Data Protection Decisions
Data Protection decisions issued by the Information and Data Protection Commissioner
| Year | Type | Description | Outcome | Corrective Action | Decision |
|---|---|---|---|---|---|
| 2025 | Data protection complaint | The complainant alleged that the controller failed to handle his request to access all his personal data pursuant to the requirements of the GDPR. | The Commissioner decided that: - the controller failed to inform the complainant about the limitation invoked pursuant to article 15(4) of the GDPR, and therefore, the reply lacked the neccessary elements of transparency and fairness as required by the principles set forth in article 5(1)(a) of the GDPR; and - the reply of the controller failed to include information in relation to the processing activity as set forth in article 15(1)(a) to (h) of the GDPR, save for the information that the personal data of the complainant were not disclosed to third parties; - the controller was not justified to limit the right of access pertaining to the complainant in terms of article 15(4) of the Regulation in relation to the personal data contained in the emails exchanged among the employees of the controller, and therefore, the non-disclosure of this personal data led to an infringement of article 15(3) of the GDPR. | A reprimand and an order to comply with the right of access. | Click Here |
| 2025 | Data protection complaint | The complainant alleged that the controller failed to comply with his request to access his personal data within one (1) month from receipt of the request. In addition, the complainant alleged that the controller unlawfully invoked a restriction vis-a-vis his right to access his personal data. | The Commissioner decided that: the controller failed to provide information to the complainant in relation his request to access his personal data within one (1) month from receipt of the request; and the restriction of the right of the complainant in relation to the request to access his personal data is justified in terms of regulation 4(c) of S.L. 586.09 and regulation 21(1) of S.L. 123.127. | A reprimand for failing to provide a response in a timely manner and an order to develop an appropriate policy for handling data protection requests submitted by data subjects. | Click Here |
| 2025 | Data protection complaint | A data subject filed a complaint, alleging that the controller violated their rights by requesting a copy of their passport and failing to provide the required information. | Infringed Article 13. | To develop an internal procedure or policy. | Click Here |
| 2024 | Data protection complaint | The controller failed to demonstrate that the publication of the complainant’s identity card number is proportionate, necessary and justified for reasons of substantial public interest. | Infringement of article 6(1) GDPR. | Order, in terms of article 58(2)(d) GDPR. | Click Here |
| 2024 | Data protection complaint | A data subject filed a complaint, alleging that the controller violated their rights by failing to comply with their request to access their personal data. | Infringed Article 15. | To provide the data subject with a copy of their transaction history. | Click Here |
| 2025 | Data Protection Complaint | The complainant alleged that the controller sent the complainant’s FS3 Form, which contained the complainant’s personal data, to an unauthorised third party. | The Commissioner decided that while the transmission of the complainant’s FS3 Form to the personal email address of the processor’s employee constitutes a breach of confidentiality, based on the circumstances of the case, the facts established during the investigation, and the mitigating action taken by the controller, the breach was, or is, not likely to result in a risk to the rights and freedoms of the complainant. | N/A | Click here |
| 2025 | Data Protection complaint | CCTV camera capturing public spaces and/or third-party properties. | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2025 | Data protection complaint | During the job application process, the controller’s franchise manager emailed the complainant together with another three candidates without using BCC, exposing email addresses. The Commissioner ruled that while this was a breach of confidentiality, it was unlikely to harm the complainant’s rights and freedoms. | Infringement of article 5(1)(f) GDPR. | N/A | Click Here |
| 2025 | Data protection complaint | Upon checking the electoral register, the complainant discovered that five (5) individuals are registered at his address, and therefore, the complainant alleged that the controller processed inaccurate personal data. | The Commissioner decided that the cancellation of the registration of voters from the Electoral Register is regulated by the provisions of the General Elections Act, and therefore, the data pertaining to the voters in question could not be erased by the controller unless the requirements set forth in article 26 of the General Elections Act are met. | N/A | Click Here |
| 2025 | Data protection complaint | The complainant alleged that there was unauthorised access to his bank account. This was revealed during mediation for his marital separation, during which his wife, through her lawyer, sent a draft agreement indicating his bank account, the account number and the amount in this account. | The Commissioner requested the audit trails from the controller and found no evidence that any employee had accessed the complainant’s bank records. | N/A | Click Here |
| 2025 | Data protection complaint | The complainant alleged that the controller violated her right to rectification under article 16 GDPR. Despite her request to correct her personal data, the controller failed to update her residential address, leading to the disclosure of health reports, compiled the hospital during her procedure, to third parties. Additionally, she alleged that the controller had access to her personal data despite not having any prior relationship. | Infringement of article 5(1)(a), article 5(1)(d), article 6(1), article 14, article 16(1) and article 37(1)(c) GDPR | Pursuant to article 58(2)(b) GDPR, a reprimand was issued regarding the identified infringements. These included the unlawful processing of personal data obtained from a publicly available source, violating the principles of lawfulness, fairness and transparency as set out in article 5(1)(a), article 6(1), and article 14 GDPR. Additionally, there was a failure to rectify inaccurate data in a timely manner, breaching article 5(1)(d) and article 16 GDPR, as well as a failure to designate a DPO, despite being a healthcare provider processing large-scale special category data, in violation of article 37(1)(c) GDPR. Pursuant to article 58(2)(d) GDPR, the controller was ordered to bring processing into compliance by rectifying the complainant’s personal data without undue delay, erasing all personal data obtained from the Electoral Register and appointing a DPO in accordance with article 37 GDPR. Furthermore, 3 administrative fines were imposed under article 58(2)(i): €12,500 for breaching article 5(1)(a), article 6(1) and article 14 GDPR; €5,000 for breaching article 16 GDPR; and €2,500 for breaching article 37(1)(c) GDPR. | Click here |
