Pseudonymised data isn’t always personal in every case to everyone – but measures must be effective. Comments are personal by nature – no need to assess content, purpose or effects. Whether a person can be identified must be assessed from the controller’s perspective, when collecting the data.
🔥 Update: After the CJEU sent the case back, the General Court has ordered the European Commission to pay a Greek scientist €50,000 for unlawfully processing her personal data in a press release, causing reputational, career and health-related harm.
You’re a (joint) controller if you use third-party tools on your website that share personal data with the provider – but only for parts where you (jointly) determine purposes and means. If you collect the data, you must inform and get consent, and each controller must pursue a legitimate interest.
[Final 🇧🇪 ruling, articles] GDPR definitions are broad: information = personal data if someone can be identified using third-party data. Joint controllership doesn’t automatically cover further processing, but you are a joint controller if you set binding rules and jointly decide purposes and means.
A court authorising the disclosure of personal data to another judicial body qualifies as processing under the GDPR – but it doesn’t make the court a controller or a DPA, and it’s not required to ensure compliance unless an Article 79(1) action is brought before it.
GDPR still applies when acting on behalf of a legal person. Plus, major implications for 🇨🇿 Czech – and potentially other – public bodies handling FOI requests: you may need to consult data subjects before disclosure, and even if that's impossible, you must still balance FOI with data protection.
Tag, you're it! Got personal data --> you're a controller and can't shift accountability to the data subject. Temporary loss of control (e.g. public disclosure) can lead to damage, but harm must be proven. Handwritten signatures = personal data.
The 🇮🇹 Garante fined a bank €1 million for anti-fraud checks as a processor on behalf of a group company without a legal basis, breaching both Articles 28(3) and 5(1)(a). The rental company was separately fined €250,000, also for an insufficient privacy notice. Here are your key takeaways! 💡
A key (Directive 95/46/EC) ruling that broadly interpreted key definitions (personal and health data, processing) and narrowly applied exceptions, but found that simply putting a website online doesn't necessarily result in transfers.
Orally disclosing personal data = 'processing' and potentially subject to the GDPR, and sharing criminal data orally (or in writing) isn't allowed to fulfill a public access request.