Data Protection Decisions

Data Protection decisions issued by the Information and Data Protection Commissioner

| Year | Type | Description | Outcome | Corrective Action | Decision |
|---|---|---|---|---|---|
| 2024 | Data protection complaint | The controller infringed article 17(1) of the Regulation, when it failed to erase the personal data of the complainant following the exercise of his right to erasure. | Infringement of article 17 GDPR. | Order to comply with the request of the complainant and permanently erase all personal data pertaining to the complainant, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2024 | Data protection complaint | The controller uploaded two attachments containing chat transcripts to his blog post, which was published on the controller’s website. | The controller failed to demonstrate that the processing of the personal data pertaining to the complainant is proportionate, necessary and justified for reasons of substantial public interest, and, therefore, the processing is deemed to be unlawful. | Order to remove the two attachments from the blog post published on the controller’s website, in terms of article 58(2)(d) GDPR. Moreover, the controller was served with a reprimand pursuant to article 58(2)(b) GDPR. | Click Here |
| 2024 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Ex officio investigation of a data protection case | Publication of personal data on social media | Infringement of article 6(1) of the GDPR | Reprimand and order to erase the personal data pursuant to article 58(2) of the GDPR. | Click Here |
| 2024 | Data Protection Complaint | Lack of signs when processing personal data using hand-held speed cameras. | Infringement of the principle of fairness and regulation 12(1) of Subsidiary Legislation 586.08 | Order to display appropriate signs before the data subjects approach an area where their personal data may be processed. | Click Here |
| 2024 | Data Protection Complaint | Lack of data in relation to health. | Infringement of article 32(1)(b) of the GDPR. | Reprimand and an order to implement the appropriate security measures. | Click Here |
| 2024 | Data Protection Complaint | The publication of a result sheet, which contained the name and identity card number of eligible, interviewed candidates. | Processing is lawful pursuant to article 6(1)(c) of the GDPR. No infringement. | No action to be taken. | Click Here |
| 2024 | Data Protection Complaint | The controller sent a letter which was enclosed in a window envelope that displayed the identity card number of the complainant. | The controller unnecessarily disclosed the identity card number of the complainant to third parties. | None | Click Here |
| 2024 | Data Protection Complaint | The controller sent a text message to the complainant for the purpose of political campaigning. | The controller’s practice of collecting and using data from social media for the purpose of political campaigning, without the knowledge and consent of the complainant, is tantamount to an unfair practice and an infringement of article 6(1) of the GDPR. | The controller deleted the data of the complainant during the course of the investigation. | Click Here |
| 2024 | Data Protection Complaint | The complainant received a phone call from the controller to congratulate him on his birthday, and, consequently, the complainant alleged that the controller unlawfully processed his personal data for political gain. | The Commissioner decided that the processing of the personal data pertaining to the complainant for the purpose of political campaigning, without the knowledge and consent of the complainant, is tantamount to an unfair practice and an infringement of article 6(1) of the GDPR. | By virtue of article 58(2)(d) of the GDPR, the Commissioner ordered the controller to erase all personal data pertaining to the complainant without undue delay and by no later than five (5) working days. | Click Here |
| 2024 | Data Protection Complaint | The complainant stated that the controller published her full name and identity card number on its website even though she is not a scholarship awardee, and therefore, the complainant alleged that the controller is infringing the provisions of the GDPR. | The Commissioner decided that the controller failed to take into account the risks to the rights and freedoms of the data subjects which are presented by the publication of personal data on its website and to effectively demonstrate that the interference with the complainant’s right to the protection of personal data is proportionate. | By virtue of article 58(2)(d) of the GDPR, the Commissioner ordered the controller to remove the list from its website and make the necessary amendments to its regulations within 20 days. | Click Here |
| 2024 | Data Protection Complaint | CCTV camera capturing common parts. | The Commissioner decided that the controller failed to sufficiently demonstrate that the processing operation conducted by means of the camera falls outside the material scope of the Regulation. | By virtue of article 58(2)(f) of the GDPR, the Commissioner ordered the controller to stop the processing operation and to remove the camera with immediate effect, and in any event by not later than five (5) working days from the date of receipt of this decision. | Click Here |
