CJEU - DPO Hub (Page 2)

CJEU C-687/21 MediaMarktSaturn 25 Jan 2024

members – 3 min read

Accidental disclosure ≠ poor measures. Compensation is purely compensatory, not punitive, and requires proof of harm caused by a violation—though the severity of it doesn't affect the amount. Fear alone isn’t enough if no misuse occurred.

Dec 29, 2024

CJEU C-507/23 Pateretaju tiesibu aizsardzibas centrs (PTAC) 4 Oct 2024

members – 2 min read

A GDPR breach isn't automatically "damage" under Article 82(1). An apology may compensate for non-material damage if it fully remedies the harm and it's impossible to restore the original situation, but whether you're sorry or not doesn't matter (but maybe it can prevent matters from escalating).

Dec 28, 2024

CJEU C-768/21 Land Hessen (DPA obligation to act) 26 Sep 2024

members – 3 min read

⏰ Quickly deal with data breaches and listen to the DPA to reduce the chance of a fine (and keep access logs >3 months). DPAs aren't required to exercise a corrective power, like impose a fine, if not appropriate, necessary or proportionate to remedy the violation and ensure full GDPR compliance.

Dec 28, 2024

CJEU C-200/23 Agentsia po vpisvaniyata 4 Oct 2024

members – 6 min read

Tag, you're it! Got personal data --> you're a controller and can't shift accountability to the data subject. Temporary loss of control (e.g. public disclosure) can lead to damage, but harm must be proven. Handwritten signatures = personal data.

Dec 28, 2024

CJEU C-65/23 K GmbH (Processing of employees’ personal data) 19 Dec 2024

members – 2 min read

While Article 88 allows for more specific national rules for processing personal data in the employment context, you still have to comply with Articles 5, 6 and 9 and can't lower the standard for or ignore the 'necessity' requirement.

Dec 22, 2024

CJEU C-446/21 Schrems (Communication of data to the general public) 4 Oct 2024

members – 5 min read

A ruling that sparks questions around 'strictly necessary' and 'purpose'. Facebook can't indiscriminately use personal data on or off their platform for personalised ads, without restricting the duration and type of data.

Dec 8, 2024

CJEU C-169/23 Masdi 28 Nov 2024

members – 4 min read

The Art. 14(5)(c) derogation applies to *all* data not collected from the data subject, including self-generated. DPAs can, as per Art. 14(5)(c), verify if national law has measures to protect data subjects' legitimate interests, but this doesn’t include assessing Art. 32 security measures.

Nov 28, 2024

CJEU C-17/22 HTB Neunte Immobilien Portfolio 12 Sep 2024

members – 5 min read

National case-law could be relevant under Article 6(1)(c) legal obligation. The CJEU offers further guidance on legitimate interest assessments and highlights the importance of the data subjects' 'reasonable expectations'.

Nov 25, 2024

CJEU C-252/21 Meta Platforms and Others (General terms of use of a social network) 'Bundeskartellamt' 4 Jul 2023

members – 6 min read

The 'Bundeskartellamt' ruling, where the CJEU applies 'strictly' to the legal bases necessity test for the first time. 🔥 You might rely on legitimate interest for direct marketing, network security or product improvement, but the processing must now meet this higher threshold.

Nov 13, 2024

CJEU C-621/22 KNLTB (legitimate interests) 4 Oct 2024

members – 3 min read

Article 6(1)(f) allows disclosure for a commercial interest if the processing is *strictly* necessary and not outweighed by the interests, rights or freedoms of the data subjects. The interest doesn't have to be determined by law, but it must be lawful. And CJEU nudges consent again.

Oct 29, 2024

CJEU C-634/21 SCHUFA Holding (Scoring) 7 Dec 2023

members – 4 min read

Credit scoring = Art. 22(1) 'automated individual decision-making' when a third party heavily relies on a probability value to form or end a contract with a data subject. A ruling of "ground-breaking importance for AI-based decisions" according to the Hamburg DPA!

Oct 20, 2024

CJEU LED ePD C-548/21 Bezirkshauptmannschaft Landeck (Attempt to access personal data stored on a mobile phone) 4 Oct 2024

members – 1 min read

A case relating to the ePrivacy and Law Enforcement Directives, concluding that police access to phones isn't limited to the fight against serious crime.

Oct 4, 2024