Case Law
Court decisions and jurisprudence from EU and national courts
Browse by Topic
CJEU (189)
JH v Policejní prezidium
CJEU
HvJ EU 20 november 2025, C-57/23, ECLI:EU:C:2025:905, (JH v Policejní prezidium). Artikel: 10 2016/680, 4(1)(c) 2016/680, 4(1)(e) 2016/680, 5 2016/680, 6 2016/680, 6(a) 2016/680, 8 2016/680, 8(2) 2016/680 Kort:
A and Others v Latvijas Republikas Saeima
CJEU
De A-G geeft aan het HvJ EU de volgende overwegingen mee : Dat
XH v European Commission
CJEU
Gaat om een beroep van T-613/21. In beroep wordt gesteld dat het Gerecht de professionele context als reden zag om de gegevens niet als persoonsgegevens te zien, maar dit is niet juist volgens het HvJ EU. Het feit dat het hier om informatie verwerkt in een werkgerelateerde context is niet een doo...
Integritetsskyddsmyndigheten v AB Storstockholms Lokaltrafik
CJEU
Deze zaak draait in essentie om de vraag wanneer persoonsgegevens worden verzameld bij de betrokkene en wanneer niet. Dit onderscheid is namelijk relevant voor de toepassing van de transparantievereisten (art. 13 of 14 AVG). In de zaak draaide het om het gebruik van bodycams in het openbaar vervo...
X v Russmedia Digital SRL, Inform Media Press SRL
CJEU
In deze zaak gaat het in essentie om de verhouding tussen de e-Commerce Richtlijn en de AVG in het bijzonder bij verwerking van bijzondere persoonsgegevens (gegevens over iemands seksueel gedrag, art. 9 AVG). Specifiek draaide het hier om een online advertentieplatform dat anonieme gebruikers de ...
165/2025 : 18 December 2025 - Opinions of the Advocate General in joined cases C-424/24, C-425/24, C-425/24
Artikelen:
CJEU
Vervolg op de uitspraak van het HvJ EU (C‑479/22 P). Na die uitspraak is duidelijk dat OLAF door publicatie van het persbericht over een maatregel genomen jegens een Griekse onderzoeker die gemeenschapsgeld onjuist zou hebben gebruikt, persoonsgegevens heeft verwerkt. Nu is de vraag aan de orde o...
Vervolg op de uitspraak van het HvJ EU (C‑479/22 P).
CJEU
Vervolg op de uitspraak van het HvJ EU (C‑479/22 P). Na die uitspraak is duidelijk dat OLAF door publicatie van het persbericht over een maatregel genomen jegens een Griekse onderzoeker die gemeenschapsgeld onjuist zou hebben gebruikt, persoonsgegevens heeft verwerkt. Nu is de vraag aan de orde o...
AR, YT, DI and RN v Österreichische Datenschutzbehörde, NADA Austria and ÖADR
CJEU
AG Spielmann begint met een niet-onbelangrijke voorvraag: is de AVG eigenlijk wel van toepassing of worden NADA en ÖADR gezien als "bevoegde autoriteiten met het oog op de voorkoming, het onderzoek, de opsporing en de vervolging van strafbare feiten of de tenuitvoerlegging van straffen" ex art. 2...
Uitleg HvJ EU over 'gerechtvaardigd belang' toegepast bij exceptieve toetsing aan evenredigheidsbeginsel in belastingzaak
CJEU
Is het percentage van belastingrente voor de vennootschapsbelasting bepaald in art. 1(b) Bbi in strijd met het evenredigheidsbeginsel?
Philippe Latombe v European Commission
CJEU
Het EU-U.S. Data Privacy Framework (DPF) op het moment van uitbrengen is geldig, zo heeft het Gerecht bepaald. Het Gerecht heeft gekeken naar alleen dat moment (punt 22), niet de huidige stand van zaken. Alle punten die Latombe naar voren heeft gebracht gaat het Gerecht niet in mee. Zo is de Data...
ND v Legal Newsdesk Sweden AB
CJEU
Dit belooft een mooie zaak te worden over wat valt onder de 'journalistieke' exceptie en hoe we de verschilende leden van
Kort:
CJEU
"Having carefully analysed the judgment in case C-383/23 [ILVA, AB], the EDPB considers that the Guidelines 4/2022, and in particular Section 6.2.1, align with this ruling, and that no change is needed at this stage."
Brillen Rottler GmbH & Co. KG v TC
CJEU
Een inzageverzoek dertien dagen na het invullen van een formulier op de website van Brillen Rottler (verwerkingsverantwoordelijke) wordt afgewezen door het bedrijf met een beroep op de in art. 12(5) AVG vervatte uitzondering dat een dergelijk verzoek 'kennelijk ongegrond of buitensporig' zou zijn...
Datenschutzbehörde, Dr. G S v Bundesministerin für Justiz, D GmbH
CJEU
Mag je een klacht weigeren te onderzoeken als nationale toezichthouder omdat over dezelfde vermeende overtreding ook al een rechtzaak is gestart? Nee zegt de AG. Je mag wel de behandeling daarvan opschorten totdat er een uitspraak is (punt 66), maar weigeren dat mag niet. (punt 70)
EDPS v SRB (Notion de données à caractère personnel)
CJEU
De volgende ronde in de SRB-saga. Het HvJ EU vernietigt het arrest van het Gerecht en verwijst deze weer terug naar het Gerecht. (1) Meningen zijn naar hun inhoud persoonsgegevens en 'betreffen' (zie Nowak-criteria) de natuurlijk persoon die deze meningen geuit heeft. Het Gerecht 'gaat voorbij aa...
Darashev CL v Prokuratura na Republika Bulgaria
CJEU
CL, politieambtenaar in Bulgarije, werd tijdens een strafrechtelijk onderzoek dat werd gevoerd door een interne eenheid van het Ministerie van Binnenlandse Zaken, als verdachte aan onderzoeksmaatregelen onderworpen. Het strafrechtelijk onderzoek werd beëindigd zonder dat CL formeel werd aangeklaa...
K. M. H. v Obshtina Stara Zagora
CJEU
De AG geeft het HvJ EU mee dat wat hem betreft
IP v Quirin Privatbank AG
CJEU
Een volgend arrest over immateriële schadevergoeding op grond van de AVG. Ook triviale gevoelens kunnen immateriële schadevergoeding opleveren op grond van de AVG, maar hoe dit precies zit / moet worden aangetoond is niet geheel duidelijk. Op de studiemiddag 'Big Tech' gehouden op 18 sept. 2025 w...
Čiekuri-Shishki
CJEU
Vraag in deze zaak is onder meer "(7) Moeten de gegevens van de door de sancties getroffen natuurlijke persoon (naam en voornaam) bekend worden gemaakt in de motivering van het vonnis en moeten zij worden gepseudonimiseerd wanneer het vonnis wordt gepubliceerd?” Helaas behandelt de AG dit niet ex...
MT v Comité de direction de l’Autorité des Services et des Marchés Financiers (FSMA)
CJEU
Deze zaak draait om de vraag of een politicus ook de 'journalistieke exceptie' in de Verordening marktmisbruik mag inroepen. Deze zaak draait in de kern niet om een gegevensbeschermingsrechtelijke vraag, maar is desalniettemin relevant nu de reikwijdte van de journalistieke exceptie die in de Ver...
xx v ww, yy, zz, vv
CJEU
Mag het lichaam van een overledene worden opgegraven om afstamming daarvan te bevestigen of te ontkrachten? Kan het recht op menselijke waardigheid (art. 1 Handvest) ook doorwerken in het recht op respect voor het menselijk lichaam na overlijden? Volgens AG Čapeta wel. Haar overwegingen zijn bove...
Artikelen:
CJEU
Het Hof van Justitie wordt in deze zaak gevraagd om uitspraak te doen over de prejudiciële vraag of advocaten het recht hebben om elk gerechtelijk dossier in te zien, ook zonder dat zij als gemachtigde van een partij optreden. De nationale wetgeving in Bulgarije maakt dit mogelijk. De verwijzende...
Het Hof van Justitie wordt in deze zaak gevraagd om uitspraak te doen over de prejudiciële vraag of advocaten het recht...
CJEU
Het Hof van Justitie wordt in deze zaak gevraagd om uitspraak te doen over de prejudiciële vraag of advocaten het recht hebben om elk gerechtelijk dossier in te zien, ook zonder dat zij als gemachtigde van een partij optreden. De nationale wetgeving in Bulgarije maakt dit mogelijk. De verwijzende...
In deze zaak heeft de Europese Commissie een beroep ingesteld tegen Hongarije wegens het aannemen van nationale...
