Denmark DPA reports controller to police and suggests DKK 1,5 m fine
members
–
2 min read
💸 DKK 1,5m and reported to the police for not auditing their processors for 𝒚𝒆𝒂𝒓𝒔, violating the accountability principle.
CJEU LED C-118/22 Natsionalna politsia 30 Jan 2024
members
–
1 min read
Law Enforcement Directive: Police must regularly review if they can justify continue storing biometric and genetic data and, if this isn't the case, grant erasure requests.
Denmark DPA orders municipalities to ensure Google-sharing compliance
members
–
1 min read
🔥 Danish DPA with new decision in their Helsingørgate/Chromebook case!
EDPB publishes CEF DPO documents
members
–
2 min read
📝 See post from 29 February for all the gory details!
EDPB Members and country codes
members
–
1 min read
A list of all EDPB member countries, flags and country codes for easier reading of EDPB reports!
European Commission upholds adequacy decisions for 11 third countries and territories
members
–
1 min read
Great news for those who aren't fans of TIAs: the EUC upholds adequacy for Andorra, Argentina, Canada, Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. ✅
CJEU C-231/22 Belgian State (Data processed by an official journal) 11 Jan 2024
members
–
3 min read
National law can implicitly determine controllership, including for an official journal that only publishes data it receives, even when it doesn't have a legal personality on its own. (But note my comment on this.)
CJEU C-340/21 Natsionalna agentsia za prihodite (cybercrime) 14 Dec 2023
members
–
7 min read
Unauthorised disclosure or access doesn't equate to inadequate measures, but must be proven to prevent damages claims. National courts must assess your case concretely and cannot systematically rely on expert reports. Mere fear = non-material damages (but must be proven by the data subject).
CJEU C‑683/21 Nacionalinis visuomenės sveikatos centras 5 Dec 2023
members
–
4 min read
The definition of 'controller' is broad and you're liable for all processing, done directly or by others on your behalf, including processors. Joint controllership is determined by facts, not contracts. Know your role(s)!
CJEU C-807/21 Deutsche Wohnen 5 Dec 2023
members
–
3 min read
The definition of 'controller' is broad and includes legal persons, who are liable for any violations committed by any person in their business who act on their behalf. DPAs must demonstrate that you acted with intent or neglect to fine you and must base the max amount on the group's total revenue.
Norway DPA warns site tracking investigations 🧐
members
–
2 min read
⏰ Datatilsynet will soon start investigating non-compliant tracking technologies. If you use Meta Pixel or similar, it's time for website due diligence!