EDPB Support Pool of Experts (SPE) projects
members
–
6 min read
Latest: Legitimate interest OSS case digest.
Luxembourg DPA fines Amazon Europe €746m
members
–
2 min read
13 March 2026: Amazon with big win – a Luxembourg appeals court has overturned the €746 million fine and referred the case back to the DPA.
EDPB CEF 2025: Right to erasure (right to be forgotten)
members
–
4 min read
💡 Should-read key takeaways for controllers from the final report. And do we need to sift through back-ups when we get an erasure request..?
CJEU C-655/23 Quirin Privatbank 4 Sep 2025
members
–
3 min read
GDPR offers no judicial remedy outside erasure requests to stop future unlawful processing, but Member States may. Non-material damage covers negative feelings – if proven. A controller’s fault doesn’t affect compensation, and a court order banning repeat GDPR violations can’t reduce or replace it.
CJEU C-200/23 Agentsia po vpisvaniyata 4 Oct 2024
members
–
6 min read
Tag, you're it! Got personal data --> you're a controller and can't shift accountability to the data subject. Temporary loss of control (e.g. public disclosure) can lead to damage, but harm must be proven. Handwritten signatures = personal data.
Right to object and right to erasure: insights from OSS decisions
members
–
2 min read
EDPB SPE project: Article 60 One-Stop-Shop thematic case digest analysing Articles 17 and 21. Key takeaway: Create, document, implement and control policies and procedures, including complaints management. PS: The 'data subject journey' is your secret weapon!
CJEU C-129/21 Proximus (subscribers' consent) 27 Oct 2022
members
–
3 min read
Consent is required to list subscribers' details in publicly available directories. If obtained, including on behalf of other controllers, a data subject can withdraw it (= an erasure request) from any of them, and each controller may need to inform the others.
CJEU C-46/23 Ujpesti Polgarmesteri Hivatal 14 Mar 2023
members
–
1 min read
DPAs can order controllers to delete unlawfully processed data without a prior request from a data subject, and regardless of where the data came from (the data subject or elsewhere).
CJEU LED C-118/22 Natsionalna politsia 30 Jan 2024
members
–
1 min read
Law Enforcement Directive: Police must regularly review if they can justify continue storing biometric and genetic data and, if this isn't the case, grant erasure requests.