GDPR Extra cases

Question 1

An online clothing store collects users’ email addresses during checkout. One week later, it sends them marketing emails — but users were never asked if they agree.
👉 Is this allowed?

Answer 1

Issue: Sending marketing emails without consent

Rule: Article 6(1)(a) – Processing must be based on clear consent

Application: The users didn’t agree to marketing. The company can’t assume consent.

Conclusion: ❌ This is illegal – GDPR requires freely given and informed consent for marketing.

Question 2

A hospital stores patient records without encryption. A hacker later steals thousands of health records.
👉 What kind of GDPR issue is this?

Answer 2

Issue: Data breach and lack of security

Rule: Article 5(1)(f) – Data must be stored with confidentiality and integrity

Application: Medical data is sensitive; no encryption = weak protection

Conclusion: ❌ This is a GDPR breach – the hospital didn’t use proper security.

Question 3

A 13-year-old signs up for a social media app by checking a box that says “I accept the terms.” The app is based in Belgium.
👉 Is this valid consent under the GDPR?

Answer 3

Issue: Consent by a minor under 16

Rule: Article 8 – Children must be at least 16 (or 13 if national law allows)

Application: Belgium follows the default 16 rule unless changed by national law

Conclusion: ❌ Probably invalid consent – unless parental permission was obtained.

Question 4

A survey company keeps people’s answers (with names and addresses) for 10 years — even though the research project ended after 6 months.
👉 Does this respect the GDPR?

Answer 4

Issue: Keeping personal data longer than necessary

Rule: Article 5(1)(e) – Storage limitation principle

Application: The data is kept much longer than needed for the purpose

Conclusion: ❌ This violates GDPR – data must be deleted when it’s no longer needed.

Question 5

Q (Front):
A small company collects customers’ phone numbers for delivery, but then uses them to send product promotions without telling them.
👉 What GDPR principle is being broken?

Answer 5

Issue: Using data for a different purpose than originally stated

Rule: Article 5(1)(b) – Purpose limitation

Application: Customers gave data for delivery only, not ads

Conclusion: ❌ This is illegal – the company needs separate consent for promotions.

Question 6

A website says “By using our site, you automatically agree to all data use.” It does not provide any explanation or option to say no.
👉 Is this valid GDPR consent?

Answer 6

Issue: No real, informed consent

Rule: Article 7 – Consent must be freely given, specific, and informed

Application: “Automatic consent” without explanation is not valid

Conclusion: ❌ This is not valid consent under the GDPR.

Question 7

Q (Front):
A company processes biometric data (like facial recognition) for office security, but doesn’t inform employees or ask for their permission.
👉 What kind of data is this and is it allowed?

Answer 7

Issue: Processing sensitive data without consent

Rule: Article 9 – Biometric data = special category

Application: Biometric data needs explicit consent or strong legal reason

Conclusion: ❌ Illegal – unless the company has clear legal basis and informs staff.