GDPR

In recent months, the European Court of Justice (“CJEU”) issued five judgments providing some clarity on the scope of individuals’ rights to claim compensation for “material and non-material damage” under Article 82 of the GDPR. These rulings will inform companies’ exposure to compensation claims, particularly in the context of the EU’s Collective Redress Directive, but open questions remain about the quantum of compensation courts will offer in these cases and we expect both the CJEU and national courts to deliver additional case-law clarifying this topic in the coming year (for more information on recent CJEU cases related to compensation, see our previous blog posts here and here).

  • In VB v Natsionalna agentsia za prihodite (C-340/21), the CJEU concluded that individuals may have suffered “non-material damage”—and therefore be able to claim compensation—if they can demonstrate that they feared future misuse of personal data that was compromised in a personal data breach.  
  • In VX v Gemeinde Ummendorf (C-456/22), the CJEU found that there is no de minimis threshold for damage, below which individuals cannot claim for compensation.
  • In BL v MediaMarktSaturn (C-687-21), the CJEU restated its existing case-law, and expanded upon its analysis in VB by clarifying that alleged harms cannot be “purely hypothetical”.
  • In Kočner v Europol (C-755/21), the CJEU awarded non-material damages of €2000 for the publication in newspapers of transcripts of “intimate” text messages.
  • In GP v Juris GmbH (C-741/21), the CJEU found that where one processing activity infringes multiple provisions of the GDPR, this should not allow claimants to “double-count” the harm they suffered.

We provide further detail on each case below.Continue Reading Rounding up Five Recent CJEU Cases on GDPR Compensation

On February 28, the European Data Protection Board (“EDPB”) announced that EU supervisory authorities (“SAs”) will undertake a coordinated enforcement action in 2024 regarding data subjects’ right of access under the GDPR.  For context, the EDPB selects a particular topic each year to serve as the focus for pan-EU coordinated enforcement.

In 2023, regulators focused upon data protection officers’ designation and role.  And, on January 17, 2024, the EDPB published its report providing an overview of the actions SAs took in the context of the 2023 action.  This blog post provides an overview of what you can expect from the coordinated enforcement action in 2024, based on the lessons learned from 2023.Continue Reading EDPB’s 2024 Coordinated Enforcement Action on the Access Right: What Can You Expect?

On March 7, 2024, the European Court of Justice (“CJEU”) rendered its judgment in an appeal against a decision of the EU General Court (C-479/22P).  In the original decision, the General Court decided that the information contained in a press release by OLAF (a European anti-fraud organization) regarding fraud committed by an unnamed scientist was not personal data as the scientist was not identifiable from the press release (for more on the General Court’s decision, see our blog post here). The scientist appealed the decision arguing that she could easily be identified from the information released by OLAF and thus that the data were personal data.  The EU law concerned in this case is Regulation (EU) 2018/1725, which applies to the processing of personal data within EU bodies, rather than the GDPR, though the definition of personal data is the same in both regulations.Continue Reading European Court Clarifies Concept of Personal Data

On March 7, 2024, the CJEU rendered its judgement in the IAB Europe case (C-604/22).   The case relates to role of IAB Europe, a sector organization, in its Transparency and Consent Framework (“TCF”) used by companies to record the GDPR consent granted (or not granted) by a user and to document compliance with their GDPR transparency obligations.  The framework is widely used in digital advertising, including in real-time bidding scenarios; below, we set out the court’s three main findings.Continue Reading CJEU Decides the IAB Europe Case, Expanding the Concept of Controllership

On February 13, 2024, the European Data Protection Board (“EDPB”) adopted an opinion on the notion of “main establishment” of a controller in the context of Article 4(16)(a) of GDPR.  The opinion aims to clarify (i) the relevant conditions for the determination of whether a controller has a “main establishment” in the EU, for controllers that have more than one establishment in the EU; and (ii) the application of the so-called “one-stop-shop” mechanism in these scenarios.  

We provide below an overview of the EDPB’s opinion.Continue Reading EDPB Clarifies the Notion of “Main Establishment” under the GDPR

In December 2023, the Dutch SA fined a credit card company €150,000 for failure to perform a proper data protection impact assessment (“DPIA”) in accordance with Art. 35 GDPR for its “identification and verification process”.Continue Reading Dutch SA Sanctions Credit Card Company for Failure to Perform Data Protection Impact Assessment

On January 15, 2024, the European Commission released its report on the first review of the functioning of the existing eleven adequacy decisions adopted under the pre-GDPR framework.  

The Commission concluded that personal data transferred from the European Economic Area to any of Andorra, Argentina, Canada (for PIPEDA-regulated entities), the Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay continue to receive an adequate level of protection.Continue Reading European Commission Retains Adequacy Decisions for Data Transfers to Eleven Countries

On October 11, 2023, the French data protection authority (“CNIL”) issued a set of “how-to” sheets on artificial intelligence (“AI”) training databases. The sheets are open to consultation until December 15, 2023, and all AI stakeholders (including companies, researchers, NGOs) are encouraged to provide comments.  Continue Reading French CNIL Opens Public Consultation On Guidance On The Creation Of AI Training Databases

On October 26, 2023, the European Court of Justice (“CJEU”) decided that the GDPR grants a patient the right to obtain a copy of his or her medical record free of charge (case C-307/22, FT v DW).   As a result, the CJEU held that a provision under German law that permitted doctors to ask their patients to pay for the costs associated with providing access to their medical record is contrary to EU law.Continue Reading CJEU Holds That GDPR Right of Access Overrules Local Laws

On 3 October 2023, the UK Information Commissioner’s Office (“ICO”) finalized its Employment practices and data protection − Monitoring workers guidance (“Guidance”) to account for new types of work, including work from home, and the use of more sophisticated technologies for monitoring. In November 2022, we published a detailed blog post on the ICO’s public consultation.

The finalized Guidance is aimed at employers. It does not prevent employers from engaging in monitoring; rather, it sets out how they can do so in compliance with data protection law.  The Guidance defines “monitoring workers” as “any form of monitoring of people who carry out work on [an employer’s] behalf” and can include “monitoring workers on particular work premises or elsewhere” both during and outside working hours. The Guidance is clear that it applies to homeworking.  It also applies to a range of monitoring technologies and purposes, including (but not limited to) technologies for monitoring timekeeping or access control; keystroke monitoring to track, capture and log keyboard activity; and productivity tools which log how workers spend their time.Continue Reading UK Information Commissioner’s Office Releases New Guidance for Monitoring at Work