Details:

Summary The data controller had engaged an external company to carry out the duties of access to data according to Art. 15 GDPR. However, the engaged company conducted the correspondence with the data subjects under its own logo and in English language, so that it was not apparent to the data subjects who was responsible for the data processing. As a result, the data controller infringed the principle of transparency laid down in Art. 12 GDPR and did not sufficiently fulfil its obligations to provide information in accordance with Art. 15 GDPR. In addition, the data protection supervisory authority found that no written contract for data processing had been concluded between the data controller and the external company, thus constituting a further breach of Art. 28 (9) GDPR.
Link: link
Related articles:  Art. 15 GDPR, Art. 28 GDPR
Type: Insufficient fulfilment of data subjects rights
Fine: EUR 50,000
Sector Not assigned

 

All data is based on The CMS’s Law GDPR Enforcement Tracker Source: https://www.enforcementtracker.com/

Tags: case law