EU General Data Protection Regulation

• Guidelines 01/2021 on examples regarding personal data breach notification
• Guidelines 9/2022 on personal data breach notification under GDPR

• Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) of the GDPR in the context of the provision of online services to data subjects
• Guidelines 3/2019 on processing of personal data through video device
• Guidelines 02/2021 on virtual voice assistants

• Guidelines 02/2022 on the application of Article 60 GDPR
• Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority
• Guidelines 03/2021 on the application of Article 65(1)(a) GDPR

• Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data
• Guidelines 04/2021 on codes of conduct as tools for transfers
• Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR
• Guidelines 07/2022 on certification as a tool for transfers

• Guidelines 8/2020 on the targeting of social media users
• Guidelines 03/2022 on deceptive design patterns in social media platform interfaces: how to recognise and avoid them

• Articles 5(2) and 6: OpenAI failed to identify the legal basis for processing personal data for training the GPT models.
• Articles 5(1)(a), 12 and 13: OpenAI did not comply with the transparency principle and information obligations, as the privacy policy was only available in English, not easily accessible on its website, and lacked information on the processing of personal data for large language model (LLM) training.
• Articles 24 and 25: OpenAI did not implement suitable age verification mechanisms, risking exposure of children under 13 to inappropriate content.
• Article 33: OpenAI did not notify the Garante about the data breach in March 2023.
• Article 83(5)(e): OpenAI failed to comply with a previous compliance order from the Garante.

• Article 33(3): Meta did not include all required information in its breach notification.
• Article 33(5): Meta failed to document the facts and remedial steps of each data breach in a manner that allows the DPC to verify compliance.
• Article 25(1): Meta did not ensure that data protection principles were integrated into the design of processing systems (privacy-by-design).
• Article 25(2): Meta did not ensure that only personal data necessary for specific purposes are processed by default (privacy-by-default).

The Italian Data Protection Authority (Garante) fined food delivery company Foodinho €5 million for breaches of the GDPR in relation to its processing of riders’ biometric data and location data, as well as use of automated decision making. The Garante found that Foodinho had violated the following provisions of the GDPR:

• In relation to the processing of riders’ personal data for automated decision making in relation to, inter alia, task management and assignments, termination of employment relationships, and performance evaluation:
  (i) Articles 5(1)(a), 12 and 13 of the GDPR, for failing to provide the relevant information to riders on its use of automated decision-making and monitoring systems, having noted that employers cannot rely on the consent of an employee for the processing of their personal data given the unequal relationship between the parties; and
  (ii) Articles 5(1)(c), 22 and 25 of the GDPR, for failing to adopt appropriate measures to protect data subjects in automated decision-making processes;
• In relation to the processing biometric data of riders for authentication purposes and the use of facial recognition technology:
  (i) Articles 5(1)(a) and 9(2)(b) of the GDPR, for processing the biometric data without a lawful basis; and
  (ii) Article 35 of the GDPR, for conducting such processing without carrying out a Data Protection Impact Assessment;
• In relation to the processing of location data of riders:
  (i) Articles 5(1)(f) and 32 of the GDPR, for failing to adopt appropriate technical and organisational measures to prevent employees from accessing the personal data of riders, including their geographical positions;
  (ii) Articles 5(1)(c), 6, 13, 14 and 25 of the GDPR, for sending riders’ personal data, including location data, to third parties, for purposes outside of the purpose for which the data was collected; and
  (iii) Articles 5(1)(a) and 88 of the GDPR, for collecting and storing personal data beyond what is necessary (e.g., collecting location data when the app is in the background); and
• In relation to other aspects of its data processing practice: Articles 5(1)(a), 5(1)(c), 5(1)(d), 5(1)(e), 13, 25 and 28 of the GDPR.

Based on its findings, the Garante imposed a fine of €5 million on Foodinho and ordered Foodinho to adopt measures to bring its processing into compliance.