CJEU
In deze zaak heeft de Europese Commissie een beroep ingesteld tegen Hongarije wegens het aannemen van nationale wetgeving die strengere maatregelen oplegt tegen pedofiele seksuele delinquenten en bepaalde wetten wijzigt ter bescherming van kinderen. Deze wetgeving verbiedt of beperkt de toegang v...
EDPS v Parliament and Council
CJEU
De EDPS heeft beroep aangetekend tegen de
RCC Sports
CJEU
De FIFA heeft nieuwe regels ingevoerd voor spelersmakelaars, waaronder beperkingen op het honorarium en regels over belangenverstrengeling en contractvoorwaarden. FT en RRC Sports stellen dat deze regels in strijd zijn met onder andere de
Inspektorat kam Visshia sadeben savet
CJEU
In deze zaak gaat het om prejudiciële vragen met betrekking tot de interpretatie van EU-recht inzake rechterlijke onafhankelijkheid en gegevensbescherming. De Inspektorat bij de Hoge Raad voor de Rechtspraak van Bulgarije wilde toegang tot de bankgegevens van rechters en openbare aanklagers, incl...
IP v Quirin Privatbank AG
CJEU
De AG stelt het volgende dictum voor : „
WhatsApp Ireland Ltd v European Data Protection Board
CJEU
Betreft een Bindend Besluit van de EDPB in een geschilbeslechtingsprocedure ook de verwerkingsverantwoordelijke, of alleen de (leidende) toezichthoudende autoriteit? Het Gerecht stelde het laatste, maar AG Čapeta stelt aan het HvJ EU voor anders te oordelen.
Inteligo Media SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
CJEU
AG Szpunar adviseerd het volgende: Het e-mailadres van een gebruiker, verkregen bij het aanmaken van een online account voor gratis toegang tot
Ministerstvo zdravotnictví (Données relatives au représentant d’une personne morale)
CJEU
Deze zaak gaat over L.H., die bij het Ministerie van Volksgezondheid van de Tsjechische Republiek informatie opvroeg over de identiteiten van personen die contracten voor COVID-19-screeningstests hadden ondertekend. Het Ministerie voldeed gedeeltelijk aan dit verzoek, maar anonimiseerde persoonli...
Deldits
CJEU
De eerste zaak bij het HvJ EU specifiek over
Statement 2/2025 on the implementation of the PNR Directive in light of CJEU Judgment C-817/19
CJEU
EDPB, Statement 2/2025 on the implementation of the PNR Directive in light of CJEU Judgment C-817/19, 2025
Artikel 15(1)(h) AVG geeft de betrokkene het recht om van de verwerkingsverantwoordelijke inzage te krijgen in “het...
CJEU
Artikel 15(1)(h) AVG geeft de betrokkene het recht om van de verwerkingsverantwoordelijke inzage te krijgen in “het bestaan van geautomatiseerde besluitvorming, met inbegrip van de in
Nowak
CJEU
Volgens mij is dit de eerste keer dat het Hof verwijst naar Richtsnoeren van de WP29/EDPB (r.o. 45 en 60). Voorheen heeft het Hof wel soms vrij letterlijk onderdelen daaruit overgenomen in de onderbouwing (vgl. HvJ EU 20 december 2017, C‑434/16 (Nowak) r.o 35 en WP29 Advies 4/2007 over het begrip...
Nowak
CJEU
Volgens mij is dit de eerste keer dat het Hof verwijst naar Richtsnoeren van de WP29/EDPB (r.o. 45 en 60). Voorheen heeft het Hof wel soms vrij letterlijk onderdelen daaruit overgenomen in de onderbouwing (vgl. HvJ EU 20 december 2017, C‑434/16 (Nowak) r.o 35 en WP29 Advies 4/2007 over het begrip...
JH, een Tsjechische burger, werd in 2015 beschuldigd van het niet nakomen van zijn verplichtingen bij het beheren van...
CJEU
JH, een Tsjechische burger, werd in 2015 beschuldigd van het niet nakomen van zijn verplichtingen bij het beheren van andermans vermogen. In het kader van deze strafprocedure heeft de Tsjechische politie JH’s biometrische en genetische gegevens verzameld, waaronder vingerafdrukken en een wanguits...
De kernvraag was of het Amt der Tiroler Landesregierung als 'verwerkingsverantwoordelijke' kan worden beschouwd, in het...
CJEU
De kernvraag was of het Amt der Tiroler Landesregierung als 'verwerkingsverantwoordelijke' kan worden beschouwd, in het kader van de vermeende onrechtmatige verwerking van persoonsgegevens door het versturen van een vaccinatieherinneringsbrief tijdens de COVID-19-pandemie. "Met zijn vraag wenst d...
Het begrip 'onderneming' voor het bepalen van de hoogte van de maximumboete in de AVG komt overeen met hetzelfde begrip...
CJEU
Het begrip 'onderneming' voor het bepalen van de hoogte van de maximumboete in de AVG komt overeen met hetzelfde begrip in
(EDPS v SRB (
CJEU
De A-G stelt voor dat het arrest van het Gerecht vernietigd zou moet worden door het Hof, en het Gerecht zou volgens hem opnieuw een beslissing moeten nemen:
Artikelen :
CJEU
Het Gerecht werd gevraagd te oordelen of de EDPB bindende besluiten inzake Meta wel gehandhaafd konden blijven. Het ging om Bindende Besluiten nummers 3/2022, 4/2022 en 5/2022 waarin de EDPB de Ierse toezichthouder (DPC) corrigeerde en zelfs stelde dat de DPC in voorkomend geval nader onderzoek m...
Russmedia Digital and Inform Media Press
CJEU
Een bijzonder interessante conclusie voor degenen die geïnteresseerd zijn in het snijvlak tussen de e-commerce richtlijn en de AVG. Zelfs de DSA komt even ter sprake. In essentie gaat het hier om de vraag of een exploitant van een online marktplaats voor de verwerking van persoonsgegevens via adv...
HvJ EU 9 januari 2025, C‑394/23 (Mousse).
CJEU
HvJ EU 9 januari 2025, C‑394/23 (Mousse). Artikelen: 5(1)(c), 6(1), en 21 AVG Onderwerp : Beginsel van minimale gegevensverwerking Gek genoeg verwijst het HvJ EU zelf niet naar HvJ EU 1 augustus 2022, C‑184/20 (Vyriausioji tarnybinės etikos komisija), maar dat had hier ook heel logisch geweest.
Artikelen:
CJEU
HvJ EU 9 januari 2025, C‑394/23 (Mousse). Artikelen: 5(1)(c), 6(1), en 21 AVG Onderwerp : Beginsel van minimale gegevensverwerking Gek genoeg verwijst het HvJ EU zelf niet naar HvJ EU 1 augustus 2022, C‑184/20 (Vyriausioji tarnybinės etikos komisija), maar dat had hier ook heel logisch geweest.
Artikelen
CJEU
De EU Commissie had inloggen via Facebook toegestaan voor een conferentiewebsite, waarbij het IP-adres van verzoeker naar Facebook (VS) is verzonden. Op dat moment was er geen adequaatheidsbesluit of enige andere passende waarborg. Hierdoor voldeed de Commissie niet aan de voorwaarden voor intern...
Het HvJ EU: "verzoeken [kunnen] niet louter op grond van het aantal ervan binnen een bepaalde periode als...
CJEU
Het HvJ EU: "verzoeken [kunnen] niet louter op grond van het aantal ervan binnen een bepaalde periode als „buitensporig” in de zin van [art. 57(4) AVG] worden aangemerkt, aangezien als voorwaarde voor de uitoefening van de in die bepaling geboden mogelijkheid geldt dat de toezichthoudende autorit...
VB v Natsionalna agentsia za prihodite
C-340/21 (VB v Natsionalna agentsia)
Data breach alone does not establish inadequate security measures. Burden on controller to prove adequacy.
Deutsche Wohnen SE v Staatsanwaltschaft Berlin
C-807/21 (Deutsche Wohnen)
Fines can be imposed directly on legal persons without identifying responsible natural person.
Österreichische Datenschutzbehörde v CRIF
C-487/21 (Österreichische Datenschutzbehörde)
Right of access includes obtaining a copy in commonly used electronic form.
Meta Platforms and Others v Bundeskartellamt
C-601/21 (Meta Platforms (Bundeskartellamt))
Competition authorities can assess GDPR compliance in context of competition law proceedings.
UI v Österreichische Post AG
C-300/21 (Österreichische Post)
Right to compensation under GDPR Article 82 requires proof of actual damage.
