjects which are presented by the publication of personal data on its website and to effectively demonstrate that the interference with the complainant’s right to the protection of personal data is proportionate. | By virtue of article 58(2)(d) of the GDPR, the Commissioner ordered the controller to remove the list from its website and make the necessary amendments to its regulations within 20 days. | Click Here |
Insert
| Year | Type | Description | Outcome | Corrective Action | Decision |
|---|---|---|---|---|---|
| 2023 | Data protection complaint | The complainant argued that the controller has multiple data protection shortcomings, which were identified when handling a request to exercise the right of access. | Infringement of articles 5(1)(a), 12(1), 12(3), 13, 14, 15(1), 15(3), 24(2) and 38(1) GDPR. | Administrative fine of €2,500.00. | Click Here |
| 2023 | Data protection complaint | Controller has unlawfully accessed the audio taken from the surveillance camera. | Infringement of articles 5(1)(a), 5(1)(b), 5(1)(c) and 6 GDPR. | Administrative fine of €5,000.00. | Click Here |
| 2023 | Data protection complaint | The complainant argued that the controller has refused to rectify her personal data without any valid legal reason. | Infringement of Article 16 GDPR. | Order in terms of article 52(2) GDPR. | Click Here |
| 2023 | Data protection complaint | The complainant argued that the controller disclosed her email address to unauthorised third parties. | Infringement of article 32(1)(b) GDPR. | Reprimand and order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | The complainant argued that the controller took photos of the complainant and other individuals, including a minor whilst they were in her residence. These photos were attached to an affidavit which was filed to a Tribunal. | Infringement of article 6(1) GDPR. | Reprimand and order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | The complainant argued that the controller failed to comply with his right to erasure, by refusing to remove his personal data, published on its website. | The controller was ordered to introduce a ‘no-index’ metatag to the content head HTML of the online page, in a manner to block search engines from indexing such page and make it appear in search results. | Order in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | The complainant argued that the controller failed to comply with his request to delist online search results, pursuant to article 17 of the Regulation. | The controller was ordered to introduce a ‘no-index’ metatag to the content head HTML of the online page, in a manner to block search engines from indexing such page and make it appear in search results. | Order in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | A data subject filed a complaint alleging unauthorised access to his mailbox and failed to provide him access to such mailbox. | No infringement | nil | Click Here |
| 2023 | Data protection complaint | Two data subjects filed a complaint alleging that the controller captured and shared a video with media houses without their consent or authorisation | No infringement | nil | Click Here |
| 2023 | Data protection complaint | A data subject filed a complaint alleging that the controller changed her personal details without her authorisation, and this led to an unauthorised disclosure | Infringement of article 5(1)(f) and 25 of the Regulation. | Reprimand and a ban imposed. | Click Here |
| 2023 | Data Protection complaint | A data subject filed a complaint alleging that an online gaming website transferred his payment information to a third country. | Infringed article 24(1) and 13(1)(f) of the Regulation | Reprimand and order to bring the processing operation into compliance with the provisions of the Regulation. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public access areas and, or spaces. | Infringement of Articles 5(1)(c) and 6(1) GDPR. | Reprimand and order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public access areas and, or spaces. | Infringement of Articles 5(1)(c) and 6(1) GDPR. | Reprimand and order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public access areas and, or spaces. | Infringement of Articles 5(1)(c) and 6(1) GDPR. | Reprimand and orders, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public access areas and, or spaces. | Infringement of Articles 5(1)(c) and 6(1) GDPR. | Reprimand and order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | The complainant argued that the controller disclosed her email address to unauthorised third parties. | Infringement of article 32(1)(b) GDPR. | Reprimand and order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | A data subject filed a complaint alleging that an insurance company is requesting excessive medical information. | Infringed articles 5(1)(c) of the Regulation. | Order to revise the Health Insurance Policy and the Health Insurance Claim Form in such a manner to comply with the principle of data minimisation in terms of article 58(2)(d) of the GDPR. | Click Here |
| 2023 | Data protection complaint | A data subject filed a complaint alleging an infringement of her Rights in terms of Article 12, 13 and 15 of the GDPR. | Infringment of article 15(3) | Reprimand and order to comply in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | The complainant argued that the controller took photos of the complainant and other individuals, including a minor whilst they were in her residence. These photos were attached to an affidavit which was filed to a Tribunal. | Infringement of article 6(1) GDPR. | Reprimand and order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Complaint | A data subject filed a complaint alleging an unauthorised disclosure. | Infringed articles 5(1)(f) and 32(1)(b) of the Regulation. | Reprimand and warned. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data Protection Complaint | A data subject filed a complaint alleging that a supermarket shared a video recording to her employer. | Infringed article 6(1) of the Regulation | Reprimand and warned. | Click Here |
