European Union: Privacy landscape continues to evolve with new CJEU rulings

This is an Insight article, written by a selected partner as part of GDR's co-published content. Read more on Insight

Legal framework


The right to privacy emerged after World War II and was initially enacted in the Universal Declaration of Human Rights,[1] before finding expression in the European Convention on Human Rights (ECHR).[2] Later, the right to data protection was recognised by the European Court of Human Rights (ECtHR) as part of the broadly interpreted concept of private life.[3]

In the EU, the right to data protection was first recognised by the Treaty on the Functioning of the European Union[4] and was given the status of a human right by the Charter of Fundamental Rights of the European Union (CFR).[5]

In 1995, to harmonise data protection laws, ensure a high level of protection and guarantee the free flow of personal data, the European Commission (EC) adopted the Data Protection Directive, which had to be implemented in each member state.[6] In parallel, the ePrivacy Directive[7] was adopted in 2002 to address personal data in the specific context of electronic communication services and to adapt the applicable rules to the digital age.

Confronted with various challenges – in particular, the persistent fragmentation of data protection laws throughout the EU and increasing digitalisation – the EU decided to review the legal framework. This led to the adoption of the General Data Protection Regulation (GDPR).[8] Adopted in 2016, the GDPR became directly applicable in all member states on 25 May 2018. Reform and adaptation of other privacy-related laws as part of the EU’s Digital Strategy were also initiated.

Updates and trends

The GDPR achieved a high degree of harmonisation for the data protection rules in the EU; however, member states still have ‘margins of manoeuvre’ and can adopt national legislation to amend GDPR rules under certain circumstances (eg, for children’s consent or the scope of data subject rights).

Since 31 December 2020,[9] the GDPR is no longer directly applicable in the UK. The UK’s national data protection legislation (the UK GDPR) broadly mirrors the current GDPR.[10] If the GDPR were to change, the UK might not follow suit, so the rules might diverge.

In June 2021, the EC adopted an adequacy decision for the UK. Personal data can be transferred to the UK in most cases without any additional safeguards;[11] however, unlike other adequacy decisions, the UK adequacy decision will automatically expire in 2025.[12]

Focus on the GDPR


The GDPR seeks to protect fundamental rights and freedoms of natural persons and reduce barriers for businesses by facilitating the movement of personal data within the EU.[13] It also aims to address the data protection risks associated with new technologies and their widespread use by imposing more stringent obligations. Finally, it aims to ensure effective protection of personal data by strengthening data subjects’ rights and the obligations of those who process personal data, and by establishing authorities to monitor and ensure compliance.

Scope of application

The GDPR’s scope of application is defined by reference to activities,[14] actors[15] and geography.[16]

The GDPR applies to the ‘processing’ of ‘personal data’, which are both interpreted very broadly: ‘processing’ covers every action that can be conducted with personal data, while ‘personal data’ means any information relating to an identified or identifiable natural person.[17] Only anonymised data does not fall under the scope of the GDPR.[18]

The GDPR also recognises specific categories of personal data, namely ‘sensitive data’[19] and ‘data relating to criminal convictions and offences’.[20] Sensitive data is:

data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.[21]

The processing of those categories of data is subject to more stringent requirements. In most cases, the data subject’s consent is required.

Data processed in the course of a purely personal or household activity is exempted; however, the exemption has to be interpreted rather narrowly. Larger scale or more intrusive activities generally fall under the GDPR’s scope, even if the main purpose is personal.

The GDPR defines three ‘data protection roles’:

  • the data subject, who is the natural person whose information is being processed;
  • the controller,[22] who determines the purposes and means of the processing; and
  • the processor,[23] who processes the personal data on the controller’s behalf.

Controllers and processors are subject to specific requirements under the GDPR, whereas data subjects enjoy extensive rights.

The GDPR is very far-reaching: it applies to entities established in the EU[24] and to certain others without such an establishment.[25] In the latter case, it applies to the personal data processing of data subjects who are in the EU if the processing is related to offering goods or services or monitoring their behaviour (eg, online tracking) if the behaviour takes place in the EU. Those entities must appoint an ‘EU representative’, which acts as a point of contact for authorities and data subjects.

