rights - DPO Hub

CJEU C-526/24 Brillen Rottler 19 Mar 2026

members – 1 min read

If a DSAR is made solely to engineer a compensation claim rather than to verify lawful processing, it can be refused as abusive – even if it's the first request.

Mar 19, 2026

Luxembourg DPA fines Amazon Europe €746m

members – 2 min read

13 March 2026: Amazon with big win – a Luxembourg appeals court has overturned the €746 million fine and referred the case back to the DPA.

Mar 19, 2026

EDPB CEF 2025: Right to erasure (right to be forgotten)

members – 4 min read

💡 Should-read key takeaways for controllers from the final report. And do we need to sift through back-ups when we get an erasure request..?

Feb 22, 2026

CJEU C-422/24 Storstockholms Lokaltrafik 18 Dec 2025

members – 3 min read

If public transport ticket inspectors process personal data using body cams, they must inform data subjects under Article 13 – not Article 14 – because the data's collected directly from the data subject.

Dec 18, 2025

EDPB Support Pool of Experts (SPE) projects

members – 6 min read

Latest: The Digital Euro and its token-based offline modality (Oct) | AI and Data Protection Training curriculum (Jun) | An overview of SPE projects.

Oct 21, 2025

CJEU C-655/23 Quirin Privatbank 4 Sep 2025

members – 3 min read

GDPR offers no judicial remedy outside erasure requests to stop future unlawful processing, but Member States may. Non-material damage covers negative feelings – if proven. A controller’s fault doesn’t affect compensation, and a court order banning repeat GDPR violations can’t reduce or replace it.

Sep 7, 2025

CJEU C-247/23 Deldits 13 Mar 2025

members – 2 min read

A Member State can't, under any circumstances, require a data subject to provide proof of gender reassignment surgery to exercise their right to rectification. However, they may need to provide relevant and sufficient evidence reasonably needed to show that the data is inaccurate.

Mar 13, 2025

Rights: Access (DSAR, Right of access)

members – 3 min read

All things right of access: Article 15 elements table, a handy flowchart, key CJEU rulings and Rie's practical guide (including how to deal with nightmare DSARs).

Feb 28, 2025

Access requests – in practice

members – 3 min read

Recommendations on how to deal with the Right of access - DSARs - in practice (with grumpy DSARs checklist).

Feb 18, 2025

EDPB press release: Right of access CEF 2024 report

members – 1 min read

30 DPAs participated in EDPB's 2024 CEF action on the Right of access, involving 1185 controllers. 7 identified challenges like lack of documented procedures and requesting excessive ID docs. And more awareness is needed.

Jan 20, 2025

CJEU C-200/23 Agentsia po vpisvaniyata 4 Oct 2024

members – 6 min read

Tag, you're it! Got personal data --> you're a controller and can't shift accountability to the data subject. Temporary loss of control (e.g. public disclosure) can lead to damage, but harm must be proven. Handwritten signatures = personal data.

Dec 28, 2024

CJEU C-169/23 Masdi 28 Nov 2024

members – 4 min read

The Art. 14(5)(c) derogation applies to *all* data not collected from the data subject, including self-generated. DPAs can, as per Art. 14(5)(c), verify if national law has measures to protect data subjects' legitimate interests, but this doesn’t include assessing Art. 32 security measures.

Nov 28, 2024