Meta Platforms v noyb
C-252/21 (Meta Platforms (noyb))
GDPR consent requirements and lead supervisory authority mechanism.
Privacy International v Secretary of State
C-623/17 (Privacy International)
General and indiscriminate transmission of traffic data to security agencies incompatible with EU law.
Data Protection Commissioner v. Facebook Ireland Ltd, and Maximillian Schrems
Schrems II
“although not requiring a third country to ensure a level of protection identical to that guaranteed in the EU legal order, the term ‘adequate level of protection’ must […] be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of the regulation, read in the light of the Charter.
Data Protection Commissioner v Facebook Ireland and Maximillian Schrems
C-311/18 (Schrems II)
Invalidated Privacy Shield adequacy decision and upheld validity of Standard Contractual Clauses with additional safeguards required.
Data Protection Commissioner v. Facebook Ireland Ltd, and Maximillian Schrems
Schrems II
“the national supervisory authorities are responsible for monitoring compliance with the EU rules concerning the protection of natural persons with regard to the processing of personal data. Each of those authorities is therefore vested with the power to check whether a transfer of personal data from its own Member State to a third country complies with the requirements laid down in that regulation” / “The exercise of that responsibility is of particular importance where personal data is tra
Data Protection Commissioner v. Facebook Ireland Ltd, and Maximillian Schrems
Schrems II
“[…] the standard data protection clauses adopted by the Commission on the basis of Article 46(2)(c) of the GDPR are solely intended to provide contractual guarantees that apply uniformly in all third countries to controllers and processors established in the European Union and, consequently, independently of the level of protection guaranteed in each third country. In so far as those standard data protection clauses cannot, having regard to their very nature, provide guarantees beyond a contrac
BUNDESVERBAND DER VERBRAUCHERZENTRALEN UND VERBRAUCHERVERBANDE —BERBRAUCHERZENTRALE BUNDESVERBAND V. PLANET49 GmbH (“PLANET49”)
Planet49
Cookie data is personal data where the cookies likely to be placed on the terminal equipment of a user participating in the promotional lottery contained a number assigned to the registration data of that user (who must enter his/her name+address in the registration form.) By linking that number with that data, a connection between a person and the data stored by the cookies arises. Therefore, the data is not anonymous data. (¶45)
Bundesverband der Verbraucherzentralen v Planet49 GmbH
C-673/17 (Planet49)
Pre-ticked checkboxes do not constitute valid consent. Consent must be active.
BUNDESVERBAND DER VERBRAUCHERZENTRALEN UND VERBRAUCHERVERBANDE —BERBRAUCHERZENTRALE BUNDESVERBAND V. PLANET49 GmbH (“PLANET49”)
Planet49
The information that service provider must give to a website user includes “the duration of the operation of cookies and whether or not third parties may have access to those cookies.” (¶80)
BUNDESVERBAND DER VERBRAUCHERZENTRALEN UND VERBRAUCHERVERBANDE —BERBRAUCHERZENTRALE BUNDESVERBAND V. PLANET49 GmbH (“PLANET49”)
Planet49
Consent is “not validly constituted if the storage of information, or access to information already stored in an website user’s terminal equipment, is permitted by way of a checkbox pre-ticked by the service provider which the user must deselect to refuse his or her consent.” The indication of the data subject’s wishes must, inter alia, be ‘specific’ in the sense that “it must relate specifically to the processing of the data in question and cannot be inferred from an indication of the data subj
BUNDESVERBAND DER VERBRAUCHERZENTRALEN UND VERBRAUCHERVERBANDE —BERBRAUCHERZENTRALE BUNDESVERBAND V. PLANET49 GmbH (“PLANET49”)
Planet49
The restrictions of Article 5(3) of the ePrivacy Directive apply to any information stored in a terminal equipment, regardless of whether or not it is persona. (¶70)
Google LLC, venant aux droits de Google Inc. v Commission nationale de l’informatique et des libertés (CNIL)
Google - Global De-linking
Territorial scope of EU data protection law: The present case falls within the territorial scope of GDPR because “it is apparent from the information provided in the order for reference, first, that Google’s establishment in French territory carries on, inter alia, commercial and advertising activities, which are inextricably linked to the processing of personal data carried out for the purposes of operating the search engine concerned, and, second, that that search engine must, in view of, inte
GC and Others v CNIL
C-136/17 (GC and Others)
Conditions for delisting sensitive data from search results.
Google LLC, venant aux droits de Google Inc. v Commission nationale de l’informatique et des libertés (CNIL)
Google - Global De-linking
National data protection authorities: Although EU law does not currently require that the de-referencing granted concern all versions of the search engine in question, but “it also does not prohibit such a practice”. The CNIL and the french courts are competent to weigh up, “in the light of national standards of protection of fundamental rights whether a data subject’s right to privacy and the protection of personal data concerning him or her, on the one hand, and the right to freedom of informa
Google LLC v CNIL
C-507/17 (Google Territorial Scope)
Right to delisting does not require global de-referencing under EU law.
FASHION ID GmbH & Co. KG v. VERBRAUCHERZENTRALE NRW eV
Fashion ID
Consent: It is the duty of the operator to obtain prior consent from the data subject. The consent given to the operator relates only to the operation or set of operations involving the processing of personal data in respect of which the operator actually determines the purposes and means. (¶¶100–102 and ¶106)
FASHION ID GmbH & Co. KG v. VERBRAUCHERZENTRALE NRW eV
Fashion ID
Concept of joint-controllers: The operator of a website, such as Fashion ID, that embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider the personal data of the visitor can be considered to be a controller. That liability is, however, limited to the operation or set of operations involving the processing of personal data in respect of which it actually determines t
FASHION ID GmbH & Co. KG v. VERBRAUCHERZENTRALE NRW eV
Fashion ID
Duty to inform: It is the duty of the operator to inform, but the information that must be provided to the data subject need “relate only to the operation or set of operations involving the processing of personal data in respect of which that operator actually determines the purposes and means”. The information must be given by the controller immediately, that is to say, when the data are collected. (¶¶100–101 and ¶¶103–106)
Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV
C-40/17 (Fashion ID)
Website operators using Facebook Like button are joint controllers for data collection.
FASHION ID GmbH & Co. KG v. VERBRAUCHERZENTRALE NRW eV
Fashion ID
Legitimate interest: In a situation such as that at issue in the main proceedings, in which the operator of a website embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider personal data of the visitor, “it is necessary that that operator and that provider each pursue a legitimate interest, […], through those processing operations in order for those operations to be
FASHION ID GmbH & Co. KG v. VERBRAUCHERZENTRALE NRW eV
Fashion ID
ePrivacy Directive: The ECJ did not determine whether the Facebook “Like” button involves such storing or access subject to the ePrivacy Directive, but left it to the national court to make this assessment and determine whether such consent would be required under the e-Privacy rules. The ECJ did not state whether such consent should be obtained by the website operator, by the third-party plugin, or by both.
FASHION ID GmbH & Co. KG v. VERBRAUCHERZENTRALE NRW eV
Fashion ID
Representation of data subjects: Articles 22 to 24 of Directive 95/46 must be interpreted as “not precluding national legislation which allows consumer-protection associations to bring or defend legal proceedings against a person allegedly responsible for an infringement of the protection of personal data.” (¶63)
SERGEJS BUIVIDS v. THE AUGSTĀKĀ TIESA
Buivids
Interpretation: The exceptions to material scope of the Data Protection Directive (activities outside of EU law/processing operations “which concern public security, defense, State security and the activities of the State in areas of criminal law” + the household exception) must be interpreted narrowly but the derogation related to ‘journalistic activities’ must be interpreted broadly. Processing for Journalistic Purposes: ‘Journalistic activities’ are those which have as their purpose the disc
SERGEJS BUIVIDS v. THE AUGSTĀKĀ TIESA
Buivids
Material scope: The recording of a video of police officers in a police station, while a statement is being made, and the publication of that video on a video website, on which users can send, watch and share videos, are matters which come within the scope of that directive. (¶¶ 31-32, 46-47)
SERGEJS BUIVIDS v. THE AUGSTĀKĀ TIESA
Buivids
Processing: A video recording of persons which is stored on a continuous recording device — the hard disk drive of that system — constitutes automatic processing of personal data (see, Ryneš). (¶34). Also, loading personal data onto an internet page constitutes processing since placing information on an internet page entails the operation of loading that page onto a server and the operations necessary to make that page accessible to people who are connected to the internet which are performed, a
SERGEJS BUIVIDS v. THE AUGSTĀKĀ TIESA
Buivids
Right to Privacy: In the present case, it “cannot be ruled out that the recording and publication of the video in question, which took place without the persons concerned being informed of the recording and its purposes, constitutes an interference with the fundamental right to privacy of those persons, namely the police officers featured in that video.” (¶67) The jurisprudence of the European Court of Human Rights on Article 8(1) of the Convention for the Protection of Human Rights and Fundamen
UNABHäNGIGES LANDESZENTRUM FüR DATENSCHUTZ SCHLESWIG-HOLSTEIN v. WIRTSCHAFTSAKADEMIE SCHLESWIG-HOLDSTEIN GmbH
Wirtschaftsakademie
Powers of Supervisory Authority: Where an undertaking established outside the European Union has several establishments in different Member States, the supervisory authority of a Member State is entitled to exercise its powers with respect to an establishment of that undertaking situated in the territory of that Member State even if, as a result of the division of tasks within the group, (i) that establishment is responsible solely for the sale of advertising space and other marketing activities
Unabhängiges Landeszentrum für Datenschutz v Wirtschaftsakademie Schleswig-Holstein
C-210/16 (Wirtschaftsakademie)
Facebook fan page administrators are joint controllers with Facebook.
