In a recent ruling, the Court of Justice of the European Union (CJEU) addressed the right of access to information in cases of automated decision-making and profiling under the GDPR. The case, CK v Magistrat der Stadt Wien and Dun & Bradstreet Austria GmbH (Case C-203/22), examined the extent to which individuals are entitled to receive meaningful information about the logic behind automated decision-making processes, as well as the balance between transparency and the protection of trade secrets.

This case study examines ILVA A/S v. Danish Public Prosecutor, a CJEU ruling that clarifies whether GDPR fines should be based on the revenue of an individual company or its entire corporate group. The case is significant because it aligns GDPR enforcement with EU competition law principles and could increase the financial penalties for subsidiaries of multinational groups.

The digitalization of services has led to increasingly complex interactions between data protection law and business practices. At the core of Mousse v. CNIL & SNCF Connect, the Court of Justice of the European Union (CJEU) was asked to determine whether a company can require customers to select a gendered title (“Mr.” or “Ms.”) when purchasing travel tickets.

We continue the exploration of direct marketing around the EU. This article describes the regulatory framework governing direct marketing in Denmark, Sweden and Norway.

The European Data Protection Board (EDPB) recently published the "Guidelines 1/2024 on Processing of Personal Data based on Article 6(1)(f) GDPR" to clarify how organizations can legally process data under the legitimate interest basis of the GDPR.

This case provides crucial insights into GDPR enforcement. It examines the conditions for compensating non-material damage, the adequacy of apologies as remedies, and the irrelevance of a controller’s intent in determining compensation, clarifying key aspects of data protection rights.

This case is a valuable step forward in data privacy. It looks at how GDPR can be enforced not only by data subjects and authorities but also by competitors. It also expands what’s considered “health data” under GDPR, which could impact many businesses.

This article continues our deep dive into direct marketing regulations across Europe. It is focusing on the frameworks of the Baltic region: Lithuania, Latvia, and Estonia. Each country has its own set of laws governing how businesses can engage with consumers, making it essential to understand these distinctions for compliant and effective marketing strategies.

I believe direct marketing is one of the most popular topics within data privacy field (of course not counting AI). Often, businesses and professionals focus primarily on the GDPR, particularly Recital 47, which allows direct marketing based on “legitimate interest”. This reliance on a broad interpretation of GDPR overlooks the reality that each EU Member State has its own specific regulations and requirements, particularly for consent and consumer privacy protections in direct marketing practices.