The Spanish Data Protection Authority (AEPD) imposed a total fine of 6.000.000 EUR on CAIXABANK, S.A., for: unlawful processing of its clients’ personal data (4.000.000 EUR); and not providing sufficient information regarding the processing of personal data (2.000.000 EUR).
By order of 12 March 2021, the Conseil d’Etat (the French supreme administrative court) dismissed the request of various associations, including the Syndicat de la Médecine Générale (SMG) and the Ligue des Droits de l’Homme (Human Rights League), asking the interim relief judge of the Conseil d’Etat to order the suspension of the partnership between the Ministry of Health and the company Doctolib as part of the plan to accelerate vaccination against COVID-19, insofar as its online appointment booking system involved the hosting of health data with an American company (AWS).
On December 7, 2020, the CNIL (the French data protection authority) pronounced two record sanctions of €100 million against GOOGLE LLC and GOOGLE IRELAND LIMITED (€60 and €40 million respectively), and €35 million against AMAZON EUROPE CORE for non-compliance with
By Decision of 11 November 2020 (C-61/19), the Court of Justice of the European Union (CJEU) specified the conditions for obtaining GDPR-compliant consent.
Indeed, the Court ruled that the data subjects’ consent to the processing of their personal data was not valid in the following cases:
where the controller (i.e., Orange România) pre-ticked the consent box referring to a clause contained in a contract and stating that the customer has consented to the collection and storage of their personal data (in this case, their identity document); or
where it was not clear whether individuals could refuse the processing operations without suffering any consequences for the possibility of concluding the service agreement; or
where the individuals’ freedom of choice could be affected by requiring the individuals to complete an additional form to refuse the processing of personal data.