| 2025 | Data Protection complaint | CCTV camera capturing public spaces and/or third-party properties. | Infringement of article 6(1) and article 5(1)(a) GDPR. | Order, in terms of article 58(2)(f) GDPR. | Click Here |
| 2025 | Data Protection Complaint | The complainant alleged that the controller had failed to provide a full copy of her personal data undergoing processing. | The Commissioner decided that: a) the controller had not informed the complainant of the reason for partially restricting the right of access, and therefore, the controller infringed article 12(4) of the GDPR and regulation 6 of S.L. 586.09; b) the application of the restriction in terms of regulation 4(i) of S.L. 586.09 is a necessary measure, and consequently, justified. | Reprimand in terms of article 58(2)(b) of the GDPR. | Click Here |
| 2025 | Data protection complaint | The complainant alleged that a controller’s employee of the controller accessed his personal data while he was its patient. | The Commissioner found that the employee accessed personal data without authorisation, breaching the controller’s Data Protection Policy. However, the controller had appropriate measures in place, as required by articles 24 and 32 GDPR, and responded swiftly and properly to the incident, including taking disciplinary action against the employee and notifying the data subject. | N/A | Click Here |
| 2025 | Data Protection Complaint | The complainant alleged that after submitting her resignation, the controller sent an email to all its employees informing them of the complainant’s resignation, which also included the personal reasons underlying her decision to resign. The controller argued that the disclosure was lawful in terms of article 6(1)(f) of the Regulation. | The Commissioner decided that the disclosure of the complainant’s personal reasons for resigning was not necessary and therefore, the processing of the complainant’s personal data was not based on a lawful ground in terms of article 6(1) of the Regulation. | To ensure that any future communications to staff concerning an employee’s resignation do not disclose any personal reasons underlying the individual’s decision to resign. | Click Here |
| 2025 | Data Protection complaint | The ID card number of the complainant was found to be linked to another party within the information system of the controller. | The Commissioner found that the inaccurate processing was a result of the incorrect manual inputting of data by the employee of the controller, and therefore, the breach materialised due to a genuine human error, rather than as a systematic shortcoming of the controller. Nonetheless, the Commissioner decided that the controller infringed article 31 of the GDPR for failing to cooperate in a timely manner, which caused an unreasonable delay in concluding the investigation. | Reprimand in terms of article 58(2)(b) of the GDPR. | Click Here |
| Year | Type | Description | Outcome | Corrective Action | Decision |
|---|---|---|---|---|---|
| 2024 | Data protection complaint | The controller infringed article 17(1) of the Regulation, when it failed to erase the personal data of the complainant following the exercise of his right to erasure. | Infringement of article 17 GDPR. | Order to comply with the request of the complainant and permanently erase all personal data pertaining to the complainant, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2024 | Data protection complaint | The controller uploaded two attachments containing chat transcripts to his blog post, which was published on the controller’s website. | The controller failed to demonstrate that the processing of the personal data pertaining to the complainant is proportionate, necessary and justified for reasons of substantial public interest, and, therefore, the processing is deemed to be unlawful. | Order to remove the two attachments from the blog post published on the controller’s website, in terms of article 58(2)(d) GDPR. Moreover, the controller was served with a reprimand pursuant to article 58(2)(b) GDPR. | Click Here |
| 2024 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Ex officio investigation of a data protection case | Publication of personal data on social media | Infringement of article 6(1) of the GDPR | Reprimand and order to erase the personal data pursuant to article 58(2) of the GDPR. | Click Here |
| 2024 | Data Protection Complaint | Lack of signs when processing personal data using hand-held speed cameras. | Infringement of the principle of fairness and regulation 12(1) of Subsidiary Legislation 586.08 | Order to display appropriate signs before the data subjects approach an area where their personal data may be processed. | Click Here |
| 2024 | Data Protection Complaint | Lack of data in relation to health. | Infringement of article 32(1)(b) of the GDPR. | Reprimand and an order to implement the appropriate security measures. | Click Here |
| 2024 | Data Protection Complaint | The publication of a result sheet, which contained the name and identity card number of eligible, interviewed candidates. | Processing is lawful pursuant to article 6(1)(c) of the GDPR. No infringement. | No action to be taken. | Click Here |
| 2024 | Data Protection Complaint | The controller sent a letter which was enclosed in a window envelope that displayed the identity card number of the complainant. | The controller unnecessarily disclosed the identity card number of the complainant to third parties. | None | Click Here |
| 2024 | Data Protection Complaint | The controller sent a text message to the complainant for the purpose of political campaigning. | The controller’s practice of collecting and using data from social media for the purpose of political campaigning, without the knowledge and consent of the complainant, is tantamount to an unfair practice and an infringement of article 6(1) of the GDPR. | The controller deleted the data of the complainant during the course of the investigation. | Click Here |
| 2024 | Data Protection Complaint | The complainant received a phone call from the controller to congratulate him on his birthday, and, consequently, the complainant alleged that the controller unlawfully processed his personal data for political gain. | The Commissioner decided that the processing of the personal data pertaining to the complainant for the purpose of political campaigning, without the knowledge and consent of the complainant, is tantamount to an unfair practice and an infringement of article 6(1) of the GDPR. | By virtue of article 58(2)(d) of the GDPR, the Commissioner ordered the controller to erase all personal data pertaining to the complainant without undue delay and by no later than five (5) working days. | Click Here |
