If employers and works councils agree on ‘more specific rules’ in a works agreement regarding the processing of employees’ personal data in the employment context (Art. 88 (1) GDPR), these must take into account the general data protection principles, including the lawfulness of processing (Art. 5, Art. 6 and Art. 9 GDPR), according to the
Continue Reading Germany: Works agreements cannot legitimate inadmissible data processing.
Germany: Update: Judgment on Non-Material Damages for Loss of Control over Personal Data
In its judgement of November 18, 2024 (case number VI ZR 10/24) the German Federal Court of Justice (Bundesgerichtshof – “BGH”) clarified key legal issues regarding claims for damages under Article 82 GDPR in the event of a mere loss of control of personal data in the Facebook scraping complex. This blog
Continue Reading Germany: Update: Judgment on Non-Material Damages for Loss of Control over Personal Data
EU: Cyber Resilience Act published in EU Official Journal
On 20 November 2024, the EU Cyber Resilience Act (CRA) was published in the Official Journal of the EU, kicking off the phased implementation of the CRA obligations.
What is the CRA?
The CRA is a harmonising EU regulation, the first of its kind focusing on safeguarding consumers and businesses from cybersecurity threats.
Continue Reading EU: Cyber Resilience Act published in EU Official Journal
Germany: Judgment on Non-Material Damages for Loss of Control over Personal Data
On November 18, 2024, the German Federal Court of Justice (Bundesgerichtshof – “BGH”) made a (to date unpublished) judgment under the case number VI ZR 10/24 regarding claims for non-material damages pursuant to Art. 82 GDPR, due to the loss of control over personal data.
The judgment is based on a personal
Continue Reading Germany: Judgment on Non-Material Damages for Loss of Control over Personal Data
EU: EHDS – Access to health data for secondary use under the European Health Data Space
This is Part 3 in a series of articles on the European Health Data Space (“EHDS“). Part 1, which provides a general overview of the EHDS, is available here. Part 2, which deals with the requirements on the manufacturers of EHR-Systems under the EHDS, is available here.
This article provides an
Continue Reading EU: EHDS – Access to health data for secondary use under the European Health Data SpaceEU: Engaging vendors in the financial sector: EDPB clarifications mean more mapping and management
The European Data Protection Board (“EDPB“) adopted an opinion on 7 October 2024, providing guidance for data controllers relying on processors (and sub-processors) under the GDPR. The two key themes are:
- supply chain mapping;
- verifying compliance with flow-down obligations.
For many financial institutions, the emphasis on these obligations should not come as a
Continue Reading EU: Engaging vendors in the financial sector: EDPB clarifications mean more mapping and management
EU: CJEU Insight
October has already been a busy month for the Court of Justice of the European Union (“CJEU”), which has published a number of judgments on the interpretation and application of the GDPR, including five important decisions, all issued by the CJEU on one day – 4 October 2024.
This article provides an overview
Continue Reading EU: CJEU Insight
EU: ECJ rules that competitors are entitled to bring an injunction claim based on an infringement of the GDPR.
Introduction
In its judgement of 04 October 2024 (C-21/23), the European Court of Justice (“ECJ”, “Court”) ruled, that the provisions of Chapter VIII of the GDPR, do not preclude national rules which grant undertakings the right to rely, on the basis of the prohibition of acts of unfair competition
Continue Reading EU: ECJ rules that competitors are entitled to bring an injunction claim based on an infringement of the GDPR.
EU: CJEU Confirms that Legitimate Interests can cover purely commercial interests
Introduction
The subject of “legitimate interests” and in particular whether they can be “purely commercial” has been a topic of front and center stage debate in the Netherlands for some time. The Dutch data protection authority (AP) has historically interpreted the concept of legitimate interest narrowly, taking the position that organisations
Continue Reading EU: CJEU Confirms that Legitimate Interests can cover purely commercial interests
UK: The UK Cybersecurity and Resilience Bill – a different approach to NIS2 or a British sister act?
In the much anticipated first King’s Speech of the new Labour Government on 17 July 2024, the monarch announced that the long anticipated Cybersecurity and Resilience Bill (CS&R Bill) would be amongst those new laws making their way onto Parliament’s schedule for the next year. Six years on from the implementation of the
Continue Reading UK: The UK Cybersecurity and Resilience Bill – a different approach to NIS2 or a British sister act?