UNABHäNGIGES LANDESZENTRUM FüR DATENSCHUTZ SCHLESWIG-HOLSTEIN v. WIRTSCHAFTSAKADEMIE SCHLESWIG-HOLDSTEIN GmbH
Wirtschaftsakademie
Territorial Scope / Concept of “establishment”: Facebook Germany is responsible for promoting and selling advertising space and carries on activities addressed to persons residing in Germany. Given that a social network such as Facebook generates a substantial part of its income from advertisements posted on the web pages set up and accessed by users, and given that Facebook’s establishment in Germany is intended to ensure the promotion and sale in Germany of advertising space that makes Faceboo
UNABHäNGIGES LANDESZENTRUM FüR DATENSCHUTZ SCHLESWIG-HOLSTEIN v. WIRTSCHAFTSAKADEMIE SCHLESWIG-HOLDSTEIN GmbH
Wirtschaftsakademie
Joint controllers: The administrator of a fan page hosted on Facebook is a controller as it is “taking part, by its definition of parameters depending in particular on its target audience and the objectives of managing and promoting its activities, in the determination of the purposes and means of processing the personal data of the visitors to its fan page.” The fact that an administrator uses the platform provided by Facebook in order to benefit from the associated services cannot exempt it fr
Jehovah’s Witnesses
Jehovah’s Witnesses
Access: Exercise of the right to access cannot be systematically denied on the basis of privacy violations without analyzing the specific circumstances. (¶¶ 89-94)
Peter Nowak v Data Protection Commissioner
Nowak
The court emphasized, in accordance with the opinion of the Advocate General, that “if the identification of the data subject was prohibited by law or practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and man-power, so that the risk of identification appears in reality to be insignificant” then the dynamic IP addresses would not constitute ‘personal data.’
Peter Nowak v Data Protection Commissioner
C-434/16 (Nowak)
Examination scripts constitute personal data of the candidate.
Peter Puškár v Finančné riaditeľstvo Slovenskej republiky and Kriminálny úrad finančnej správy
Puškár
Lawful basis (in general): Subject to the exceptions permitted under Article 13 of the Data Protection Directive, all processing of personal data must comply, first, with the principles relating to data quality (in Article 6 of that directive) and, have lawful basis (by complying with one criteria for making data processing legitimate listed in Article 7 of that directive) (see, Bara). The list of lawful basis in Article 7 is an exhaustive and restrictive list of cases in which the processing of
Peter Puškár v Finančné riaditeľstvo Slovenskej republiky and Kriminálny úrad finančnej správy
Puškár
Principle of proportionality: The protection of the fundamental right to respect for private life at the European Union level “requires that derogations from the protection of personal data and its limitations be carried out within the limits of what is strictly necessary” (see, to that effect, judgment of 21 December 2016, Tele2 Sverige and Watson and Others, C‑203/15 and C‑698/15, EU:C:2016:970, paragraph 96 and the case-law cited). (¶112)
Peter Puškár v Finančné riaditeľstvo Slovenskej republiky and Kriminálny úrad finančnej správy
Puškár
Admissibility of illegally obtained evidence: Article 47 of the Charter of Fundamental Rights of the EU precludes national court from rejecting, as evidence of an infringement of the protection of personal data, a list, such as the contested list, submitted by the data subject and containing personal data relating to him, “if that person had obtained that list without the consent, legally required, of the person responsible for processing that data, unless such rejection is laid down by national
Peter Puškár v Finančné riaditeľstvo Slovenskej republiky and Kriminálny úrad finančnej správy
Puškár
Right to Adequate Legal Remedy: Making the admissibility of a legal action brought by a person alleging infringement of his right to data protection subject to the prior exhaustion of the administrative remedies available does not violate Article 47 of the Charter of Fundamental Rights of the EU “provided that the practical arrangements for the exercise of such remedies do not disproportionately affect the right to an effective remedy before a court referred to in that article.” It is important,
Peter Puškár v Finančné riaditeľstvo Slovenskej republiky and Kriminálny úrad finančnej správy
Puškár
Lawful Basis (Public Interest): Article 7(e) Directive 95/46 must be interpreted as not precluding the processing of personal data by the authorities of a Member State for the purpose of collecting tax and combating tax fraud such as that effected by drawing up the contested list in the main proceedings, without the consent of the data subjects, “provided that, first, those authorities were invested by the national legislation with tasks carried out in the public interest within the meaning of t
Peter Puškár v Finančné riaditeľstvo Slovenskej republiky and Kriminálny úrad finančnej správy
Puškár
Principles (Purpose Limitation): The objective of the processing of personal data is inextricably linked to the task of the controller. Consequently, the transfer of the task to the latter must clearly include the purpose of the processing. (¶110)
Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA ‘Rīgas satiksme’
Rigas
setting out a test based on three criteria to decide whether a processing operation can rely on this ground. The Court reached a surprising conclusion, stating that while there is legitimate interest to process (disclose) data in the case at hand, the controller (a public authority) would also need a legal obligation to lawfully disclose the data.
Patrick BREYER v. BUNDESREPUBLIK DEUTSCHLAND, (“BREYER”)
Breyer
Legitimate interest: Article 7(f) of Directive 95/46 “precludes Member States from excluding, categorically and in general, the possibility of processing certain categories of personal data without allowing the opposing rights and interests at issue to be balanced against each other in a particular case. Thus, Member States cannot definitively prescribe, for certain categories of personal data, the result of the balancing of the opposing rights and interests, without allowing a different result
Patrick Breyer v Bundesrepublik Deutschland
C-582/14 (Breyer)
Dynamic IP addresses can be personal data when holder can identify the person.
Patrick BREYER v. BUNDESREPUBLIK DEUTSCHLAND, (“BREYER”)
Breyer
Necessity: The applicant cannot be deemed to have proved the necessity of having the personal data at issue transferred where the only justification provided was to supplement his written defense before the Greek Examining Magistrate. Applicant did not provide any information or justification as to how the submission of the requested documents containing that data would affect the Greek proceedings, the risks to which he would be exposed in procedural terms, and the merits of his defense if the
Patrick BREYER v. BUNDESREPUBLIK DEUTSCHLAND, (“BREYER”)
Breyer
The court emphasized, in accordance with the opinion of the Advocate General, that “if the identification of the data subject was prohibited by law or practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and man-power, so that the risk of identification appears in reality to be insignificant” then the dynamic IP addresses would not constitute ‘personal data.’
Data Protection Commissioner v. Schrems and Facebook
Schrems I
Independence of DPA: The Directive seeks to ensure an effective, complete, and high level of protection of the fundamental rights and freedoms of natural persons. The guarantee of a DPA’s independence is intended to ensure effectiveness and reliability of the monitoring of compliance, and is an essential component of data protection. DPAs powers extend to their own Member State, but not to processing in third countries. However, DPAs are responsible for monitoring transfers from a Member State t
Maximillian Schrems v Data Protection Commissioner
C-362/14 (Schrems I)
Invalidated Safe Harbor adequacy decision. National supervisory authorities can examine adequacy decisions.
