And on 8 Oct 2025, the 🇬🇧 Upper Tribunal (appeal court) upheld three of the Information Commissioner’s four grounds of appeal, sending the case back to the lower appeal court.
10 Oct: Estonia's thresholds for 'large-scale' (5k, 10k, 50k) | Breaking down Article 37(1)(b) key terms: 'core activities', 'regular', 'systematic', 'monitoring' and 'large scale'. And what should you do if you're still unsure whether you need to appoint a DPO? Appoint one voluntarily?
🔥 Update: After the CJEU sent the case back, the General Court has ordered the European Commission to pay a Greek scientist €50,000 for unlawfully processing her personal data in a press release, causing reputational, career and health-related harm.
[updated] After the Privacy Appeals Board overturned substantial parts of the DPA's decision against the Labour and Welfare Administration (NAV), including the record NOK 20 million fine, the DPA has decided to reassess the case.
[updated] After initially flagging a potential NOK 99m (~€8.3m) fine, Datatilsynet fined Telenor ASA NOK 4m (~€351,000) for failing to properly assess and document the DPO role (independence, conflicts of interest, reporting lines) – the case is now with the 🇳🇴 Privacy Appeals Board.
AG Szpunar: National law can’t make defamation the only remedy if criminal conviction data are published online for payment. Publishing conviction records online for payment, without any processing or editing, isn’t processing for journalistic purposes.
GDPR offers no judicial remedy outside erasure requests to stop future unlawful processing, but Member States may provide one. Non-material damage covers negative feelings – if proven. A controller’s fault doesn’t affect compensation, and a court order banning repeat GDPR violations can’t reduce or replace it.
2 Sep: 💸 ILVA fined €201k | When fining a controller in a corporate group, DPAs must base the maximum fine on the *group’s* total worldwide turnover from the prior business year. A crucial ruling for anyone in a company group – here's also text you can copy for an email to your Management/Board.
🚨 Two key CJEU rulings: EDPS v SRB on personal data & pseudonymisation (3 Sep.) and Latombe v Commission on the EU-US DPF (4 Sep.), plus one more ruling and seven Advocate General opinions. Buckle up!
ICO launches consultations for amendments | Get quickly up to speed on the new UK Data (Use and Access) Act. 💬 "there is no need to panic. Many of the changes empower rather than require, and even if embraced could be done so incrementally."
28 July: EDPS closes its investigation into the European Commission’s use of Microsoft 365, now deeming it compliant after previously finding serious EUDPR violations, notably on purpose limitation and international transfers.