| 2024 | Data Protection Complaint | The complainant stated that the controller published her full name and identity card number on its website even though she is not a scholarship awardee, and therefore, the complainant alleged that the controller is infringing the provisions of the GDPR. | The Commissioner decided that the controller failed to take into account the risks to the rights and freedoms of the data subjects which are presented by the publication of personal data on its website and to effectively demonstrate that the interference with the complainant’s right to the protection of personal data is proportionate. | By virtue of article 58(2)(d) of the GDPR, the Commissioner ordered the controller to remove the list from its website and make the necessary amendments to its regulations within 20 days. | Click Here |
| 2024 | Data Protection Complaint | CCTV camera capturing common parts. | The Commissioner decided that the controller failed to sufficiently demonstrate that the processing operation conducted by means of the camera falls outside the material scope of the Regulation. | By virtue of article 58(2)(f) of the GDPR, the Commissioner ordered the controller to stop the processing operation and to remove the camera with immediate effect, and in any event by not later that (5) five working days from the date of receipt of this decision. | Click Here |
| 2024 | Data Protection Complaint | The complainant alleged that the controller failed to facilitate the exercise of the right to rectification. | The Commissioner decided that the controller did not infringe the provisions of the Regulation, and therefore, dismissed the complaint in its entirety. | None | Click Here |
| 2024 | Data protection complaint | The complainant argued that the controller disclosed his personal data to a third-party company, to conduct a survey. | Infringement of article 28(3) and article 5(2) GDPR. | Reprimand and order, in terms of Article 58(2)(d) GDPR. | Click Here |
| 2024 | Data protection complaint | The complainant argued that the controller sent an email with commercial content, revealing the complainant’s email address and that of over one hundred and eighty (180) other recipients. | Infringement of article 32(1)(b) GDPR. | Reprimand and order, in terms of Article 58(2)(d) GDPR. | Click Here |
| 2024 | Data protection complaint | The complainant argued that following the Commissioner’s legally-binding decision to fulfil the complainant’s Subject Access Request, the controller provided the data subject with a heavily redacted copy of the requested documentation. | The controller’s decision to redact the third parties’ personal data from the requested documentation, is justified under article 15(4) of the Regulation. | Order in terms of Article 58(2)(c) GDPR. | Click Here |
| 2024 | Data protection complaint | The complainant argued that his employer has breached his data protection rights by using his personal email address to communicate with him regarding work-related matters. | Infringement of article 6(1) GDPR. | Reprimand in terms of Article 58(2)(b) GDPR. | Click Here |
| 2024 | Data protection complaint | The controller contacted the complainant through two (2) direct and unsolicited marketing phone calls, even though the controller confirmed through another complaint, previously lodged by the complainant, that her personal data undergoing processing for direct marketing purposes had been erased and her two (2) mobile numbers were barred from the internal systems of the controller. | Infringement of article 21(2) and 5(2) GDPR. | Administrative fine of €15,000. | Click Here |
| 2024 | Data Protection Complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR | Order in terms of Article 58(2) GDPR | Click Here |
| 2024 | Complaint | A data subject filed a complaint alleging that following a subject access request that data provided was not legible | Infringed article 5(1) (a) of the Regulation | Reprimand and warned. | Click Here |
| 2024 | Complaint | A data subject filed a complaint alleging that the controller sent an email to a third party revealing details about the complainant’s outstanding dues. | Infringed article 6(1) of the Regulation | Reprimand and warned. | Click Here |
| 2024 | Complaint | A data subject filed a complaint alleging that the controller disclosed his personal data without a valid legal basis | Infringed article 6(1) of the Regulation | Reprimand and warned. | Click Here |
| 2024 | Complaint | A data subject filed a complaint alleging that the controller disclosed his personal data without a valid legal basis | Infringed article 6(1) and 9 of the Regulation | Reprimand and warned. | Click Here |
| 2024 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2024 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2024 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2024 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2024 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2024 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2024 | Data protection complaint | The controller sent a WhatsApp message to the complainant for the purpose of political campaigning. | The Commissioner decided that the processing of the personal data pertaining to the complainant for the purpose of political campaigning, without the knowledge and consent of the complainant, is tantamount to an unfair practice and an infringement of article 6(1) of the GDPR. | Warning pursuant to article 58(2) of the GDPR. | Click Here |
| 2024 | Data Protection Complaint | The complainant alleged that the controller, a prospective employer disclosed his personal data to his former employer without a valid lawful basis for the purpose of determining his suitability for the role. | The Commissioner decided that the controller failed to effectively demonstrate that the complainant consented to the disclosure of his personal data to the third party or that the processing is lawful in terms of any other legal bases mentioned in article 6(1) of the GDPR, and therefore, this constitutes an infringement of article 5(2), article 6(1) and article 7(1) of the GDPR. | Reprimand in terms of article 58(2)(b) of the GDPR. | Click Here |
| 2024 | Data Protection Complaint | The complainant alleged that the controller unlawfully processed her personal data by means of production cameras whilst the complainant performed her employment duties as a ‘Game Presenter’. | The Commissioner decided that the controller processed the personal data of the complainant in a lawful manner in terms of article 6(1)(f) of the GDPR. | N/A | Click Here |