| 2023 | Data protection complaint | Infringement of Article 12(3) GDPR. | Order in terms of article 52(2) GDPR. | ||
| 2023 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | Complainant argued that the controller infringed the GDPR by publishing footage on social media. | Controller removed footage immediately and no further investigation took place. | Reprimand in terms of Article 58(2) GDPR. | |
| 2023 | Data protection complaint | Complainant alleged controller disclosed personal data to third parties without consent. | Inadmissible since the data subject was deceased at the time of disclosure. | None | |
| 2023 | Data protection complaint | Complainant argued that controller unauthorisedly disclosed their personal data to a third party | Inadmissible due to lack of evidence | None | |
| 2023 | Data protection complaint | A data subject filed a right of access request with the controller. Upon receiving the SAR, the controller forwarded the complainant’s data to a third party. | Infringement of article 15 GDPR. | Controller served with reprimand in terms of article 58(2)(b) GDPR. | |
| 2023 | Data protection complaint | The complainant argued that the controller infringed the GDPR and the EU Charter in handling a request to exercise the right to rectification. | The complaint filed their complaint immediately after exercising their right to rectification and prior to the expiry of the statutory period of article 12(3) of the GDPR. The complaint was therefore found inadmissible. | None | |
| 2023 | Data protection complaint | The complainant argued that the controller infringed the GDPR and the EU Charter in handling a request to exercise the right of access. | The complaint’s claims were groundless and the complaint was found inadmissible. | None | |
| 2023 | Data protection complaint | Two data subjects filed a complaint alleging that the controller captured and shared a video with media houses without their consent or authorisation | No infringement | N/A |
| Year | Type | Description | Decision | Corrective Action |
|---|---|---|---|---|
| 2022 | Personal Data Breach | Controller infringed principles of security regarding personal and special categories of data of many data subjects | Infringements of Articles 6(1), 9(1), 9(2), 14, 32(1), 5(1)(f), 33(1) and 34(1) GDPR | Administrative fine of €65,000.00. |
| 2022 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2022 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2022 | Data Protection Complaint | Controller has unlawfully disclosed the complainant's personal data | Infringements of Articles 24(2), 32(1)(b) and 32(4) GDPR | Administrative fine of €2,500.00 |
| 2022 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2022 | Data Protection Complaint | The controller failed to respect the principle of data minimisation by collecting excessive data through a registration form | Infringement of Article 5(1)(c) GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2022 | Data Protection Complaint | The complaint is on the refusal to erase the complainant's personal data from an electronic website | The refusal is justified on the basis of article 17(3)(b) | Complaint has been dismissed in its entirety |
| 2022 | Data Protection Complaint | The controller failed to respect the timeframe prescribed by article 12(3) GDPR to respond the complainant's access request | Infringement of Article 12(3) GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2022 | Data Protection Complaint | The controller infringed the GDPR for having processed the complainant's personal data included in her identity card without a valid legal basis | Infringement of Article 6(1) GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2022 | Data Protection Complaint | The controller failed to inform the complainant that the call between the controller’s employee and the complainant was being recorded | Infringement of Article 13 GDPR | Reprimand, in terms of Article 58.2 GDPR |
| 2022 | Personal Data Breach | Controller infringed principles of security regarding personal data of data subjects and failed to implement appropriate technical and organisational measures | Infringements of Articles 32(1) and 32(2) of the GDPR | Administrative fine of €250,000 in terms of Article 58.2 GDPR |
| 2022 | Personal data breach | The controller was subject to a credential stuffing attack. The attacker may have accessed and viewed the personal data of a very limited number of accounts. | Infringement of article 32 GDPR. | Controller instructed to bring its processing operations into compliance with the provisions of the Regulation in terms of article 58(2)(a). |
| 2022 | Personal data breach | The controller was subject to a brute force attack. The attacker may have accessed and viewed the personal data of a very limited number of accounts. | Infringement of article 32 GDPR. | Controller instructed to bring its processing operations into compliance with the provisions of the Regulation in terms of article 58(2)(a). |
| 2022 | Personal data breach | The controller was subject to a brute force attack. The attacker may have accessed and viewed the personal data of a very limited number of accounts. | Infringement of article 32 GDPR. | Controller instructed to bring its processing operations into compliance with the provisions of the Regulation in terms of article 58(2)(a). |
