Case law EU Court of Justice: Personal data must be interpreted broadly Court of Justice EU June 22, 2023, IT 4301, ECLI:EU:C:2023:501 (J.M. v. Pankki) In this case, for the benefit of J.M., who worked for a while at the bank Pankki S and was also a customer there himself, some questions are put to the
Case law ING collection fraud justifies registration Amsterdam District Court May 25, 2023, IT 4295; ECLI:NL:RBAMS:2023:3210 (Applicant/ING) This case involved a large-scale collection fraud in which the applicant was involved. On an online platform of Universe.com, people could register events and buy tickets to these events. The payment transactions were arranged
Case law "Arnhem-Leeuwarden Court of Appeal rules: BKR must remove registered credits under GDPR" General Data Protection Regulation. BKR must delete the credits it registers in the Central Credit Information System (hereafter CKI) at the request of the credit providers, or at least at the request of the credit providers, the particularity codes it registers (Machine translated) https://deeplink.rechtspraak.nl/uitspraak?id=ECLI:
Case law Cell phone provider liability limitation in simswap fraud. Consumer sues cell phone provider for misappropriation of crypto after simswap fraud. Can phone provider successfully invoke limitation of liability in its terms and conditions? (Machine translated) https://deeplink.rechtspraak.nl/uitspraak?id=ECLI:NL:RBDHA:2023:5430
Case law "Inadmissibility of GDPR access request due to late filing - Amsterdam District Court" GDPR access request of personal data. Inadmissible petition filed late. (Machine translated) https://deeplink.rechtspraak.nl/uitspraak?id=ECLI:NL:RBAMS:2023:2523
Case law "Aruba Court of First Instance rules that mandatory biometric time clock is not an impermissible invasion of privacy" Labor. The requirement imposed by ANSA on employees to use its biometric time clock is not unlawful in the sense of an impermissible invasion of their right to privacy. ANSA has not unilaterally changed the terms and conditions of employment of air traffic controllers in the sense of requiring air
Case law GDPR request by court's in-house lawyer to the board and Council for the Judiciary (The Hague Court of Appeal) GDPR requests from lawyer of a court to the board of the court and the Judicial Council in connection with an employment dispute (Machine translated) https://deeplink.rechtspraak.nl/uitspraak?id=ECLI:NL:GHDHA:2023:875
Case law Amsterdam court orders Hoster to provide name and address information Headline March 20, 2018, elaboration March 28, 2018. Hoster ordered to provide NAW data in summary proceedings. Unmistakably wrongful conduct Anonymous Person. Data Protection Act does not prevent conviction. (Machine translated) https://deeplink.rechtspraak.nl/uitspraak?id=ECLI:NL:RBAMS:2018:1873
Case law France's constitutional court approves use of AI surveillance cameras for Olympics France’s Constitutional Court ruled the government could proceed with installing artificial intelligence-powered surveillance cameras ahead of the 2024 Olympics in Paris, Politico reports. In its decision, the court ruled the installation of the cameras did not erode privacy rights because human operators will "permanently control (of) 'the development, implementation
Case law "Dissolution for disturbed employment relationship and privacy violations: employer seriously culpable" Dissolution because of a disturbed employment relationship, serious culpability of the employer because of insufficient reintegration in the first track and justified complaints of the employee about privacy violations. Regarding the amount of the fair compensation, it was considered that hardly any relevant income damage had been suffered because the
Case law Europe: CJEU holds that mere infringement of the GDPR does not give rise to a right to compensation On 4 May 2023, the European Court of Justice (“CJEU”) delivered its judgment regarding the interpretation of Article 82 of the General Data Protection Regulation (“GDPR”). The CJEU held that mere infringement of the GDPR does not give rise to a right to compensation. However, there is no requirement for the
Case law CJEU Determines that a Mere Infringement of the GDPR is not Sufficient to Require Compensation On May 4, 2023, the California Privacy Protection Agency Board announced that it will hold a public meeting on May 15, 2023 to discuss California Privacy Rights Act of 2020 regulations proposals and priorities and other CPPA activities. Continue Reading https://www.huntonprivacyblog.com/2023/05/08/cjeu-determines-that-a-mere-infringement-of-the-gdpr-is-not-sufficient-to-require-compensation/
Case law CJEU: pseudonym for one may be anonymous for another, room for handling personal data Resolution with external independent examination The issue concerns a resolution scheme declared applicable to a Spanish bank by the Joint Resolution Board. This is a complicated financial law matter and I will leave those financial aspects for the moment (thankfully). In the context of resolution, one of the issues to be
