If a DSAR is made solely to engineer a compensation claim rather than to verify lawful processing, it can be refused as abusive – even if it's the first request.
If public transport ticket inspectors process personal data using body cams, they must inform data subjects under Article 13 – not Article 14 – because the data's collected directly from the data subject.
GDPR offers no judicial remedy, outside erasure requests, to stop future unlawful processing, but Member States may provide one. Non-material damage covers negative feelings – if proven. A controller’s fault doesn’t affect compensation, and a court order banning repeat GDPR violations can’t reduce or replace it.
A Member State can't, under any circumstances, require a data subject to provide proof of gender reassignment surgery to exercise their right to rectification. However, the data subject may need to provide relevant and sufficient evidence reasonably needed to show that the data is inaccurate.
All things right of access: Article 15 elements table, a handy flowchart, key CJEU rulings and Rie's practical guide (including how to deal with nightmare DSARs).
30 DPAs participated in EDPB's 2024 CEF action on the Right of access, involving 1185 controllers. 7 challenges were identified, such as a lack of documented procedures and requests for excessive ID docs. And more awareness is needed.
Tag, you're it! Got personal data --> you're a controller and can't shift accountability to the data subject. Temporary loss of control (e.g. public disclosure) can lead to damage, but harm must be proven. Handwritten signatures = personal data.
The Art. 14(5)(c) derogation applies to *all* data not collected from the data subject, including self-generated. DPAs can, as per Art. 14(5)(c), verify if national law has measures to protect data subjects' legitimate interests, but this doesn’t include assessing Art. 32 security measures.