Scope: GDPR


Let’s meet at the upcoming IAPP Europe Data Protection Congress in Brussels

Looking forward to seeing many contacts next week at the IAPP Congress in Brussels – let me know if you would like to meet up on the Wednesday or Thursday. On Tuesday 14 November we are giving an invite-only workshop to select companies on Tomorrow’s Data Challenges, with discussions on topics such as dark patterns, […]


Op-ed: “Pay or data” has its reasons – even if you disagree

“Pay or data” and cookie walls are clearly controversial topics, but I feel something needs to be said regarding their justification – else LinkedIn and the broader web may seem to be a very anti-business environment from a data protection perspective, based on various posts and articles I have seen in recent months. Running a […]


Why simply viewing client data on a mobile app isn’t a transfer under the GDPR

I’m seeing significant misinterpretations of the CJEU’s newest GDPR judgment. The CJEU *did not say* today that simply seeing information on a mobile app is processing of personal data. Instead, it said that *the process by which a COVID certificate is scanned by a device and then interpreted to reveal a green checkmark or a […]


When data protection failures lead to prison sentences instead of standard fines

Fines aren’t the only possible sanction in case of an infringement of data protection rules – prison is also a possibility in certain countries. That’s exactly the outcome of a case in France, where a former head of HR received a six-month (suspended) prison sentence yesterday. In that case, the person in question had created […]


Why claims of 100% GDPR compliance for AI software are a myth

“100% GDPR compliant” claims seem to have made a big comeback with the flurry of Generative AI tools being released*. As a reminder, claiming that a software solution is GDPR compliant is a marketing trick at best and misleading at worst. First, if you’re not sure what the sources are on which a particular AI system […]


Suspicion alone is not a valid reason to file a complaint with the Belgian DPA

“I’m not sure X/Y’s data protection practices are compliant” is not a justification for filing a complaint, says the Belgian DPA in a new decision, reminding data subjects that they should exercise their rights before a complaint or at least be able to show that an alleged non-compliance by a controller or processor somehow affects […]


The Belgian Market Court protects document confidentiality against complainants

Important comment by the Belgian Market Court in a new judgment, here on confidentiality of controller/processor documents vis-à-vis a complainant: “the general principle regarding the prohibition of the abuse of rights prevents a complainant […] from using the complaint to obtain information that it would not be able to obtain lawfully by other means”. The […]


Why the EU-US Data Privacy Framework isn’t a complete global transfer fix

Great news about the EU-U.S. adequacy decision! But let’s remember that many organisations want a solution for global transfers, not just for the United States. While the EU-U.S. adequacy decision helps a lot, it is only part of the solution that organisations need. Let’s look at some of the other components. Another part of the […]


An expanded look at the contract legal ground after the landmark CJEU Meta ruling

After some initial thoughts on Tuesday, here is a slightly expanded analysis of the “contract” legal ground assessment by the CJEU in its new Meta judgment (C-252/21). Once again, I hope this ruling will not be misapplied in practice – and that controllers who build personalisation into a service for valid reasons are not forced […]


How the CJEU defines the objectively indispensable threshold for contract performance

“Objectively indispensable”, that’s how the CJEU describes the threshold for processing of personal data to be necessary for performance (or conclusion) of a contract under Art. 6(1)(b) GDPR. In its new Meta judgment (case 252/21), the Court of Justice examined many points of law, but it may be useful to other organisations to look at paragraphs […]
