May 23
Danish DPA Data Protection Digital Markets Act EU-US cooperation EDPB hits Meta, the EU General Court explains the nature

DP News – Week 21: Car rental employee fined for unlawfully accessing customer data, Belgium Data Protection Authority rules software platform administrator as data processor, not controller and football league organizer fined for GDPR violations after failing to erase player data!

A former Management Trainee at a global car rental company in the UK was fined for illegally accessing customer data. Between 18 March and 1 April 2019, the individual accessed at least 213 records across 25 branches without authorization, particularly during an unscheduled visit on 31 March 2019. Following an internal audit and investigation, the trainee were dismissed for gross misconduct, and the case was referred to the Information Commissioner’s Office. The individual pleaded guilty at Huddersfield Magistrates’ Court and was fined £265, with additional costs and a victim surcharge. 

Head of Investigations Andy Curry said: “[j]ust because your job may give you access to other people’s personal information, it doesn’t mean you have the legal right to look at it whenever you like.”

Read more here

***The Belgium Data Protection Authority (DPA) concluded that the administrator of a software platform for booking doctor appointments is a data processor, not a data controller, as they do not determine the purposes of data processing. The platform administrator only provided an online scheduling system, with purposes set by healthcare providers. Consequently, access requests under GDPR should be directed to the data controllers (healthcare providers), not the data processor. The DPA found no GDPR violations by the platform administrator regarding the individual’s access request complaint.

Read more here


The Austrian DPA fined a football league organizer €12,100 for failing to erase a player’s personal data after the player’s request. The player’s profile, which included identifiable information, remained partially visible on the league’s website despite the DPA’s order to delete it entirely. The fine was issued due to the controller’s repeated non-compliance and minimal cooperation.

Read more here

See more related posts »

Related blog posts