CJEU C-698/23 P EDPS v Parliament and Council 8 May 2025 AG Opinion
members
–
1 min read
An Advocate General Opinion on a case about Europol and regulators – safe to skip for most!
CJEU C-313/23 Inspektorat kam Visshia sadeben savet 30 Apr 2025
members
–
3 min read
That a court authorises personal data disclosure to another judicial body qualifies as processing under the GDPR – but it doesn’t make the court a controller or a DPA, and it’s not required to ensure compliance unless an Article 79(1) action is brought before it.
CJEU C-710/23 Ministerstvo zdravotnictvi (Data concerning the representative of a legal person) 3 Apr 2025
members
–
3 min read
GDPR still applies when acting on behalf of a legal person. Plus, major implications for 🇨🇿 Czech – and potentially other – public bodies handling FOI requests: you may need to consult data subjects before disclosure, and even if that's impossible, you must still balance FOI with data protection.
CJEU C-654/23 Inteligo Media 27 Mar 2025 AG Opinion
members
–
2 min read
AG Szpunar: If someone creates an online account that includes access to your email newsletters, sending them qualifies as 'direct marketing’ under the ePrivacy Directive Article 13 and is covered by the exception in point 2. Under Article 95 GDPR, a lawful basis under Article 6 isn’t needed.
CJEU GC EUDPR T‑354/22 Bindl v Commission 8 Jan 2025
members
–
2 min read
[19 March: The case is appealed.] The CJEU's General Court orders the European Commission to pay €400 in non-material damages for US transfers made in March 2022, when no adequacy decision or alternative safeguard was in place.
CJEU C-247/23 Deldits 13 Mar 2025
members
–
2 min read
A Member State can't, under any circumstances, require a data subject to provide proof of gender reassignment surgery to exercise their right to rectification. However, they may need to provide relevant and sufficient evidence reasonably needed to show that the data is inaccurate.
CJEU C‑829/24 Commission v Hungary 12 Feb 2025 Order
members
–
1 min read
The CJEU fast-tracks a case against Hungary where the European Commission claims violations of multiple EU laws, including the GDPR Articles 5, 6, 9 and 10.
CJEU C-203/22 Dun & Bradstreet Austria 27 Feb 2025
members
–
4 min read
You must clearly explain actual procedures and principles applied in ADM and if you claim information contains protected data or trade secrets, you must provide it to the DPA or court, which'll balance rights and interests and determine the extent of a DSAR.
CJEU C-638/23 Amt der Tiroler Landesregierung 27 Feb 2025
members
–
2 min read
An entity without legal personality can be a controller if it can fulfil those obligations and national law at least implicitly defines the processing scope; it doesn’t need to precisely specify processing activities or purpose.
CJEU C-492/23 Russmedia Digital and Inform Media Press 6 Feb 2025 AG Opinion
members
–
1 min read
AG Szpunar: Marketplace operators are processors for ad data (must protect it) and controllers for advertisers' data (must verify identity). Liability applies if you actively manage, modify or promote content.
DPO Hub 2024 CJEU GDPR-related rulings
members
–
1 min read
A list of all GDPR-related (plus one) CJEU rulings from 2024 with titles, dates, DPO Hub snippets, tags and CJEU keywords (with key Articles etc.).
CJEU GC T-70/23 Data Protection Commission v European Data Protection Board 29 Jan 2025
members
–
2 min read
The General Court dismissed DPC's actions against the EDPB and ordered them to pay the costs, meaning they must conduct new investigations and issue new Art. 60(3) draft decisions for the three 2022 Art. 65 Binding Decisions in cases against Meta (Facebook, Instagram, WhatsApp).