In a previous blog post, we discussed the European Commission’s criticism of the Dutch data protection authority’s interpretation of legitimate interests as a lawful basis for processing personal data. In that post we noted that the issue would potentially be resolved by the Netherlands’ highest administrative court, the Council of State when it ruled
The EU Commission has expressed concerns about the Dutch data protection authority’s strict interpretation of “legitimate interests”, considering it to be “not in line with the GDPR, the guidelines of the Article 29 Working Party/EDPB and the case law of the European Court of Justice (CJEU)”. Those concerns focus on guidance issued by the Autoriteit
The Dutch Data Protection Authority (Dutch DPA) has issued fixed and periodic fines to a government ministry over its lack of security measures and transparency about who it shares personal data with, while the Danish Data Protection Agency (Danish DPA) has issued fines to a national bank for its lack of documentation on the deletion of personal data.
Continue Reading European DPAs in Action: Periodic Penalties and Deletion of Personal Data