{"id":72486,"date":"2024-04-25T23:55:43","date_gmt":"2024-04-25T21:55:43","guid":{"rendered":"https:\/\/www.lexxion.eu\/dpi\/data-protection-insider-issue-110\/"},"modified":"2024-05-12T00:33:50","modified_gmt":"2024-05-11T22:33:50","slug":"data-protection-insider-issue-110","status":"publish","type":"dpi","link":"https:\/\/www.lexxion.eu\/en\/dpi\/data-protection-insider-issue-110\/","title":{"rendered":"Data Protection Insider, Issue 110"},"content":{"rendered":"<div class=\"txtTinyMce-wrapper\" style=\"font-size: 12px; line-height: 18px; font-family: Arial, Helvetica Neue, Helvetica, sans-serif;\">\n<p style=\"font-size: 14px; line-height: 21px; word-break: break-word; text-align: justify;\"><strong><a style=\"text-decoration: none;\" href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=284641&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=4792053\" target=\"_blank\" rel=\"noopener\"><span style=\"font-size: 14px; line-height: 21px;\">&#8211; CJEU Rules on Non-Material Damages &#8211;<\/span><\/a><\/strong><\/p>\n<p style=\"text-align: justify; line-height: 18px; word-break: break-word;\"><a style=\"text-decoration: underline;\" href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=284641&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=4792053\" target=\"_blank\" rel=\"noopener\">On 11th April 2024, the CJEU delivered its judgment in the case of GP v juris GmbH.<\/a> The case concerned a self-employed lawyer, who was a client of the legal database company juris. The plaintiff revoked all consents, and objected to the processing of their data for the purposes of marketing. Despite this, the plaintiff received further marketing leaflets. 
The plaintiff then \u2018reminded juris of his prior objection to any marketing,\u2026informed juris that the creation of those prospectuses had given rise to unlawful processing of his data and requested compensation for the damage suffered by him under Article 82 of the GDPR\u2019. A further advertising leaflet then arrived, after which the plaintiff \u2018reiterated his objection, which was this time served on juris by bailiff\u2019. Accordingly, the applicant brought proceedings before the national courts. The plaintiff sought \u2018on the basis of Article 82(1)\u2026compensation for his material damage, relating to the costs\u2026incurred by him, and for his non-material damage\u2019. The plaintiff claimed \u2018that he\u2026suffered a loss of control over his personal data as a result of the processing of those data by juris despite his objections, and that he\u2019 was entitled \u2018to obtain compensation on that basis, without having to show the effects or gravity of the infringement of his rights, guaranteed by Article 8 of the Charter\u2019 and the GDPR. The defendant, however, claimed that \u2018it had indeed established a system for managing objections to marketing and that the late taking into account of those of the applicant\u2026was due either to the fact that one of its employees had not complied with the instructions given or to the fact that it would have been excessively onerous to take those objections into account\u2019 and that \u2018the mere breach of an obligation under the GDPR, such as that under Article 21(3) thereof, cannot, in itself, constitute \u2018damage\u2019 within the meaning of Article 82(1)\u2019. 
In this regard, four questions were referred to the CJEU, which the Court bundled into three sets of considerations:<\/p>\n<ul style=\"text-align: justify;\">\n<li style=\"line-height: 18px;\">Whether Article 82(1) GDPR means \u2018an infringement of provisions\u2026which confer rights on the data subject is sufficient\u2026to constitute \u2018non-material damage\u2019\u2026irrespective of the degree of seriousness of the harm suffered\u2019.<\/li>\n<li style=\"line-height: 18px;\">Whether Article 82 GDPR means \u2018it is sufficient for the controller, in order to be exempted from liability under paragraph 3\u2026to claim that the damage\u2026was caused by the failure of a person acting under his authority\u2019 according to Article 29.<\/li>\n<li style=\"line-height: 18px;\">Whether Article 82(1) GDPR means \u2018that, in order to determine the amount of damages due as compensation\u2026it is necessary, first, to apply mutatis mutandis the criteria for setting the amount of administrative fines laid down in Article 83\u2026and, second, to take account of the fact that several infringements of that regulation concerning the same processing operation affect the person seeking compensation\u2019.<\/li>\n<\/ul>\n<p style=\"text-align: justify; line-height: 18px; word-break: break-word;\">In this regard, the Court considered that:<\/p>\n<ul style=\"text-align: justify;\">\n<li style=\"line-height: 18px;\">Article 82(1) means \u2018an infringement of provisions\u2026which confer rights on the data subject is not sufficient, in itself, to constitute \u2018non-material damage\u2019\u2026irrespective of the degree of seriousness of the damage suffered by that person\u2019.<\/li>\n<li style=\"line-height: 18px;\">Article 82 means \u2018it is not sufficient for the controller, in order to be exempted from liability\u2026, to claim that the damage in question was caused by the failure of a person acting under his or her authority\u2019 under Article 29.<\/li>\n<li 
