CJEU - DPO Hub (Page 5)

CJEU C-46/23 Ujpesti Polgarmesteri Hivatal 14 Mar 2023

members – 1 min read

DPAs can order controllers to delete unlawfully processed data without a prior request from a data subject, and regardless of where the data came from (the data subject or elsewhere).

Mar 26, 2024

CJEU C-740/22 Endemol Shine Finland 7 Mar 2024

members – 3 min read

Orally disclosing personal data = 'processing' and potentially subject to the GDPR, and sharing criminal data orally (or in writing) isn't allowed to fulfill a public access request.

Mar 26, 2024

CJEU C-479/22 P OC v Commission 7 Mar 2024

members – 3 min read

The CJEU returned a case to the General Court as they disagreed on the latter's interpretation of the concept of personal data, which is to be interpreted broadly, such as a press release with several data points that could identify someone.

Mar 21, 2024

4 new CJEU rulings

members – 1 min read

Two rulings on the concept of personal data, one stating that oral data = processing, and last one pertains to the Europol regulation. DPO Hub writeups coming!

Mar 11, 2024

🚨 CJEU confirms TC String as personal data and IAB Europe as joint controller

members – 1 min read

DPO Hub writeup coming soon!

Mar 7, 2024

CJEU C-582/14 Breyer (dynamic IP addresses) 19 Oct 2016

members – 2 min read

The CJEU held that not only static IP addresses (ref. Scarlet) are protected personal data under data protection law, but also dynamic ones, and that national laws can't restrict interest which are legitimate under EU law.

Feb 11, 2024

CJEU C-70/10 Scarlet Extended (static IP addresses) 24 Nov 2011

members – 1 min read

In a case on copyright infringement, the CJEU stated that IP addresses are protected personal data because they allow data subjects to be precisely identified.

Feb 8, 2024

CJEU LED C-118/22 Natsionalna politsia 30 Jan 2024

members – 1 min read

Law Enforcement Directive: Police must regularly review if they can justify continue storing biometric and genetic data and, if this isn't the case, grant erasure requests.

Jan 31, 2024

CJEU C-231/22 Belgian State (Data processed by an official journal) 11 Jan 2024

members – 3 min read

National law can implicitly determine controllership, including for an official journal that only publishes data it receives, even when it doesn't have a legal personality on its own. (But note my comment on this.)

Jan 16, 2024

CJEU C-340/21 Natsionalna agentsia za prihodite (cybercrime) 14 Dec 2023

members – 7 min read

Unauthorised disclosure or access doesn't equate to inadequate measures, but must be proven to prevent damages claims. National courts must assess your case concretely and cannot systematically rely on expert reports. Mere fear = non-material damages (but must be proven by the data subject).

Jan 8, 2024

CJEU C‑683/21 Nacionalinis visuomenės sveikatos centras 5 Dec 2023

members – 4 min read

The definition of 'controller' is broad and you're liable for all processing, done directly or by others on your behalf, including processors. Joint controllership is determined by facts, not contracts. Know your role(s)!

Jan 6, 2024

CJEU C-807/21 Deutsche Wohnen 5 Dec 2023

members – 3 min read

The definition of 'controller' is broad and includes legal persons, who are liable for any violations committed by any person in their business who act on their behalf. DPAs must demonstrate that you acted with intent or neglect to fine you and must base the max amount on the group's total revenue.

Jan 5, 2024