| 2024 | Data Protection Complaint | The complainant alleged that the controller failed to facilitate the exercise of the right to rectification. | The Commissioner decided that the controller did not infringe the provisions of the Regulation, and therefore, dismissed the complaint in its entirety. | None | Click Here |
| 2024 | Data protection complaint | The complainant argued that the controller disclosed his personal data to a third-party company, to conduct a survey. | Infringement of article 28(3) and article 5(2) GDPR. | Reprimand and order, in terms of Article 58(2)(d) GDPR. | Click Here |
| 2024 | Data protection complaint | The complainant argued that the controller sent an email with commercial content, revealing the complainant’s email address and that of over one hundred and eighty (180) other recipients. | Infringement of article 32(1)(b) GDPR. | Reprimand and order, in terms of Article 58(2)(d) GDPR. | Click Here |
| 2024 | Data protection complaint | The complainant argued that following the Commissioner’s legally-binding decision to fulfil the complainant’s Subject Access Request, the controller provided the data subject with a heavily redacted copy of the requested documentation. | The controller’s decision to redact the third parties’ personal data from the requested documentation is justified under article 15(4) of the Regulation. | Order in terms of Article 58(2)(c) GDPR. | Click Here |
| 2024 | Data protection complaint | The complainant argued that his employer has breached his data protection rights by using his personal email address to communicate with him regarding work-related matters. | Infringement of article 6(1) GDPR. | Reprimand in terms of Article 58(2)(b) GDPR. | Click Here |
| 2024 | Data protection complaint | The controller contacted the complainant through two (2) direct and unsolicited marketing phone calls, even though the controller confirmed through another complaint, previously lodged by the complainant, that her personal data undergoing processing for direct marketing purposes had been erased and her two (2) mobile numbers were barred from the internal systems of the controller. | Infringement of article 21(2) and 5(2) GDPR. | Administrative fine of €15,000. | Click Here |
| 2024 | Data Protection Complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR | Order in terms of Article 58(2) GDPR | Click Here |
| 2024 | Complaint | A data subject filed a complaint alleging that, following a subject access request, the data provided was not legible | Infringed article 5(1)(a) of the Regulation | Reprimand and warned. | Click Here |
| 2024 | Complaint | A data subject filed a complaint alleging that the controller sent an email to a third party revealing details about the complainant’s outstanding dues. | Infringed article 6(1) of the Regulation | Reprimand and warned. | Click Here |
| 2024 | Complaint | A data subject filed a complaint alleging that the controller disclosed his personal data without a valid legal basis | Infringed article 6(1) of the Regulation | Reprimand and warned. | Click Here |
| 2024 | Complaint | A data subject filed a complaint alleging that the controller disclosed his personal data without a valid legal basis | Infringed article 6(1) and 9 of the Regulation | Reprimand and warned. | Click Here |
| 2024 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2024 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2024 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2024 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2024 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2024 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2024 | Data protection complaint | The controller sent a WhatsApp message to the complainant for the purpose of political campaigning. | The Commissioner decided that the processing of the personal data pertaining to the complainant for the purpose of political campaigning, without the knowledge and consent of the complainant, is tantamount to an unfair practice and an infringement of article 6(1) of the GDPR. | Warning pursuant to article 58(2) of the GDPR. | Click Here |
| 2024 | Data Protection Complaint | The complainant alleged that the controller, a prospective employer, disclosed his personal data to his former employer without a valid lawful basis for the purpose of determining his suitability for the role. | The Commissioner decided that the controller failed to effectively demonstrate that the complainant consented to the disclosure of his personal data to the third party or that the processing is lawful in terms of any other legal bases mentioned in article 6(1) of the GDPR, and therefore, this constitutes an infringement of article 5(2), article 6(1) and article 7(1) of the GDPR. | Reprimand in terms of article 58(2)(b) of the GDPR. | Click Here |
| 2024 | Data Protection Complaint | The complainant alleged that the controller unlawfully processed her personal data by means of production cameras whilst the complainant performed her employment duties as a ‘Game Presenter’. | The Commissioner decided that the controller processed the personal data of the complainant in a lawful manner in terms of article 6(1)(f) of the GDPR. | N/A | Click Here |