style=\"line-height: 18px;\">Article 82(1) means \u2018that in order to determine the amount of damages\u2026, it is not necessary, first, to apply mutatis mutandis the criteria for setting the amount of administrative fines\u2026in Article 83\u2026and, second, to take account of the fact that several infringements of that regulation concerning the same processing operation affect the person seeking compensation\u2019.<\/li>\n<\/ul>\n<p style=\"text-align: justify; line-height: 18px; word-break: break-word;\">There is much to recommend a closer reading of this case, not least the Court\u2019s subtle differentiations regarding the concepts of infringement and damage, its discussion of the criteria for claiming non-material damages, and its discussion of the distinctions between provisions relating to compensation, and those relating to administrative fines.<\/p>\n<p>&nbsp;<\/p>\n<\/div>\n<div class=\"txtTinyMce-wrapper\" style=\"font-size: 12px; line-height: 18px; font-family: Arial, Helvetica Neue, Helvetica, sans-serif;\">\n<p style=\"font-size: 14px; line-height: 21px; word-break: break-word; text-align: justify;\"><strong><a style=\"text-decoration: none;\" href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=284655&amp;pageIndex=0&amp;doclang=EN&amp;mode=req&amp;dir=&amp;occ=first&amp;part=1&amp;cid=4743695\" target=\"_blank\" rel=\"noopener\">&#8211; AG Opinion on the Powers of Supervisory Authorities<\/a><span style=\"font-size: 14px; line-height: 21px;\"><a style=\"text-decoration: none;\" href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=280623&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=6864747\" target=\"_blank\" rel=\"noopener\">&#8211;<\/a><\/span><\/strong><\/p>\n<p style=\"line-height: 18px; word-break: break-word; text-align: justify;\"><a style=\"text-decoration: underline;\" 
href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=284655&amp;pageIndex=0&amp;doclang=EN&amp;mode=req&amp;dir=&amp;occ=first&amp;part=1&amp;cid=4743695\" target=\"_blank\" rel=\"noopener\">On 11th April 2024, the AG delivered their Opinion in the case of TR v Land Hessen<\/a>. The case concerned a savings bank, which had chosen not to inform a data subject of a data breach \u2013 presuming this would not constitute a high risk. The data subject complained to the DPA of \u2018a breach of Article 34 of the GDPR\u2019 and \u2018of the short period of three months for which the savings bank\u2019s access logs were retained, and the fact that all savings bank employees had comprehensive access rights\u2019. The DPA, however, took the matter no further claiming \u2018the savings bank had not infringed Article 34\u2019. Subsequently, the data subject \u2018lodged an action against the decision\u2026before the Verwaltungsgericht Wiesbaden\u2026the referring court, asking it to order the\u2019 DPA \u2018to take action against the savings bank\u2019. The data subject asserted they were entitled to have the \u2018complaint handled and to be informed of the outcome\u2019, submitted that the DPA \u2018was obliged to establish the facts underpinning the savings bank\u2019s risk assessment without confining itself to the measures expressly requested, and that it should have fined the savings bank\u2019. According to the plaintiff, \u2018where a breach is established, the principle of expediency does not apply, so that the\u2019 DPA \u2018did not have the discretion to decide whether or not to act but that, at most, its discretion extended to which measures it was considering adopting\u2019. 
In this regard, the following question was referred to the Court: \u2018Are Article 57(1)(a) and (f), Article 58(2)(a) to (j) and Article 77(1)\u2019 GDPR \u2018to be understood as meaning that, where the supervisory authority finds that data processing has infringed the data subject\u2019s rights, the supervisory authority must always take action in accordance with Article 58(2)\u2019 GDPR? In response, the AG concluded, building on the SCHUFA case, that the Articles in question mean that \u2018where the supervisory authority finds that data processing has infringed the data subject\u2019s rights, the supervisory authority must take action under Article 58(2)\u2019 of the GDPR \u2018to the extent necessary to ensure full compliance\u2026. In that respect, it is required to select, taking into account the specific circumstances of each individual case, the appropriate, necessary and proportionate action to remedy the infringement and ensure that the data subject\u2019s rights are respected\u2019. The AG also stated, however, that \u2018the data subject does not have the right to require the adoption of a particular measure\u2019 and that the stated \u2018principles also apply to the system of administrative fines\u2019. 
It remains, however, as always, to be seen whether, and to what extent, the Court will follow the AG\u2019s Opinion.<\/p>\n<p>&nbsp;<\/p>\n<\/div>\n<div class=\"txtTinyMce-wrapper\" style=\"font-size: 12px; line-height: 18px; font-family: Arial, Helvetica Neue, Helvetica, sans-serif;\">\n<p style=\"font-size: 14px; line-height: 21px; word-break: break-word; text-align: justify;\"><strong><a style=\"text-decoration: none;\" href=\"https:\/\/hudoc.echr.coe.int\/eng#{%22itemid%22:[%22001-233106%22]}\" target=\"_blank\" rel=\"noopener\"><span style=\"font-size: 14px; line-height: 21px;\"><span style=\"line-height: 18px;\">&#8211; ECtHR: The Bulgarian Regime on Data Storage of Conviction Data is Unforeseeable &#8211;<\/span><\/span><\/a><\/strong><\/p>\n<p style=\"line-height: 18px; word-break: break-word; text-align: justify;\"><a style=\"text-decoration: underline;\" href=\"https:\/\/hudoc.echr.coe.int\/eng#{%22itemid%22:[%22001-233106%22]}\" target=\"_blank\" rel=\"noopener\">On 16th April, the ECtHR, in Borislav Tonchev v Bulgaria, ruled that the legal framework in Bulgaria which regulates the storage of data on substitute administrative penalties is not foreseeable, and thus not in accordance with the law.<\/a> As to the facts of the case, the applicant was employed as a prison guard. In the meantime, he was caught driving drunk and issued with an administrative fine as a substitute for a criminal conviction. The data in the record were subsequently disclosed to his prospective employer when the applicant applied for a new post and also to his current employer, which resulted in his dismissal. The applicant complained to the ECtHR that his right to private life under Article 8 ECHR had been breached because of the continued retention of his data in the record, and the disclosure of this data to his previous employer. The Court first noted that the processing of data on convictions constitutes an interference with an individual\u2019s right to private life. 
