CJEU publishes an updated Fact Sheet summarising key case law on protection of personal data

The Fact Sheet presents only a selection of the most significant rulings, grouped per key topic. A judgment dealing with several topics may therefore appear in the Fact Sheet multiple times. The key topics include:

Rights to the protection of personal data recognised by the Charter.

This section includes cases that focus on the interplay between secondary legislation (such as regulations and directives) and Articles 7 (respect for private and family life) and 8 (protection of personal data) of the Charter. For example, a judgment in Luxembourg Business Registers (C-37/20 and C-601/20) invalidates amendments to AML obligations that require information on the beneficial ownership of legal entities to be accessible to any member of general public. The judgment in Digital Rights Ireland (C-293/12 and C-594/12) invalidates the Telecom Data Retention Directive requiring a general and indiscriminate retention of all traffic and location data of all electronic communications users, and the judgment in Tele2 Sverige (C-203/15 and C-698/15) concludes that national legislation requiring such general and indiscriminate data retention exceeds the limits of what is strictly necessary and cannot be considered to be justified in a democratic society.

Processing of personal data, including the key concepts of data protection law (personal data, processing, controller and joint controller) and conditions for lawfulness of data processing.

This is the largest section of the Fact Sheet. It includes summaries of the CJEU judgments that have shaped the EU data protection law, ranging from Google Spain and Google (C-131/12), Ryneš (C-212/13), Breyer (C-582/14), Nowak (C-434/16), Lindqvist (C-101/01), Fashion ID (C-40/17) to the more recent Nacionalinis visuomenės sveikatos centras (C-683/21) and Österreichische Datenschutzbehörde (C-33/22), amongst others.

Processing of personal data within the meaning of sector-specific regulations.

This section looks at a variety of cases that consider the processing of personal data in: (i) the electronic communications sector; and (ii) criminal matters. Examples of the cases covered include Privacy International (C-623/17), La Quadrature du Net (C-511/18, C-512/18 and C-520/18) and Prokuratuur (Conditions of access to data relating to electronic communications) (C-746/18), and more recent La Quadrature du Net and others (Personal data and action to combat counterfeiting) (C-470/21).

Transfer of personal data to third countries.

The Fact Sheet provides detailed summaries of the key CJEU rulings on the transfers of personal data to jurisdictions without adequacy status, including Lindqvist (C-101/01), Schrems I (C-362/14), and Schrems II (C-311/18).

Protection of personal data on the internet, including cookie consents, processing data in online social networks, and right to be forgotten.

This section explores the CJEU case law on rights of individuals on the internet. Key judgments are summarised, including Planet49 (C-673/17), GC and Others (De-referencing of sensitive data) (C-136/17), Google (Territorial scope of dereferencing) (C-507/17), Google (De-referencing of allegedly inaccurate content) (C-460/20) and Meta Platforms and Others (General terms of use of a social network) (C-252/21). 

National supervisory authorities.

The Fact Sheet analyses cases relating to the determination of applicable law and the competent authority (Weltimmo (C-230/14)), the powers of national supervisory authorities (Schrems I (C-362/14), Wirtschaftsakademie Schleswig Holstein (C-210/16), Facebook Ireland and Others (C-645/19), and Österreichische Datenschutzbehörde (C-33/22)), the conditions for imposing administrative fines (including the judgments in Nacionalinis visuomenės sveikatos centras (C-683/21) and Deutsche Wohnen (C-807/21)), and the relationship between the powers of national data protection authorities and other authorities (Meta Platforms and Others (General terms of use of a social network) (C-252/21)).

The Protection of personal data Fact Sheet is available here.