key definitions

C-200/23 Agentsia po vpisvaniyata

members – 3 min read

An authority of a commercial register = both recipient and controller. Handwritten signatures = personal data. Temporary loss of control (e.g. public disclosure) can lead to damage, but harm must be proven. And a few more points in today's CJEU ruling!

Oct 4, 2024

Italy: bank fined €1m and rental company €250k for unclear DPAg and no legal basis

members – 4 min read

The 🇮🇹 Garante fined a bank €1 million for anti-fraud checks as a processor on behalf of a group company without a legal basis, breaching both Articles 28(3) and 5(1)(a). The rental company was separately fined €250,000, also for an insufficient privacy notice. Here are your key takeaways! 💡

Aug 21, 2024

EDPB granted right to intervene in SRB-EDPS appeal

members – 1 min read

A strange occurance in my RSS feed today as this order from November 2023 suddenly appeared, giving the EDPB the right to intervene in the infamous SRB v EDPS case. So, not sure this is news. 🤷🏻‍♀️

May 3, 2024

CJEU C-101/01 Bodil Lindqvist

members – 4 min read

A key (Directive 95/46/EC) ruling broadly interpreting key definitions (personal and health data, processing) and narrowly applied exceptions, but found that simply putting a website online doesn't necessarily result in transfers.

Apr 9, 2024

CJEU C-740/22 Endemol Shine Finland

members – 3 min read

The CJEU held that orally disclosing personal data is 'processing' and potentially subject to the GDPR + sharing criminal data orally (or in writing) is not allowed to fulfill a public access request.

Mar 26, 2024

CJEU C-479/22 P OC v Commission

members – 3 min read

The CJEU returned a case to the General Court as they disagreed on the latter's interpretation of the concept of personal data—which is to be interpreted broadly—such as a press release with several data points that could identify someone.

Mar 21, 2024

CJEU C-604/22 IAB Europe TC String

members – 6 min read

IAB Europe is a joint controller and because their 'TC String' contains data about an identifiable user, it's personal data.

Mar 18, 2024

🚨 CJEU confirms TC String as personal data and IAB Europe as joint controller

members – 1 min read

DPO Hub writeup coming soon!

Mar 7, 2024

CJEU C-582/14 Breyer (dynamic IP addresses)

members – 2 min read

The CJEU held that not only static IP addresses (ref. Scarlet) are protected personal data under data protection law, but also dynamic ones.

Feb 11, 2024

CJEU C-70/10 Scarlet Extended (static IP addresses)

members – 1 min read

In a case on copyright infringement, the CJEU stated that IP addresses are protected personal data because they allow data subjects to be precisely identified.

Feb 8, 2024

CJEU C-231/22 Belgian State

members – 3 min read

Controllership can be determined implicitly from national law, even for an official journal that only publishes data as it receives, including when that journal doesn't have a legal personality (but note my comment on this!).

Jan 16, 2024

CJEU C‑683/21 Nacionalinis visuomenės sveikatos centras

members – 4 min read

The definition of 'controller' is broad and you're liable for all processing, done directly or by others on your behalf, including processors. Joint controllership is determined by facts, not contracts. Know your role(s)!

Jan 6, 2024