| 2024 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Data Protection Complaint | The complainant alleged that the controller unlawfully restricted her right of access to personal data, including that of her minor son, pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | The Commissioner decided that the restriction invoked by the controller pursuant to regulation 4(e) of Subsidiary Legislation 586.09 was indeed a necessary and proportionate measure, and, therefore, the complaint was dismissed in its entirety. | N/A | Click Here |
| 2024 | Data Protection Complaint | The complainant alleged that the controller inadvertently sent a copy of her bank account statement to a third party instead of that of her deceased relative. | The Commissioner decided that, whereas the disclosure of the bank account statement of the complainant to the third party constitutes a confidentiality breach, based on the circumstances of the case, the facts established during the course of the investigation and the mitigation action taken by the controller upon being informed about the matter, the breach was, or is unlikely to result in a risk to the rights and freedoms of the complainant. | N/A | Click Here |
| 2024 | Data Protection Complaint | A data subject filed a complaint alleging that the controller sent a newsletter email revealing his email address with other recipients. | Infringed article 32(1)(b) of the Regulation | Reprimand and warned. | Click Here |
| 2024 | Data Protection Complaint | A data subject filed a complaint alleging that the controller unlawfully accessed his bank account and disclosed his personal data with third-party entities. | No infringement. | Dismissed all allegations. | Click Here |
| 2024 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2024 | Data protection complaint | The controller failed to comply with the complainant’s request to remove an online article featuring his personal data, which was published on its online portal in 2011. | The Commissioner ordered the controller to introduce a ‘no-index’ metatag to the content head HTML of the online page subject to this decision, in a manner to block search engines from indexing such page and make it appear in search results. | Reprimand and order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Data Protection Complaint | CCTV cameras capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Orders, in terms of Article 58(2)(d) and Article 58(2)(f). | Click Here |
| 2024 | Data Protection Complaint | The complainant alleged that the controller failed to comply with his request to exercise his right of erasure of personal data in respect of the content of the judgment that was published online on the website of the controller. | The Commissioner decided that there is no valid legal ground in terms of article 17(1)(a) to (f) of the GDPR that enables the erasure of the personal data pertaining to the complainant. However, the Commissioner was of the view that the appropriate balance should be reached between the conflicting interests, and therefore, the Commissioner ordered the controller to introduce a ‘no-index’ metatag to the content head of HTML of the online page subject to the judgment, in a manner to block search engines from indexing such page and make it appear in search results. The Commissioner also decided that the reply of the controller lacked the information about the possibility of lodging a complaint with the supervisory authority and seeking a judicial remedy, and therefore, the controller infringed article 12(4) of the GDPR. | An order to introduce the appropriate technical measure and a reprimand. | Click Here |
| 2024 | Data Protection Complaint | The complainant alleged that the controller had mishandled his personal data and erroneously disclosed such data to a third party. | The Commissioner decided that the controller submitted incorrect data to another controller, and this incident manifested itself as a consequence of a human error stemming from lack of attention exercised by the employee of the controller. Whereas the Commissioner decided that the complainant did not suffer any risks to his fundamental rights and freedoms which warrant the taking of corrective measures against the controller, he nonetheless encourages the controller to ensure that members of staff handling personal data are provided with periodic data protection training. Internal policies and procedures governing the processing of personal data should also be periodically brought to the attention of these employees. A read-and-sign mechanism that they have read and understood the contents of these documents is considered as a best practice approach. | N/A | Click Here |
| 2024 | Data Protection Complaint | The complainant alleged that the controller unlawfully processed information in relation to her trade union membership. | The Commissioner dismissed the complaint in its entirety on the ground that the alleged sole verbal disclosure by the complainant of her trade union membership does not constitute “processing” within the meaning of article 4(2) of the GDPR, read in light of article 2(1) thereof. | N/A | Click Here |
| 2024 | Data Protection Complaint | The complainant alleged that the controller unlawfully processed information in relation to her trade union membership. | The Commissioner decided that the controller processed the information in relation to the trade union membership of the complainant after the trade union communicated such information directly to the controller. Therefore, the processing operation conducted by the controller in relation to the complainant is lawful and the complaint was dismissed in its entirety. | N/A | Click Here |
Insert
| Year | Type | Description | Outcome | Corrective Action | Decision |
|---|---|---|---|---|---|
| 2023 | Data protection complaint | The complainant argued that the controller has multiple data protection shortcomings, which were identified when handling a request to exercise the right of access. | Infringement of articles 5(1)(a), 12(1), 12(3), 13, 14, 15(1), 15(3), 24(2) and 38(1) GDPR. | Administrative fine of €2,500.00. | Click Here |
| 2023 | Data protection complaint | Controller has unlawfully accessed the audio taken from the surveillance camera. | Infringement of articles 5(1)(a), 5(1)(b), 5(1)(c) and 6 GDPR. | Administrative fine of €5,000.00. | Click Here |
| 2023 | Data protection complaint | The complainant argued that the controller has refused to rectify her personal data without any valid legal reason. | Infringement of Article 16 GDPR. | Order in terms of article 52(2) GDPR. | Click Here |