For further details, please refer to the press release dated 22 November 2024 and full decision issued by the Garante dated 13 November 2024 (both in Italian).

The Data Protection Commission of Ireland (DPC) fined LinkedIn Ireland Unlimited Company (LinkedIn) €310 million for breaches of the GDPR relating to its processing of personal data for behavioural analysis and targeted advertising purposes.

The DPC found that LinkedIn has failed to establish valid legal bases for processing personal data, specifically:

• The consent obtained was not “freely given, sufficiently informed or specific, or unambiguous” for processing third-party data of members (Article 6(1)(a));
• The “legitimate interests” basis was not validly relied on for processing first-party personal data of members as “LinkedIn’s interests were overridden by the interests and fundamental rights and freedoms of data subjects” (Article 6(1)(f)); and
• Contractual necessity could not be validly relied on to justify the processing of first-party data of members for behavioural analysis and targeted advertising (Article 6(1)(b)).

The DPC also found that LinkedIn has violated Articles 13(1)(c) and 14(1)(c) of the GDPR in respect of the information it provided to data subjects regarding its reliance on Article 6(1)(a), (b) and (f) as legal bases for processing and further contravened the principle of fairness under Article 5(1)(a).

In addition to the fine, the DPC issued a reprimand and an order to LinkedIn to bring its processing operations into compliance with the GDPR, pursuant to Article 58(2).

For further details, please refer to the press release issued by the DPC dated 24 October 2024.

The Dutch Data Protection Authority (AP) fined Uber €290 million for breaches of the GDPR relating to the transfer of personal data of European taxi drivers to the United States without appropriate safeguards.

AP found that Uber collected sensitive information of drivers from Europe (including account details, taxi licences, location data, photos, payment details, identity documents, criminal and medical data) and retained it on servers in the United States. The transfers in question took place between 6 August 2021 and 27 November 2023. At the material time, the EU-US Privacy Shield was invalidated as a mechanism for transatlantic data transfers by the decision of the Court of Justice of the European Union in 2020. Even though standard contractual clauses (SCC) could still provide a valid basis for transferring personal data to a country outside the EU (if an equivalent level of protection can be guaranteed in practice), Uber no longer used SCC from August 2021 and only relied on the EU-US Data Privacy Framework (the successor to the EU-US Privacy Shield) from near the end of 2023. Thus, AP considered that the personal data transferred during the said period was insufficiently protected and found that Uber had contravened Article 44 of the GDPR.

During the investigation, AP closely cooperated with the French Data Protection Authority (CNIL) and coordinated with other European data protection authorities on the decision. For further details, please refer to the press releases issued by the AP and the CNIL, both dated 26 August 2024.

The Dutch Data Protection Authority (AP) imposed a fine of €600,000 on A.S. Watson Health & Beauty Continental Europe B.V. (A.S. Watson) for violating Articles 5(1)(a) and 6 of the GDPR.

The AP’s investigation in October and November 2019 revealed that Kruidvat, a subsidiary of A.S. Watson, placed on its “Kruidvat.nl” website cookies on users’ devices without first obtaining valid consent from the users. The use of cookies on the website was also checked by default, meaning that users’ consent obtained in respect of processing of their personal data was not a “freely given, specific, informed and unambiguous” indication as required under Article 4 of the GDPR.

Moreover, it was found that the cookies collected information such as users’ location data, the pages they visited, the products they added to their shopping basket and purchased, and the recommendations they clicked on. The AP considered that the data collected was particularly sensitive. Given the nature of healthcare products available for purchase on Kruidvat’s website, when combined with the location data obtained through IP address tracking, highly specific and invasive user profiles of individuals visiting the “Kruidvat.nl” website could be created.

In light of the above, the AP determined that the processing of personal data of the website visitors was unlawful, thus contravening Articles 5 and 6 of the GDPR.

On 1 July 2024, the Oslo District Court upheld the 65 million kroner (approximately €5.55 million) fine imposed by the Norwegian Data Protection Authority (Datatilsynet) against the dating application (app) Grindr for its failure to comply with the consent requirement under the GDPR.

