Anna Oberschelp de Meneses

Subscribe to all posts by Anna Oberschelp de Meneses

German court decides that GDPR consent can be tied to receiving advertising

On June 27, 2019, the High Court of Frankfurt decided that a consent for data processing tied to a consent for receiving advertising can be considered as freely given under the GDPR. The case concerned an electricity company that relied on consent obtained by another company to advertise its products and services to the claimant. … Continue Reading

CJEU rules that Facebook and website operators are joint controllers if the website embeds Facebook’s “Like” button

On July 29, 2019, the Court of Justice of the European Union (“CJEU”) handed down its judgment in the Fashion ID case (Case C-40/17).   The CJEU found that when a website operator embeds Facebook’s “Like” button on its website, Facebook and the website operator become joint controllers. The case clarifies the relationship between website operators … Continue Reading

The European Data Protection Board and the European Data Protection Supervisor consider the European Commission to be a processor of patient data in the eHealth Digital Service Infrastructure

On July 12, 2019, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) issued a joint opinion on the processing of patient data and the role of the European Commission within the eHealth Digital Service Infrastructure (“eHDSI”). Background The eHDSI system was established in the context of the eHealth Network.  The … Continue Reading

German Supervisory Authorities Issue Guidance on Data Subject Rights

Guidance on how to identify data subjects On July 1, 2019, the Bavarian Supervisory Authority for the public sector (“SA”) published guidance on how to verify the identity of data subjects exercising their data protection rights under the GDPR. The guidance is directed at public bodies, but is also helpful for private entities. According to … Continue Reading

French Supervisory Authority will issue new guidelines on cookies

On June 28, 2019, the French Supervisory Authority (CNIL) announced that it will issue new guidelines on the use of cookies for direct marketing purposes.  It will issue these guidelines in two phases. First, during July 2019, the CNIL will update its guidance issued in 2013 on cookies.  According to the CNIL, the 2013 guidance … Continue Reading

Association of German Supervisory Authorities issues paper on broad consent for research

On April 3, 2019, the Association of German Supervisory Authorities (“Datenschutzkonferenz” or “DSK”) issued a paper (available here in German) on the interpretation of “broad consent” for scientific research in Recital 33 of the GDPR and the interplay with the definition of consent  and the principle of purpose limitation. According to the DSK, broad consent … Continue Reading

Polish Supervisory Authority issues GDPR fine for data scraping without informing individuals

On March 26, 2019, the Polish Supervisory Authority (“SA”) issued a fine of around €220,000 against a company that processed contact data obtained from publicly available sources without informing the individuals concerned (decision in Polish here and English summary here). Article 14 of the GDPR requires data controllers, who do not obtain personal data directly … Continue Reading

EU Advocate General Issues Opinion on Consent for Cookies and Intersection with the GDPR

On March 21, 2019, Advocate General Szpunar released his opinion in the Planet49 case, currently pending before the Court of Justice of the European Union (CJEU).  The case centers on the use of consent for the processing of personal data and consent for the use of cookies. Planet49 GmbH offered an online lottery service for … Continue Reading

The Court of Justice of the European Union reiterates broad application of the EU Data Protection Law’s journalism exception to online platforms

On January 14, 2019, the Court of Justice of the European Union (“CJEU”) decided that video recordings of police officers in the exercise of their duties and the uploading of such videos on YouTube may constitute “journalistic activities” in the meaning of the journalism exception of the EU Data Protection Directive (“Directive”) (available here). The … Continue Reading

EU-Japan Adopt Mutual Adequacy Decision

[Update to previous post from August 17, 2018] On January 23, 2019, the European Commission and Japan mutually recognized each other’s data protection laws as providing an adequate level of protection of personal data (see European Commission press release here). As a result, nearly all personal data can now flow freely between the EU and … Continue Reading

Google fined €50 million in France for GDPR violation

On January 21, 2019, the French Supervisory Authority for data protection (“CNIL”) issued a fine of €50 million against Google for violations of the General Data Protection Regulation (“GDPR”) (the decision was published in French here).  The CNIL’s decision was triggered by complaints from two non-profit organizations together representing 9974 individuals. The case raises a … Continue Reading

Austrian Data Protection Authority Validates Paid Subscription Model as a Viable Alternative to Ad Tracking

On 30 November 2018, the Austrian Data Protection Authority (“DPA”) decided that the website of an online media publisher – which offers users the option to either consent to advertising cookies or pay for a subscription – gives users a free choice that is compatible with the requirements of consent under the GDPR. (The decision … Continue Reading

German Courts Decide Whether an Infringement of the GDPR also Qualifies as Unfair-Competitive Behavior

Under the Data Protection Directive (now superseded by the General Data Protection Regulation, “GDPR”), it was disputed whether a violation of the German Data Protection Law transposing the Directive could serve as a basis for anti-competition claims under the German Act Against Unfair Competition (“Gesetz gegen den unlauteren Wettbewerb”, “UWG”).  Since the entry into force … Continue Reading

CNIL imposes GDPR-consent in online advertising space

On November 9, 2018, the French Supervisory Authority for Data Protection (known as the “CNIL”) announced that it issued a formal warning (available here) ordering the company Vectaury to change its consent experience for customers and purge all data collected on the basis of invalid consent previously obtained.   Vectaury is an advertising network that … Continue Reading

Portuguese hospital receives and contests 400,000 € fine for GDPR infringement

On July 17, 2018, the Portuguese Supervisory Authority (“CNPD”) imposed a fine of 400.000 € on a hospital for infringement of the European Union General Data Protection Regulation (“GDPR”).  The decision has not been made public.  Earlier this week, the hospital publicly announced that it will contest the fine. According to press reports, the CNPD … Continue Reading

Italian court decides that a data protection officer does not have to be a certified ISO 27001 Auditor

On September 5, 2018, a first instance Administrative Court in Italy decided that a public company cannot reject an application for the position of data protection officer (“DPO”) on the basis that the applicant is not a certified ISO 27001 Auditor / Lead Auditor (decision available here). ISO 27001 is an international information security standard. … Continue Reading

EU and Japan conclude talks on reciprocal adequacy finding

On July 17, 2018, the European Commission successfully concluded negotiations with Japan on a reciprocal adequacy finding which will allow personal data to flow freely from the EU to Japan (and vice versa). The adequacy decision has not yet been formally adopted, as it must still undergo the respective EU and Japanese approval procedures, which … Continue Reading
LexBlog