| 2023 | Data protection complaint | The complainant argued that the controller disclosed her email address to unauthorised third parties. | Infringement of article 32(1)(b) GDPR. | Reprimand and order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | The complainant argued that the controller took photos of the complainant and other individuals, including a minor whilst they were in her residence. These photos were attached to an affidavit which was filed to a Tribunal. | Infringement of article 6(1) GDPR. | Reprimand and order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | The complainant argued that the controller failed to comply with his right to erasure, by refusing to remove his personal data, published on its website. | The controller was ordered to introduce a ‘no-index’ metatag to the content head HTML of the online page, in a manner to block search engines from indexing such page and make it appear in search results. | Order in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | The complainant argued that the controller failed to comply with his request to delist online search results, pursuant to article 17 of the Regulation. | The controller was ordered to introduce a ‘no-index’ metatag to the content head HTML of the online page, in a manner to block search engines from indexing such page and make it appear in search results. | Order in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | A data subject filed a complaint alleging unauthorised access to his mailbox and failed to provide him access to such mailbox. | No infringement | nil | Click Here |
| 2023 | Data protection complaint | Two data subjects filed a complaint alleging that the controller captured and shared a video with media houses without their consent or authorisation | No infringement | nil | Click Here |
| 2023 | Data protection complaint | A data subject filed a complaint alleging that the controller changed her personal details without her authorisation, and this led to an unauthorised disclosure | Infringement of article 5(1)(f) and 25 of the Regulation. | Reprimand and a ban imposed. | Click Here |
| 2023 | Data Protection complaint | A data subject filed a complaint alleging that an online gaming website transferred his payment information to a third country. | Infringed article 24(1) and 13(1)(f) of the Regulation | Reprimand and order to bring the processing operation into compliance with the provisions of the Regulation. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public access areas and, or spaces. | Infringement of Articles 5(1)(c) and 6(1) GDPR. | Reprimand and order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public access areas and, or spaces. | Infringement of Articles 5(1)(c) and 6(1) GDPR. | Reprimand and order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public access areas and, or spaces. | Infringement of Articles 5(1)(c) and 6(1) GDPR. | Reprimand and orders, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public access areas and, or spaces. | Infringement of Articles 5(1)(c) and 6(1) GDPR. | Reprimand and order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | The complainant argued that the controller disclosed her email address to unauthorised third parties. | Infringement of article 32(1)(b) GDPR. | Reprimand and order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | A data subject filed a complaint alleging that an insurance company is requesting excessive medical information. | Infringed articles 5(1)(c) of the Regulation. | Order to revise the Health Insurance Policy and the Health Insurance Claim Form in such a manner to comply with the principle of data minimisation in terms of article 58(2)(d) of the GDPR. | Click Here |
| 2023 | Data protection complaint | A data subject filed a complaint alleging an infringement of her Rights in terms of Article 12, 13 and 15 of the GDPR. | Infringment of article 15(3) | Reprimand and order to comply in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | The complainant argued that the controller took photos of the complainant and other individuals, including a minor whilst they were in her residence. These photos were attached to an affidavit which was filed to a Tribunal. | Infringement of article 6(1) GDPR. | Reprimand and order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Complaint | A data subject filed a complaint alleging an unauthorised disclosure. | Infringed articles 5(1)(f) and 32(1)(b) of the Regulation. | Reprimand and warned. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data Protection Complaint | A data subject filed a complaint alleging that a supermarket shared a video recording to her employer. | Infringed article 6(1) of the Regulation | Reprimand and warned. | Click Here |
| 2023 | Data protection complaint | Infringement of Article 12(3) GDPR. | Order in terms of article 52(2) GDPR. | ||
| 2023 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | Complainant argued that the controller infringed the GDPR by publishing footage on social media. | Controller removed footage immediately and no further investigation took place. | Reprimand in terms of Article 58(2) GDPR. | |
| 2023 | Data protection complaint | Complainant alleged controller disclosed personal data to third parties without consent. | Inadmissible since the data subject was deceased at the time of disclosure. | None | |
| 2023 | Data protection complaint | Complainant argued that controller unauthorisedly disclosed their personal data to a third party | Inadmissible due to lack of evidence | None | |
| 2023 | Data protection complaint | A data subject filed a right of access request with the controller. Upon receiving the SAR, the controller forwarded the complainant’s data to a third party. | Infringement of article 15 GDPR. | Controller served with reprimand in terms of article 58(2)(b) GDPR. | |
| 2023 | Data protection complaint | The complainant argued that the controller infringed the GDPR and the EU Charter in handling a request to exercise the right to rectification. | The complaint filed their complaint immediately after exercising their right to rectification and prior to the expiry of the statutory period of article 12(3) of the GDPR. The complaint was therefore found inadmissible. | None | |
| 2023 | Data protection complaint | The complainant argued that the controller infringed the GDPR and the EU Charter in handling a request to exercise the right of access. | The complaint’s claims were groundless and the complaint was found inadmissible. | None | |
| 2023 | Data protection complaint | Two data subjects filed a complaint alleging that the controller captured and shared a video with media houses without their consent or authorisation | No infringement | N/A |
| Year | Type | Description | Decision | Corrective Action |
|---|---|---|---|---|
| 2022 | Personal Data Breach | Controller infringed principles of security regarding personal and special categories of data of many data subjects | Infringements of Articles 6(1), 9(1), 9(2), 14, 32(1), 5(1)(f), 33(1) and 34(1) GDPR | Administrative fine of €65,000.00. |
