Rie Aleksandra - DPO Hub (Page 4)

CJEU C-33/22 Österreichische Datenschutzbehörde 16 Jan 2024

members – 2 min read

A ruling on the GDPR's material scope clarifying that DPAs can oversee parliamentary committees' personal data processing, as they're not automatically excluded or classified as national security matters under the GDPR.

Dec 29, 2024

CJEU C-687/21 MediaMarktSaturn 25 Jan 2024

members – 3 min read

Accidental disclosure ≠ poor measures. Compensation is purely compensatory, not punitive, and requires proof of harm caused by a violation—though the severity of it doesn't affect the amount. Fear alone isn’t enough if no misuse occurred.

Dec 29, 2024

CJEU C-507/23 Pateretaju tiesibu aizsardzibas centrs (PTAC) 4 Oct 2024

members – 2 min read

A GDPR breach isn't automatically "damage" under Article 82(1). An apology may compensate for non-material damage if it fully remedies the harm and it's impossible to restore the original situation, but whether you're sorry or not doesn't matter (but maybe it can prevent matters from escalating).

Dec 28, 2024

CJEU C-768/21 Land Hessen (DPA obligation to act) 26 Sep 2024

members – 3 min read

⏰ Quickly deal with data breaches and listen to the DPA to reduce the chance of a fine (and keep access logs >3 months). DPAs aren't required to exercise a corrective power, like impose a fine, if not appropriate, necessary or proportionate to remedy the violation and ensure full GDPR compliance.

Dec 28, 2024

CJEU C-200/23 Agentsia po vpisvaniyata 4 Oct 2024

members – 6 min read

Tag, you're it! Got personal data --> you're a controller and can't shift accountability to the data subject. Temporary loss of control (e.g. public disclosure) can lead to damage, but harm must be proven. Handwritten signatures = personal data.

Dec 28, 2024

CJEU C-65/23 K GmbH (Processing of employees’ personal data) 19 Dec 2024

members – 2 min read

While Article 88 allows for more specific national rules for processing personal data in the employment context, you still have to comply with Articles 5, 6 and 9 and can't lower the standard for or ignore the 'necessity' requirement.

Dec 22, 2024

noyb win: 🇳🇱 Dutch DPA fines Netflix €4.75m for lack of information

members – 1 min read

noyb gets their first big win in their streaming services complaint project, filed in January 2019 against Amazon Prime, Apple Music, DAZN, Flimmit, Netflix, SoundCloud, Spotify and YouTube. Unsurprisingly, Netflix has already objected.

Dec 19, 2024

Record GDPR fine from Norway (NAV)

members – 6 min read

🔥 On 17 Dec, the Privacy Appeals Board overturned substantial parts of the DPA's decision against the Labour and Welfare Administration (NAV), including the record NOK 20 million fine.

Dec 18, 2024

🇮🇪 DPC fines Meta €251m for failing on data protection by design and default and breach handling

members – 1 min read

Meta failed to properly notify and document a breach affecting 3m EEA Facebook users and to build in data protection requirements throughout the design and development cycle.

Dec 18, 2024

EDPS: the European Commission's use of MS365 is non-compliant

members – 10 min read

10 Dec: EC submits compliance report. (Both parties sought annulment in July, so stay tuned!) After the EDPS' second investigation into the EC's use of Microsoft 365, they found (again) several serious EUDPR violations, notably related to purpose limitation and transfers, which are still ongoing.

Dec 11, 2024

CJEU C-446/21 Schrems (Communication of data to the general public) 4 Oct 2024

members – 5 min read

A ruling that sparks questions around 'strictly necessary' and 'purpose'. Facebook can't indiscriminately use personal data on or off their platform for personalised ads, without restricting the duration and type of data.

Dec 8, 2024

EDPB meeting minutes 4 Nov 2024

members – 2 min read

Never-before discussed 'Guidelines on the use of biometrics for physical access control' enter the spotlight! And "first complaint under the DPF redress mechanism"..? Here's the latest EDPB meeting minutes.

Dec 7, 2024