| 2022 | Personal data breach | Personal data was disclosed to trusted party within the controller’s organization | Infringement of article 32 GDPR | Controller instructed to bring its processing operations into compliance with the provisions of the Regulation in terms of article 58(2)(a). |
| 2022 | Personal data breach | A device containing personal and special categories of data was stolen | Infringement of article 32 GDPR | Controller served with a reprimand in terms of article 58(2)(b) and instructed to bring its processing operations into compliance with the provisions of the Regulation in terms of article 58(2)(a). |
| 2022 | Personal data breach | The controller’s main server was affected by a ransomware which encrypted some personal data | Infringement of article 32 GDPR | Controller served with a reprimand in terms of article 58(2)(b) |
| Year | Type | Description | Decision | Corrective Action |
|---|---|---|---|---|
| 2021 | Data Protection Complaint | The controller sent unsolicited direct marketing electronic communications without using the "blind carbon copy". | Infringement of Article 32.1(b) GDPR and Regulation 9.2 of S.L. 586.01 | Reprimand and warning, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | Unauthorized disclosure of personal data to a third party | Infringement of Article 32.1(b) GDPR | Instructions, in terms of Article 58.2 GDPR |
| 2021 | Data Breach Notification | Policy documents were sent out by postal mail to wrong recipients due to a human mistake of an employee | Infringement of Article 5.1(f) GDPR | Reprimand, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | The controller posted and shared a photograph on social media, disclosing the registration number of the data subject's vehicle | Infringement of Articles 5.1 (c) and 6.1 (f) GDPR | Instructions, in terms of Article 58.2 GDPR |
| 2021 | Data Breach Notification | The controller disclosed personal emails to unauthorised third parties, using "To" field instead of the "blind carbon copy". | Infringement of Articles 5.1 (e)/(f) and 32.1 (b) GDPR | Reprimand, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | Alleged infringement of GDPR when the controller unlawfully leaked data subjects' data to third parties | No evidence which unequivocally demonstrates unauthorised disclosure | Nil |
| 2021 | Data Protection Complaint | Following a formal representation made to a proposed development, the controller published personal details on its website | Infringement of Article 5.1 (a) GDPR | Orders, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | Infrigement of GDPR when the controller unlawfully leaked individuals' data (namely a medical report) to third parties | Infringement of Article 9.2 GDPR | Reprimand, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | Controller disclosed personal data relating to the complainant as a private individual in relation to a holiday trip in 2017, without consent or authorisation | Infringement of Articles 5.1 (a) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | Controller failed to reply a data subject access request within one (1) month of receipt of such request | Infringement of Articles 12.3, 15.1 and 15.3 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | controller failed to implement the appropriate technical and organisational measures to ensure the ongoing confidentiality of the complainant’s personal data | Infringement of Articles 5.1 (f) and 32.1 (b) | Reprimand and warning, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | The controller failed to provide an updated privacy policy on its website at the time of the subject access request. The policy didn't contain the minimum set of information, failing the controller in providing information relating to the processing of personal data pursuant to the transparency. | Infringement of Article 37.7, 5.1 (a), 12.1 | Reprimand, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(a) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | The controller failed to blur data subjects faces when uploading a footage on social media, and additionally, identified the complainant by name as one of the person in the footage, without consent or authorisation | Infringement of Articles 5.1(a) and 6.1 GDPR | Reprimand and warning, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(a) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2021 | Personal Data Breach | Controller infringed the principle of integrity and confidentiality when the complainant's personal data concerning health was disclosed to an unauthorised third party | Infringement of Articles 5.1(f) and 32.1(b) GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | Complainant filed a subject access request, however the identity procedure adopted by the controller imposed an unnecessary burden on the data subject | Infringement of Articles 12.2 and 24.2 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | An employee of the controller unlawfully disclosed the complainant's personal data to an unauthorised manner | Infringement of Articles 5.1(f) and 32.1(b) GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | Controller infringed the principle of integrity and confidentiality when annual maintenance invoices regarding the controller were disclosed to an unauthorised third party | Infringement of Articles 5.1(f) and 32.1(b) GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | Controller published an email address which was inactive and unattended on its website, creating uncertainty amongst the data subjects who tried to file a subject access request | Infringement of Articles 5.1(a) GDPR | Reprimand and warning, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | Controller unlawfully disclosed by email the complainant's personal data to an unauthorised third party. The complainant explicitly indicated that such data should remain private and confidential | Infringement of Articles 5.1(f) and 32.1(b) GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | The controller published a newspaper information notice containing personal data regarding the complainant | No infringement as the processing is necessary for the the purposes of the legitimate interests of controller | Nil |