Data Protection Commissioner v. Schrems and Facebook
Schrems I
Safe harbour: US public authorities are not required to comply with safe harbor principles. Decision 2000/520 specifies that safe harbor principles may be limited to the extent necessary to meet national security, public interest or law enforcement requirements, or statute, regulation or caselaw. Self-certified US organizations receiving personal data from the EU are thus bound to disregard safe harbor principles when they conflict with US legal requirements. Decision 2000/520 does not contain s
Data Protection Commissioner v. Schrems and Facebook
Schrems I
Interference with fundamental right: Decision 2000/520 enables interference with the fundamental right to respect for private life of persons whose personal data is or could be transferred from the EU to the US. (¶87)
Data Protection Commissioner v. Schrems and Facebook
Schrems I
Necessity/proportionality: The Decision does not contain any finding regarding US rules intended to limit the interference when they pursue legitimate objectives such as national security, nor refer to effective legal protection against such interference. FTC procedures and private dispute resolution mechanisms concern compliance with safe harbor principles (against US organizations) and cannot be applied with respect to measures originating from the State. Moreover, the Commission found that if
SMARANDA BARA ET AL. V. PRESEDINTELE CASEI NATIONALE DE ASIGURARI DE SANATATE (CNAS) ET AL., 1.10.2015 (“BARA”)
Bara
Personal data: Tax data transferred are personal data, since they are “information relating to an identified or identifiable natural person.” (¶ 29)
WELTIMMO S.R.O. V. NEMZETI A DATVEDELMI ES INFORMACIOSZABADSAGH ATOSAG (HUNGARIAN DPA), 1.10.15 (“WELTIMMO”)
Weltimmo
Definition of processing: The operation of loading personal data on an internet page constitutes processing. (¶37)
SMARANDA BARA ET AL. V. PRESEDINTELE CASEI NATIONALE DE ASIGURARI DE SANATATE (CNAS) ET AL., 1.10.2015 (“BARA”)
Bara
Processing: Both the transfer of the data by ANAF, and the subsequent processing by CNAS, constitute processing of personal data. (¶ 29)
SMARANDA BARA ET AL. V. PRESEDINTELE CASEI NATIONALE DE ASIGURARI DE SANATATE (CNAS) ET AL., 1.10.2015 (“BARA”)
Bara
Principle of fairness and lawfulness: The requirement of fair processing laid down in Article 6 of Directive 95/46 requires a public administrative body to inform the data subjects of the transfer of their data to another public administrative body for the purpose of their processing by the latter in its capacity as recipient of those data. (¶¶ 34–38)
WELTIMMO S.R.O. V. NEMZETI A DATVEDELMI ES INFORMACIOSZABADSAGH ATOSAG (HUNGARIAN DPA), 1.10.15 (“WELTIMMO”)
Weltimmo
Establishment: The concept of establishment must be interpreted broadly. The legal form of such establishment (e.g. branch, subsidiary etc) is not the determining factor. The formalist approach whereby organizations are considered to be established solely in the place in which they are registered is not the correct approach. There is a 3-pronged test: (i) Is there an exercise of real and effective activity — even a minimal one? (ii) Is the activity through stable arrangements? and (iii) Is perso
SMARANDA BARA ET AL. V. PRESEDINTELE CASEI NATIONALE DE ASIGURARI DE SANATATE (CNAS) ET AL., 1.10.2015 (“BARA”)
Bara
Right to be informed: National law that does not require the specific transfer involved in the case cannot constitute “prior information” under Article 10 of Directive 95/46 (information requirement where data is collected from the data subject), enabling the controller to dispense with his obligation to inform the data subject of the recipients of the data. (¶¶ 34–38). Article 11 (information requirement where data is not collected from data subject) requires that specified information be provi
WELTIMMO S.R.O. V. NEMZETI A DATVEDELMI ES INFORMACIOSZABADSAGH ATOSAG (HUNGARIAN DPA), 1.10.15 (“WELTIMMO”)
Weltimmo
Data protection authorities powers and cooperation: In the event that the Hungarian DPA should consider that Weltimmo has an establishment not in Hungary, but in another Member State, it may exercise its powers only within its own territory, and it may, irrespective of the applicable law and before even knowing which national law is applicable, thereby investigate the complaint. If it becomes apparent that it is the law of another Member State that applies, that DPA cannot impose penalties outsi
CLIENT EARTH ET AL. V. EFSA, 16.7.2015 (“CLIENT EARTH”)
Client Earth
Personal data: The information as to which expert is the author of each comment made by the external experts constitutes personal data even where the information is provided as part of a professional activity. Personal data is not the same as private data and, therefore, claiming (i) information does not fall within the scope of private life; or (ii) information has been publish on the internet is irrelevant. The characterization of information as personal data does not depend on whether the per
CLIENT EARTH ET AL. V. EFSA, 16.7.2015 (“CLIENT EARTH”)
Client Earth
Necessity/proportionality: No automatic priority can be conferred on the objective of transparency over the right to protection of personal data.Where obtaining the information was necessary to ascertain the objectivity of the expert scientist access is justified. (¶¶ 51–58)
DENNEKAMP V. EUROPEAN PARLIAMENT (15.7.2015) (“DENNEKAMP II”)
Dennekamp II
Data transfers: Articles 7–9 of Regulation 45/2001 precisely limit the possibility of transferring personal data so as to make it subject to strict conditions which, if not fulfilled, prohibit any transfer. Those conditions always include the necessity of the transfer in the light of various aims. (¶ 58)
DENNEKAMP V. EUROPEAN PARLIAMENT (15.7.2015) (“DENNEKAMP II”)
Dennekamp II
Necessity: An applicant for access to documents containing personal data must establish necessity (i.e. the transfer must be the most appropriate of the possible measures and it is proportionate to the goal) (¶¶ 60–61)
McCULLOUGH V. CEDEFOP (11.6.2015) (“McCULLOUGH”)
McCULLOUGH
Personal data: Personal does not mean private. Surnames in minutes are personal data even where (i) the minutes refer to meetings in connection with the exercise of their public duties and not in the private sphere, and (ii) the surnames were published in the internet. (¶ 66)
RYNES V. ÚŘAD PRO OCHRANU OSOBNICH ÚDAJŮ, 11.12.2014 (“RYNES”)
Rynes
Personal data: The image of a person recorded by a camera constitutes personal data because it makes it possible to identify the person concerned. (¶ 22)
RYNES V. ÚŘAD PRO OCHRANU OSOBNICH ÚDAJŮ, 11.12.2014 (“RYNES”)
Rynes
Legitimate interest: Arts. 7(f), 11(2) and 13(1)(d) and (g) make it possible to take into account the legitimate interests of the controller in protecting the property, health and life of his family and himself. (¶34)
RYNES V. ÚŘAD PRO OCHRANU OSOBNICH ÚDAJŮ, 11.12.2014 (“RYNES”)
Rynes
Household exception: The household exception must be interpreted narrowly. Video surveillance that covers, even partially, a public space cannot be regarded as a purely personal or household activity. (¶¶ 28–35)
MINISTER VOOR IMMIGRATIE V. M, 17.7.2014 (“Minister v. M”)
Minister v. M
Right to access: The right of access is a per-requisite to obtain rectification, erasure or blocking of personal data (¶¶ 44-46). To comply with the right of access it is sufficient for the applicant to be provided with a full summary of those data in an intelligible form, that is, a form which allows him to become aware of those data and to check that they are accurate and processed in compliance with the Directive. He need not be given a copy of the documents. (¶¶ 59-60)
MINISTER VOOR IMMIGRATIE V. M, 17.7.2014 (“Minister v. M”)
Minister v. M
Personal data: The data relating to the applicant for a residence permit included in the minute (applicant’s name, DOB, nationality, gender, ethnicity, religion and language) constitute personal data. The legal analysis in the minute may contain personal data but it does not in itself constitute such data. The legal analysis is not information relating to the applicant, but at most, in so far as not limited to a purely abstract interpretation of the law, is information about the assessment and a
GOOGLE SPAIN SL V. AEPD (THE DPA) & MARIO COSTEJA GONZALEZ, 13.May.2014 (“GOOGLE v. Spain”)
Google Spain
Right to object: A data subject has a right to object to the processing based on legitimate interest. Data controllers must suspend processing and conduct a review as soon as an objection is received. (¶¶ 75–76)
Google Spain SL and Google Inc. v AEPD and Mario Costeja González
C-131/12 (Google Spain)
Established the right to be forgotten (delisting). Search engines are data controllers.
