In a decision on immaterial damages under Article 82 of the EU General Data Protection Regulation (GDPR), the Higher Regional Court of Dresden, Germany (case number 4 U 940/24), set out important monitoring and auditing obligations of controllers with respect to their processors.  

The controller (defendant) operates an online music

Continue Reading Germany: Monitoring and auditing obligations of controllers with respect to their processors

On April 9, 2025, the coalition agreement of the future German Federal Government, consisting of the three German parties CDU, CSU and SPD, was published. The document entitled “Responsibility for Germany” contains several plans, including some that may fundamentally change the German data protection supervisory authority structure and that aim to ease the regulatory burden

Continue Reading Germany: New government plans to centralize data protection supervision and reduce regulation for small and medium-sized companies

The seventh annual edition of DLA Piper’s GDPR Fines and Data Breach Survey has revealed another significant year in data privacy enforcement, with an aggregate total of EUR1.2 billion (USD1.26 billion/GBP996 million) in fines issued across Europe in 2024.

Ireland once again remains the preeminent enforcer issuing EUR3.5 billion (USD3.7 billion/GBP2.91 billion) in fines since

Continue Reading EU: DLA Piper GDPR Fines and Data Breach Survey: January 2025

If employers and works councils agree on ‘more specific rules’ in a works agreement regarding the processing of employees’ personal data in the employment context (Art. 88 (1) GDPR), these must take into account the general data protection principles, including the lawfulness of processing (Art. 5, Art. 6 and Art. 9 GDPR), according to the

Continue Reading Germany: Works agreements cannot legitimate inadmissible data processing.

In its judgement of November 18, 2024 (case number VI ZR 10/24) the German Federal Court of Justice (Bundesgerichtshof – “BGH”) clarified key legal issues regarding claims for damages under Article 82 GDPR in the event of a mere loss of control of personal data in the Facebook scraping complex. This blog

Continue Reading Germany: Update: Judgment on Non-Material Damages for Loss of Control over Personal Data

On November 18, 2024, the German Federal Court of Justice (Bundesgerichtshof – “BGH”) made a (to date unpublished) judgment under the case number VI ZR 10/24 regarding claims for non-material damages pursuant to Art. 82 GDPR, due to the loss of control over personal data.

The judgment is based on a personal

Continue Reading Germany: Judgment on Non-Material Damages for Loss of Control over Personal Data

The European Data Protection Board (“EDPB“) adopted an opinion on 7 October 2024, providing guidance for data controllers relying on processors (and sub-processors) under the GDPR. The two key themes are:

  1. supply chain mapping;
  2. verifying compliance with flow-down obligations.

For many financial institutions, the emphasis on these obligations should not come as a

Continue Reading EU: Engaging vendors in the financial sector: EDPB clarifications mean more mapping and management

October has already been a busy month for the Court of Justice of the European Union (“CJEU”), which has published a number of judgments on the interpretation and application of the GDPR, including five important decisions, all issued by the CJEU on one day – 4 October 2024. 

This article provides an overview

Continue Reading EU: CJEU Insight 

Summary

In its judgement of 11 July 2024 (C-757/22), the European Court of Justice (‘ECJ’) ruled that the violation of a controller’s information obligations under Art. 12 and 13 GDPR, can be subject to a representative action under Article 80(2) GDPR.

Facts of the case

Meta Platforms Ireland Limited (“

Continue Reading Europe/Germany:  Right to bring collective action for violations of information obligations under GDPR

On August 21, 2024, the second expert committee appointed under the Thai Personal Data Protection Act (PDPA) of 2019, issued an administrative fine to a major private company involved in online sales. The company allowed a significant amount of personal data to leak to call center gangs without implementing adequate security measures as required by

Continue Reading THAILAND: First PDPA Enforcement in Thailand: A Landmark Case