| 2021 | Data Protection Complaint | The controller published a newspaper information notice containing personal data regarding the complainant | No infringement as the processing is necessary for the the purposes of the legitimate interests of controller | Nil |
| 2021 | Data Protection Complaint | The controller published a newspaper information notice containing personal data regarding the complainant | No infringement as the processing is necessary for the the purposes of the legitimate interests of controller | Nil |
| 2021 | Data Protection Complaint | The controller provided evidence on the action taken upon a subject access request in due time | No infringement and complaint dismissed | Nil |
| 2021 | Data Protection Complaint | The IDPC did not come across any evidence of unauthorised disclosure of the complainant's personal data | No infringement and complaint dismissed | Nil |
| 2021 | Data Protection Complaint | Complaint is against the use of a CCTV camera installed on a property. However, such camera is not capturing public access areas and, or spaces | No infringement as there is no processing of personal data in terms of article 4(2)GDPR | Nil |
| 2021 | Data Protection Complaint | Controller failed to erase the complainant's personal data following the exercise of the right of erasure | Infringement of Article 17.1 GDPR | Reprimand and warning, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | Controller failed to implement the appropriate technical and organisational measures to ensure the ongoing confidentiality of the complainant’s personal data | Infringement of Articles 5.1 (f) and 32.1 (b) GDPR | Reprimand and warning, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | The controller failed to provide the complainant with a copy of certain information which falls within the definition of personal data | Infringement of Article 15 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | The complaint is against the use of a CCTV cameras installed on a property. The controller has a compelling legitimate interst, which is of real existence based on a situation of distress | No infringement in terms of data protection law | Nil |
| 2021 | Data Protection Complaint | The complaint was on the validity and legality of the disciplinary proceedings and other issues of an employment nature | Outside the scope of data protection law and complaint dismissed | Nil |
| 2021 | Data Protection Complaint | The controller failed to provide the complainant with a copy of certain information which falls within the definition of personal data | Infringement of Article 15 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(a) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(a) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(a) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(a) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | Controller failed to erase the complainant's personal data following the exercise of the right of erasure | Infringement of Article 17.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | Controller failed to provide the complainant with a copy of personal data and failed to erase personal data following the exercise of his/her data subject right | Infringements of Articles 12.3, 12.4, 15.1, 15.3 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | Controller accessed personal data concerning the complainant in an unauthorised manner | Infringements of Articles 5.1(b), 5.1(f), and 32.1(b) GDPR | Reprimand and warning, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | The controller failed to comply with a right to data portability request, unless an administrative fee is paid. The controller also failed to demonstrate the manifestly unfounded or excessive character of such request | Infringements of Articles 12(5) and 20 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| Year | Type | Description | Decision | Corrective Action |
|---|---|---|---|---|
| 2020 | Data Protection Complaint | Unauthorized use of personal data leading to employment disciplinary proceedings | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and instructions, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | Personal data contained in a condition report disclosed to other occupants of third party properties | Infringement of Article 5.1(a) GDPR | Reprimand and instructions, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | Installation of CCTV cameras at an establishment without affixing proper signage | Infringement of Articles 13 and 5.1 GDPR | Reprimand and instructions, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | CCTV camera capturing public spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and instructions, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | Processing of personal data without the consent of the data subject | Infringement of Articles 5.1(a) and 6.1 GDPR | Reprimand and instructions, in terms of Article 58.2 GDPR |
| 2020 | Personal Data Breach | Unauthorized disclosure of personal data to a third party | Infringement of Article 5.1(f) GDPR | Reprimand and instructions, in terms of Article 58.2 GDPR |
| 2020 | Personal Data Breach | Hacking attack attempting to access online users', by making use of usernames and passwords originating from a third-party database | Infringement of Article 5. (f) GDPR | Reprimand and instructions, in terms of Article 58.2 GDPR |