| 2024 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2024 | Data Protection Complaint | The complainant alleged that the controller unlawfully restricted her right of access to personal data, including that of her minor son, pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | The Commissioner decided that the restriction invoked by the controller pursuant to regulation 4(e) of Subsidiary Legislation 586.09 was indeed a necessary and proportionate measure, and, therefore, the complaint was dismissed in its entirety. | N/A | Click Here |
| 2024 | Data Protection Complaint | The complainant alleged that the controller inadvertently sent a copy of her bank account statement to a third party instead of that of her deceased relative. | The Commissioner decided that, whereas the disclosure of the bank account statement of the complainant to the third party constitutes a confidentiality breach, based on the circumstances of the case, the facts established during the course of the investigation and the mitigation action taken by the controller upon being informed about the matter, the breach was, or is unlikely to result in a risk to the rights and freedoms of the complainant. | N/A | Click Here |
| 2024 | Data Protection Complaint | A data subject filed a complaint alleging that the controller sent a newsletter email revealing his email address to other recipients. | Infringed article 32(1)(b) of the Regulation | Reprimand and warned. | Click Here |
| 2024 | Data Protection Complaint | A data subject filed a complaint alleging that the controller unlawfully accessed his bank account and disclosed his personal data to third-party entities. | No infringement. | Dismissed all allegations. | Click Here |
| 2024 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2024 | Data protection complaint | The controller failed to comply with the complainant’s request to remove an online article featuring his personal data, which was published on its online portal in 2011. | The Commissioner ordered the controller to introduce a ‘no-index’ metatag to the content head HTML of the online page subject to this decision, so as to block search engines from indexing the page and making it appear in search results. | Reprimand and order, in terms of Article 58(2) GDPR. | Click Here |

| Year | Type | Description | Outcome | Corrective Action | Decision |
|---|---|---|---|---|---|
| 2023 | Data protection complaint | The complainant argued that the controller has multiple data protection shortcomings, which were identified when handling a request to exercise the right of access. | Infringement of articles 5(1)(a), 12(1), 12(3), 13, 14, 15(1), 15(3), 24(2) and 38(1) GDPR. | Administrative fine of €2,500.00. | Click Here |
| 2023 | Data protection complaint | Controller has unlawfully accessed the audio taken from the surveillance camera. | Infringement of articles 5(1)(a), 5(1)(b), 5(1)(c) and 6 GDPR. | Administrative fine of €5,000.00. | Click Here |
| 2023 | Data protection complaint | The complainant argued that the controller has refused to rectify her personal data without any valid legal reason. | Infringement of Article 16 GDPR. | Order in terms of article 52(2) GDPR. | Click Here |
| 2023 | Data protection complaint | The complainant argued that the controller disclosed her email address to unauthorised third parties. | Infringement of article 32(1)(b) GDPR. | Reprimand and order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | The complainant argued that the controller took photos of the complainant and other individuals, including a minor, whilst they were in her residence. These photos were attached to an affidavit which was filed to a Tribunal. | Infringement of article 6(1) GDPR. | Reprimand and order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | The complainant argued that the controller failed to comply with his right to erasure, by refusing to remove his personal data, published on its website. | The controller was ordered to introduce a ‘no-index’ metatag to the content head HTML of the online page, so as to block search engines from indexing the page and making it appear in search results. | Order in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | The complainant argued that the controller failed to comply with his request to delist online search results, pursuant to article 17 of the Regulation. | The controller was ordered to introduce a ‘no-index’ metatag to the content head HTML of the online page, so as to block search engines from indexing the page and making it appear in search results. | Order in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | A data subject filed a complaint alleging unauthorised access to his mailbox and a failure to provide him access to such mailbox. | No infringement | nil | Click Here |
| 2023 | Data protection complaint | Two data subjects filed a complaint alleging that the controller captured and shared a video with media houses without their consent or authorisation | No infringement | nil | Click Here |
| 2023 | Data protection complaint | A data subject filed a complaint alleging that the controller changed her personal details without her authorisation, and this led to an unauthorised disclosure | Infringement of article 5(1)(f) and 25 of the Regulation. | Reprimand and a ban imposed. | Click Here |