GOOGLE SPAIN SL V. AEPD (THE DPA) & MARIO COSTEJA GONZALEZ, 13.May.2014 (“GOOGLE v. Spain”)
Google Spain
Legitimate interest balancing test: Legitimate interest requires balancing of the interest of the controller and third party with the interest of the data subject. In this particular case, having regard to the sensitivity for data subject’s private life of information contained in announcements and the fact that the initial publication occurred 16 years earlier, the data subject has established that the links should be removed. (¶¶ 70–75, 80-81, 98)
GOOGLE SPAIN SL V. AEPD (THE DPA) & MARIO COSTEJA GONZALEZ, 13.May.2014 (“GOOGLE v. Spain”)
Google Spain
Processing: The operation of loading personal data on an internet page must be considered processing (as the court held in Lindquist). Crawling the internet in search of information and publishing it through a search engine constitutes processing, regardless of the fact that the operator of the search engine also carries out the same operations in respect of other types of information and does not distinguish between the latter and the personal data. It is not necessary that the personal data be
GOOGLE SPAIN SL V. AEPD (THE DPA) & MARIO COSTEJA GONZALEZ, 13.May.2014 (“GOOGLE v. Spain”)
Google Spain
Concept of ‘establishment’: An ‘establishment’ exists where an organization engages in the effective and real exercise of activity through stable arrangements in a EU Member State. It is not require that the processing be carried out by the establishment itself. The processing of personal data by the not-established controller suffices if it is “carried out in the context of the activities” of the establishment. In this case, the activities of the search engine and those of its establishment in
GOOGLE SPAIN SL V. AEPD (THE DPA) & MARIO COSTEJA GONZALEZ, 13.May.2014 (“GOOGLE v. Spain”)
Google Spain
Concept of ‘controller’: A search engine operator determines the purposes and means of that activity and thus of the processing of personal data that it itself carries out within the framework of the activity and is thus a controller. (¶¶ 33–41)
DIGITAL RIGHTS IRELAND LTD V. IRELAND,
Digital Rights Ireland
Data retention: Legally mandated communications meta-data retention can only be a justified interference with the right of privacy and the right to data protection under EU law if the retention is done for the purpose of fighting ‘serious crime’, on the basis of objective criteria and where there are clear substantial and procedural conditions laid down by law.
DIGITAL RIGHTS IRELAND LTD V. IRELAND,
Digital Rights Ireland
Article 7 CFR: The obligation on providers of publicly available electronic communications services or public communications networks to retain data relating to a person’s private life and his communications in itself constitutes an interference with Article 7. Access of competent national authorities to the data constitutes a further interference with that right. Any limitation on the exercise of rights and freedoms laid down by the CFR must be provided by law, respect their essence and, subjec
Digital Rights Ireland Ltd v Minister for Communications
C-293/12 (Digital Rights Ireland)
Invalidated Data Retention Directive as incompatible with fundamental rights.
X, 12.12.2013 (“X”)
X
Access: Directive 95/46 does not require Member States to levy fees when the right of access to personal data is exercised, nor does it prohibit the levying of such fees as long as they are not excessive. (¶¶ 22, 25, 28–30)
IPI V. ENGLEBERT (7.Nov.2013) (“ENGLEBERT”)
Englebert
Personal data: Data collected by private detectives relating to persons acting as estate agents concern identified or identifiable natural persons, and therefore constitute personal data. (¶ 26)
IPI V. ENGLEBERT (7.Nov.2013) (“ENGLEBERT”)
Englebert
Right to be informed (derogation): Member States are allowed but not required to transpose into national law exceptions to the obligation to inform. (¶¶42-46, 50)
SCHWARZ V. BOCHUM, 17.10.2014 (“SCHWARZ”)
Schwarz
Personal data: Fingerprints constitute personal data, as they objectively contain unique information about individuals which allows them to be identified with precision. (¶ 27)
SCHWARZ V. BOCHUM, 17.10.2014 (“SCHWARZ”)
Schwarz
Processing: Taking and storing fingerprints constitute processing. (¶¶ 28–29)
SCHWARZ V. BOCHUM, 17.10.2014 (“SCHWARZ”)
Schwarz
Lawful basis: It is essential for citizens of the EU to own a passport in order to travel to a third country, and a passport must contain fingerprints. Therefore, citizens are not free to object to processing of their fingerprints, and thus persons applying for passports cannot be deemed to have consented to that processing. (¶ 32)
SCHWARZ V. BOCHUM, 17.10.2014 (“SCHWARZ”)
Schwarz
Centralized storage of the data and used for other purposes does not affect the validity of the Regulation, which provides only for preventing illegal entry into the EU. (¶¶ 61-62)
SCHWARZ V. BOCHUM, 17.10.2014 (“SCHWARZ”)
Schwarz
No sufficiently effective yet less invasive alternative exist as taking fingerprints/pictures is causes no physical or mental discomfort and the technology for the only alternative (iris scan) is not advance enough. (¶¶ 48-53).
SCHWARZ V. BOCHUM, 17.10.2014 (“SCHWARZ”)
Schwarz
Necessity/proportionality: Secure storage of fingerprints reduces risk of passports falsification and to facilitates EU borders control and,thus, it is appropriate.(¶¶ 41-45).
WORTEN-EQUIPAMENTOS PARA O LAR SA V. ACT (AUTHORITY FOR WORKING CONDITIONS), 30.5.2013 (“WORTEN”)
Worten
Necessity/proportionality: Collection and processing of personal data contained in the record of working time to ensure compliance with national legislation relating to working conditions is lawful if it is necessary for compliance with a legal obligation to which the controller is subject. Access should be grated only to authorities having powers of monitoring compliance with legal requirements. An obligation to provide immediate access to the record could be necessary if it contributes to the
WORTEN-EQUIPAMENTOS PARA O LAR SA V. ACT (AUTHORITY FOR WORKING CONDITIONS), 30.5.2013 (“WORTEN”)
Worten
Personal Data: Data contained in the record of working time concerning, in relation to each worker, the daily work periods and rest periods, constitute personal data because they represent “information relating to an identified or identifiable natural person.” (¶ 19)
WORTEN-EQUIPAMENTOS PARA O LAR SA V. ACT (AUTHORITY FOR WORKING CONDITIONS), 30.5.2013 (“WORTEN”)
Worten
Security: Data protection law requires controllers (not Member States) to adopt technical and organizational measures which, having regard to the state of the art and cost of their implementation, are to ensure a level of security appropriate to the risks represented. Controller must ensure that only those persons duly authorized have access. (¶¶ 24–25, 28–29)
BONNIER AUDIO ABET AL. V. PERFECT COMMUNICATIONS WEDEN, 19.April.2012 (“BONNIER”)
Bonnier
Data Retention Directive (Directive 2006/24): Directive 2006/24 deals exclusively with handling and retention of data generated by electronic communication service providers for the purpose of the investigation, detection, and prosecution of serious crime and their communication to competent national authorities. A national provision transposing the EU intellectual property directive which permits an ISP in civil proceedings to be ordered to give a copyright holder information on the subscriber
BONNIER AUDIO ABET AL. V. PERFECT COMMUNICATIONS WEDEN, 19.April.2012 (“BONNIER”)
Bonnier
e-Privacy Directive (Directive 2002/58): The communication of name and address of a person using an IP address from which files were shared (for copyrighted audio books) falls within the scope of Directive 2002/58 (and within the scope of Directive 2004/48, dealing with copyright). (¶¶ 52-54)
BONNIER AUDIO ABET AL. V. PERFECT COMMUNICATIONS WEDEN, 19.April.2012 (“BONNIER”)
Bonnier
Processing: Communication of name and address sought by applicants constitutes processing of personal data. (¶ 52)
BONNIER AUDIO ABET AL. V. PERFECT COMMUNICATIONS WEDEN, 19.April.2012 (“BONNIER”)
Bonnier
Personal Data: IP addresses are personal data within the scope of EU data protection law
BONNIER AUDIO ABET AL. V. PERFECT COMMUNICATIONS WEDEN, 19.April.2012 (“BONNIER”)
Bonnier
Balancing of fundamental rights: EU data protection rules do not preclude national legislation from providing that national courts can order IP address information to be provided to copyright owners whose rights have been infringed.