Principles relating to personal data processing and accountability

Article 5 sets out the general principles with which controllers and processors must comply when processing personal data. These principles are the cornerstone of all subsequent GDPR provisions, and they guide courts and authorities in their interpretation of the GDPR.

  • Lawfulness, fairness and transparency: personal data must be processed lawfully, fairly and in a transparent manner.
  • Purpose limitation: personal data must be collected for specified, explicit and legitimate purposes, must not be used for any purposes other than those notified to the individual and must not be further processed in any manner incompatible with those initial purposes, unless the further processing is based on a new lawful purpose.
  • Data minimisation: personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  • Accuracy: personal data must be accurate, kept up to date and erased or rectified, if necessary.
  • Storage limitation: personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data is being processed, and otherwise must be deleted or anonymised.
  • Integrity and confidentiality: personal data must be processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures (TOMs).

In accordance with the principle of accountability, controllers are responsible for and must be able to demonstrate compliance with these principles, in particular by keeping relevant documentation, such as a record of processing activities.[26] The principle of accountability also leads to a shift of the burden of proof in certain cases (ie, it is the controller’s responsibility to evidence GDPR compliance).

Lawfulness of data processing

Data processing is lawful only if and to the extent it is based on one or more of the legal bases listed in the GDPR.[27] Whether a lawful basis for processing applies, and if so which, is determined with regard to the type of personal data and the purpose of the processing.

The most common lawful bases for the processing of (ordinary) personal data are performance of a contract, consent and the controller’s overriding legitimate interests, as set out below:

  • To rely on the performance of a contract, the processing must be ‘necessary’ to the contract. If ‘there are realistic, less intrusive alternatives, the processing is not necessary’.[28]
  • Consent is often regarded as the ‘method of choice’ but in practice it is very challenging to rely on consent. The threshold for obtaining valid consent is very high. Consent has to be ‘freely given’,[29] ‘specific’ and ‘informed’ and must express the unambiguous indication of the wishes of the data subject.[30] The data subject must also be able to withdraw their consent, at any time, as easily as it was given.
  • Relying on overriding legitimate interests may also be quite challenging. First, the existence of a legitimate interest must be carefully assessed. The GDPR does not provide a list of interests to be considered as such; however, the GDPR states, for instance, that ‘the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest’.[31] Second, controllers have to balance these legitimate interests against the data subject’s fundamental rights and freedoms. Only when those rights do not override the controller’s legitimate interests is it possible to rely on this legal ground.[32]

The other three lawful bases also require the processing to be ‘necessary’ for a specific purpose, namely compliance with a legal obligation, protecting the data subjects’ vital interests, or the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Sensitive data may only be processed if a legal basis, for example, ‘explicit consent’, according to the (stricter) catalogue pursuant to article 9 GDPR, is applicable.

The GDPR also regulates specific types of processing, such as automated decision-making, including profiling. Profiling means any form of automated processing of personal data to evaluate certain personal aspects relating to the individual, in particular to analyse or predict certain aspects. The GDPR imposes certain requirements to ensure additional guarantees in the context of such data processing.

Rights of the data subject

The GDPR grants a wide range of rights to data subjects, giving them more control over their personal data. Data subject rights can be classified into two groups.

The first group covers all information obligations[33] imposed on controllers. These require a controller to:

  • give the data subject specific information about the circumstances of the data processing,[34] at the time personal data is collected or before it is processed;
  • inform the data subject before carrying out changes to the data processing;
  • inform the data subject of personal data breaches where relevant;[35] and
  • take reasonable steps to inform other controllers of a right exercised by the data subject in some cases,[36] such as if the data subject asks for their data to be erased and the data was made public by the controller.