| 2023 | Data Protection complaint | A data subject filed a complaint alleging that an online gaming website transferred his payment information to a third country. | Infringed article 24(1) and 13(1)(f) of the Regulation | Reprimand and order to bring the processing operation into compliance with the provisions of the Regulation. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public access areas and, or spaces. | Infringement of Articles 5(1)(c) and 6(1) GDPR. | Reprimand and order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public access areas and, or spaces. | Infringement of Articles 5(1)(c) and 6(1) GDPR. | Reprimand and order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public access areas and, or spaces. | Infringement of Articles 5(1)(c) and 6(1) GDPR. | Reprimand and orders, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public access areas and, or spaces. | Infringement of Articles 5(1)(c) and 6(1) GDPR. | Reprimand and order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | The complainant argued that the controller disclosed her email address to unauthorised third parties. | Infringement of article 32(1)(b) GDPR. | Reprimand and order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | A data subject filed a complaint alleging that an insurance company is requesting excessive medical information. | Infringed article 5(1)(c) of the Regulation. | Order to revise the Health Insurance Policy and the Health Insurance Claim Form in such a manner to comply with the principle of data minimisation in terms of article 58(2)(d) of the GDPR. | Click Here |
| 2023 | Data protection complaint | A data subject filed a complaint alleging an infringement of her rights in terms of Article 12, 13 and 15 of the GDPR. | Infringement of article 15(3) | Reprimand and order to comply in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | The complainant argued that the controller took photos of the complainant and other individuals, including a minor, whilst they were in her residence. These photos were attached to an affidavit which was filed to a Tribunal. | Infringement of article 6(1) GDPR. | Reprimand and order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Complaint | A data subject filed a complaint alleging an unauthorised disclosure. | Infringed articles 5(1)(f) and 32(1)(b) of the Regulation. | Reprimand and warned. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data protection complaint | The controller failed to comply with the complainant’s request to access their personal data, by invoking a restriction pursuant to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09. | Infringement of article 15 GDPR. | Reprimand and order, in terms of Article 58(2)(c) GDPR. | Click Here |
| 2023 | Data Protection Complaint | A data subject filed a complaint alleging that a supermarket shared a video recording with her employer. | Infringed article 6(1) of the Regulation | Reprimand and warned. | Click Here |
| 2023 | Data protection complaint | | Infringement of Article 12(3) GDPR. | Order in terms of article 52(2) GDPR. | |
| 2023 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | CCTV camera capturing public spaces and/or third-party properties | Infringement of Article 6(1) GDPR. | Order, in terms of Article 58(2) GDPR. | Click Here |
| 2023 | Data protection complaint | Complainant argued that the controller infringed the GDPR by publishing footage on social media. | Controller removed footage immediately and no further investigation took place. | Reprimand in terms of Article 58(2) GDPR. | |
| 2023 | Data protection complaint | Complainant alleged controller disclosed personal data to third parties without consent. | Inadmissible since the data subject was deceased at the time of disclosure. | None | |
| 2023 | Data protection complaint | Complainant argued that controller unauthorisedly disclosed their personal data to a third party | Inadmissible due to lack of evidence | None | |
| 2023 | Data protection complaint | A data subject filed a right of access request with the controller. Upon receiving the SAR, the controller forwarded the complainant’s data to a third party. | Infringement of article 15 GDPR. | Controller served with reprimand in terms of article 58(2)(b) GDPR. | |
| 2023 | Data protection complaint | The complainant argued that the controller infringed the GDPR and the EU Charter in handling a request to exercise the right to rectification. | The complainant filed their complaint immediately after exercising their right to rectification and prior to the expiry of the statutory period of article 12(3) of the GDPR. The complaint was therefore found inadmissible. | None | |
| 2023 | Data protection complaint | The complainant argued that the controller infringed the GDPR and the EU Charter in handling a request to exercise the right of access. | The complaint’s claims were groundless and the complaint was found inadmissible. | None | |
| 2023 | Data protection complaint | Two data subjects filed a complaint alleging that the controller captured and shared a video with media houses without their consent or authorisation | No infringement | N/A | |

Year | Type | Description | Decision | Corrective Action
2022 | Personal Data Breach | Controller infringed principles of security regarding personal and special categories of data of many data subjects | Infringements of Articles 6(1), 9(1), 9(2), 14, 32(1), 5(1)(f), 33(1) and 34(1) GDPR | Administrative fine of €65,000.00.
