Blog
Blog » HAPPY BIRTHDAY GDPR – 5 LANDMARK DECISIONS OF THE CJEU FROM THE LAST 5 YEARS
HAPPY BIRTHDAY GDPR – 5 LANDMARK DECISIONS OF THE CJEU FROM THE LAST 5 YEARS
15 June 2023
Five years ago, probably the most common concern of companies across the European Union was to reach compliance with the General Data Protection Regulation. In the recent years, tempers have calmed down, nevertheless the application of the GDPR raises interesting legal questions from time to time. To celebrate the GDPR’s fifth birthday, we collected five landmark decisions of the Court of Justice of the European Union interpreting the GDPR that made a high impact on data controllers’ lives.
#1 The DIGI case about purpose limitation
In 2020 Hungarian telco company DIGI was fined for HUF 100 Million by the Hungarian supervisory authority since an ethical hacker revealed that a test database is available online which contains the personal data of DIGI’s clients collected for the purposes of the conclusion and performance of subscription contracts. DIGI created the test database following a technical malfunction but after correcting the error, forgot to delete it.
DIGI challenged this decision before the administrative court which wanted CJEU[1] to answer the question whether the principle of purpose limitation precludes the controller from using personal data in a test database which were previously collected in another database.
The Luxembourg Court clarified that the principle of purpose limitation does not preclude the controller from storing personal data in a database set up for testing and error correction purposes if such further processing is compatible with the initial data collection purposes.
#2 The Fashion ID case about joint controllers
In this case[2], the CJEU confirmed that the capacity of being a data controller is independent of the fact whether the data controller has access or not to the data.
Fashion ID, an online clothing retailer embedded on his webpage the Like social plugin of Facebook, which means that the personal data of the webpage visitors is transmitted to the Facebook. A consumer protection association started a litigation against Fashion ID and the national court referred the case to Luxembourg.
In this context, the CJEU ruled that the fact that Fashion ID does not have access to the collected and transmitted data, does not preclude him from being a controller. In fact, Fashion ID is regarded as a joint controller with Facebook, given that the data processing is carried out in the economic interest of both parties for their jointly determined purposes.
#3 The Austrian Post case about the right to compensation
Data controllers can keep calm, as in a fresh decision[3], the CJEU ruled that not every infringement of the GDPR gives rise to a right to compensation.
The Austrian Post collected information on the political affinities of the Austrian people and used a special algorithm to categorize and send them targeted advertising. An individual claimed that he suffered non-material damages as a consequence of this data processing and started a litigation to seek compensation.
The Austrian Supreme Court asked the CJEU whether a mere infringement of the GDPR is sufficient to confer a right to compensation. The CJEU clarified that while administrative remedies can be sought in case of an infringement of the GDPR, the right to compensation offered by the GDPR is conditional upon a damage suffered.
#4 Hungarian case about the admissibility of parallel proceedings
In a case connected to Hungary[4], the CJEU needed to answer the question whether administrative and civil remedies offered by the GDPR may be exercised parallelly.
Regarding the factual background, after the company only partially complied with the access request of a shareholder, the latter started an administrative litigation against the decision of the Hungarian supervisory authority and parallelly filed a civil lawsuit against the company.
The administrative court sent the case to the CJEU which found that the administrative and civil remedies provided for by the GDPR may be exercised concurrently with and independently of each other.
#5 The Schrems II case about annulling the Privacy Shield
Undoubtedly, the decision that made the highest impact on data controllers’ lives was the one delivered in the case started by Maximilian Schrems, the nemesis of Mark Zuckerberg in relation to data transfers to the United States[5].
In this case, the CJEU found that the EU-U.S. Privacy Shield mechanism, which facilitated data transfers to the United States, did not provide an adequate protection to personal data transferred to the U.S., therefore considered it as invalid.
Companies who transferred personal data to the U.S. based on the Privacy Shield needed to find other ways to be able to transmit personal data the U.S. lawfully, for example using the standard contractual clauses.
Now, at least, the new Transatlantic Privacy Framework is on the horizon, so hopefully data transfers to the U.S. will be significantly easier.
This article was originally published on CEE Legal Matters on 25/05/2023
-
CJEU DECISION IN A GDPR-RELATED CASE: DOES THE VIOLATION OF THE GDPR AUTOMATICALLY CONSTITUTE NON-MATERIAL DAMAGE?
Does the infringement of the data subjects’ rights by the controller give automatically rise to compensation? Can the controller be exempted from liability solely on the basis that the damage was the result of the fact that its employee did not comply with its instructions? What are decisive criteria to determine the amount of damages? In this article we analyse the fresh decision of the CJEU which addressed the previous questions.
Read more » -
HUNGARY – PERSONAL SCOPE EXTENSION OF JURISDICTION CLAUSE TO NON-SIGNATORY UNDER BRUSSELS IBIS
Does the principle of independence of the choice-of-court agreement require that parties shall expressly transfer the dispute resolution clause in case of transfer of the main contract? When can the personal scope of a jurisdiction agreement be extended to a non-signatory? A Hungarian appellate court decided upon these questions under the Brussels Ibis Regulation in a recent judgment
Read more » -
SETTING ASIDE ARBITRAL AWARDS IN HUNGARY
Given that there is no right of appeal in arbitration proceedings, it is important to be aware of what other legal remedies are available to you against an arbitral award. According to the Hungarian Arbitration Act, the parties may request the competent state court to set aside the award, which is a “mandatory” remedy, which cannot be waived by the parties in advance.
Read more »