EGAN & HACKETT V. EUROPEAN PARLIAMENT, 28.3.2012 (“EGAN & HACKETT”)
Egan & Hackett v. Parliament
Access: Exercise of the right to access cannot be systematically denied on the basis of privacy violations without analyzing the specific circumstances. (¶¶ 89-94)
ASOCIACION NACIONAL DE ESTABLECIMIENTOS FINANCIEROS DE CREDITO (ASNEF) AND FEDERACION DE COMERCIO ELECTRONICO Y MARKETING DIRECTO (FECEMD) V. ADMINISTRACION DEL ESTADO, 24.Nov.2011 (“ASNEF”)
ASNEF
Direct applicability of Directive 95/46: Whenever the provisions of a Directive appear to be unconditional and sufficiently precise,they have direct effect if the Member State has failed to implement that Directive in domestic law by the end of the prescribed period. Article 7(f) is sufficiently precise, as it states an unconditional obligation. (¶¶ 52-55)
SCARLET EXTENDED SA V. SOCIETE BELGE DES AUTEURS, COMPOSITEURS ET EDITEURS SCRL (SABAM), 24.Nov.2011 (“SCARLET”)
Scarlet
Personal data: IP addresses are protected personal data because they allow the concerned users to be precisely identified. (¶ 51)
SCARLET EXTENDED SA V. SOCIETE BELGE DES AUTEURS, COMPOSITEURS ET EDITEURS SCRL (SABAM), 24.Nov.2011 (“SCARLET”)
Scarlet
Necessity/proportionality: Requiring ISPs to install a system for filtering electronic communications would be incompatible with EU Directives, namely with Article 15(1) of Directive 2000/31, which prohibits imposition of an obligation on an Internet service provider to carry out general monitoring of the information that it transmits on its network, and would be against the fundamental rights of Internet users to the protection of their personal data and freedom of expression guaranteed under t
ASOCIACION NACIONAL DE ESTABLECIMIENTOS FINANCIEROS DE CREDITO (ASNEF) AND FEDERACION DE COMERCIO ELECTRONICO Y MARKETING DIRECTO (FECEMD) V. ADMINISTRACION DEL ESTADO, 24.Nov.2011 (“ASNEF”)
ASNEF
Valid purposes for processing: EU data protection law sets out an exhaustive and restrictive list of cases in which the processing of personal data can be regarded as lawful. Member States cannot add new principles relating to the lawfulness of processing or impose additional requirements. (¶¶ 29-32)
DENNEKAMP V. EUROPEAN PARLIAMENT, 23.11.2011 (“DENNEKAMPI”)
Dennekamp I
Lawful basis: The argument that release of names of former MEP assistants would reveal their political opinions and therefore constitute sensitive data was not substantiated and cannot make up for the fact that the contested decision failed to show why disclosure would specifically and effectively undermine their right to privacy within the meaning of Article 4(1)(b) of Regulation 45/2001. (¶101)
DENNEKAMP V. EUROPEAN PARLIAMENT, 23.11.2011 (“DENNEKAMPI”)
Dennekamp I
Balancing fundamental rights: Regulation 1049/2001 (access to documents) and Regulation 45/2001 (data protection) do not contain any provisions granting one primacy over the other, therefore full application of both should, in principle, be ensured. (¶¶ 23-24)
JORDANA V. COMMISSION, 7.7.2011 (“JORDANA”)
Jordana
Definition of personal data: The first and last names of the persons on the reserve list and the officials mentioned in the individual decisions of appointment to grade A6 can be considered to fall within the personal data definition. (¶ 91)
JORDANA V. COMMISSION, 7.7.2011 (“JORDANA”)
Jordana
Processing: Transfer of data constitutes processing. (¶ 91)
JORDANA V. COMMISSION, 7.7.2011 (“JORDANA”)
Jordana
Access: Article 4(1)(b) of Regulation 1049/2001 is indivisible, and requires that the violation of private life and the integrity of the individual are always analyzed in conformity with the right to protection of personal data. Thus it establishes a specific regime where personal data may be communicated to the public. In rejecting the application for access to documents, the Commission had failed to apply Regulation 45/2001 in its analysis, and thus erred. (¶¶ 99-100)
V & EDPS V. EUROPEAN PARLAMENT, 5.7.2011 (“V v. European Parliament”)
V. v. Parliament
Lawful Basis: The applicant did not consent to the transfer of her medical file by the Commission to the European Parliament. The transfer was not “necessary for the purposes of complying with the specific rights and obligations of the controller in the field of employment law,” in accordance with Article 10(2)(b). The Parliament’s obligation to control fitness for duty could have been achieved by less intrusive means. Nor does Article 10(3) justify the transfer. (¶¶ 137–139)
V & EDPS v. EUROPEAN PARLAMENT
V. v. Parliament
Article 8 (Respect for Private Life) of the ECHR: Article 8 ECHR on private life relates to a fundamental right which covers the right to secrecy of one’s medical state. The transfer of that data to a third party, even another EU institution, is an interference with that right, whatever the final use. Such interference may be justified if it is “in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of t
VOLKER UND MARKUS SCHECKE GBR V. LAND HESSEN, EIFERT V. LAND HESSEN AND BUNDESANSTALT FUR LANDWIRTSCHAFT UND ERNAHRUNG, 9.Nov.2010 (“SCHECKE”)
Schecke
Personal Data: Legal persons can claim protection under EU data protection law only insofar as the official title of the legal person identifies one or more natural persons. It is of no relevance in this respect that the data published concerns activities of a professional nature (see also Rechunungshof, paragraphs 73 and 74)
VOLKER UND MARKUS SCHECKE GBR V. LAND HESSEN, EIFERT V. LAND HESSEN AND BUNDESANSTALT FUR LANDWIRTSCHAFT UND ERNAHRUNG, 9.Nov.2010 (“SCHECKE”)
Schecke
Purpose for processing: The legislation at issue does base the processing on consent. Rather, it provides that they are to be informed. Thus, processing is not based on their consent. (¶ 54)
VOLKER UND MARKUS SCHECKE GBR V. LAND HESSEN, EIFERT V. LAND HESSEN AND BUNDESANSTALT FUR LANDWIRTSCHAFT UND ERNAHRUNG, 9.Nov.2010 (“SCHECKE”)
Schecke
Interference with the fundamental rights of privacy and data protection: Chapter of Fundamental Rights (CFR) Article 52(1) accepts that limitations may be imposed on fundamental rights, as long as they are provided by law, respect the essence of those rights and are proportionate (necessary and genuinely meet objectives of general interest recognized by the EU or the need to protect the rights and freedoms of others.) The CJEU concluded that by imposing an obligation to publish personal data rel
COMMISSION V. BAVARIAN LAGER CO., 29.Jun.2010 (“BAVARIAN LAGER”)
Bavarian Lager
Personal data: Surnames and forenames may be regarded as personal data. Thus the list of names of participants in a meeting is personal data, since persons can be identified. (¶ 68)
COMMISSION V. BAVARIAN LAGER CO., 29.Jun.2010 (“BAVARIAN LAGER”)
Bavarian Lager
Access: Where a request based on Regulation No 1049/2001 (Access to Documents Regulation) seeks to obtain documents including personal data, applicable EU data protection law applies in its entirety. When requesting minutes of a meeting between the Commission and a member state that include the names of the participants, the requester must establish an express and legitimate purpose or need for disclosure of the names of the participants. The Commission was right to verify whether the data subje
COMMISSION V. BAVARIAN LAGER CO., 29.Jun.2010 (“BAVARIAN LAGER”)
Bavarian Lager
Processing: Communication of personal data in response to a request for access to documents constitutes processing. (¶69)
COMMISSION V. GERMANY, 9.Mar.2010 (“GERMANY”)
Germany
Independence of Supervisory Authorities: Independence means a status which ensures that the body concerned can act completely freely, without taking any instructions or being put under any pressure. The requirement of independence does not only concern the relationship between the supervisory authorities and the bodies subject to that supervision. The adjective “complete” implies a decision-making power independent of any direct or indirect external influence on the supervisory authority. DPAs m
COLLEGE VAN BURGEMEESTER EN WETHOUDERS VAN ROTTERDAM V. RIJKEBOER, 7.5.2009 (“RIJKEBOER”)
Rijkeboer
Right of Access: Rules limiting the storage of information on the recipients or categories of recipient of personal data and on the content of the data disclosed to a period of one year and correspondingly limiting access to that information, while basic data is stored for a much longer period, do not constitute a fair balance of the interest and obligation at issue, unless it can be shown that longer storage of that information would constitute an excessive burden on the controller (determinati
LSG-GESELLSCHAFT ZUR WAHRNEHMUNG VON LEISTUNGSSCHUTZRECHTEN GMBH V. TELE2 TELECOMMUNICATION GMBH, 19.Feb.2009 (“Tele2”)
Tele2
Personal Data: Communication of names and physical addresses of certain users, whose IP address and date and time of connection were know, involves the making available of personal data, that is, information relating to identified or identifiable natural persons.
