Yesterday, I had the pleasure of giving a 5h presentation on the latest case law on the GDPR and other data protection legislation at various levels (Belgium, other EU countries, the Court of Justice and the European Court of Human Rights) to Data Protection Officers from a broad range of organisations and companies.
The past few months have been full of interesting decisions, from the “fines for negligence & wilful intent” cases before the CJEU to the Belgian Data Protection Authority’s first big data broker decision, with various European and EU decisions on automated decision-making and credit scoring also in the mix. Cybersecurity, CCTV, ex-employee data subject requests, etc., lots to talk about.
Some decisions are more questionable than others, so I shared insights into some of the counterarguments, as well as pointers on litigation reflexes that can also be of use to DPOs in their role (e.g. in the context of investigations by the BDPA’s Inspection Service).
We also discussed the role of the DPO in an evolving legal landscape, with the adoption of much other data-related legislation (Data Act, Data Governance Act, Digital Services Act, Digital Markets Act, and soon the AI Act).
A few key takeaways?
– Automated decision-making judgments (such as the CJEU’s SCHUFA I & II judgments of 7 December 2023, as well as the BDPA’s car sharing decision of 19 December 2023) are already having an effect on providers of various kinds of services that could theoretically help with decision-making processes
– The notions of “controller” and “joint controller” remain subject to many discussions (and we will see in a few weeks whether that gets refined further at the level of the CJEU), so organisations have to properly document their choices
– Some authorities increasingly refer to EDPB guidelines without questioning their legal value and whether they are binding (also: few organisations are really investigating how to challenge EDPB positions, but that may change)
– Legitimate interest as a legal ground is under heavy fire, in particular where there are transparency issues (e.g. no evidence of prior information to data subjects), but documentation is key to ensuring that a controller has a story to tell
– It remains crucial to properly define the scope of a data subject request – and to limit the answer to what is truly sought, also using the limits to data subject rights (e.g. those foreseen in Art. 12 and 15 GDPR)
– Organisations really need to have a policy in place regarding e-mail monitoring and access (e.g. during sick leave, after departure, or in case of unauthorised behaviour) and to consider what happens to the mailbox after an employee leaves
Do you think your company could benefit from a dedicated workshop on relevant trends? Get in touch!
And if you are in Brussels on 8 March, register for our complimentary workshops on data governance and third-party risk management (AI, cybersecurity, etc.): https://lnkd.in/eRcWMExV
Did this analysis get you thinking? Reach out!
DataLaws.net is entirely open-access, and instead of getting your data in exchange for this content, how about another trade? If this commentary saved you research time or sparked an idea, feel free to invite me over for tea, chai or a hot chocolate next time you are around Brussels or Antwerp - or invite me over to your offices for a chat!