2022 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR
2022 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR
2022 | Data Protection Complaint | Controller has unlawfully disclosed the complainant's personal data | Infringements of Articles 24(2), 32(1)(b) and 32(4) GDPR | Administrative fine of €2,500.00
2022 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR
2022 | Data Protection Complaint | The controller failed to respect the principle of data minimisation by collecting excessive data through a registration form | Infringement of Article 5(1)(c) GDPR | Reprimand and orders, in terms of Article 58.2 GDPR
2022 | Data Protection Complaint | The complaint is on the refusal to erase the complainant's personal data from an electronic website | The refusal is justified on the basis of article 17(3)(b) | Complaint has been dismissed in its entirety
2022 | Data Protection Complaint | The controller failed to respect the timeframe prescribed by article 12(3) GDPR to respond to the complainant's access request | Infringement of Article 12(3) GDPR | Reprimand and orders, in terms of Article 58.2 GDPR
2022 | Data Protection Complaint | The controller infringed the GDPR for having processed the complainant's personal data included in her identity card without a valid legal basis | Infringement of Article 6(1) GDPR | Reprimand and orders, in terms of Article 58.2 GDPR
2022 | Data Protection Complaint | The controller failed to inform the complainant that the call between the controller’s employee and the complainant was being recorded | Infringement of Article 13 GDPR | Reprimand, in terms of Article 58.2 GDPR
2022 | Personal Data Breach | Controller infringed principles of security regarding personal data of data subjects and failed to implement appropriate technical and organisational measures | Infringements of Articles 32(1) and 32(2) of the GDPR | Administrative fine of €250,000 in terms of Article 58.2 GDPR
2022 | Personal data breach | The controller was subject to a credential stuffing attack. The attacker may have accessed and viewed the personal data of a very limited number of accounts. | Infringement of article 32 GDPR. | Controller instructed to bring its processing operations into compliance with the provisions of the Regulation in terms of article 58(2)(a).
2022 | Personal data breach | The controller was subject to a brute force attack. The attacker may have accessed and viewed the personal data of a very limited number of accounts. | Infringement of article 32 GDPR. | Controller instructed to bring its processing operations into compliance with the provisions of the Regulation in terms of article 58(2)(a).
2022 | Personal data breach | The controller was subject to a brute force attack. The attacker may have accessed and viewed the personal data of a very limited number of accounts. | Infringement of article 32 GDPR. | Controller instructed to bring its processing operations into compliance with the provisions of the Regulation in terms of article 58(2)(a).
2022 | Personal data breach | Personal data was disclosed to a trusted party within the controller’s organization | Infringement of article 32 GDPR | Controller instructed to bring its processing operations into compliance with the provisions of the Regulation in terms of article 58(2)(a).
2022 | Personal data breach | A device containing personal and special categories of data was stolen | Infringement of article 32 GDPR | Controller served with a reprimand in terms of article 58(2)(b) and instructed to bring its processing operations into compliance with the provisions of the Regulation in terms of article 58(2)(a).
2022 | Personal data breach | The controller’s main server was affected by ransomware which encrypted some personal data | Infringement of article 32 GDPR | Controller served with a reprimand in terms of article 58(2)(b)
Year | Type | Description | Decision | Corrective Action
2021 | Data Protection Complaint | The controller sent unsolicited direct marketing electronic communications without using the "blind carbon copy". | Infringement of Article 32.1(b) GDPR and Regulation 9.2 of S.L. 586.01 | Reprimand and warning, in terms of Article 58.2 GDPR
2021 | Data Protection Complaint | Unauthorized disclosure of personal data to a third party | Infringement of Article 32.1(b) GDPR | Instructions, in terms of Article 58.2 GDPR
2021 | Data Breach Notification | Policy documents were sent out by postal mail to wrong recipients due to a human mistake of an employee | Infringement of Article 5.1(f) GDPR | Reprimand, in terms of Article 58.2 GDPR
2021 | Data Protection Complaint | The controller posted and shared a photograph on social media, disclosing the registration number of the data subject's vehicle | Infringement of Articles 5.1 (c) and 6.1 (f) GDPR | Instructions, in terms of Article 58.2 GDPR
2021 | Data Breach Notification | The controller disclosed personal emails to unauthorised third parties, using "To" field instead of the "blind carbon copy". | Infringement of Articles 5.1 (e)/(f) and 32.1 (b) GDPR | Reprimand, in terms of Article 58.2 GDPR
2021 | Data Protection Complaint | Alleged infringement of GDPR when the controller unlawfully leaked data subjects' data to third parties | No evidence which unequivocally demonstrates unauthorised disclosure | Nil