| 2022 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2022 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2022 | Data Protection Complaint | Controller has unlawfully disclosed the complainant's personal data | Infringements of Articles 24(2), 32(1)(b) and 32(4) GDPR | Administrative fine of €2,500.00 |
| 2022 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2022 | Data Protection Complaint | The controller failed to respect the principle of data minimisation by collecting excessive data through a registration form | Infringement of Article 5(1)(c) GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2022 | Data Protection Complaint | The complaint is on the refusal to erase the complainant's personal data from an electronic website | The refusal is justified on the basis of article 17(3)(b) | Complaint has been dismissed in its entirety |
| 2022 | Data Protection Complaint | The controller failed to respect the timeframe prescribed by article 12(3) GDPR to respond the complainant's access request | Infringement of Article 12(3) GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2022 | Data Protection Complaint | The controller infringed the GDPR for having processed the complainant's personal data included in her identity card without a valid legal basis | Infringement of Article 6(1) GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2022 | Data Protection Complaint | The controller failed to inform the complainant that the call between the controller’s employee and the complainant was being recorded | Infringement of Article 13 GDPR | Reprimand, in terms of Article 58.2 GDPR |
| 2022 | Personal Data Breach | Controller infringed principles of security regarding personal data of data subjects and failed to implement appropriate technical and organisational measures | Infringements of Articles 32(1) and 32(2) of the GDPR | Administrative fine of €250,000 in terms of Article 58.2 GDPR |
| 2022 | Personal data breach | The controller was subject to a credential stuffing attack. The attacker may have accessed and viewed the personal data of a very limited number of accounts. | Infringement of article 32 GDPR. | Controller instructed to bring its processing operations into compliance with the provisions of the Regulation in terms of article 58(2)(a). |
| 2022 | Personal data breach | The controller was subject to a brute force attack. The attacker may have accessed and viewed the personal data of a very limited number of accounts. | Infringement of article 32 GDPR. | Controller instructed to bring its processing operations into compliance with the provisions of the Regulation in terms of article 58(2)(a). |
| 2022 | Personal data breach | The controller was subject to a brute force attack. The attacker may have accessed and viewed the personal data of a very limited number of accounts. | Infringement of article 32 GDPR. | Controller instructed to bring its processing operations into compliance with the provisions of the Regulation in terms of article 58(2)(a). |
| 2022 | Personal data breach | Personal data was disclosed to trusted party within the controller’s organization | Infringement of article 32 GDPR | Controller instructed to bring its processing operations into compliance with the provisions of the Regulation in terms of article 58(2)(a). |
| 2022 | Personal data breach | A device containing personal and special categories of data was stolen | Infringement of article 32 GDPR | Controller served with a reprimand in terms of article 58(2)(b) and instructed to bring its processing operations into compliance with the provisions of the Regulation in terms of article 58(2)(a). |
| 2022 | Personal data breach | The controller’s main server was affected by a ransomware which encrypted some personal data | Infringement of article 32 GDPR | Controller served with a reprimand in terms of article 58(2)(b) |
| Year | Type | Description | Decision | Corrective Action |
|---|---|---|---|---|
| 2021 | Data Protection Complaint | The controller sent unsolicited direct marketing electronic communications without using the "blind carbon copy". | Infringement of Article 32.1(b) GDPR and Regulation 9.2 of S.L. 586.01 | Reprimand and warning, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | Unauthorized disclosure of personal data to a third party | Infringement of Article 32.1(b) GDPR | Instructions, in terms of Article 58.2 GDPR |
| 2021 | Data Breach Notification | Policy documents were sent out by postal mail to wrong recipients due to a human mistake of an employee | Infringement of Article 5.1(f) GDPR | Reprimand, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | The controller posted and shared a photograph on social media, disclosing the registration number of the data subject's vehicle | Infringement of Articles 5.1 (c) and 6.1 (f) GDPR | Instructions, in terms of Article 58.2 GDPR |
| 2021 | Data Breach Notification | The controller disclosed personal emails to unauthorised third parties, using "To" field instead of the "blind carbon copy". | Infringement of Articles 5.1 (e)/(f) and 32.1 (b) GDPR | Reprimand, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | Alleged infringement of GDPR when the controller unlawfully leaked data subjects' data to third parties | No evidence which unequivocally demonstrates unauthorised disclosure | Nil |
| 2021 | Data Protection Complaint | Following a formal representation made to a proposed development, the controller published personal details on its website | Infringement of Article 5.1 (a) GDPR | Orders, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | Infrigement of GDPR when the controller unlawfully leaked individuals' data (namely a medical report) to third parties | Infringement of Article 9.2 GDPR | Reprimand, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | Controller disclosed personal data relating to the complainant as a private individual in relation to a holiday trip in 2017, without consent or authorisation | Infringement of Articles 5.1 (a) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | Controller failed to reply a data subject access request within one (1) month of receipt of such request | Infringement of Articles 12.3, 15.1 and 15.3 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | controller failed to implement the appropriate technical and organisational measures to ensure the ongoing confidentiality of the complainant’s personal data | Infringement of Articles 5.1 (f) and 32.1 (b) | Reprimand and warning, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | The controller failed to provide an updated privacy policy on its website at the time of the subject access request. The policy didn't contain the minimum set of