key definitions

GDPR 2.0?

members – 6 min read

16 Sep: Have your say on the upcoming Digital Omnibus (deadline 14 Oct.) | The Commission is proposing to simplify the European Single Market, including the GDPR Articles 4, 30, 40 and 42.

Sep 16, 2025

CJEU C-413/23 P EDPS v SRB (Concept of personal data) 4 Sep 2025

members – 3 min read

CJEU on General Court: 1) ❌ Someone's comment = their personal data, no need to examine further 2) ✅ Pseudonymised data isn’t always personal data for everyone, in every case 3) ❌ Identifiability must be assessed when data is collected and from the controller’s perspective; Deloitte's not relevant.

Sep 7, 2025

CJEU C-40/17 Fashion ID 29 Jul 2019

members – 4 min read

You’re a (joint) controller if you use third-party tools on your website that share personal data with the provider – but only for parts where you (jointly) determine purposes and means. If you collect the data, you must inform and get consent, and each controller must pursue a legitimate interest.

Jun 17, 2025

CJEU C-604/22 IAB Europe TC String 7 Mar 2024

members – 7 min read

[Final 🇧🇪 ruling, articles] GDPR definitions are broad: information = personal data if someone can be identified using third-party data. Joint controllership doesn’t automatically cover further processing, but you are one if you set binding rules and jointly decide purposes and means.

May 25, 2025

CJEU C-313/23 Inspektorat kam Visshia sadeben savet 30 Apr 2025

members – 3 min read

That a court authorises personal data disclosure to another judicial body qualifies as processing under the GDPR – but it doesn’t make the court a controller or a DPA, and it’s not required to ensure compliance unless an Article 79(1) action is brought before it.

May 6, 2025

CJEU C-710/23 Ministerstvo zdravotnictvi (Data concerning the representative of a legal person) 3 Apr 2025

members – 3 min read

GDPR still applies when acting on behalf of a legal person. Plus, major implications for 🇨🇿 Czech – and potentially other – public bodies handling FOI requests: you may need to consult data subjects before disclosure, and even if that's impossible, you must still balance FOI with data protection.

Apr 11, 2025

CJEU C-200/23 Agentsia po vpisvaniyata 4 Oct 2024

members – 6 min read

Tag, you're it! Got personal data --> you're a controller and can't shift accountability to the data subject. Temporary loss of control (e.g. public disclosure) can lead to damage, but harm must be proven. Handwritten signatures = personal data.

Dec 28, 2024

Italy: bank fined €1m and rental company €250k for unclear DPAg and no legal basis

members – 4 min read

The 🇮🇹 Garante fined a bank €1 million for anti-fraud checks as a processor on behalf of a group company without a legal basis, breaching both Articles 28(3) and 5(1)(a). The rental company was separately fined €250,000, also for an insufficient privacy notice. Here are your key takeaways! 💡

Aug 21, 2024

CJEU C-101/01 Bodil Lindqvist 6 Nov 2003

members – 4 min read

A key (Directive 95/46/EC) ruling broadly interpreting key definitions (personal and health data, processing) and narrowly applied exceptions, but found that simply putting a website online doesn't necessarily result in transfers.

Apr 9, 2024

CJEU C-740/22 Endemol Shine Finland 7 Mar 2024

members – 3 min read

Orally disclosing personal data = 'processing' and potentially subject to the GDPR, and sharing criminal data orally (or in writing) isn't allowed to fulfill a public access request.

Mar 26, 2024

CJEU C-479/22 P OC v Commission 7 Mar 2024

members – 3 min read

The CJEU returned a case to the General Court as they disagreed on the latter's interpretation of the concept of personal data, which is to be interpreted broadly, such as a press release with several data points that could identify someone.

Mar 21, 2024

🚨 CJEU confirms TC String as personal data and IAB Europe as joint controller

members – 1 min read

DPO Hub writeup coming soon!

Mar 7, 2024