As to the justification of the interference, the Court started by examining whether the interference was in accordance with law and focused specifically on the foreseeability of the law. The Court noted that: \u2018Those regulations lay down a clear time-limit (five years up until February 2013, and fifteen years since then) for keeping record cards for substitute administrative penalties (\u2026). By contrast, the regulations appear to contain ambiguity on the question of whether the electronic data derived from those cards are to be deleted alongside the record cards themselves, or whether they are to be retained for longer or indeed indefinitely (\u2026). With the digitalisation of the relevant records (\u2026), this question takes on considerable importance\u2019. It concluded that such \u2018vague\u2019 regulations, coupled with the rulings of the Supreme Administrative Court which justified the indefinite retention of the criminal records in question, cannot be considered to be foreseeable. 
The Court did not go into the question of the necessity of the data retention regime, as criticised by Judge Pavli in his Concurring Opinion.<\/p>\n<p>&nbsp;<\/p>\n<\/div>\n<div class=\"txtTinyMce-wrapper\" style=\"font-size: 12px; line-height: 18px; font-family: Arial, Helvetica Neue, Helvetica, sans-serif;\">\n<p style=\"font-size: 14px; line-height: 21px; word-break: break-word; text-align: justify;\"><strong><a style=\"text-decoration: none;\" href=\"https:\/\/www.edpb.europa.eu\/news\/news\/2024\/edpb-sets-out-priorities-2024-2027-and-clarifies-implementation-dpf-redress_en\" target=\"_blank\" rel=\"noopener\"><span style=\"font-size: 14px; line-height: 21px;\"><span style=\"line-height: 18px;\">&#8211; Updates from the EU Institutions and Bodies &#8211;<\/span><\/span><\/a><\/strong><\/p>\n<p style=\"line-height: 18px; word-break: break-word;\"><a style=\"text-decoration: underline;\" href=\"https:\/\/www.edpb.europa.eu\/news\/news\/2024\/edpb-sets-out-priorities-2024-2027-and-clarifies-implementation-dpf-redress_en\" target=\"_blank\" rel=\"noopener\">In the past two weeks, the EDPS and the EDPB adopted the following documents:<\/a><\/p>\n<ul>\n<li style=\"line-height: 18px;\">On 9th April, the EDPS adopted its annual report \u2013 available <a style=\"text-decoration: underline;\" href=\"https:\/\/www.edps.europa.eu\/system\/files\/2024-04\/2024-04-09-annual-report-2023_en.pdf\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/li>\n<li style=\"line-height: 18px;\">On 17th April, the EDPB adopted an Opinion, in which it criticized Meta\u2019s \u2018Pay or Consent\u2019 Policy \u2013 available <a style=\"text-decoration: underline;\" href=\"https:\/\/www.edpb.europa.eu\/news\/news\/2024\/edpb-consent-or-pay-models-should-offer-real-choice_en\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/li>\n<li style=\"line-height: 18px;\">On 18th April, the EDPB adopted its Strategy for 2024 \u2013 2027 and information on the implementation of the redress mechanism in 
the EU-US Data Privacy Framework \u2013 see <a style=\"text-decoration: underline;\" href=\"https:\/\/www.edpb.europa.eu\/news\/news\/2024\/edpb-sets-out-priorities-2024-2027-and-clarifies-implementation-dpf-redress_en\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/li>\n<\/ul>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>&#8211; CJEU Rules on Non-Material Damages &#8211; On 11th April 2024, the CJEU delivered its [&hellip;]<\/p>\n","protected":false},"author":144,"featured_media":71586,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","dpi-category":[],"dpi-tag":[],"class_list":["post-72486","dpi","type-dpi","status-publish","has-post-thumbnail","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72486","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi"}],"about":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/types\/dpi"}],"author":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/users\/144"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/comments?post=72486"}],"version-history":[{"count":1,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72486\/revisions"}],"predecessor-version":[{"id":72487,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72486\/revisions\/72487"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media\/71586"}],"wp:attachment":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media?parent=72486"}],"wp:term":[{"taxonomy":"dpi-category","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-category?post=72486"},{"taxonomy":"dpi-tag","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-tag?post=72486"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}