information, failing the controller in providing information relating to the processing of personal data pursuant to the transparency. | Infringement of Article 37.7, 5.1 (a), 12.1 | Reprimand, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(a) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | The controller failed to blur data subjects faces when uploading a footage on social media, and additionally, identified the complainant by name as one of the person in the footage, without consent or authorisation | Infringement of Articles 5.1(a) and 6.1 GDPR | Reprimand and warning, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(a) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2021 | Personal Data Breach | Controller infringed the principle of integrity and confidentiality when the complainant's personal data concerning health was disclosed to an unauthorised third party | Infringement of Articles 5.1(f) and 32.1(b) GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | Complainant filed a subject access request, however the identity procedure adopted by the controller imposed an unnecessary burden on the data subject | Infringement of Articles 12.2 and 24.2 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | An employee of the controller unlawfully disclosed the complainant's personal data to an unauthorised manner | Infringement of Articles 5.1(f) and 32.1(b) GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | Controller infringed the principle of integrity and confidentiality when annual maintenance invoices regarding the controller were disclosed to an unauthorised third party | Infringement of Articles 5.1(f) and 32.1(b) GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | Controller published an email address which was inactive and unattended on its website, creating uncertainty amongst the data subjects who tried to file a subject access request | Infringement of Articles 5.1(a) GDPR | Reprimand and warning, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | Controller unlawfully disclosed by email the complainant's personal data to an unauthorised third party. The complainant explicitly indicated that such data should remain private and confidential | Infringement of Articles 5.1(f) and 32.1(b) GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | The controller published a newspaper information notice containing personal data regarding the complainant | No infringement as the processing is necessary for the the purposes of the legitimate interests of controller | Nil |
| 2021 | Data Protection Complaint | The controller published a newspaper information notice containing personal data regarding the complainant | No infringement as the processing is necessary for the the purposes of the legitimate interests of controller | Nil |
| 2021 | Data Protection Complaint | The controller published a newspaper information notice containing personal data regarding the complainant | No infringement as the processing is necessary for the the purposes of the legitimate interests of controller | Nil |
| 2021 | Data Protection Complaint | The controller provided evidence on the action taken upon a subject access request in due time | No infringement and complaint dismissed | Nil |
| 2021 | Data Protection Complaint | The IDPC did not come across any evidence of unauthorised disclosure of the complainant's personal data | No infringement and complaint dismissed | Nil |
| 2021 | Data Protection Complaint | Complaint is against the use of a CCTV camera installed on a property. However, such camera is not capturing public access areas and, or spaces | No infringement as there is no processing of personal data in terms of article 4(2)GDPR | Nil |
| 2021 | Data Protection Complaint | Controller failed to erase the complainant's personal data following the exercise of the right of erasure | Infringement of Article 17.1 GDPR | Reprimand and warning, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | Controller failed to implement the appropriate technical and organisational measures to ensure the ongoing confidentiality of the complainant’s personal data | Infringement of Articles 5.1 (f) and 32.1 (b) GDPR | Reprimand and warning, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | The controller failed to provide the complainant with a copy of certain information which falls within the definition of personal data | Infringement of Article 15 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | The complaint is against the use of a CCTV cameras installed on a property. The controller has a compelling legitimate interst, which is of real existence based on a situation of distress | No infringement in terms of data protection law | Nil |
| 2021 | Data Protection Complaint | The complaint was on the validity and legality of the disciplinary proceedings and other issues of an employment nature | Outside the scope of data protection law and complaint dismissed | Nil |
| 2021 | Data Protection Complaint | The controller failed to provide the complainant with a copy of certain information which falls within the definition of personal data | Infringement of Article 15 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(a) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(a) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(a) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(a) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | Controller failed to erase the complainant's personal data following the exercise of the right of erasure | Infringement of Article 17.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | Controller failed to provide the complainant with a copy of personal data and failed to erase personal data following the exercise of his/her data subject right | Infringements of Articles 12.3, 12.4, 15.1, 15.3 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | Controller accessed personal data concerning the complainant in an unauthorised manner | Infringements of Articles 5.1(b), 5.1(f), and 32.1(b) GDPR | Reprimand and warning, in terms of Article 58.2 GDPR |
| 2021 | Data Protection Complaint | The controller failed to comply with a right to data portability request, unless an administrative fee is paid. The controller also failed to demonstrate the manifestly unfounded or excessive character of such request | Infringements of Articles 12(5) and 20 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| Year | Type | Description | Decision | Corrective Action |
|---|---|---|---|---|