The case originated from a complaint lodged by the Norwegian Consumer Council in 2020 as Grindr was found to have shared sensitive personal data of users with numerous commercial third parties, several of which reserved the right to further share the data with other companies for targeted advertising. The personal data shared by Grindr included the users’ GPS locations, IP addresses, advertising ID, age, gender, device information and users’ names on the app.

The court upheld Datatilsynet’s decision that the purported consents Grindr obtained for sharing personal data were invalid, as users could only accept the privacy policy in its entirety to use the app and were not asked specifically if they wanted to consent to the sharing of their data with third parties for behavioural advertisements. It was also found that the information on the sharing of personal data was not properly communicated to users. Hence, the purported consents fell short of the requirement of a valid “consent” under Article 4 of the GDPR.

Furthermore, the court confirmed Datatilsynet’s findings that the information of a person being a registered user of Grindr (which markets itself specifically to the LGBTQ+ community) is considered as personal data concerning a person’s sexual orientation, which falls within the definition of special category of personal data under Article 9(1) of the GDPR. As the purported consents obtained were not valid, by sharing the said personal data, Grindr has failed to comply with the GDPR. With more stringent consent requirements under Article 9 of the GDPR, the court considered that Grindr also failed to obtain “explicit consent” in accordance with Article 9(2)(a) of the GDPR.

The French Data Protection Authority (CNIL) fined Amazon France Logistique (Amazon), which manages the Amazon group’s large warehouses in France, €32 million for breaches of the GDPR relating to employee monitoring using scanners and video surveillance processing.

The CNIL found that in giving scanners to its employees to document the performance of the tasks assigned to them in real time, Amazon has (i) failed to comply with the data minimisation principle (in contravention of Article 5(1)(c)); (ii) failed to ensure lawful processing in using indicators which are excessively intrusive illegal, including indicators which make it possible to constantly monitor any time an employee’s scanner is interrupted, potentially requiring employees to justify every break or interruption (in contravention of Article 6); and (iii) failed to ensure that the privacy policy of Amazon had been given to temporary workers before their personal data was collected using the scanners or processed (in contravention of Articles 12 and 13).  

Further, CNIL found that in using video surveillance processing, Amazon has (i) failed to properly inform employees and external visitors of the video surveillance systems by providing information on notice boards or in other media or documents (in contravention of Articles 12 and 13), and (ii) failed to comply with the obligation to ensure security of personal data in using weak access password and sharing access account among several users (in contravention of Article 32).

For further details, please refer to the press release and the decision issued by the CNIL dated 23 January 2024.

The Dutch Data Protection Authority (AP), in cooperation with the French Data Protection Authority (CNIL), issued a €10 million fine on Uber Technologies, Inc. and Uber B.V. (Uber) for breaches of the GDPR by (i) failing to provide the data requested under the right of access in a clear manner and an accessible format and only providing such information in English (in contravention of Article 12(1)); (ii) not making the online form for exercising rights within the application used by drivers sufficiently accessible, as the form was located deep within the app and spread across various menus, and it could have been placed in a more logical location (in contravention of Article 12(2)); (iii) providing incomplete information in their privacy statement about data transfers outside the European Union and the specific security measures regarding the data transfers (in contravention of Articles 13(1)(f) and 15(2)), as well as overly general information about data retention periods (in contravention of Articles 13(2)(a), 15(1)(a) and 15(1)(d)); and (iv) failing to explicitly mention the right to data portability in their privacy statement (in contravention of Article 13(2)(b)).

In determining the amount of the fine, AP considered the size of the organisation and the severity and gravity of the infringements. At the time of the infringements, about 120,000 drivers were working for Uber in Europe.

For further details, please refer to the press release issued by the AP and the press release issued by the CNIL, both dated 31 January 2024.