| 2020 | Personal Data Breach | Hacking attack attempting to access online users', by making use of usernames and passwords originating from a third-party database | Infringement of Article 5 (f) | Reprimand and instructions, in terms of Article 58.2 GDPR |
| 2020 | Personal Data Breach | Hacking attack using bots attempting to login into users' account | Controller has sufficient and appropriate technical and organisational measures in place | Nil |
| 2020 | Personal Data Breach | Former employee processed the controller's data for own purposes | Infringement of Article 32.1(b) GDPR | Reprimand and instructions, in terms of Article 58.2 GDPR |
| 2020 | Personal Data Breach | Unauthorized disclosure of the complainant's confidential data to an external client | Infringement of Articles 5.1(f) and 32.1(b) GDPR | Administrative fine of €5,000, in terms of Article 58.2 (i) GDPR |
| 2020 | Personal Data Breach | Accidental loss of personal data when a box of documents which contained employment filled-in forms went missing | Infringement of Article 32.1(b) GDPR | Administrative fine of €2,500 and orders, in terms of Article 58.2 GDPR |
| 2020 | Personal Data Breach | Disclosure of personal email addresses to all the recipients of the email | Infringement of Article 32.1(b) GDPR | Administrative fine of €2,500, in terms of Article 58.2 (i) GDPR |
| 2020 | Personal Data Breach | A third party gained unauthorized access to an account held by another individual | Infringement of Article 32.1(b) GDPR | Administrative fine of €2,000, in terms of Article 58.2 (i) GDPR |
| 2020 | Personal Data Breach | Unauthorized disclosure of personal data to third parties | Infringement of Article 5.1(f) GDPR | Reprimand and warning, in terms of Article 58.2 GDPR |
| 2020 | Personal Data Breach | Personal data was erroneously disclosed to an unintended recipient | The remedial action taken by the data controller has mitigated the posed risk | Instructions, in terms of Article 58.2 GDPR |
| 2020 | Personal Data Breach | Disclosure of personal email addresses to all the recipients of the email | Infringement of Articles 5.1(f) and 32.1(b) GDPR | Administrative fine of €2,500, in terms of Article 58.2 (i) GDPR |
| 2020 | Data Protection Complaint | Unsolicited sending of numerous direct marketing electronic communications without consent and right to object request ignored | Infringement of Articles 6,7 and 21 GDPR and regulation 9 of S.L 586.01 | Administrative fine of €15,000 and orders, in terms of Article 58.2 GDPR |
| 2020 | Personal Data Breach | Disclosure of personal email addresses to all the recipients of the email | Infringement of Article 5.1(a) GDPR | Reprimand and warning, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | Personal data undergoing processing was partially provided following a right of access request. Privacy Policy not satisfying the transparency requirements | Infringement of Articles 13 and 15 GDPR | Administrative fine of €20,000, in terms of Article 83.2 GDPR |
| 2020 | Data Protection Complaint | Processing operations not in compliance with transparency requirements | Infringement of Article 13 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | Unsolicited sending of electronic direct marketing communication without consent, privacy policy not in compliance with transparency requirements and right of access request ignored | Infringement of Articles 13 and 15 GDPR and regulation 9 of S.L 586.01 | Administrative fine of €4,000 and orders, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | Unauthorized disclosure of personal data related to health | Infringement of Article 9 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | Advertising showing complainant's mobile number | Infringement of Articles 5.1 and 6 GDPR | Administrative fine of € 3,000 and orders, in terms of Article 58.2 GDPR |
| 2020 | Personal Data Breach | Unauthorised notification letter, with details of third parties printed on the back | Infringement of Articles 5.1(f) and 32.1(b) GDPR | Administrative fine of € 3,000, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | Controller failed to provide information following a right of access request and failed to inform the data subject about a restriction | Infringement of Articles 12.3 and 15.3 GDPR, and regulation 4(e) of S.L. 586.09 | Administrative fine of € 5,000 and orders, in terms of Article 58.2 GDPR. |
| 2020 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Instructions, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | Sharing of an email containing personal data pertaining to the complainant and to his/her daughter with non-authorised recipients | Infringement of Articles 5.1(c), (f), and 32 GDPR | Reprimand and instruction, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | Controller errouneously addressed an envelope cointaining a confidential letter, resulting to the disclosure of complainant's personal data | Infringement of Article 5.1 (f) and 32.1 (b) GDPR | Reprimand and instruction, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | Controller failed to provide the data subject with information about the processing and a copy of his/her personal file | Infringement of Article 15.1 and 15.3 GDPR | Reprimand and instruction, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | Controller failed to provide the data subject with information about the processing and a copy of his personal file | Infringement of Articles 15.1 and 15.3 GDPR | Reprimand and instruction, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | Controller has unlawfully disclosed the complainant's personal data | Infringement of Article 6.1 GDPR | Reprimand and warning, in terms of Article 58.2 GDPR |