Art. 57(4) 'requests' include 'complaints' in 57(1)(f) and 77(1) and aren't 'excessive' due to volume alone; DPAs must show abuse, and can then charge a reasonable fee or refuse to act after considering all circumstances and ensuring their choice is justified.
Processing customers' titles to personalise communication based on gender isn't essential for performing a contract; nor can it be based on a legitimate interest if they weren't informed beforehand, the processing isn't strictly necessary, or the balancing test goes in their favor.
NB! Updated re: explicit consent. Competitors can take legal action against your GDPR violations if considered an illegal unfair commercial practice. Special category personal data threshold is lowered: ordering pharmacy-only medicinal products online is considered sharing health data.
UPDATE 1 Jan: Summary + full decision published! The DPC fines Meta for failing to safeguard users' passwords (storing them in plaintext!) and for notifying the breach too late.
A ruling on Regulation 2019/1157 on ID card security, where the CJEU clarified that its adoption couldn’t violate Article 35 of the GDPR, as it wasn’t subject to a DPIA requirement. (They also concluded that the regulation was invalid!)
Law Enforcement Directive: Competent authorities must prove that systematically collecting biometric and genetic data of accused persons is strictly necessary under LED Article 10; they can't leave it up to a court. 💡 But the truly interesting part lies in 'strictly necessary'.
A ruling on the GDPR's material scope clarifying that DPAs can oversee parliamentary committees' personal data processing, as they're not automatically excluded or classified as national security matters under the GDPR.
Accidental disclosure ≠ poor measures. Compensation is purely compensatory, not punitive, and requires proof of harm caused by a violation—though the severity of the violation doesn't affect the amount. Fear alone isn't enough if no misuse occurred.
A GDPR breach isn't automatically "damage" under Article 82(1). An apology may compensate for non-material damage if it fully remedies the harm and it's impossible to restore the original situation, but whether you're sorry or not doesn't matter (but maybe it can prevent matters from escalating).
⏰ Quickly deal with data breaches and listen to the DPA to reduce the chance of a fine (and keep access logs >3 months). DPAs aren't required to exercise a corrective power, like impose a fine, if not appropriate, necessary or proportionate to remedy the violation and ensure full GDPR compliance.