The second group includes rights that must be exercised by the data subject for the controller to act. The data subject has the right to:

  • access their personal data processed by the controller;[37]
  • obtain rectification of inaccurate or incomplete personal data;[38]
  • request restriction of processing,[39] which means that personal data can still be stored but may not be used in certain situations;
  • request erasure[40] of their personal data in particular circumstances;
  • receive the personal data they provided in a structured and commonly used machine-readable format and request the controller to transmit this directly to another controller;[41]
  • object to the processing of their personal data on grounds relating to their particular situation.[42] The controller must stop processing the data if it cannot show compelling legitimate grounds for the processing that override the individual’s interests (although this does not apply where the personal data is processed for direct marketing purposes); and
  • not be subject to a decision based solely on automated processing, including profiling, which produces legal or similar effects for the data subject.[43] This right does not apply if automated decision-making is necessary for the performance of a contract between the controller and the data subject.

If a controller or processor breaches the GDPR, the data subject has the right to lodge a complaint with any data protection supervisory authority (DPA), including those established in a member state other than where they live, as well as the right to start judicial proceedings. The data subject may also file a claim for damages.

Oversight and enforcement

Each member state has established at least one DPA,[44] which must be independent in performing its tasks and exercising its powers and must contribute to the consistent application of the GDPR throughout the EU. The DPA has a wide range of responsibilities and a broad scope of powers, including investigative and corrective powers. It can issue warnings, reprimands or fines;[45] order data to be rectified, blocked or deleted; or impose a ban on processing. A DPA regulates controllers and processors established in its own member state, as well as elsewhere if the processing affects data subjects in the member state or is otherwise connected.

If more than one DPA would have jurisdiction for a specific processing activity of a controller or processor established in the EU (ie, for cross-border processing), the DPA of the entity’s ‘main establishment’ will act as ‘lead supervisory authority’. This ‘one-stop-shop mechanism’[46] ensures more efficient cross-border proceedings.[47]

All DPAs are members of the independent European Data Protection Board (EDPB),[48] along with the European Data Protection Supervisor.[49] The EDPB is responsible for ensuring the uniform application of the GDPR throughout member states and efficient cooperation among DPAs. It can issue guidelines[50] and recommendations and make binding decisions in relation to disputes regarding which DPA is competent or the lead supervisory authority,[51] as well as in relation to urgency procedures.[52]

Updates and trends

On 24 May 2023, the EDPB issued the final version of its guidelines on the calculation of fines.[53]

In 2023, a few landmark rulings have been issued. For instance, the Court of Justice of the European Union (CJEU) ruled that the mere infringement of the GDPR is not sufficient to award damages to a data subject.[54] It also considered that providing extracts of documents or databases or even entire documents may be necessary to fulfil data subject access requests.[55]

Privacy governance

The role of the DPO

The main responsibility of the data protection officer (DPO) is to monitor GDPR compliance and to ensure awareness-raising of staff involved in processing operations.[56] The ultimate responsibility to comply with the GDPR lies, however, with the controller.

The controller[57] or the processor must appoint a DPO if their ‘core activities’ comprise the regular, systematic and large-scale monitoring of data subjects, or the large-scale processing of sensitive data or data relating to criminal convictions and offences.[58]

The DPO must be appointed on the basis of their professional qualities, their expert knowledge of data protection and their ability to fulfil the assigned tasks. They may be an employee or an external provider.[59] In both cases, the DPO must be able to perform their tasks independently and without any conflict of interest.

Once designated, the DPO’s contact details must be published and communicated to the DPA as the contact point for data subjects and DPAs.

Ensuring GDPR compliance of data processing operations

Data protection by design and by default

The controller[60] must:

  • Implement appropriate TOMs to satisfy the general data protection principles under the GDPR and to integrate necessary safeguards throughout the whole processing.[61] TOMs must be implemented considering the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for individuals.
  • Implement appropriate TOMs ensuring that, by default, only personal data that is necessary for each specific purpose of the processing is processed.[62]

The controller must also regularly review and update the TOMs.[63]

Appropriate TOMs to ensure data security

To keep personal data secure, appropriate TOMs must be implemented.[64] Technical measures are precautionary measures relating to the processing itself, such as a backup system or User-ID policy. Organisational measures cover the external framework conditions surrounding the processing, like employee training, policies or a safety plan.

