- New adequacy decision for EU-U.S. data transfers
- CJEU: Requirements for GDPR damage claims
- CJEU: Lawfulness of processing in case of Art. 26 and 30 GDPR violations
- CJEU: News on the right to be forgotten
- Advocate General: Objective criteria for determining joint controllership (Article 26 of the GDPR)
- General Court: Personal data or not? No real news in seemingly clarifying judgment
- CJEU: B2B terms and conditions can be incorporated into written contracts via links
- CJEU: Companies not entitled to compensation if they forget to inform about right of withdrawal from contract
- EU Commission proposes ‘GDPR Procedural Regulation’
- Cologne District Court: Button solution also applies to termination of transportation contracts by email
- Berlin Administrative Court: Data subjects must identify themselves where the controller has reasonable doubts
- Email marketing update
- Federal Labour Court: Use of video recording in dismissal protection proceedings despite data protection concerns
Recommended reading in the areas of EU and German IT and data protection law
1. New adequacy decision for EU-U.S. data transfers
by Sven Schonhofen, LL.M.
The EU Commission adopted an adequacy decision for the EU-U.S. Data Privacy Framework on 10 July 2023. U.S. data recipients must self-certify under the EU-U.S. Data Privacy Framework. If a U.S. data recipient is certified, personal data can flow safely from the EU to the U.S. on the basis of the new adequacy decision, without the need for additional data transfer mechanisms.
Conclusion: The EU Commission confirmed that the new safeguards under U.S. law also apply to other data transfer mechanisms, such as standard contractual clauses. Organisations involved in data transfers to the U.S. should assess what is their preferred and most appropriate data transfer mechanism (adequacy decision or standard contractual clauses). You can find more information on our blog, in the Q&A of the EU Commission and in a statement by the European Data Protection Board.
2. CJEU: Requirements for GDPR damage claims
by Sven Schonhofen, LL.M.
In its judgment of 4 May 2023 (docket no.: C-300/21), the CJEU ruled that not every infringement of the GDPR gives rise, by itself, to a right of compensation. The right to compensation rather requires a GDPR infringement, material or non-material damage and a causal link between the damage and the infringement. Further, the CJEU held that the right to compensation is not limited to non-material damage that reaches a certain threshold of seriousness.
Conclusion: This landmark decision by the CJEU has not brought the desired clarity. Plaintiffs must show damages. However, the requirements are not too high. In the future, the national courts will have to set limits for claims for damages.
3. CJEU: Lawfulness of processing in case of Art. 26 and 30 GDPR violations
by Tim Sauerhammer
In its judgment of 4 May 2023 (docket no.: C-60/22), the CJEU ruled that breach of the obligations to conclude an agreement establishing joint controllership (Article 26 of the GDPR) or to maintain a record of processing activities (Article 30 of the GDPR) does not lead to a violation of the obligation of accountability in the sense of Article 5(2), (1)(a) of the GDPR. Accordingly, the data subject’s right to erasure or to restriction of processing does not arise due to these breaches.
Conclusion: The ruling clarifies that not every breach of obligations under the GDPR automatically results in a right to erasure or restriction of processing.