Browse by topic

WARNING

This list is very, very much a work in progress. It merely tries to systematize the Court’s own tagging of the cases, which is notoriously incomplete (see it in its full glory here: Case law by CJEU-topics). I will update the list to a more meaningful one; if you want to help (or have one already), drop me a line!

1. Definitions and scope

• Definition of ‘personal data’: C-579-21
• Concept of ‘information’: C-487-21
• Concept of ‘copy’: C-487-21
• Definition of ‘recipients’: C-579-21
• Concept of ‘processing’ of personal data: C-659-22
• Concept of ‘controller’: C-231-22, C-272-19, C-807-21, C-461-22, C-60-22
• Scope of GDPR: C-461-22
• Purely personal or household activity: C-461-22

2. Principles of processing

• General principles relating to processing: C-340-21, C-60-22, C-205-21, C-394-23, C-446-21, C-77-21
• Purpose limitation: C-60-22, C-394-23
• Data minimisation: C-60-22, C-394-23
• Storage limitation: C-77-21
• Accountability of the controller: C-340-21

3. Lawfulness of processing (legal basis)

• Lawfulness of processing: C-175-20, C-205-21, C-306-21, C-34-21, C-394-23, C-60-22, C-621-22, C-180-21
• Conditions for lawful processing: C-667-21
• Concept of ‘legitimate interests’: C-621-22
• Necessity of processing for legitimate interests: C-621-22
• Concept of consent: C-673-17
• Consent (including pre-ticked checkboxes, cookies): C-61-19, C-673-17, C-129-21
• Consent management framework: C-604-22
• Consent of teachers for data processing: C-34-21
• Absence of consent: C-60-22

4. Controllers, joint controllers, and processors

• Controllership and joint controllership: C-60-22, C-461-22, C-604-22
• Joint control and responsibility: C-60-22, C-683-21
• Subsequent processing by third parties: C-231-22, C-180-21, C-604-22
• TC String as personal data: C-604-22

5. Data subject rights

• Right of access: C-272-19, C-307-22, C-487-21
• Scope of right of access / obligation to provide information: C-757-22, C-169-23, C-579-21
• Provision of a copy of the data: C-487-21
• Access to data in specific contexts (former guardian, journalists, courts): C-461-22, C-245-20
• Right to object: C-394-23
• Right to restriction of processing: C-60-22
• Right to erasure (‘right to be forgotten’): C-129-21, C-200-23, C-231-22, C-60-22

6. Controller obligations

• Transparency of information: C-757-22
• Record of processing activities: C-60-22
• Security measures: C-340-21, C-687-21
• Data protection officer: C-453-21
• Liability and exemption from liability: C-741-21

7. Data breaches

• Data breach and database management: C-77-21
• Security measures (protective measures): C-340-21, C-687-21
• Transmission of data to unauthorized third parties: C-687-21

8. Special categories of data

• Biometric and genetic data: C-205-21
• Data concerning health, sexual orientation: C-21-23, C-667-21, C-446-21
• Data relating to criminal convictions/offences: C-439-19
• Data relating to title and gender identity: C-394-23

9. Specific processing contexts

• Employment context: C-65-23, C-34-21
• Assessment of employee’s working capacity: C-667-21
• Medical records and treatment liability: C-307-22
• Collection/storage of identity documents: C-61-19, C-496-17
• Credit information agencies: C-634-21
• Mobile applications, log data, electronic files: C-659-22, C-579-21, C-60-22
• Online sale of travel documents: C-394-23
• Online publication of personal data: C-456-22
• Oral disclosure of criminal data: C-740-22
• Passenger Name Record (PNR) data: C-817-19
• Personalised advertising and online social networks: C-446-21
• Publication without consent / disclosure to sponsors: C-456-22, C-621-22
• Video recording in electoral processes: C-306-21
• Transmission via electronic mailbox: C-60-22
• Sports federation: C-621-22
• Commercial interest: C-621-22

10. Cross-border data transfers

• Transfers of personal data to third countries: C-311-18
• Adequacy of protection, national security, and public interest: C-311-18
• Standard contractual clauses: C-311-18
• One-stop shop mechanism and cross-border processing: C-645-19

11. Supervisory authorities (SAs)

• Competence and powers of supervisory authorities: C-33-22, C-169-23, C-245-20, C-807-21
• Discretion and corrective powers: C-768-21
• Tasks of supervisory authority: C-416-23, C-768-21
• Administrative fines: C-768-21, C-807-21, C-683-21, C-590-22
• Complaints, requests, and excessive requests: C-416-23
• Right to complain: C-169-23

12. Remedies, liability, and compensation

• Right to compensation and liability: C-300-21, C-340-21, C-456-22, C-507-23, C-667-21, C-687-21, C-741-21, C-590-22, C-200-23
• Assessment, conditions, amount, and form of compensation: C-300-21, C-507-23, C-590-22, C-741-21
• Concept of ‘damage’ and impact of negligence: C-507-23, C-667-21
• Claim for compensation based on fear: C-590-22
• Compensation for non-material damage: C-507-23, C-456-22, C-590-22, C-667-21
• Simultaneous infringement of GDPR and national law: C-590-22
• Principle of effectiveness (remedies): C-507-23
• Relationship between remedies: C-132-21, C-21-23
• Infringement of specific data subject rights: C-757-22, C-507-23
• Unlawful processing of data: C-507-23
• Whether possible to consider the attitude/motivation of the controller: C-507-23

13. Procedural and jurisdictional issues

• Article 267 TFEU, concept of ‘court or tribunal,’ temporal effect: C-439-19, C-272-19, C-579-21
• Ability of a constitutional court to maintain effects of incompatible legislation: C-439-19
• Principles of primacy of EU law and legal certainty: C-439-19
• Procedural autonomy and consistent application: C-132-21, C-507-23
• Incompatibility of national rules: C-300-21
• Inadmissibility of request for assessment of validity: C-687-21
• Charter of Fundamental Rights of the EU: C-645-19
• Proportionality and exclusion: C-175-20, C-461-22
• Effective judicial protection and presumption of innocence: C-205-21
• Rights of defence in civil proceedings: C-180-21

14. Interaction with other legal frameworks

• Consumer protection and unfair commercial practices: C-21-23, C-319-20, C-757-22
• Abuse of a dominant position and powers of competition authorities: C-252-21
• Protection of privacy in electronic communications: C-129-21
• COVID-19 certificate processing: C-169-23
• Verification of validity of EU Digital COVID Certificates: C-659-22
• Corruption in public sector / declaration of private interests: C-184-20–
• National security and public safety: C-33-22, C-817-19