2021 | Data Protection Complaint | Following a formal representation made to a proposed development, the controller published personal details on its website | Infringement of Article 5.1 (a) GDPR | Orders, in terms of Article 58.2 GDPR
2021 | Data Protection Complaint | Infringement of GDPR when the controller unlawfully leaked individuals' data (namely a medical report) to third parties | Infringement of Article 9.2 GDPR | Reprimand, in terms of Article 58.2 GDPR
2021 | Data Protection Complaint | Controller disclosed personal data relating to the complainant as a private individual in relation to a holiday trip in 2017, without consent or authorisation | Infringement of Articles 5.1 (a) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR
2021 | Data Protection Complaint | Controller failed to reply to a data subject access request within one (1) month of receipt of such request | Infringement of Articles 12.3, 15.1 and 15.3 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR
2021 | Data Protection Complaint | Controller failed to implement the appropriate technical and organisational measures to ensure the ongoing confidentiality of the complainant’s personal data | Infringement of Articles 5.1 (f) and 32.1 (b) | Reprimand and warning, in terms of Article 58.2 GDPR
2021 | Data Protection Complaint | The controller failed to provide an updated privacy policy on its website at the time of the subject access request. The policy didn't contain the minimum set of information, failing the controller in providing information relating to the processing of personal data pursuant to the transparency. | Infringement of Article 37.7, 5.1 (a), 12.1 | Reprimand, in terms of Article 58.2 GDPR
2021 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(a) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR
2021 | Data Protection Complaint | The controller failed to blur data subjects' faces when uploading footage on social media, and additionally identified the complainant by name as one of the persons in the footage, without consent or authorisation | Infringement of Articles 5.1(a) and 6.1 GDPR | Reprimand and warning, in terms of Article 58.2 GDPR
2021 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(a) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR
2021 | Personal Data Breach | Controller infringed the principle of integrity and confidentiality when the complainant's personal data concerning health was disclosed to an unauthorised third party | Infringement of Articles 5.1(f) and 32.1(b) GDPR | Reprimand and orders, in terms of Article 58.2 GDPR
2021 | Data Protection Complaint | Complainant filed a subject access request, however the identity procedure adopted by the controller imposed an unnecessary burden on the data subject | Infringement of Articles 12.2 and 24.2 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR
2021 | Data Protection Complaint | An employee of the controller unlawfully disclosed the complainant's personal data in an unauthorised manner | Infringement of Articles 5.1(f) and 32.1(b) GDPR | Reprimand and orders, in terms of Article 58.2 GDPR
2021 | Data Protection Complaint | Controller infringed the principle of integrity and confidentiality when annual maintenance invoices regarding the controller were disclosed to an unauthorised third party | Infringement of Articles 5.1(f) and 32.1(b) GDPR | Reprimand and orders, in terms of Article 58.2 GDPR
2021 | Data Protection Complaint | Controller published an email address which was inactive and unattended on its website, creating uncertainty amongst the data subjects who tried to file a subject access request | Infringement of Article 5.1(a) GDPR | Reprimand and warning, in terms of Article 58.2 GDPR
2021 | Data Protection Complaint | Controller unlawfully disclosed by email the complainant's personal data to an unauthorised third party. The complainant explicitly indicated that such data should remain private and confidential | Infringement of Articles 5.1(f) and 32.1(b) GDPR | Reprimand and orders, in terms of Article 58.2 GDPR
2021 | Data Protection Complaint | The controller published a newspaper information notice containing personal data regarding the complainant | No infringement as the processing is necessary for the purposes of the legitimate interests of controller | Nil
2021 | Data Protection Complaint | The controller published a newspaper information notice containing personal data regarding the complainant | No infringement as the processing is necessary for the purposes of the legitimate interests of controller | Nil
2021 | Data Protection Complaint | The controller published a newspaper information notice containing personal data regarding the complainant | No infringement as the processing is necessary for the purposes of the legitimate interests of controller | Nil
2021 | Data Protection Complaint | The controller provided evidence on the action taken upon a subject access request in due time | No infringement and complaint dismissed | Nil
2021 | Data Protection Complaint | The IDPC did not come across any evidence of unauthorised disclosure of the complainant's personal data | No infringement and complaint dismissed | Nil
2021 | Data Protection Complaint | Complaint is against the use of a CCTV camera installed on a property. However, such camera is not capturing public access areas and, or spaces | No infringement as there is no processing of personal data in terms of article 4(2) GDPR | Nil