Court of Justice of the European Union clarifies the right of access by the data subject in cases of automated decision-making and profiling

On 27 February 2025, the Court of Justice of the European Union (CJEU) delivered a judgment concerning the right of access by the data subject in cases of automated decision-making and profiling in the context of Article 15(1)(h) of the GDPR.

The case originated from a request for a preliminary ruling by the Administrative Court of Vienna, Austria, which involves a legal dispute between CK  (an individual) and the City Council of Vienna regarding the enforcement of a court order. CK was refused a mobile telephone contract based on an automated credit assessment conducted by Dun & Bradstreet Austria GmbH (“D&B”) and hence brought the matter before the Austrian Data Protection Authority. D&B was ordered to provide CK with “meaningful information about the logic involved” in the automated decision-making based on CK’s personal data. However, D&B claimed that the relevant algorithm used was protected by trade secret.

The CJEU confirmed that to constitute “meaningful information about the logic involved” in automated decision-making under Article 15(1)(h) of the GDPR, the data controller is required to explain, in a concise, transparent, intelligible and easily accessible form, the procedure and principles actually applied to use the data subject’s personal data in automated processing to reach a specific result, such as a credit profile. It was emphasised that meaningful information must enable data subjects to understand what kind of personal data were used and how the data affected the decision, in allowing them to effectively exercise their rights to express their point of view and contest the decision under Article 22(3) of the GDPR.

Although data controllers are not required to disclose  complex mathematical formulas or algorithms in their entirety, or the detailed description of all processing steps in automated decision-making, the CJEU noted that information should effectively describe the rationale and criteria relied upon in reaching the automated decision.

Further, the CJEU held that where a data controller claims that information to be provided contains trade secret (within the meaning of Article 2(1) of the Trade Secrets Directive (EU) - Directive 2016/943) or personal data of third parties, the data controller must provide the allegedly protected information to the competent supervisory authority or court for the latter to balance the rights and interests at issue to determine the extent of the data subject’s right of access. It was stressed that, as stated in Recital 63 of the GDPR, trade secret should not be a ground of refusal to provide all information to the data subject.

Court of Justice of the European Union clarifies the concept of “undertaking” in relation to calculation of fines against subsidiaries on GDPR infringements

On 13 February 2025, the Court of Justice of the European Union (CJEU) made a ruling on the interpretation of the concept of “undertaking” when calculating administrative fines for GDPR infringements committed by subsidiaries, in the context of Article 83(4) to (6) of the GDPR.

The case arose from a request for a preliminary ruling from the Vestre Landsret (High Court of Western Denmark) in criminal proceedings against ILVA A/S, a furniture store chain (the data controller), for alleged GDPR infringements as regards the retention of the data of at least 350,000 former customers. ILVA is a subsidiary of Lars Larsen Group, which is headquartered in Denmark.

The Danish Public Prosecutor’s Office, upon the recommendation of the Danish Data Protection Authority (Datatilsynet), sought a fine of DKK 1.5 million (approximately €201,000) against ILVA with the overall turnover of Lars Larsen Group as the basis of the calculation. Subsequently, the Aarhus District Court found ILVA guilty and imposed a much lower fine of DKK 100,000 (approximately €13,400), taking into account only ILVA’s turnover since it was of the view that ILVA functioned as an independent retail entity and Lars Larsen Group was not established solely for handling the Group’s data. The Public Prosecutor’s Office appealed against the District Court’s decision.

The referring court sought clarification from the CJEU on whether the term “undertaking” in Article 83(4) to (6) of the GDPR should be aligned with the concept of “undertaking” under Articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU), and if so, whether the total worldwide annual turnover of the entire economic entity should be considered when calculating the fine.

It was ruled that the term “undertaking” in Article 83(4) to (6) of the GDPR corresponds to the concept of “undertaking” in the TFEU, which is also consistent with Recital 150 of the GDPR. The CJEU found that when a fine regarding GDPR infringement is imposed on a data controller that is part of a larger undertaking, the maximum amount of the fine must be determined based on a percentage of the entire undertaking’s total worldwide annual turnover in the preceding business year. The CJEU further emphasised that a fine must be “effective, proportionate and dissuasive” in consideration of the actual or material economic capacity of the recipient of the fine.