The GDPR does not specifically define what security measures must be taken. It only lists criteria for the measures to ensure a level of security appropriate to the risk. There is no one-size-fits-all solution so controllers and processors must carry out a ‘balancing test’. They have quite a broad margin of discretion, but the decision to implement certain TOMs might be closely scrutinised. So, controllers and processors should assess the specific risks raised by their processing and the protective effects of individual TOMs. In the event of a personal data breach, TOMs should be adapted accordingly to prevent such incident from recurring.

When assessing a risk, the relevant factors are the nature of the risk,[65] its likelihood[66] and its severity.[67]

When assessing individual TOMs, the controller or processor must assess whether and how it can prevent the risk from occurring, given the state of the art, the costs of implementation and the nature, scope, context and purposes of processing. It should focus on measures such as encryption and pseudonymisation. It must take measures that can ensure the ongoing confidentiality, integrity, availability and resilience of the processing, and restore the availability of and access to the data if there is an incident.


If data processing poses a high risk to individuals, the controller must first carry out a data protection impact assessment (DPIA). A DPIA is an internal risk assessment to document any risks identified and any measures taken to mitigate the risks (eg, implementing TOMs or adding contractual safeguards with third parties).

A DPIA is required when: new technologies are used; there is a systematic and extensive evaluation of personal aspects based on automated processing; sensitive personal data is processed on a large scale; or there is systematic monitoring of a publicly accessible area on a large scale.[68]

EU guidelines suggest that a controller must consider the following criteria to determine the risk of processing,[69] and a DPIA is generally required if two of these criteria are met:

  • evaluation or scoring;
  • automated decision-making with legal or similar significant effect for data subjects;
  • systematic monitoring;
  • sensitive data or data of a highly personal nature;
  • data processed on a large scale;
  • matching or combining datasets;
  • data concerning vulnerable data subjects (eg, children);
  • innovative use or applying new technological or organisational solutions; and
  • when the processing in itself prevents data subjects from exercising a right or using a service or contract.

Finally, DPAs may establish non-exhaustive ‘blacklists’ or ‘whitelists’ of those activities that always require a DPIA and those that do not.[70]

In the rare event that the risks identified in a DPIA cannot be mitigated, the controller must consult with the relevant DPA before processing.

Contractual requirements

Although the GDPR has increased the data processor’s responsibilities, the controller remains primarily responsible. The controller must only use processors that provide sufficient guarantees to ensure GDPR compliance.[71] The controller must also conclude a binding contract with the processor setting out all the elements of the processing and certain restrictions, including that the processor may process data only upon the documented instructions of the controller, the controller has certain audit rights, and the processor must support the controller to ensure GDPR compliance.[72]

Joint controllers must determine their respective responsibilities for GDPR compliance in a transparent manner, in particular with regard to the exercise of data subject rights and the controllers’ respective duties to provide information to data subjects.[73]

Data exports

The GDPR includes restrictions regarding data transfers to countries outside the European Economic Area. Safeguards must be used to ensure an ‘adequate level of data protection’, unless the personal data is transferred to a country covered by an ‘adequacy decision’ (ie, the country has an adequate level of data protection).[74]

If the recipient country is not covered by an adequacy decision, the transfer must be subject to ‘appropriate safeguards’,[75] namely:

  • binding corporate rules (ie, group internal data protection frameworks approved by the relevant DPA);
  • standard contractual clauses (SCCs) adopted by the EC or by a DPA;[76]
  • an approved code of conduct;
  • an approved certification mechanism; or
  • individual contractual clauses authorised by the DPA.

If the transfer is not covered by these safeguards, an exemption might apply, such as where the data subject has given explicit consent or where the transfer is necessary for the performance of a contract with the data subject.[77]

Following the CJEU’s judgment in Schrems II[78] the landscape relating to data exports has significantly evolved. First, the EU–US Privacy Shield[79] has been declared invalid.[80]

Second, the EC released a new set of SCCs.[81] The new SCCs have a few new or updated aspects, including a modular approach, a docking clause that facilitates the formation of multilateral contractual relationships by allowing new parties to accede to an already existing agreement, and a ‘practical toolbox’ to comply with the Schrems II ruling.