2021 | Data Protection Complaint | Controller failed to erase the complainant's personal data following the exercise of the right of erasure | Infringement of Article 17.1 GDPR | Reprimand and warning, in terms of Article 58.2 GDPR
2021 | Data Protection Complaint | Controller failed to implement the appropriate technical and organisational measures to ensure the ongoing confidentiality of the complainant’s personal data | Infringement of Articles 5.1 (f) and 32.1 (b) GDPR | Reprimand and warning, in terms of Article 58.2 GDPR
2021 | Data Protection Complaint | The controller failed to provide the complainant with a copy of certain information which falls within the definition of personal data | Infringement of Article 15 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR
2021 | Data Protection Complaint | The complaint is against the use of CCTV cameras installed on a property. The controller has a compelling legitimate interest, which is of real existence based on a situation of distress | No infringement in terms of data protection law | Nil
2021 | Data Protection Complaint | The complaint was on the validity and legality of the disciplinary proceedings and other issues of an employment nature | Outside the scope of data protection law and complaint dismissed | Nil
2021 | Data Protection Complaint | The controller failed to provide the complainant with a copy of certain information which falls within the definition of personal data | Infringement of Article 15 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR
2021 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(a) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR
2021 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(a) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR
2021 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(a) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR
2021 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(a) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR
2021 | Data Protection Complaint | Controller failed to erase the complainant's personal data following the exercise of the right of erasure | Infringement of Article 17.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR
2021 | Data Protection Complaint | Controller failed to provide the complainant with a copy of personal data and failed to erase personal data following the exercise of his/her data subject right | Infringements of Articles 12.3, 12.4, 15.1, 15.3 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR
2021 | Data Protection Complaint | Controller accessed personal data concerning the complainant in an unauthorised manner | Infringements of Articles 5.1(b), 5.1(f), and 32.1(b) GDPR | Reprimand and warning, in terms of Article 58.2 GDPR
2021 | Data Protection Complaint | The controller failed to comply with a right to data portability request, unless an administrative fee is paid. The controller also failed to demonstrate the manifestly unfounded or excessive character of such request | Infringements of Articles 12(5) and 20 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR
Year | Type | Description | Decision | Corrective Action
2020 | Data Protection Complaint | Unauthorized use of personal data leading to employment disciplinary proceedings | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and instructions, in terms of Article 58.2 GDPR
2020 | Data Protection Complaint | Personal data contained in a condition report disclosed to other occupants of third party properties | Infringement of Article 5.1(a) GDPR | Reprimand and instructions, in terms of Article 58.2 GDPR
2020 | Data Protection Complaint | Installation of CCTV cameras at an establishment without affixing proper signage | Infringement of Articles 13 and 5.1 GDPR | Reprimand and instructions, in terms of Article 58.2 GDPR
2020 | Data Protection Complaint | CCTV camera capturing public spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and instructions, in terms of Article 58.2 GDPR
2020 | Data Protection Complaint | Processing of personal data without the consent of the data subject | Infringement of Articles 5.1(a) and 6.1 GDPR | Reprimand and instructions, in terms of Article 58.2 GDPR
2020 | Personal Data Breach | Unauthorized disclosure of personal data to a third party | Infringement of Article 5.1(f) GDPR | Reprimand and instructions, in terms of Article 58.2 GDPR
2020 | Personal Data Breach | Hacking attack attempting to access online users', by making use of usernames and passwords originating from a third-party database | Infringement of Article 5. (f) GDPR | Reprimand and instructions, in terms of Article 58.2 GDPR
2020 | Personal Data Breach | Hacking attack attempting to access online users', by making use of usernames and passwords originating from a third-party database | Infringement of Article 5 (f) | Reprimand and instructions, in terms of Article 58.2 GDPR
2020 | Personal Data Breach | Hacking attack using bots attempting to log into users' account | Controller has sufficient and appropriate technical and organisational measures in place | Nil
2020 | Personal Data Breach | Former employee processed the controller's data for own purposes | Infringement of Article 32.1(b) GDPR | Reprimand and instructions, in terms of Article 58.2 GDPR
2020 | Personal Data Breach | Unauthorized disclosure of the complainant's confidential data to an external client | Infringement of Articles 5.1(f) and 32.1(b) GDPR | Administrative fine of €5,000, in terms of Article 58.2 (i) GDPR
