GDPR

Subscribe to GDPR via RSS

On November 10, 2021, the UK Supreme Court ruled[1] that class representatives in data privacy class action suits need to prove damage or distress suffered to be successful. Compensation cannot be granted simply by virtue of proving that a company violated the law. The case was heard under the UK’s pre-2018 data protection law, but the UK GDPR arguably does not change the essence of the Court’s ruling.[2]
Continue Reading Lloyd v. Google: UK Supreme Court Rejects Data Protection Class Action in Landmark Ruling

On June 15, 2021, the Court of Justice of the European Union (CJEU) confirmed[1] that non-leading supervisory authorities (SAs) can initiate national judicial proceedings concerning cross-border data processing in two circumstances:[2] i) where there is an “urgent need” to act, or ii) if the case has a local impact.
Continue Reading CJEU Confirms Exceptions to One-Stop-Shop Mechanism Under the GDPR

On May 12, 2021, the Dutch supervisory authority (the Autoriteit Persoonsgegevens or AP) issued a press release on a EUR 525,000 fine against Locatefamily.com for failing to appoint an EU representative, with additional penalty payments pending should the violation persist. The press release is available in English here, and the decision is available in Dutch here (“Decision”).
Continue Reading Locatefamily.com Fined EUR 525,000 for Failure to Appoint an EU Representative

On September 7, 2020, the European Data Protection Board (EDPB) published draft guidelines (Guidelines) intended to clarify the roles of the parties processing personal data and when they are operating as controllers, joint controllers, or processors under the EU General Data Protection Regulation (GDPR).
Continue Reading Draft EDPB Guidelines Clarify the Roles of Parties Processing Personal Data and Call for Detailed Data Processing Agreements

On Monday September 7, 2020, the European Data Protection Board (EDPB) issued draft Guidelines 8/2020 on the targeting of social media users (the “Draft Guidelines”). The Draft Guidelines have far-reaching implications for social media platforms, advertisers, and adtech companies, as they will result in a clarification of the roles and responsibilities of the key stakeholders, and establish rules for consent.

The Draft Guidelines are open for public consultation until October 19, 2020. Interested companies can submit their comments to the EDPB.
Continue Reading EDPB Issues Guidelines on Social Media Targeting Under GDPR

On May 4, 2020, the European Data Protection Board (EDPB) adopted new guidelines (the guidelines) regarding the use of consent as a legal basis for processing personal data under the General Data Protection Regulation (GDPR).[1] The guidelines update and replace the Article 29 Working Party’s April 2018 guidance on the same topic.

The guidelines remain largely unchanged from the earlier version but do provide helpful clarifications on two points: a) the validity of consent when interacting with so-called “cookie walls”; and b) “scrolling” as a means of indicating consent.
Continue Reading EDPB Adopts Updated Consent Guidance