A processor is instructed to report on customers who bought a product both last month and at least once in the three months before that. Unfortunately, the processor makes a mistake and uses personal data collected by another controller for a different purpose.
The mistake is found before the report is created, and nobody has access to personal date he or she should not have had access to.
How should the processor act on this situation and what should the controller do, if anything?
The Supervisory Authority is notified whenever an organization intends to process personal data, except for some specific situations. The Supervisory Authority keeps a publicly accessible register of these data processing operations.
What else is a legal obligation of the Supervisory Authority in reaction to such a notification?
In what way are online activities of people most effectively used by modern marketers?
A German company wants to enter into a binding contract with a processor in the Netherlands for the processing of sensitive personal data of German data subjects. The Dutch Supervisory Authority is informed of the type of data and the aims of the processing, including the contract describing what data will be processed and what data protection procedures and practices will be in place.
According to the GDPR, what should the Dutch Supervisory Authority do in this scenario?
