Judgments on the GDPR and national data protection law
Home » Judgments on the GDPR and national data protection law
Courts in the EU, and in particular the CJEU, repeatedly issue landmark judgments on the European General Data Protection Regulation (GDPR) and data protection law. We analyse these rulings and explain what they mean in practice.
Do online retailers have to provide guest accounts and what are they allowed to use customer data for
The Hamburg Regional Court clarifies key questions regarding the processing of personal data in online shops – at least for some providers.
CJEU defines data protection damages in the case of immaterial and hypothetical damage
Several judgements on the determination of immaterial damage and the assessment of such damage under the GDPR provide new certainties for data controllers.
Pseudonymisation of data can amount to anonymisation
The EGC ruled on whether data protection law does not apply to the pseudonymisation of personal data if the recipient has no possibility of re-identification.
CJEU clarifies responsibility and the question of fault for the imposition of fines
In order to impose GDPR fines, it must be established who is responsible for the processing activity and whether and, if so, who must be at fault. The CJEU has now provided clarity.
CJEU defines right to a copy under Art. 15 GDPR
In what form and to what extent must copies of personal data be provided when data subjects exercise their data protection rights? The CJEU provides clarity and sets new standards.
The Federal Cartel Office may also find GDPR violations at Meta
The CJEU has cast doubt on the voluntary nature of consent on Facebook, allowing national competition regulators to investigate data protection breaches in certain circumstances.
CJEU rules on damages under Art. 82 GDPR
Non-material damages, damages, and the materiality threshold – the CJEU issues a long-awaited ruling. But the legal certainty now provided could lead to large waves of lawsuits.
CJEU declares parts of Germany´s BDSG invalid in terms of data protection for employees
In future, employers in Germany must use a legal basis directly from the GDPR to process their employees’ personal data.
CJEU on the right of access to data recipients
Controllers must name the specific recipients of personal data when answering right to access requests – unless one of the few exceptions applies.
Consumer associations can bring GDPR cases to court without demonstrating a specific violation of individual rights
The CJEU confirmed that national law may allow consumer associations to bring GDPR claims to court, even if they are not mandated by the data subjects and without demonstrating a specific violation of data subjects’ rights.