🇩🇰 DPA changes sub-processor third-party beneficiary clause in their SCCs for data processing agreements as per Article 28(8). Agreements signed before this are still valid.
Breaching GDPR rights doesn't automatically result in non-material damage, and controllers can't (ever?) escape liability simply because someone under their authority didn't follow instructions, and an AG Opinion may disrupt DPAs' workload. 😬
A key (Directive 95/46/EC) ruling that broadly interpreted key definitions (personal and health data, processing) and narrowly applied exceptions, but found that simply putting a website online doesn't necessarily result in transfers.
DPAs can order controllers to delete unlawfully processed data without a prior request from a data subject, and regardless of where the data came from (the data subject or elsewhere).
Orally disclosing personal data = 'processing' and potentially subject to the GDPR, and sharing criminal data orally (or in writing) isn't allowed to fulfill a public access request.
Update 26 Mar 2024: the DPA rejects reopening the cases, upholding that analytics/statistics aren't a necessary part of the alternative to paid access.
[22 March update: Amazon has appealed] The 🇫🇷 CNIL fined Amazon for excessively intrusive monitoring, using several illegal indicators and insecure video surveillance software, without sufficiently informing employees and visitors.
Following the EU-US DPF, the 🇸🇪 Tax Agency approves using Microsoft Office 365 and Teams. Despite emphasising that everyone must do their own assessments, I'd say this could strengthen your own cloud services assessments.
The CJEU returned a case to the General Court because it disagreed with the latter's interpretation of the concept of personal data, which is to be interpreted broadly, such as a press release with several data points that could identify someone.
🇫🇷 Massive breach and what we can learn immediately from it: data minimisation, deletion, breach response plans - and communication that people actually understand!
GDPR definitions are broad; information = personal data if, with third-party data, someone can be identified. Joint controllership doesn’t automatically extend to further processing, but you’re one if you set binding rules on processing and jointly determine purposes and means.