| 2020 | Data Protection Complaint | Unauthorized use of personal data leading to employment disciplinary proceedings | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and instructions, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | Personal data contained in a condition report disclosed to other occupants of third party properties | Infringement of Article 5.1(a) GDPR | Reprimand and instructions, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | Installation of CCTV cameras at an establishment without affixing proper signage | Infringement of Articles 13 and 5.1 GDPR | Reprimand and instructions, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | CCTV camera capturing public spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and instructions, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | Processing of personal data without the consent of the data subject | Infringement of Articles 5.1(a) and 6.1 GDPR | Reprimand and instructions, in terms of Article 58.2 GDPR |
| 2020 | Personal Data Breach | Unauthorized disclosure of personal data to a third party | Infringement of Article 5.1(f) GDPR | Reprimand and instructions, in terms of Article 58.2 GDPR |
| 2020 | Personal Data Breach | Hacking attack attempting to access online users', by making use of usernames and passwords originating from a third-party database | Infringement of Article 5. (f) GDPR | Reprimand and instructions, in terms of Article 58.2 GDPR |
| 2020 | Personal Data Breach | Hacking attack attempting to access online users', by making use of usernames and passwords originating from a third-party database | Infringement of Article 5 (f) | Reprimand and instructions, in terms of Article 58.2 GDPR |
| 2020 | Personal Data Breach | Hacking attack using bots attempting to login into users' account | Controller has sufficient and appropriate technical and organisational measures in place | Nil |
| 2020 | Personal Data Breach | Former employee processed the controller's data for own purposes | Infringement of Article 32.1(b) GDPR | Reprimand and instructions, in terms of Article 58.2 GDPR |
| 2020 | Personal Data Breach | Unauthorized disclosure of the complainant's confidential data to an external client | Infringement of Articles 5.1(f) and 32.1(b) GDPR | Administrative fine of €5,000, in terms of Article 58.2 (i) GDPR |
| 2020 | Personal Data Breach | Accidental loss of personal data when a box of documents which contained employment filled-in forms went missing | Infringement of Article 32.1(b) GDPR | Administrative fine of €2,500 and orders, in terms of Article 58.2 GDPR |
| 2020 | Personal Data Breach | Disclosure of personal email addresses to all the recipients of the email | Infringement of Article 32.1(b) GDPR | Administrative fine of €2,500, in terms of Article 58.2 (i) GDPR |
| 2020 | Personal Data Breach | A third party gained unauthorized access to an account held by another individual | Infringement of Article 32.1(b) GDPR | Administrative fine of €2,000, in terms of Article 58.2 (i) GDPR |
| 2020 | Personal Data Breach | Unauthorized disclosure of personal data to third parties | Infringement of Article 5.1(f) GDPR | Reprimand and warning, in terms of Article 58.2 GDPR |
| 2020 | Personal Data Breach | Personal data was erroneously disclosed to an unintended recipient | The remedial action taken by the data controller has mitigated the posed risk | Instructions, in terms of Article 58.2 GDPR |
| 2020 | Personal Data Breach | Disclosure of personal email addresses to all the recipients of the email | Infringement of Articles 5.1(f) and 32.1(b) GDPR | Administrative fine of €2,500, in terms of Article 58.2 (i) GDPR |
| 2020 | Data Protection Complaint | Unsolicited sending of numerous direct marketing electronic communications without consent and right to object request ignored | Infringement of Articles 6,7 and 21 GDPR and regulation 9 of S.L 586.01 | Administrative fine of €15,000 and orders, in terms of Article 58.2 GDPR |
| 2020 | Personal Data Breach | Disclosure of personal email addresses to all the recipients of the email | Infringement of Article 5.1(a) GDPR | Reprimand and warning, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | Personal data undergoing processing was partially provided following a right of access request. Privacy Policy not satisfying the transparency requirements | Infringement of Articles 13 and 15 GDPR | Administrative fine of €20,000, in terms of Article 83.2 GDPR |
| 2020 | Data Protection Complaint | Processing operations not in compliance with transparency requirements | Infringement of Article 13 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | Unsolicited sending of electronic direct marketing communication without consent, privacy policy not in compliance with transparency requirements and right of access request ignored | Infringement of Articles 13 and 15 GDPR and regulation 9 of S.L 586.01 | Administrative fine of €4,000 and orders, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | Unauthorized disclosure of personal data related to health | Infringement of Article 9 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | Advertising showing complainant's mobile number | Infringement of Articles 5.1 and 6 GDPR | Administrative fine of € 3,000 and orders, in terms of Article 58.2 GDPR |
| 2020 | Personal Data Breach | Unauthorised notification letter, with details of third parties printed on the back | Infringement of Articles 5.1(f) and 32.1(b) GDPR | Administrative fine of € 3,000, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | Controller failed to provide information following a right of access request and failed to inform the data subject about a restriction | Infringement of Articles 12.3 and 15.3 GDPR, and regulation 4(e) of S.L. 586.09 | Administrative fine of € 5,000 and orders, in terms of Article 58.2 GDPR. |
| 2020 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Instructions, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | Sharing of an email containing personal data pertaining to the complainant and to his/her daughter with non-authorised recipients | Infringement of Articles 5.1(c), (f), and 32 GDPR | Reprimand and instruction, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | Controller errouneously addressed an envelope cointaining a confidential letter, resulting to the disclosure of complainant's personal data | Infringement of Article 5.1 (f) and 32.1 (b) GDPR | Reprimand and instruction, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | Controller failed to provide the data subject with information about the processing and a copy of his/her personal file | Infringement of Article 15.1 and 15.3 GDPR | Reprimand and instruction, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | Controller failed to provide the data subject with information about the processing and a copy of his personal file | Infringement of Articles 15.1 and 15.3 GDPR | Reprimand and instruction, in terms of Article 58.2 GDPR |
| 2020 | Data Protection Complaint | Controller has unlawfully disclosed the complainant's personal data | Infringement of Article 6.1 GDPR | Reprimand and warning, in terms of Article 58.2 GDPR |