Court of Justice of the European Union clarifies conditions for awarding ‘non-material damage’

On 14 December 2023, the Court of Justice of the European Union (CJEU) ruled that the misuse of personal data following a cyberattack constitutes “non-material damage” under the GDPR. The case stemmed from a 2019 cyberattack of the Bulgarian National Revenue Agency, after which cybercriminals published personal data concerning millions of persons. The Bulgarian Supreme Administrative Court requested the CJEU to determine the conditions for awarding non-material damages, and the extent to which the data controller needed to demonstrate adequate security measures were in place.

In the judgment, the CJEU answered the referred questions as follows:

• In the event of unauthorised disclosure of or unauthorised access to personal data, courts must assess the appropriateness of the protective measures implemented in a concrete manner, and cannot infer from the unauthorised disclosure or unauthorised access alone that the protective measures implemented by the data controller were not appropriate.
• It is for the data controller to prove that the protective measures implemented were appropriate.
• In the event that the unauthorised disclosure of personal data or unauthorised access to those data is committed by a ‘third party’ (such as cybercriminals), unless the data controller can prove that it is in no way responsible for the damage suffered by the data subjects, the data controller may be required to compensate the data subjects concerned.
• The fear experienced by a data subject concerning a possible misuse of his personal data by third parties as a result of an infringement of the GDPR is, in itself, capable of constituting ‘non-material damage’.

For further details of the judgment, please refer to (1) CJEU’s Judgment and (2) Press Release issued by the CJEU dated 14 December 2023.

Court of Justice of the European Union rules on the lawfulness of credit scoring

On 7 December 2023, the Court of Justice of the European Union (CJEU) handed down two rulings to oppose two data processing practices by credit information agencies. The rulings against German credit information agency concerned its practice of automated establishment of a probability score regarding an individual’s ability to meet payment commitments in the future based on the personal data of that individual and its retention of customer insolvency data.

The CJEU was asked by the German Administrative Court of Wiesbaden to clarify whether credit scoring, a mathematical statistical method used to predict the probability of future behaviour such as the repayment of a loan, constituted “automated decision making” under Article 22 of the GDPR, and whether SCHUFA’s retention period of 3 years for information relating to the granting of a discharge from remaining debts was lawful.

The CJEU held that credit scoring must be regarded as an ‘automated individual decision’, which was prohibited in principle under Article 22, in so far as third parties (including SCHUFA’s clients, such as banks) attribute to it a determining role in the granting of credit. It was for the Administrative Court of Wiesbaden to assess whether the German Federal Law on data protection contains any valid exceptions to that prohibition in accordance with the GDPR, and if it does, whether the general conditions for data processing under the GDPR had been met.

As regards the retention of information on debt discharge, the CJEU considered that it was contrary to the GDPR for private agencies to keep such data for longer than the 6-month period mandated by German law for the public insolvency register. Since the retention of data beyond six months was held unlawful, the data subject has the right to have the data deleted and the agency is obliged to delete the data as soon as possible. Even where the storage for six months is lawful, the data subject will still have the right to object to the processing of his data and the right to have the data erased, unless the existence of overriding legitimate grounds can be demonstrated.

For further details of the judgment, please refer to (1) CJEU’s Judgments of Case C-634/21 and Joined Cases C‑26/22 and C‑64/22 and (2) Press Release issued by the CJEU dated 7 December 2023.

Court of Justice of the European Union rules on the imposition and calculation of administrative fines

On 5 December 2023, the Court of Justice of the European Union (CJEU) reaffirmed the conditions under which supervisory authorities could issue fines to data controllers under the GDPR and ruled that a data controller should not receive a fine unless the violation of the GDPR was committed “intentionally or negligently”. The decision stemmed from cases originating from Lithuania and Germany, which respectively dealt with the Lithuania National Public Health Centre processing citizens’ data for its COVID-19 monitoring app and a German real estate company retaining personal data to tenants for longer than necessary.