2020 | Personal Data Breach | Accidental loss of personal data when a box of documents which contained filled-in employment forms went missing | Infringement of Article 32.1(b) GDPR | Administrative fine of €2,500 and orders, in terms of Article 58.2 GDPR
2020 | Personal Data Breach | Disclosure of personal email addresses to all the recipients of the email | Infringement of Article 32.1(b) GDPR | Administrative fine of €2,500, in terms of Article 58.2 (i) GDPR
2020 | Personal Data Breach | A third party gained unauthorized access to an account held by another individual | Infringement of Article 32.1(b) GDPR | Administrative fine of €2,000, in terms of Article 58.2 (i) GDPR
2020 | Personal Data Breach | Unauthorized disclosure of personal data to third parties | Infringement of Article 5.1(f) GDPR | Reprimand and warning, in terms of Article 58.2 GDPR
2020 | Personal Data Breach | Personal data was erroneously disclosed to an unintended recipient | The remedial action taken by the data controller has mitigated the posed risk | Instructions, in terms of Article 58.2 GDPR
2020 | Personal Data Breach | Disclosure of personal email addresses to all the recipients of the email | Infringement of Articles 5.1(f) and 32.1(b) GDPR | Administrative fine of €2,500, in terms of Article 58.2 (i) GDPR
2020 | Data Protection Complaint | Unsolicited sending of numerous direct marketing electronic communications without consent and right to object request ignored | Infringement of Articles 6, 7 and 21 GDPR and regulation 9 of S.L 586.01 | Administrative fine of €15,000 and orders, in terms of Article 58.2 GDPR
2020 | Personal Data Breach | Disclosure of personal email addresses to all the recipients of the email | Infringement of Article 5.1(a) GDPR | Reprimand and warning, in terms of Article 58.2 GDPR
2020 | Data Protection Complaint | Personal data undergoing processing was partially provided following a right of access request. Privacy Policy not satisfying the transparency requirements | Infringement of Articles 13 and 15 GDPR | Administrative fine of €20,000, in terms of Article 83.2 GDPR
2020 | Data Protection Complaint | Processing operations not in compliance with transparency requirements | Infringement of Article 13 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR
2020 | Data Protection Complaint | Unsolicited sending of electronic direct marketing communication without consent, privacy policy not in compliance with transparency requirements and right of access request ignored | Infringement of Articles 13 and 15 GDPR and regulation 9 of S.L 586.01 | Administrative fine of €4,000 and orders, in terms of Article 58.2 GDPR
2020 | Data Protection Complaint | Unauthorized disclosure of personal data related to health | Infringement of Article 9 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR
2020 | Data Protection Complaint | Advertising showing complainant's mobile number | Infringement of Articles 5.1 and 6 GDPR | Administrative fine of €3,000 and orders, in terms of Article 58.2 GDPR
2020 | Personal Data Breach | Unauthorised notification letter, with details of third parties printed on the back | Infringement of Articles 5.1(f) and 32.1(b) GDPR | Administrative fine of €3,000, in terms of Article 58.2 GDPR
2020 | Data Protection Complaint | Controller failed to provide information following a right of access request and failed to inform the data subject about a restriction | Infringement of Articles 12.3 and 15.3 GDPR, and regulation 4(e) of S.L. 586.09 | Administrative fine of €5,000 and orders, in terms of Article 58.2 GDPR.
2020 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Instructions, in terms of Article 58.2 GDPR
2020 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR
2020 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR
2020 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR
2020 | Data Protection Complaint | Sharing of an email containing personal data pertaining to the complainant and to his/her daughter with non-authorised recipients | Infringement of Articles 5.1(c), (f), and 32 GDPR | Reprimand and instruction, in terms of Article 58.2 GDPR
2020 | Data Protection Complaint | Controller erroneously addressed an envelope containing a confidential letter, resulting in the disclosure of complainant's personal data | Infringement of Article 5.1 (f) and 32.1 (b) GDPR | Reprimand and instruction, in terms of Article 58.2 GDPR
2020 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR
2020 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR
2020 | Data Protection Complaint | CCTV camera capturing public access areas and, or spaces | Infringement of Articles 5.1(c) and 6.1 GDPR | Reprimand and orders, in terms of Article 58.2 GDPR
2020 | Data Protection Complaint | Controller failed to provide the data subject with information about the processing and a copy of his/her personal file | Infringement of Article 15.1 and 15.3 GDPR | Reprimand and instruction, in terms of Article 58.2 GDPR
2020 | Data Protection Complaint | Controller failed to provide the data subject with information about the processing and a copy of his personal file | Infringement of Articles 15.1 and 15.3 GDPR | Reprimand and instruction, in terms of Article 58.2 GDPR
2020 | Data Protection Complaint | Controller has unlawfully disclosed the complainant's personal data | Infringement of Article 6.1 GDPR | Reprimand and warning, in terms of Article 58.2 GDPR