key definitions

CJEU C-313/23 Inspektorat kam Visshia sadeben savet 30 Apr 2025

members – 3 min read

That a court authorises personal data disclosure to another judicial body qualifies as processing under the GDPR – but it doesn’t make the court a controller or a DPA, and it’s not required to ensure compliance unless an Article 79(1) action is brought before it.

May 6, 2025

CJEU C-710/23 Ministerstvo zdravotnictvi 3 Apr 2025

members – 3 min read

GDPR still applies when acting on behalf of a legal person. Plus, major implications for 🇨🇿 Czech – and potentially other – public bodies handling FOI requests: you may need to consult data subjects before disclosure, and even if that's impossible, you must still balance FOI with data protection.

Apr 11, 2025

CJEU C-413/23 P EDPS v Single Resolution Board 6 Feb 2025 AG Opinion

members – 1 min read

A much-anticipated case on the concept of personal data, but the AG only advices the CJEU to set aside the General Court’s ruling and send the case back to decide on the second plea (breach of good administration and fair procedure). We're still in the dark on several aspects.

Feb 6, 2025

CJEU C-200/23 Agentsia po vpisvaniyata 4 Oct 2024

members – 6 min read

Tag, you're it! Got personal data --> you're a controller and can't shift accountability to the data subject. Temporary loss of control (e.g. public disclosure) can lead to damage, but harm must be proven. Handwritten signatures = personal data.

Dec 28, 2024

Italy: bank fined €1m and rental company €250k for unclear DPAg and no legal basis

members – 4 min read

The 🇮🇹 Garante fined a bank €1 million for anti-fraud checks as a processor on behalf of a group company without a legal basis, breaching both Articles 28(3) and 5(1)(a). The rental company was separately fined €250,000, also for an insufficient privacy notice. Here are your key takeaways! 💡

Aug 21, 2024

EDPB granted right to intervene in SRB-EDPS appeal

members – 1 min read

A strange occurance in my RSS feed today as this order from November 2023 suddenly appeared, giving the EDPB the right to intervene in the infamous SRB v EDPS case. So, not sure this is news. 🤷🏻‍♀️

May 3, 2024

CJEU C-101/01 Bodil Lindqvist 6 Nov 2003

members – 4 min read

A key (Directive 95/46/EC) ruling broadly interpreting key definitions (personal and health data, processing) and narrowly applied exceptions, but found that simply putting a website online doesn't necessarily result in transfers.

Apr 9, 2024

CJEU C-740/22 Endemol Shine Finland 7 Mar 2024

members – 3 min read

Orally disclosing personal data = 'processing' and potentially subject to the GDPR, and sharing criminal data orally (or in writing) isn't allowed to fulfill a public access request.

Mar 26, 2024

CJEU C-479/22 P OC v Commission 7 Mar 2024

members – 3 min read

The CJEU returned a case to the General Court as they disagreed on the latter's interpretation of the concept of personal data, which is to be interpreted broadly, such as a press release with several data points that could identify someone.

Mar 21, 2024

CJEU C-604/22 IAB Europe TC String 7 Mar 2024

members – 6 min read

GDPR definitions are broad; information = personal data if, with third-party data, someone can be identified. Joint controllership doesn’t automatically extend to further processing, but you’re one if you set binding rules on processing and jointly determine purposes and means.

Mar 18, 2024

🚨 CJEU confirms TC String as personal data and IAB Europe as joint controller

members – 1 min read

DPO Hub writeup coming soon!

Mar 7, 2024

CJEU C-582/14 Breyer (dynamic IP addresses) 19 Oct 2016

members – 2 min read

The CJEU held that not only static IP addresses (ref. Scarlet) are protected personal data under data protection law, but also dynamic ones, and that national laws can't restrict interest which are legitimate under EU law.

Feb 11, 2024