The CJEU was asked by a Lithuanian court and a German court to interpret the GDPR regarding the imposition and calculation of administrative fine on controller for infringements under Article 83.

Regarding the imposition of an administrative fine under Article 83, the CJEU ruled that a supervisory authority may not impose a fine on a data controller for an infringement of the GDPR unless that infringement was committed wrongfully, i.e. intentionally or negligently. A data controller may be fined for conduct falling within the scope of the GDPR where that data controller could not have been unaware of the infringing nature of its conduct, regardless of whether or not it was aware of the infringement.

In addition, the CJEU held that, where the data controller is a legal person, it is not necessary for the infringement to have been committed by its management body, or for that body to have knowledge of such infringement. On the contrary, a legal person is liable both for infringements committed by its representatives, directors or managers, and for those committed by any other person acting in the course of the business of that legal person and on its behalf. Further, the imposition of fines is not premised upon a finding of an infringement being committed by an identified natural person. A data controller may also be fined for operations performed by a data processor to the extent that the data controller may be held responsible for such operations.

As regards the calculation of an administrative fine under Article 83, the CJEU ruled that where the addressee of a fine is, or forms part of, an undertaking, a supervisory authority must take as its basis the concept of an “undertaking” under EU competition law, which defines an economic unit even if in law that economic unit consists of several persons, natural or legal. Accordingly, for the calculation of a fine, a supervisory authority must take into account the total worldwide turnover of the undertaking concerned, taken as a whole, in the preceding business year, as the basis for penalties.

For further details of the judgment, please refer to (1) CJEU’s Judgments of Case C-683/21 and Case C-807/21 and (2) Press Release issued by the CJEU dated 5 December 2023.

The European Commission Retains all its Existing Adequacy Decisions

On 15 January 2024, the European Commission concluded its review and evaluation of its 11 existing adequacy decisions under the 1995 Data Protection Directive and the GDPR.

In its published report, the European Commission finds that personal data transferred from the European Union to Andorra, Argentina, Canada, Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay, continues to benefit from adequate data protection safeguards. As such, the adequacy decisions adopted for these 11 countries and territories would remain in place and data can continue to flow freely to these jurisdictions.

The review has demonstrated that the data protection frameworks in these countries and territories have further converged with the EU’s framework and strengthened protection of personal data in their jurisdictions. The review also showed that public authorities in the 11 jurisdictions are subject to appropriate safeguards in the area of access to data by public authorities, notably for law enforcement or national security purposes.

For further details of the review, please refer to the European Commission’s full report dated 15 January 2024.

• limiting access to EU data subject's personal data by US intelligence services to what is necessary and proportionate to protect national security (under the US's Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities');
• providing EU data subjects whose data would be transferred to the US under the DPF with several new rights (i.e., to access their data, or to correct or delete inaccurate or unlawfully handled data); and
• establishing a two-tier redress mechanism for EU data subjects (i.e., EU data subjects' complaints would first be investigated by the Civil Liberties Protection Officer (CLPO) of the US intelligence community, and the data subjects may appeal the CLPO's decision before the independent and newly established Data Protection Review Court).

• Contracts concluded on or before 21 September 2022 on the basis of the Old SCCs shall continue to provide appropriate safeguards for the purpose of the UK GDPR (provided that the processing operations that are the subject matter of the contract remain unchanged) until 21 March 2024.
• From 22 September 2022, either the IDTA or the Addendum will have to be incorporated for new contracts concerning international transfers of personal data under the UK GDPR.
• From 22 March 2024, the old SCCs will no longer be deemed to provide “appropriate safeguards” for the purpose of the UK GDPR. All contracts that have incorporated the old SCCs will have to be substituted by either the IDTA or the Addendum by 21 March 2024.