roles - DPO Hub

CJEU C-638/23 Amt der Tiroler Landesregierung 27 Feb 2025

members – 2 min read

An entity without legal personality can be a controller if it can fulfil those obligations and national law at least implicitly defines the processing scope; it doesn’t need to precisely specify processing activities or purpose.

Mar 3, 2025

CJEU C-492/23 Russmedia Digital and Inform Media Press 6 Feb 2025 AG Opinion

members – 1 min read

AG Szpunar: Marketplace operators are processors for ad data (must protect it) and controllers for advertisers' data (must verify identity). Liability applies if you actively manage, modify or promote content.

Feb 6, 2025

CJEU C-200/23 Agentsia po vpisvaniyata 4 Oct 2024

members – 6 min read

Tag, you're it! Got personal data --> you're a controller and can't shift accountability to the data subject. Temporary loss of control (e.g. public disclosure) can lead to damage, but harm must be proven. Handwritten signatures = personal data.

Dec 28, 2024

Italy: bank fined €1m and rental company €250k for unclear DPAg and no legal basis

members – 4 min read

The 🇮🇹 Garante fined a bank €1 million for anti-fraud checks as a processor on behalf of a group company without a legal basis, breaching both Articles 28(3) and 5(1)(a). The rental company was separately fined €250,000, also for an insufficient privacy notice. Here are your key takeaways! 💡

Aug 21, 2024

CJEU C-461/22 MK (Professional guardian) 11 Jul 2024

members – 1 min read

A former legal guardian who acted in a professional capacity is a controller and must comply with the GDPR, including the right of access.

Jul 14, 2024

Dutch DPA on education sector social media marketing

members – 4 min read

The DPA stresses that their advice applies generally to all social media and "of great importance" to all educational institutions and similar organisations in 🇳🇱.

Jun 17, 2024

CJEU C-604/22 IAB Europe TC String 7 Mar 2024

members – 6 min read

GDPR definitions are broad; information = personal data if, with third-party data, someone can be identified. Joint controllership doesn’t automatically extend to further processing, but you’re one if you set binding rules on processing and jointly determine purposes and means.

Mar 18, 2024

🚨 CJEU confirms TC String as personal data and IAB Europe as joint controller

members – 1 min read

DPO Hub writeup coming soon!

Mar 7, 2024

Sweden MedHelp 1177 case

members – 8 min read

This case is not only a goldmine for DPOs in the Swedish healthcare sector (although particularly so), but DPOs in general, for assessing roles, legal bases and processor liability.

Feb 22, 2024

CJEU C-231/22 Belgian State (Data processed by an official journal) 11 Jan 2024

members – 3 min read

National law can implicitly determine controllership, including for an official journal that only publishes data it receives, even when it doesn't have a legal personality on its own. (But note my comment on this.)

Jan 16, 2024

CJEU C‑683/21 Nacionalinis visuomenės sveikatos centras 5 Dec 2023

members – 4 min read

The definition of 'controller' is broad and you're liable for all processing, done directly or by others on your behalf, including processors. Joint controllership is determined by facts, not contracts. Know your role(s)!

Jan 6, 2024

Sweden DPA fines Bonnier News SEK 13m for profiling without consent

members – 1 min read

…

Jun 28, 2023