Two rulings on the concept of personal data, one stating that oral data = processing, and last one pertains to the Europol regulation. DPO Hub writeups coming!
In a case on copyright infringement, the CJEU stated that IP addresses are protected personal data because they allow data subjects to be precisely identified.
Police must regularly review if they can justify to continue storing biometric and genetic data and, if this isn't the case, grant erasure requests. This ruling applies to Directive (EU) 2016/680 (LED).
Controllership can be determined implicitly from national law, even for an official journal that only publishes data as it receives, including when that journal doesn't have a legal personality (but note my comment on this!).
Unauthorised disclosure or access doesn't equate to inadequate measures, but must be proven to prevent damages claims. National courts must assess your case concretely and cannot systematically rely on expert reports. Mere fear 😱 = non-material damages (but must be proven by the data subject).
The definition of 'controller' is broad and you're liable for all processing, done directly or by others on your behalf, including processors. Joint controllership is determined by facts, not contracts. Know your role(s)!
The definition of 'controller' is broad and includes legal persons, who are liable for any violations committed by any person in their business who act on their behalf. DPAs must demonstrate that you acted with intent or neglect to fine you and must base the max amount on the group's total revenue.