Data Protection Insider, Issue 141

16. Oktober 2025  |   von DPI Editorial Team
Data Protection Insider, Issue 141 - DPI 37

CJEU: OLAF in Breach of Data Protection Rules When Publishing a Press Release

On 1st October, the General Court ruled on appeal that the publication of the applicant’s data in an OLAF press release was unlawful and gave rise to damages in OC v European Commission. As to the facts of the case, the applicant was a researcher at a Greek University who had received a research grant by the EC. The EC, however, noticed irregularities in the spending of the grant, and OLAF initiated investigations. After finalising the said investigations, OLAF published a press release in which it reported on the investigations, using terms such as ‘fraud’ and stating, amongst others, that some of the researchers paid by the grant were not aware of that and of the joint accounts opened in their names. The press release did not mention the name of the applicant. However, it published ‘information and personal data which make it easy to identify her, namely her nationality, gender, young age, the fact that her father worked at the Greek university concerned, and the amount of the grant awarded’. The applicant claimed that the press release unlawfully disclosed her personal data, in breach of the EU Data Protection Regulation (EUDPR), and that many of the claims made in it were false, in breach of the principle of presumption of innocence and the obligations on due diligence and impartiality in Article 41(1) CFREU. The dispute between the applicant and OLAF escalated to the General Court, whose initial judgment was appealed by the applicant. In the appeal judgment the Court first ruled that it is in principle not unlawful of OLAF to issue press releases containing personal data. However, it ruled that in casu, OLAF’s press release breached Article 4(1)(a) and Article 5(1)(a) EUDPR, because the published information ‘not only permits identification of the applicant, but, in addition, it is not necessary, with the exception of the amount of the grant awarded, for the purpose of reporting on the allegations made against the applicant following OLAF’s investigation. The applicant’s age, gender, nationality and family ties had no bearing on the facts at issue and reference to them in no way forms part of the task of informing the public of OLAF’s activities’. Second, it ruled that the processing of the applicant’s data in the press release constitutes a further processing of the data, which were originally collected for investigation purposes. The Court concluded that the conditions on further processing the applicant’s data in Article 4(1)(b) and Article 6(c)-(e) EUDPR were breached, because OLAF did not take sufficient safeguards, especially in view of the nature of the data and information published – i.e. the potential indirect identification of the applicant in connection with the criminal allegations, before releasing information on the case. Last but not least, the Court agreed with two of the applicant’s claims on inaccurate information about her in the press release, namely that the investigations were in a matter of ‘fraud’ (by contrast ‘irregularities’ were used in the actual OLAF report) and that researchers who were paid by the grant were not aware of that, including that bank accounts were opened on their names (a matter on which OLAF did not seem to have enough proof in its actual report). The inaccurate information was examined by the Court as a matter of breach of the principle of presumption of innocence and of the principle of good administration in Article 41(1) CFREU. Finally, the Court awarded the applicant damages totalling 50,000 Euros.

EDPB Publications

Over the past two weeks, the EDPB has published the following important documents:

  • 9th October 2025: ‘Joint Guidelines on the Interplay between the Digital Markets Act and the General Data Protection Regulation’;
  • 3rd October 2025: ‘Recommendations on calculating the audit cycle in EU Large-Scale IT Systems’.

EU-Korea Mutual Adequacy Decision

On 16th September 2025, the Korean Personal Information Protection Commission’s (PIPC) ‘decision, which recognises the European Union’s personal data protection framework as equivalent’ entered into force. According to the Commission: ‘Together with the 2021 European Commission’s adequacy decision on the Republic of Korea, this establishes a comprehensive area of free and safe personal data flows between the two jurisdictions’. The Commission further notes that this is an ‘innovative mutual adequacy arrangement’ which covers ‘both the private and public sectors’. The Commission considers that the agreement ‘will not only further facilitate trade, but also joint research, as well as regulatory cooperation between the two sides’ as well as being ‘the basis for working even closer together to shape global discussions on personal data protection, artificial intelligence (AI) and to contribute proactively to the spread of digital trust worldwide’.

Über

DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Hinterlasse eine Antwort

Zurück zur Übersicht