In addition, data exporters must review whether the recipient abroad can guarantee compliance with EU data privacy law (a ‘transfer impact assessment’), and under certain circumstances implement additional technical, organisational and contractual measures,[82] depending on the level of security for the data in the country of the data importer.[83] The GDPR also restricts transfers of personal data to organisations and their subordinate bodies governed by public international law, or to any other body that is set up by, or on the basis of, an agreement between two or more countries.

Personal data breaches

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data.[84] This could include, for instance, a lost USB stick, an intrusion by a hacker or the sending of an email to the wrong recipient.

If the breach poses a risk to data subjects, the controller must notify the relevant DPA without delay and, where feasible, within 72 hours of becoming aware of the breach. Where there is a high risk, the affected data subjects must also be notified. In practice, these tight deadlines are challenging for businesses, and the emphasis is often on assessing when a business can reasonably be said to be ‘aware’, bearing in mind the complexities of many data breach investigations.

A wide range of factors are relevant to assess the level of risk: the type of breach;[85] the nature, sensitivity and volume of personal data; the consequences for affected individuals; the number of affected individuals; and the likelihood and severity of the consequences on affected individuals, such as discrimination, identity theft or financial loss.

Controllers must document each data breach.[86]

Focus on specific requirements

Sector-specific requirements

In sectors like banking, healthcare, social security, post, telecoms and gambling, specific data protection requirements apply.

Regarding telecoms, with the entry into force of the European Electronic Communications Code (EECC), the regulatory landscape has become increasingly complex. In particular, over-the-top providers are now subject to applicable rules.


In 2016, the EU adopted the Directive on Security of Network and Information Systems[87] (the NIS Directive) to enhance cybersecurity standards for certain businesses with IT infrastructure in the EU.[88]

In December 2022, the revised NIS Directive, the NIS 2 Directive,[89] was published. The NIS 2 Directive expands the scope of the current NIS Directive by adding new sectors, introducing a clear size cap and by strengthening applicable requirements.

Other EU digital and data-related legislation

The EU’s Digital Strategy aims to protect individuals and foster innovation by imposing rules to safely navigate digitalisation. The Digital Services Act,[90] which regulates online intermediaries and platforms, came into force on 16 November 2022.[91] The Digital Markets Act,[92] which sets out rules on gatekeeper platforms, entered into force on 1 November 2022. Once ‘gatekeepers’ are designated, they will have until March 2024 to ensure compliance.

Other data-related legislative proposals of the EU’s Digital Strategy include the Data Act (which regulates access to data by users and third parties), the Data Governance Act (setting out rules inter alia for providers of data-sharing services) and the Artificial Intelligence Act (which provides for stringent regulation of artificial intelligence systems).

The 2002 ePrivacy Directive applies in addition to the GDPR. It covers a wide range of issues, such as collection of traffic data, cookies[93] and unsolicited communications. EU discussions to replace the directive with a regulation continue.


The GDPR has established a stringent and far-reaching data protection framework. It shifts a lot of responsibility to businesses that process personal data. As a best practice, many businesses have set up privacy governance committees to manage GDPR risk. This approach is extending to businesses that are not subject to the GDPR, because many countries have adopted or are in the process of adopting similar comprehensive privacy frameworks.[94] Aligning different national requirements is difficult for businesses, not only because EU member states still have leeway to enact country-specific rules, but also because the approach taken in countries outside the EU sometimes conflicts with the GDPR. That said, for those looking to implement global compliance programmes, developing principles-based policies and procedures with the GDPR as their bedrock is often a pragmatic solution.


[1] Universal Declaration of Human Rights, article 12.

[2] Convention for the Protection of Human Rights and Fundamental Freedoms, article 8.