Case law EU Court: mere violation of the GDPR does not entitle you to damages The right to compensation laid down in the GDPR exists only if the following three conditions are cumulatively met: a processing of personal data in violation of the provisions of the GDPR, damage suffered by the data subject and a causal link between that unlawful processing and that damage. Thus,
Case law Legal Obligation for Ziggo to Forward Brein's Warning Letter to Customer with Accessible E-Book Library Ziggo is required to forward a warning letter from Brein to its customer through whose IP address a library of e-books is accessible to Internet users online and, if necessary, to provide the name and address details of this customer to Brein. Both Ziggo and Brein may process these (criminal)
Case law EU Court: processing of teachers' personal data in live streaming of public education falls under GDPR The processing of teachers' personal data when live-streaming public education that they teach via videoconference falls within the material scope of the GDPR. A national regulation that does not meet the conditions of the GDPR cannot be considered a detailed regulation within the meaning of the GDPR. The application of
Case law Germany: ECJ ruling on employee data protection Authors: Eleni Alexiou, Katharina Pauls Although key German provisions are in breach of EU law, there will only be little changes in practice – What still needs to be taken into account On 30 March 2023, the European Court of Justice (ECJ) ruled on the requirements for national legal bases regarding
Case law German Constitutional Court confirms generalised data retention illegal After seven years of ambiguity regarding the German law on data retention, the German Federal Constitutional Court ruled it inapplicable and incompatible with EU law on Thursday (March 30). https://www.euractiv.com/section/data-protection/news/german-constitutional-court-confirms-generalised-data-retention-illegal/
Case law The right of inspection under the GDPR cannot be limited by the conditions set forth in Dutch document discovery Gelderland District Court March 22, 2023, IT 4243; ECLI:NL:RBGEL:2023:1575 (plaintiff v. De Volksbank) In this lawsuit, the plaintiff sued De Volksbank for processing personal data in various administrations and registers. The plaintiff claims that it is entitled to access this personal data and information about the
Case law Not clear exactly what plaintiff means by 'the investigation file' Gelderland District Court March 22, 2023, IT 4243; ECLI:NL:RBGEL:2023:1575 (plaintiff v. De Volksbank) In this lawsuit, the plaintiff sued De Volksbank for processing personal data in various administrations and registers. The plaintiff claims that it is entitled to access this personal data and information about the
Case law OLG Celle Overturns Lower Court's Decision on Excessiveness of Data Subject's Access Request The Higher Regional Court of Celle overturned the decision of a lower court, holding that the motivation of a data subject's Article 15 GDPR access request is irrelevant to the legitimacy of the request. https://gdprhub.eu/index.php?title=OLG_Celle_-_8_U_165/22
Case law "Rotterdam Court Orders Tax Authority to Conduct More Extensive Search in Access Request Case" When the Dutch Tax Administration answers a data subject's access request, it should search beyond the general system it uses and provide specific information as to the purpose of the processing, the potential recipients and the source of the data. https://gdprhub.eu/index.php?title=Rb._Rotterdam_-_ROT_
Case law Data protection meets civil procedure – the ECJ decision in Norra Stockholm Bygg Blogpost 14/2023 The recent case of Norra Stockholm Bygg represents another important data protection decision from the ECJ. The decision addresses the application of the General Data Protection Regulation (‘GDPR’) to Member State courts when they are handling personal data, and therefore has important practical significance for civil procedure
Case law Is the new ICT vendor liable for loss of data from old ICT environment? District Court of North Holland February 15, 2023, IT 4241; ECLI:NL:RBNHO:2023:2471 (Pit v. OfficeGrip Holding c.s.) This case deals with the question of whether a new ICT supplier is liable for damages resulting from the loss of data from its client's old ICT environment. The
Case law Automated loan processing called 'profiling' by CJEU advocate general Advocate General of the Court of Justice of the European Union Priit Pikamäe ruled automated processing to determine an individual's probability of obtaining a loan constitutes profiling under the EU General Data Protection Regulation. Pikamäe's decision states the "GDPR establishes a 'right' for the person concerned not to be subject