EDPB Members and country codes
members
–
1 min read
A list of all EDPB member countries, flags and country codes for easier reading of EDPB reports!
European Commission upholds adequacy decisions for 11 third countries and territories
members
–
1 min read
Great news for those who aren't fans of TIAs: the EUC upholds adequacy for Andorra, Argentina, Canada, Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. ✅
CJEU C-231/22 Belgian State (Data processed by an official journal) 11 Jan 2024
members
–
3 min read
National law can implicitly determine controllership, including for an official journal that only publishes data it receives, even when it doesn't have a legal personality on its own. (But note my comment on this.)
CJEU C-340/21 Natsionalna agentsia za prihodite (cybercrime) 14 Dec 2023
members
–
7 min read
Unauthorised disclosure or access doesn't equate to inadequate measures, but must be proven to prevent damages claims. National courts must assess your case concretely and cannot systematically rely on expert reports. Mere fear = non-material damages (but must be proven by the data subject).
CJEU C‑683/21 Nacionalinis visuomenės sveikatos centras 5 Dec 2023
members
–
4 min read
The definition of 'controller' is broad and you're liable for all processing, done directly or by others on your behalf, including processors. Joint controllership is determined by facts, not contracts. Know your role(s)!
CJEU C-807/21 Deutsche Wohnen 5 Dec 2023
members
–
3 min read
The definition of 'controller' is broad and includes legal persons, who are liable for any violations committed by any person in their business who act on their behalf. DPAs must demonstrate that you acted with intent or neglect to fine you and must base the max amount on the group's total revenue.
Norway DPA warns site tracking investigations 🧐
members
–
2 min read
⏰ Datatilsynet will soon start investigating non-compliant tracking technologies. If you use Meta Pixel or similar, it's time for website due diligence!
EDPB Guidelines 5/2020 on consent
members
–
6 min read
A 1-page summary of the EDPB's Guidelines: structure of valid consent, when is it invalid, what to do when it's withdrawn, key highlights and resources.
Lawfulness: Consent - examples
members
–
33 min read
In need of consent inspiration or determine if your setup is (likely) compliant? Review this page for numerous examples!
CJEU C-456/22 Gemeinde Ummendorf 14 Dec 2023
members
–
1 min read
No national de minimis threshold and data subjects must prove damage. NB: This is another CJEU ruling from today, also related to Article 82.
CJEU: Data breach ≠ poor measures (but you must prove it) and fear only can constitute non-material damage
members
–
1 min read
How not to get sued by data subjects (se full write-up of case in C-340/21 post)
AI Act reaches political agreement (post update)
members
–
1 min read
[post update] The AI Act enters into force 20 days after publication in the Official Journal and becomes (mostly) applicable 2 years after this.