CJEU C-604/22 IAB Europe TC String
members
–
6 min read
IAB Europe is a joint controller and because their 'TC String' contains data about an identifiable user, it's personal data.
4 new CJEU rulings
members
–
1 min read
Two rulings on the concept of personal data, one stating that oral data = processing, and last one pertains to the Europol regulation. DPO Hub writeups coming!
🚨 CJEU confirms TC String as personal data and IAB Europe as joint controller
members
–
1 min read
DPO Hub writeup coming soon!
CJEU C-582/14 Breyer (dynamic IP addresses)
members
–
2 min read
The CJEU held that not only static IP addresses (ref. Scarlet) are protected personal data under data protection law, but also dynamic ones.
CJEU C-70/10 Scarlet Extended (static IP addresses)
members
–
1 min read
In a case on copyright infringement, the CJEU stated that IP addresses are protected personal data because they allow data subjects to be precisely identified.
CJEU C-118/22 Natsionalna politsia
members
–
Police must regularly review if they can justify to continue storing biometric and genetic data and, if this isn't the case, grant erasure requests. This ruling applies to Directive (EU) 2016/680 (LED).
CJEU C-231/22 Belgian State
members
–
3 min read
Controllership can be determined implicitly from national law, even for an official journal that only publishes data as it receives, including when that journal doesn't have a legal personality (but note my comment on this!).
CJEU C-340/21 Natsionalna agentsia za prihodite (cybercrime)
members
–
7 min read
Unauthorised disclosure or access doesn't equate to inadequate measures, but must be proven to prevent damages claims. National courts must assess your case concretely and cannot systematically rely on expert reports. Mere fear 😱 = non-material damages (but must be proven by the data subject).
CJEU C‑683/21 Nacionalinis visuomenės sveikatos centras
members
–
4 min read
The definition of 'controller' is broad and you're liable for all processing, done directly or by others on your behalf, including processors. Joint controllership is determined by facts, not contracts. Know your role(s)!
CJEU C-807/21 Deutsche Wohnen
members
–
3 min read
The definition of 'controller' is broad and includes legal persons, who are liable for any violations committed by any person in their business who act on their behalf. DPAs must demonstrate that you acted with intent or neglect to fine you and must base the max amount on the group's total revenue.
CJEU C-456/22 Gemeinde Ummendorf
members
–
1 min read
No national de minimis threshold and data subjects must prove damage. NB: This is another CJEU ruling from today, also related to Article 82.
CJEU: Data breach ≠ poor measures (but you must prove it) and fear only can constitute non-material damage
members
–
1 min read
How not to get sued by data subjects (se full write-up of case in C-340/21 post)