2024-W41: NEW RESOURCES
Eli Atanasov, CIPP/E, PhD
I help businesses put their privacy compliance on autopilot, saving them time and money in the process.
Hi privacy navigators, we’ve just added some great new resources to the Privacy Navigator.
Latest resources:
Case C-21/23 CJEU, Lindenapotheke: GDPR and Unfair Competition Law Overlap
This ruling from the CJEU confirmed that GDPR breaches can also qualify as unfair commercial practices, allowing traders to file for injunctive relief under national unfair competition laws.
The judgement clarified that data protection and unfair competition remedies coexist, meaning GDPR violations may simultaneously trigger market law sanctions—particularly when the breach involves "material provisions" with market relevance.
The case, which arose from a dispute between two German pharmacies, involved the processing of health data when customers ordered medicinal products online.
The court found that even information provided for non-prescription items qualifies as health data under the GDPR, extending privacy protections to such transactions.
Read it here.
See the press release here.
Case C-621/22, KNLT: Legitimate Interests in Data Processing
In this case, the CJEU confirmed that marketing and commercial interests can be considered legitimate interests under Article 6(1)(f) GDPR, as long as the data processing is strictly necessary and there are no less intrusive alternatives.
The ruling emphasizes the proportionality test in balancing a company’s interests with the data subject’s rights, which must not be outweighed by those interests.
The court clarified that the legitimate interest doesn’t need to be formally established by law but must be lawful, meaning it must not contravene any existing laws.
Moreover, the decision stresses the importance of data subjects’ reasonable expectations, as outlined in Recital 47 GDPR, highlighting that businesses must consider whether individuals would reasonably expect their data to be used for such purposes.
Read it here.
Case C-507/23: Non-Material Damage and the Role of Apologies in GDPR Compensation
In Case C-507/23, the CJEU addressed important questions related to non-material damage compensation under Article 82(1) GDPR.
The court ruled that, under certain circumstances, an apology may be sufficient to compensate for non-material damage caused by the unlawful processing of personal data. This decision came in the context of a case in Latvia, where a public authority (the Consumer Rights Protection Centre) used an individual’s image without consent in a video campaign.
The court clarified that while non-material damage does not require tangible harm, there must be a causal link between the GDPR violation and the damage. Additionally, the court stated that the attitude or motivation of the data controller—such as whether the violation occurred during a task carried out in the public interest—does not mitigate or aggravate the compensation owed.
This ruling is significant because it recognizes that non-material damage, such as harm to reputation or emotional distress, can be addressed through non-financial compensation, like a formal apology.
However, the apology must fully compensate the harm suffered, making it a key aspect of the judgment that broadens the understanding of remedies available under the GDPR.
According to the court, full compensation means that the apology must entirely rectify the non-material damage caused. This excludes any punitive factors related to the controller's intent or motivation. The apology must restore the data subject to the position they would have been in if the GDPR breach had not occurred. If the harm is more serious, the apology alone may not suffice, and financial compensation could still be required to ensure the data subject is fully compensated.
Read it here.
PRO TIP OF THE WEEK
Did you know that Privacy Navigator gives you much more than news in your inbox?
Research any topic using the Privacy Navigator in three easy steps:
Click the advanced search button below the search bar. If you want to make your search quicker, you can start typing directly in the search bar.
2. Narrow down your search
For this example, let’s research data protection impact assessments [1]. After briefly browsing the resources, you can narrow them down by keyword [2], or resource type [3]. You can always reset the filters [4].
In this case, let’s show only guidelines.
3. Check the latest DPA decisions
To complete your research, you can find DPA decisions across the EU and the UK by using our Fine Tracker. Simply select the country [1], sector [2], or the type of violation [3]. If you want a broader search, you can skip some of the filters.
The last step is to open the file by clicking “see more” [4].
All the above research tools are completely free. No subscription, no registration.
Case C-446/21, Schrems vs Facebook: Targeted Ads and Data Minimisation
In Case C-446/21, Schrems vs Facebook, the CJEU ruled that while targeted advertising is not inherently illegal, companies must adhere to the data minimisation principle under GDPR Article 5(1)(c).
This means personal data cannot be stored or processed indefinitely for advertising purposes. The ruling directly challenges Meta's practice of retaining vast amounts of user data for extended periods without clearly defined limits on how long the data is kept for ad targeting, even with user consent.
The court underscored that personal data processing must be limited to what is strictly necessary for the purpose for which it was collected, and companies must ensure they only retain data as long as necessary.
The CJEU also addressed the use of publicly available data, making it clear that data shared for one purpose cannot be repurposed for advertising without explicit and specific consent. This reinforces the purpose limitation principle, ensuring that companies cannot repurpose data without clear authorization.
Moreover, the ruling emphasized the need for companies to implement clear data deletion protocols. Meta's practice of holding user data indefinitely was found to be non-compliant with GDPR, as companies must delete personal data once it is no longer required for the original purpose.
Read it here.
See the press release here.
Case C-200/23: Handwritten Signatures and Non-Material Damage under GDPR
In this case from Bulgaria, the CJEU ruled that a handwritten signature constitutes personal data under Article 4(1) GDPR, confirming its protection under data privacy laws.
The case also clarified the interpretation of non-material damage under Article 82(1) GDPR, establishing that such damage does not require tangible adverse consequences.
This ruling broadens the scope of data subjects' rights to compensation for non-material damages, such as fear, anxiety, or emotional distress, caused by the mishandling of their personal data.
The CJEU further emphasized that an opinion from a Member State’s supervisory authority (like a data protection authority) is not sufficient to exempt a data controller from liability in case of GDPR infringements.
In this particular case, the court ruled that the Agency for Registrations (Bulgaria's commercial register authority) could not avoid liability for publishing personal data, such as signatures, in violation of GDPR, even though they argued that they had relied on national supervisory authority guidance.
Read it here.
That's all for now, see you next week!
Eli
email: [email protected]