key definitions

CJEU C-413/23 P EDPS v Single Resolution Board 6 Feb 2025 AG Opinion

members – 1 min read

A much-anticipated case on the concept of personal data, but the AG only advices the CJEU to set aside the General Court’s ruling and send the case back to decide on the second plea (breach of good administration and fair procedure). We're still in the dark on several aspects.

Feb 6, 2025

CJEU C-200/23 Agentsia po vpisvaniyata 4 Oct 2024

members – 6 min read

Tag, you're it! Got personal data --> you're a controller and can't shift accountability to the data subject. Temporary loss of control (e.g. public disclosure) can lead to damage, but harm must be proven. Handwritten signatures = personal data.

Dec 28, 2024

Italy: bank fined €1m and rental company €250k for unclear DPAg and no legal basis

members – 4 min read

The 🇮🇹 Garante fined a bank €1 million for anti-fraud checks as a processor on behalf of a group company without a legal basis, breaching both Articles 28(3) and 5(1)(a). The rental company was separately fined €250,000, also for an insufficient privacy notice. Here are your key takeaways! 💡

Aug 21, 2024

EDPB granted right to intervene in SRB-EDPS appeal

members – 1 min read

A strange occurance in my RSS feed today as this order from November 2023 suddenly appeared, giving the EDPB the right to intervene in the infamous SRB v EDPS case. So, not sure this is news. 🤷🏻‍♀️

May 3, 2024

CJEU C-101/01 Bodil Lindqvist 6 Nov 2003

members – 4 min read

A key (Directive 95/46/EC) ruling broadly interpreting key definitions (personal and health data, processing) and narrowly applied exceptions, but found that simply putting a website online doesn't necessarily result in transfers.

Apr 9, 2024

CJEU C-740/22 Endemol Shine Finland 7 Mar 2024

members – 3 min read

Orally disclosing personal data = 'processing' and potentially subject to the GDPR, and sharing criminal data orally (or in writing) isn't allowed to fulfill a public access request.

Mar 26, 2024

CJEU C-479/22 P OC v Commission 7 Mar 2024

members – 3 min read

The CJEU returned a case to the General Court as they disagreed on the latter's interpretation of the concept of personal data, which is to be interpreted broadly, such as a press release with several data points that could identify someone.

Mar 21, 2024

CJEU C-604/22 IAB Europe TC String 7 Mar 2024

members – 6 min read

GDPR definitions are broad; information = personal data if, with third-party data, someone can be identified. Joint controllership doesn’t automatically extend to further processing, but you’re one if you set binding rules on processing and jointly determine purposes and means.

Mar 18, 2024

🚨 CJEU confirms TC String as personal data and IAB Europe as joint controller

members – 1 min read

DPO Hub writeup coming soon!

Mar 7, 2024

CJEU C-582/14 Breyer (dynamic IP addresses) 19 Oct 2016

members – 2 min read

The CJEU held that not only static IP addresses (ref. Scarlet) are protected personal data under data protection law, but also dynamic ones, and that national laws can't restrict interest which are legitimate under EU law.

Feb 11, 2024

CJEU C-70/10 Scarlet Extended (static IP addresses) 24 Nov 2011

members – 1 min read

In a case on copyright infringement, the CJEU stated that IP addresses are protected personal data because they allow data subjects to be precisely identified.

Feb 8, 2024

CJEU C-231/22 Belgian State (Data processed by an official journal) 11 Jan 2024

members – 3 min read

National law can implicitly determine controllership, including for an official journal that only publishes data it receives, even when it doesn't have a legal personality on its own. (But note my comment on this.)

Jan 16, 2024