[3] European Court of Human Rights (ECtHR), 26 March 1987, Leander v Sweden; ECtHR, 4 May 2000, Rotaru v Romania.

[4] Treaty on the Functioning of the European Union, article 16.

[5] Charter of Fundamental Rights of the European Union, article 8.

[6] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

[7] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.

[8] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

[9] The end of the Brexit transition period.

[10] The EU General Data Protection Regulation (GDPR) was retained (with some amendment) in UK law by the European Union (Withdrawal) Act 2018.

[11] The decision does not cover personal data that is transferred for purposes of UK immigration control or that otherwise falls within the scope of a certain immigration exemption under the UK Data Protection Act 2018.

[12] The EU will monitor the UK law for any divergence before then.

[13] The GDPR is intended to help promote European economic development.

[14] GDPR, article 2.

[15] GDPR, article 4.

[16] GDPR, article 3. See also European Data Protection Board (EDPB), Guidelines 3/2018 on the territorial scope of the GDPR.

[17] For example, the fact that a person took part in a meeting or signed a specific document is considered personal data.

[18] Anonymisation is quite hard to achieve in practice. In most cases where anonymisation is attempted, data will only be considered ‘pseudonymised’ (eg, identifiers or references to individuals are removed but it is still possible to re-identify data with additional knowledge from other sources). The GDPR fully applies to pseudonymised data.

[19] Also called ‘special category’ data.

[20] GDPR, article 10.

[21] GDPR, article 9.

[22] The controller can be a natural or legal person, public authority, agency or any other body. When two or more controllers jointly determine the purposes and means of a processing activity, they are ‘joint controllers’. See also EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR.

[23] The processor can be a natural or legal person, public authority, agency or any other body. See also EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR.

[24] This is the ‘establishment criterion‘.

[25] This is the ‘targeting criterion’.

[26] GDPR, article 30.

[27] GDPR, article 6.

[28] For example, the use of a cloud storage application necessarily requires that personal data be stored in the respective cloud so that the controller can rely on the performance of a contract exemption; however, the use of the data for other purposes (eg, analysing data for marketing purposes) is not necessary and requires another legal basis. For further information, see EDPB, Guidelines 2/2019 on the processing of personal data under article 6(1)(b) of the GDPR in the context of the provision of online services to data subjects.

[29] The requirement of freely given consent is sometimes particularly hard to achieve (eg, when an employer asks employees for consent).

[31] GDPR, recital 47.

[32] In light of the ‘accountability principle’, controllers must generally document the balancing of interest test.

[33] GDPR, articles 12, 13 and 15.

[34] This applies irrespective of whether the personal data is collected directly from the data subject.

[35] GDPR, article 34.

[36] GDPR, article 29(2).

[37] Right of access: GDPR, article 15. See also EDPB, Guidelines 01/2022 on data subject rights – Right of access.

[38] Right to rectification: GDPR, article 16.

[39] Right to restriction of processing: GDPR, article 18.

[40] Right to be forgotten: GDPR, article 17.

[41] Right to data portability: GDPR, article 20. See Article 29 Working Party (WP29), Guidelines on the right to data portability, WP242 rev.01.

[42] Right to object: GDPR, article 21.

[43] GDPR, article 22.

[44] Germany, as a federal country, has several data protection supervisory authorities (DPAs). Where more than one DPA is established in a member state, that member state must designate the supervisory authority that is to represent the others at the EU level.

[45] Up to €20 million or 4 per cent of worldwide annual (group) turnover, whichever is higher.

[46] A register containing decisions taken by DPAs following the ‘one-stop-shop mechanism’ is published by the EDPB.

[47] There is still some uncertainty over the definition of ‘main establishment’.

[48] The EDPB replaced the WP29, which ceased to exist on 25 May 2018.

[49] The European Data Protection Supervisor is the DPA for the EU institutions and bodies.

[50] During its first plenary meeting, the EDPB endorsed some of the WP29 Guidelines, such as those on consent, transparency, personal data breach notification, the obligation to maintain records of processing activities and the application and setting of administrative fines.

