4 new CJEU rulings
members
–
1 min read
Two rulings on the concept of personal data, one stating that oral data = processing, and last one pertains to the Europol regulation. DPO Hub writeups coming!
🚨 CJEU confirms TC String as personal data and IAB Europe as joint controller
members
–
1 min read
DPO Hub writeup coming soon!
CJEU C-582/14 Breyer (dynamic IP addresses) 19 Oct 2016
members
–
2 min read
The CJEU held that not only static IP addresses (ref. Scarlet) are protected personal data under data protection law, but also dynamic ones, and that national laws can't restrict interest which are legitimate under EU law.
CJEU C-70/10 Scarlet Extended (static IP addresses) 24 Nov 2011
members
–
1 min read
In a case on copyright infringement, the CJEU stated that IP addresses are protected personal data because they allow data subjects to be precisely identified.
CJEU LED C-118/22 Natsionalna politsia 30 Jan 2024
members
–
1 min read
Law Enforcement Directive: Police must regularly review if they can justify continue storing biometric and genetic data and, if this isn't the case, grant erasure requests.
CJEU C-231/22 Belgian State (Data processed by an official journal) 11 Jan 2024
members
–
3 min read
National law can implicitly determine controllership, including for an official journal that only publishes data it receives, even when it doesn't have a legal personality on its own. (But note my comment on this.)
CJEU C-340/21 Natsionalna agentsia za prihodite (cybercrime) 14 Dec 2023
members
–
7 min read
Unauthorised disclosure or access doesn't equate to inadequate measures, but must be proven to prevent damages claims. National courts must assess your case concretely and cannot systematically rely on expert reports. Mere fear = non-material damages (but must be proven by the data subject).
CJEU C‑683/21 Nacionalinis visuomenės sveikatos centras 5 Dec 2023
members
–
4 min read
The definition of 'controller' is broad and you're liable for all processing, done directly or by others on your behalf, including processors. Joint controllership is determined by facts, not contracts. Know your role(s)!
CJEU C-807/21 Deutsche Wohnen 5 Dec 2023
members
–
3 min read
The definition of 'controller' is broad and includes legal persons, who are liable for any violations committed by any person in their business who act on their behalf. DPAs must demonstrate that you acted with intent or neglect to fine you and must base the max amount on the group's total revenue.
CJEU C-456/22 Gemeinde Ummendorf 14 Dec 2023
members
–
1 min read
No national de minimis threshold and data subjects must prove damage. NB: This is another CJEU ruling from today, also related to Article 82.
CJEU: Data breach ≠ poor measures (but you must prove it) and fear only can constitute non-material damage
members
–
1 min read
How not to get sued by data subjects (se full write-up of case in C-340/21 post)
CJEU (SCHUFA): On credit scoring, automated decision-making and courts' review of DPA decisions
members
–
2 min read
Two CJEU rulings on SCHUFA Holding: Credit scoring = ADM when decisive for granting credit + national courts can fully review legally binding DPA decisions.