Blog
Blog » HAPPY BIRTHDAY GDPR – 5 LANDMARK DECISIONS OF THE CJEU FROM THE LAST 5 YEARS
HAPPY BIRTHDAY GDPR – 5 LANDMARK DECISIONS OF THE CJEU FROM THE LAST 5 YEARS
15 June 2023
Five years ago, probably the most common concern of companies across the European Union was to reach compliance with the General Data Protection Regulation. In the recent years, tempers have calmed down, nevertheless the application of the GDPR raises interesting legal questions from time to time. To celebrate the GDPR’s fifth birthday, we collected five landmark decisions of the Court of Justice of the European Union interpreting the GDPR that made a high impact on data controllers’ lives.
#1 The DIGI case about purpose limitation
In 2020 Hungarian telco company DIGI was fined for HUF 100 Million by the Hungarian supervisory authority since an ethical hacker revealed that a test database is available online which contains the personal data of DIGI’s clients collected for the purposes of the conclusion and performance of subscription contracts. DIGI created the test database following a technical malfunction but after correcting the error, forgot to delete it.
DIGI challenged this decision before the administrative court which wanted CJEU[1] to answer the question whether the principle of purpose limitation precludes the controller from using personal data in a test database which were previously collected in another database.
The Luxembourg Court clarified that the principle of purpose limitation does not preclude the controller from storing personal data in a database set up for testing and error correction purposes if such further processing is compatible with the initial data collection purposes.
#2 The Fashion ID case about joint controllers
In this case[2], the CJEU confirmed that the capacity of being a data controller is independent of the fact whether the data controller has access or not to the data.
Fashion ID, an online clothing retailer embedded on his webpage the Like social plugin of Facebook, which means that the personal data of the webpage visitors is transmitted to the Facebook. A consumer protection association started a litigation against Fashion ID and the national court referred the case to Luxembourg.
In this context, the CJEU ruled that the fact that Fashion ID does not have access to the collected and transmitted data, does not preclude him from being a controller. In fact, Fashion ID is regarded as a joint controller with Facebook, given that the data processing is carried out in the economic interest of both parties for their jointly determined purposes.
#3 The Austrian Post case about the right to compensation
Data controllers can keep calm, as in a fresh decision[3], the CJEU ruled that not every infringement of the GDPR gives rise to a right to compensation.
The Austrian Post collected information on the political affinities of the Austrian people and used a special algorithm to categorize and send them targeted advertising. An individual claimed that he suffered non-material damages as a consequence of this data processing and started a litigation to seek compensation.
The Austrian Supreme Court asked the CJEU whether a mere infringement of the GDPR is sufficient to confer a right to compensation. The CJEU clarified that while administrative remedies can be sought in case of an infringement of the GDPR, the right to compensation offered by the GDPR is conditional upon a damage suffered.
#4 Hungarian case about the admissibility of parallel proceedings
In a case connected to Hungary[4], the CJEU needed to answer the question whether administrative and civil remedies offered by the GDPR may be exercised parallelly.
Regarding the factual background, after the company only partially complied with the access request of a shareholder, the latter started an administrative litigation against the decision of the Hungarian supervisory authority and parallelly filed a civil lawsuit against the company.
The administrative court sent the case to the CJEU which found that the administrative and civil remedies provided for by the GDPR may be exercised concurrently with and independently of each other.
#5 The Schrems II case about annulling the Privacy Shield
Undoubtedly, the decision that made the highest impact on data controllers’ lives was the one delivered in the case started by Maximilian Schrems, the nemesis of Mark Zuckerberg in relation to data transfers to the United States[5].
In this case, the CJEU found that the EU-U.S. Privacy Shield mechanism, which facilitated data transfers to the United States, did not provide an adequate protection to personal data transferred to the U.S., therefore considered it as invalid.
Companies who transferred personal data to the U.S. based on the Privacy Shield needed to find other ways to be able to transmit personal data the U.S. lawfully, for example using the standard contractual clauses.
Now, at least, the new Transatlantic Privacy Framework is on the horizon, so hopefully data transfers to the U.S. will be significantly easier.
This article was originally published on CEE Legal Matters on 25/05/2023
-
WHAT ARE THE FORMAL AND CONTENT REQUIREMENTS OF COMPANY DOCUMENTS IN B2B TRANSACTIONS IN HUNGARY?
Few people may know, but legislation often imposes formal and content requirements for certain documents. In most cases, these rules are for the sake of identification, which is in the interest of both parties, so it is important to pay attention to them to avoid misunderstandings. In this article, we examine the content requirements for documents used in business to business (B2B) transactions.
Read more » -
HOW FAR THE EMPLOYER’S SPHERE OF CONTROL EXTENDS IN HUNGARY, ACCORDING TO THE SUPREME COURT?
Under Hungarian labour law, the employer may be exempted from compensating the employee for damage caused in connection with the employment relationship if the damage was caused by circumstances beyond the employer’s control. But how far does the employer's control extend, and does it really have to take every eventuality into account, even the most unpredictable? In its recent decision, the Hungarian Supreme Court addressed this question.
Read more » -
WE ARE 15!
Recently we celebrated our 15th Anniversary, which is a very important milestone for us. Looking back, our Office went through a long improvement until the formation of our present profile: providing legal support in domestic and international commercial law issues and helping our clients doing business in Hungary.
Read more »