[51] GDPR, article 65.

[52] GDPR, article 66.

[54] Court of Justice of the European Union (CJEU), 4 May 2023, Case C-300/21.

[55] CJEU, 4 May 2023, Case C-487/21.

[56] GDPR, article 39.

[57] A group of undertakings may appoint a single data protection officer (DPO), GDPR, article 37(2).

[58] Member states can stipulate further cases where a DPO must be appointed. Article 37(4) of the GDPR contains an opening clause allowing member states to impose other requirements for the appointment of a DPO. For instance, Germany has provisions in place that go beyond the general DPO requirement under the GDPR. Irrespective of a legal obligation, companies can also appoint a DPO voluntarily, and this has been recommended by several DPAs.

[59] Off the record, certain DPAs have expressed concerns over the appointment of external DPOs by businesses that process a significant amount of personal data.

[60] GDPR, article 25.

[61] For example, when a controller builds a new product, it must ensure that the product is developed with privacy in mind. This can, for example, be documented and achieved by adding ‘privacy gates’ into the product development cycle.

[62] For example, some applications may require the functionality to turn certain data collection on and off, and the default setting should be ‘off’.

[63] GDPR, article 24.

[64] GDPR, article 32.

[65] For example, data destruction, data alteration, unauthorised disclosure or unauthorised access.

[66] Taking into account, for example, the data transfer method (eg, in the cloud) or the storage method (duration, location).

[67] Taking into account, for example, the importance of the data or the type of likely damage.

[68] GDPR, article 35(3).

[70] GDPR, articles 35(4) and 35(5). The EDPB publishes opinions on draft lists submitted to it by the DPAs.

[71] This requires appropriate processes for vendor management to document that the selection of processors is based on reasonable criteria.

[72] ibid.

[73] GDPR, article 26.

[74] GDPR, article 45. So far, the Commission has recognised the following countries as providing an adequate level of data protection: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, the UK and Uruguay.

[75] GDPR, article 46.

[76] See, for instance, the standard contractual clauses (SCCs) adopted by the Danish DPA.

[77] GDPR, article 49.

[78] On 16 July 2020, the CJEU in the Schrems II case (C-311/18) invalidated the EU–US Privacy Shield and said that those who transfer data out of the European Economic Area (EEA) using the SCCs must review whether the recipient of data abroad can guarantee compliance with EU data privacy law. Both findings were based on the wide rights of US government agencies to access personal data and the lack of judicial redress for non-US citizens.

[79] The Privacy Shield was a scheme that allowed data to flow from the EEA to US companies registered with the scheme.

[80] Talks around a Privacy Shield replacement are still ongoing. In December 2022, the European Commission launched the process towards the adoption of an adequacy decision for the EU–US Data Privacy Framework. A proposal for a draft adequacy decision has been released and transmitted to the EDPB for its opinion, which was delivered on 28 February 2023. The EDPB welcomed improvements but concerns remain.

[81] One for the transfer of personal data to third countries (see Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council) and one for use between controllers and processors based in the EU (Commission implementing decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors under article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council).

[83] The 18-month transition period for those using the pre-existing SCCs ended on 27 December 2022.

[84] GDPR, article 4(12).

[85] Generally a distinction is made between a confidentiality breach, an availability breach or an integrity breach.

[86] Documentation is to be made available to the relevant DPA upon request.

[87] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.

[88] The directive generally applies to certain critical infrastructure where specific thresholds are met (eg, energy, health, transport, banking and digital infrastructure).

[89] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No. 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive).

[90] Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (the Digital Services Act (DSA)).

[91] The DSA will be directly applicable across the EU. Most provisions of the DSA become applicable from 17 February 2024 (although some apply earlier).

[92] Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act).

[93] For instance, certain cookies may be used only if the user has given consent, and certain marketing communications require that recipients have explicitly opted in to receive them.

[94] For example, Australia, Brazil, South Korea or California, Nevada and Colorado in the US.

Unlock unlimited access to all Global Data Review content