Great news for those who aren't fans of TIAs: the EUC upholds adequacy for Andorra, Argentina, Canada, Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. ✅
Controllership can be determined implicitly from national law, even for an official journal that only publishes data as it receives, including when that journal doesn't have a legal personality (but note my comment on this!).
Unauthorised disclosure or access doesn't equate to inadequate measures, but must be proven to prevent damages claims. National courts must assess your case concretely and cannot systematically rely on expert reports. Mere fear 😱 = non-material damages (but must be proven by the data subject).
The definition of 'controller' is broad and you're liable for all processing, done directly or by others on your behalf, including processors. Joint controllership is determined by facts, not contracts. Know your role(s)!
The definition of 'controller' is broad and includes legal persons, who are liable for any violations committed by any person in their business who act on their behalf. DPAs must demonstrate that you acted with intent or neglect to fine you and must base the max amount on the group's total revenue.
⏰ Datatilsynet will soon start investigating non-compliant tracking technologies. If you use Meta Pixel or similar, it's time for website due diligence!