??#GDPR CJEU data protection updates - July/Aug/Sept 2022

Dear fellow data protection professionals, I hope you enjoyed a great summer holiday! ????

I’m pleased to mention that recently this newsletter reached?+700?subscribers.?Welcome everyone! ??

This time I would like to inform you about:

• Three new cases?lodged at the CJEU;
• Three judgments?issued by the CJEU and?four hearings?that were held in the past months;
• Advocate General Pitruzzella’s opinions of?two cases;
• Three A-G opinions?and?two judgments, all in the upcoming month September!
• On?Monday 19 September 2022?I will join the?PrivacyPod?once again to talk about CJEU data protection case-law. ??Tune in!

Read more about it in this edition of the?CJEU data protection updates newsletter, curated by me -?Joost Gerritsen. You can view the?complete, up-to-date and searchable overview of all pending cases?on my website.

New cases lodged at the CJEU

Since the last issue of this newsletter,?3 new cases?have been lodged at the CJEU:

• The?Gemeinde Ummendorf?case (C-456/22) raises questions about Article 82(1) GDPR regarding non-material damages. Does the presumption of non-material damages require a tangible disadvantage and an objectively comprehensible impairment of personal interests?
• The?MK?case (C-461/22) is straightforward: is a legally appointed curator who performs that activity in a professional capacity a controller? Is (s)he required to provide Article 15 GDPR information?
• Finally, a Danish case from the??stre Landsret?concerns a case handler in a municipality who stored data on 20,620 citizens in unencrypted form. The data was stolen from an unlocked office. Questions have not been published yet.

The questions can be found on the list of?my website. This list also includes a new case between a German consumer and the European Commission (T-354/22). The consumer seeks a declaration that the transfers of his personal data to recipients established in third countries without an adequate level of protection are unlawful. This transfers initiated by FuturEU, a website maintained by the Commission. More information,?here.

Judgments and hearings of the CJEU

Three judgments?have been issued by the CJEU:

1. Ligue des droits humains?(C-817/19): on the 21th of June, the CJEU’s Grand Chamber ruled, among other things, that the indiscriminate processing of passengers’ data in cases of flights carried out only within the EU is forbidden, with the exception of terrorism threats. Thomas Wahl (Max Planck Institute) wrote an?insightful article?about the judgment.
2. Leistritz?(C-534/20): one day later, in a case about the legal position of DPO’s, the Court’s First Chamber confirmed that the GDPR does not stand in the way of German legislation which provides that a controller or a processor may terminate the employment contract of a DPO (who is a staff member) only with just cause, even if the contractual termination is not related to the performance of the DPO’s tasks, in so far as such legislation does not undermine the achievement of the objectives of the GDPR. Good news for the German legislator.
3. Vyriausioji tarnybin?s etikos komisija?(C-184/20): on the 1st of August, the Grand Chamber ruled that Article 9 GDPR (‘sensitive data’) must be interpreted as meaning that the publication - on the website of a Lithuanian public authority - of personal data that indirectly disclose the sexual orientation of a natural person constitutes processing of special categories of personal data. ??Given the circumstances of the case, I think this is a logical ruling. The case did however, stir up some heated discussions among privacy professionals.

You can learn about the CJEU’s?hearings?of the past three months via Mr Kranenborg’s LinkedIn-page (Member Legal Service, European Commission), who wrote summaries of the following cases:?C-349/21,?C-470/21,?C-34/21?and?C-268/21.

Published A-G opinions

Two A-G opinions have been published:

1. ?sterreichische Post?(C-154/21): according to A-G Pitruzzella, the general rule is that upon a data subject’s request (Article 15(1)? GDPR) a controller must identify the specific recipients to whom the data subject’s personal data are disclosed. Only two circumstances may restrict this right of access to an indication of the categories of recipients.
2. Ministerstvo na vatreshnite raboti?(C-205/21): A-G Pitruzzella gave his opinion in the context of processing of biometric and genetic data by the police to establish DNA profiles. National laws that allow such processing are bound by certain criteria, as noted by the Advocate General.

Upcoming judgments, opinions and hearings

September wil be a busy month:

• 8 Sept.?A-G opinion?about Articles 77 and 79 GDPR: right to lodge a complaint and right to bring legal action (C-132/21);
• 20 Sept.?Judgment?of Spacenet meta data retention case (C?793/19 & C?794/19). See the?EU Law Analysis blog;
• 20 Sept.?Judgment?VD & SR cases re: traffic data retention case in Market Abuse Regulation context (C?339/20 & C?397/20). See the?EU Law Analysis blog;
• 20 Sept.?A-G opinion?of Meta Platforms: does the GDPR hinder German competition authority to assess whether or not Meta’s data processing terms comply with the GDPR? (C-252/21). Put differently: May a competition agency apply the GDPR?;
• 22 Sept.?A-G opinion?about Article 88 GDPR. Can a national law apply knowing this law does not meet the requirements of Article 88? (C-34/21).

Overview of pending data protection cases

If you want to view all cases pending at the CJEU, please?visit my website GDPR Beetle. It includes an interesting case about Automated Decisions (Article 22 GDPR), for instance:

Listen to the PrivacyPod

On Monday 19 September 2022, I will join PrivacyPod’s virtual studio once again to talk about data protection case-law.

Have you come up with a name for my podcast segment? Working title is:?Joost’s case corner. I’m sure you can come up with something more creative! Please let me know via?Twitter?or?e-mail.

Thank you for reading!

Was this email forwarded to you??Receive the next issue directly into your own inbox after subscribing?here.