LSG-GESELLSCHAFT ZUR WAHRNEHMUNG VON LEISTUNGSSCHUTZRECHTEN GMBH V. TELE2 TELECOMMUNICATION GMBH, 19.Feb.2009 (“Tele2”)
Tele2
Balancing rights: The judgment relies heavily on the Promusicae judgment to hold that: (1) Access providers which merely provide users with Internet access, without offering other services or exercising any control over the services provided to users, must be regarded as intermediaries under Article 8(3) of Directive 2001/29; (2) under the principle of proportionality, ISPs’ duty of disclosure gives way to users’ privacy rights in this case, where temporary IP addresses must not be stored for th
TIETOSUOJAVALTUUTETTU [FINNISH DATA PROTECTION OMBUDSMAN] V. SATAKUNNAN MARKKINAPORSSI OY AND SATAMEDIA OY, 16.12.2008 (“SATAKUNNAN&SATAMEDIA”)
SATAKUNNAN & SATAMEDIA
Processing for solely journalistic purposes: Member States are required to provide derogations in relation to protection of personal data, solely for journalistic purposes or artistic or literary expression, which fall within the fundamental right to freedom of expression, insofar as necessary for reconciliation of the two rights. Activities may be classified as “journalistic” if their sole object is the disclosure to the public of information, opinions or ideas, irrespective of the medium used
TIETOSUOJAVALTUUTETTU [FINNISH DATA PROTECTION OMBUDSMAN] V. SATAKUNNAN MARKKINAPORSSI OY AND SATAMEDIA OY, 16.12.2008 (“SATAKUNNAN&SATAMEDIA”)
SATAKUNNAN & SATAMEDIA
Processing: The collection, publication, transfer on a CD-ROM and by text messaging all constitute processing. This is the case even where the operations exclusively concern material that has already been published in unaltered form in the media. (¶¶ 35–37)
TIETOSUOJAVALTUUTETTU [FINNISH DATA PROTECTION OMBUDSMAN] V. SATAKUNNAN MARKKINAPORSSI OY AND SATAMEDIA OY, 16.12.2008 (“SATAKUNNAN&SATAMEDIA”)
SATAKUNNAN & SATAMEDIA
Personal data: Surname, given name of certain natural persons whose income exceeds certain thresholds as well as the amount of their earned and unearned income constitute personal data. The fact the the information was made publicly available by a governmental agency and that is had already been published in unaltered form in the media does not exempt it from the scope of data protection law.
PROMUSICAE, 29.Jan.2008 (“PROMUSICAE”)
PROMUSICAE
Personal Data: Names and physical addresses of certain users of an internet service, whose IP address and date and time of connection were know, are personal data, that is, information relating to identified or identifiable natural persons. (¶¶ 30&45)
Productores de Música de España (Promusicae) v Telefónica de España SAU
PROMUSICAE
Balancing fundamental rights: EU law does not require Member States to lay down an obligation to communicate personal data in order to ensure effective protection of copyright in the context of civil proceedings. However, EU law requires that Member States take care to rely on an interpretation of the directives they transpose which allows a fair balance to be struck between the various fundamental rights protected.
NIKOLAOU V. COMMISSION
Nikolaou
Processing: A leak (unauthorised transmission of personal data to a journalist by someone inside OLAF) and the publication of a press release each constitute processing (¶204)
NIKOLAOU V. COMMISSION
Nikolaou
Personal data: The information published in the press release was personal data, since the data subject was easily identifiable, under the circumstances. The fact that the applicant was not named did not protect her anonymity. (¶ 222)
NIKOLAOU V. COMMISSION
Nikolaou
Non-contractual liability under EU law: The normal rule is that the burden of proof is on the applicant to establish: i) the illegal action of a EU institution; ii) damages; iii) proof that the damages were caused by the illegal action of the institution. However, the burden of proof shifts to the institution when a fact giving rise to damages could have resulted from various causes, and the institution has not introduced any element of proof as to which was the true cause, even though it was be
BANK AUSTRIA CREDITANSTALT AG V COMMISSION OF THE EUROPEAN COMMUNITIES, 30.5.2006 (“BANK AUSTRIA”)
Bank Austria
Personal data: The data of a legal person is not protected under EU data protection law. (¶ 95)
PARLIAMENT V. COUNCIL (PNR)
PNR
Transfers: Where the transfers of personal data are authorized under an agreement that was adopted ultra vires, the authorization is void.
ESCH-LEONHARDT AND OTHERS V EUROPEAN CENTRAL BANK
ESCH-LEONHARDT
Necessity/proportionality: An employer may consider whether the use of internal email by staff (i) was necessary for the performance of their contract of employment; (ii) whether the content may become relevant for a report on their conduct in the service; (iii) whether a shortened version would suffice for proper management of personal files; and (iv) the fact that the staff in question contravened rules on the use of the internal email system by using it, as members of a trade union, for purpo
ESCH-LEONHARDT AND OTHERS V EUROPEAN CENTRAL BANK
ESCH-LEONHARDT
Processing: Inclusion of the letters in the personal files constitutes processing. (¶ 39)
ESCH-LEONHARDT AND OTHERS V EUROPEAN CENTRAL BANK
ESCH-LEONHARDT
Lawful basis for processing: Inclusion of a letter concerning an staff member’s use of internal e-mail to transmit union information in his personal file is specially restricted data but its processing does not infringe data protection law as it concerns data which the person himself has manifestly made public. (¶ 57)
LINDQUIST, 6.11.2003 (“LINDQUIST”)
Lindquist
Persona Data: Holding that the name of a person in conjunction with his/her telephone number, and information about his/her working conditions or hobbies constitute personal data. (¶ 24)
LINDQUIST, 6.11.2003 (“LINDQUIST”)
Lindquist
Transfers to third countries: The publication on the internet does not constitute a transfer, as an internet user would have to connect to the internet and personally carry out the necessary actions to consult those pages where: (i) the internet pages did not contain the technical means to send that information automatically to people who did not intentionally seek access; and, (ii) the internet page is stored with his/her hosting provider in that or another Member State. (¶¶ 60–61, 68, 70)
LINDQUIST, 6.11.2003 (“LINDQUIST”)
Lindquist
Processing for purely personal or household activity: Creating a website for a Church which includes personal information of co-workers, constitutes activities that may be mainly charitable and religious, but are not exempted from data protection law under the ‘exclusively personal or domestic’ exemption. (¶¶ 45–47)
LINDQUIST, 6.11.2003 (“LINDQUIST”)
Lindquist
Balancing of fundamental rights: Data protection and freedom of expression must be balanced against each other, and data protection law provides in itself multiple mechanisms allowing a balancing of the different fundamental rights to be carried out. Therefore it is not a disproportionate violation of the principle of freedom of expression. (¶¶ 82–87 and ¶ 90)
LINDQUIST, 6.11.2003 (“LINDQUIST”)
Lindquist
Definition of processing: The operation of loading personal data on an internet page must be considered to be processing. (¶ 25)
LINDQUIST, 6.11.2003 (“LINDQUIST”)
Lindquist
Health personal data: Reference to the fact that an individual has injured her foot and is on medical leave constitutes personal data concerning health , as the concept must be given a wide interpretation so as to include all aspects, both physical and mental, of the health of an individual. (¶¶50–51)
RECHNUNGSHOF V. OSTER REICHISCHER RUNDFUNK, 20.5.2003 (“RUNDFUNK”)
Rundfunk
Lawful basis for proceeding (Necessity requirement): The CJEU held that for an employer to publish the names and incomes of employees to a third party is an interference with the right to respect for private life, protected by article 8 of the European Convention on Human Rights (para 74), but it might be justified if it was both necessary for and appropriate to the aim of keeping salaries within reasonable limits, (that being for the national courts to determine)
RECHNUNGSHOF V. OSTER REICHISCHER RUNDFUNK, 20.5.2003 (“RUNDFUNK”)
Rundfunk
Direct applicability of Directive 95/46: Wherever provisions of a directive appear to be unconditional and sufficiently precise, they may, in the absence of implementing measures adopted within the prescribed period, be relied on against any incompatible national provision, or insofar as they define rights which individuals are able to assert against the State. (¶ 98)
RECHNUNGSHOF V. OSTER REICHISCHER RUNDFUNK, 20.5.2003 (“RUNDFUNK”)
Rundfunk
[Article 8 (Right to Private Life) of ECHR](https://docs.legal.digital/coe/#article-8): To the extent Directive 95/46 governs the processing of personal data liable to infringe fundamental freedoms, in particular the right to privacy, must be interpreted in light of that right, which forms an integral part of the general principles of EU law. [Article 8 ECHR](https://docs.legal.digital/coe/#article-8) states that public authorities must not interfere with the right to respect for private life, u
RECHNUNGSHOF V. OSTER REICHISCHER RUNDFUNK, 20.5.2003 (“RUNDFUNK”)
Rundfunk
Personal Data: The collection of data by name relating to an individual’s professional income, with a view to communicating it to third parties, falls within the scope of Article 8. The ECtHR has held that communication of the data infringes the right of the persons concerned to respect for private life. (¶¶ 73–74)