CJEU - DPO Hub (Page 2)

CJEU C-446/21 Schrems (Communication of data to the general public) 4 Oct 2024

members – 5 min read

A ruling that sparks questions around 'strictly necessary' and 'purpose'. Facebook can't indiscriminately use personal data on or off their platform for personalised ads, without restricting the duration and type of data.

Dec 8, 2024

CJEU C-169/23 Masdi 28 Nov 2024

members – 4 min read

The Art. 14(5)(c) derogation applies to *all* data not collected from the data subject, including self-generated. DPAs can, as per Art. 14(5)(c), verify if national law has measures to protect data subjects' legitimate interests, but this doesn’t include assessing Art. 32 security measures.

Nov 28, 2024

CJEU C-17/22 HTB Neunte Immobilien Portfolio 12 Sep 2024

members – 5 min read

National case-law could be relevant under Article 6(1)(c) legal obligation. The CJEU offers further guidance on legitimate interest assessments and highlights the importance of the data subjects' 'reasonable expectations'.

Nov 25, 2024

CJEU C-252/21 Meta Platforms and Others (General terms of use of a social network) 4 Jul 2023

members – 6 min read

The 'Bundeskartellamt' ruling, where the CJEU applies 'strictly' to the legal bases necessity test for the first time. 🔥 You might rely on legitimate interest for direct marketing, network security or product improvement, but the processing must now meet this higher threshold.

Nov 13, 2024

CJEU C-621/22 KNLTB (legitimate interests) 4 Oct 2024

members – 3 min read

Article 6(1)(f) allows disclosure for a commercial interest if the processing is *strictly* necessary and not outweighed by the interests, rights or freedoms of the data subjects. The interest doesn't have to be determined by law, but it must be lawful. And CJEU nudges consent again.

Oct 29, 2024

CJEU C-634/21 SCHUFA Holding (scoring) 7 Dec 2023

members – 4 min read

Credit scoring = Art. 22(1) 'automated individual decision-making' when a third party heavily relies on a probability value to form or end a contract with a data subject. 🚨 A ruling of "ground-breaking importance for AI-based decisions" according to the Hamburg DPA!

Oct 20, 2024

CJEU LED ePD C-548/21 Bezirkshauptmannschaft Landeck (Attempt to access personal data stored on a mobile phone) 4 Oct 2024

members – 1 min read

A case relating to the ePrivacy and Law Enforcement Directives, concluding that police access to phones isn't limited to the fight against serious crime.

Oct 4, 2024

Interesting non-GDPR CJEU case on gender change (C-4/23 Mirin)

members – 1 min read

💡 (Non-GDPR/ePrivacy) CJEU ruling stating that Member States can't refuse to recognise changed name and gender approved in another Member State.

Oct 4, 2024

CJEU C-154/21 RW v Österreichische Post (recipients) 12 Jan 2023

members – 3 min read

You have the right to know the actual identities of the recipients your personal data has been shared with.

Aug 16, 2024

CJEU C-757/22 Meta Platforms Ireland (Representative action) 11 Jul 2024

members – 2 min read

Consumer protection groups can take legal action against controllers they believe violate data subjects' rights, including the right to information. With C-319/20, this ruling *could* be a bit of a bombshell! #classaction

Jul 14, 2024

CJEU C-461/22 MK (Professional guardian) 11 Jul 2024

members – 1 min read

A former legal guardian who acted in a professional capacity is a controller and must comply with the GDPR, including the right of access.

Jul 14, 2024

CJEU C-590/22 PS (Incorrect address) and C-182/22 Scalable Capital 20 Jun 2024

members – 5 min read

⚖️ 9 points interpreting Art. 82(1), including: its aim is to compensate for damage, not to punish or deter GDPR violations; fear alone or stolen personal data can trigger claims if proven; and national courts can grant minimal compensation for minor damage.

Jun 25, 2024