Data Protection Weekly 42/2022

Oct 21, 2022

European Union

Opinion of the Advocate General of the CJEU on the interpretation of Art. 82 GDPR in Case C-300/21 

According to Advocate General Campos Sánchez-Bordona, the relevant Article 82(1) GDPR should be interpreted as follows:  

  • A mere infringement of GDPR provisions is not in itself sufficient for the purposes of the award of compensation for damages. 
  • Compensation for non-material damages does not cover “mere upset” that the person concerned may feel. 
  • Article 82(1) GDPR does not have the character of a punitive nature.  

    However, we are yet to see if this opinion will be a concurring or a dissenting opinion because the CJEU has not yet released its decision. 

    Important news for companies that are not established in the EU 

    The EDPB published an updated version of the guidelines on personal data breach notifications under the GDPR. Under the previous guidelines, notifications were made to the supervisory authority in the Member State where the controller’s representative in the EU is established (WP250 rev.01 page 18). In the revised guidelines at page 18, the EDPB states that:  

    “[T]he mere presence of a representative in a Member State does not trigger the one-stop- shop system. For this reason, the breach will need to be notified to every single authority for which affected data subjects reside in their Member State. This notification shall be done in compliance with the mandate given by the controller to its representative and under the responsibility of the controller” 


    Italian SA fines US Company offering diabetes app 

    The Italian SA has imposed an administrative fine against the controller (a US company) EUR 45,000 because it, unlawfully disclosed email accounts and health data relating to about 2,000 Italian diabetic patients and committed additional infringements of data protection laws. In particular, after downloading the app, users were expected to accept, by a single click, the terms of use of the service jointly with the contents of the privacy policy. This prevented them from giving their consent separately to the individual processing operations including the processing of health-related data.  


    The French SA fines Clearview AI EUR 20 million 

    The French supervisory authority (CNIL) found that, among others, Clearview seriously risked the fundamental rights of data subjects resulting from its processing. The CNIL then referred the matter to the restricted committee for sanctions. Th restricted committee has now imposed a maximum financial penalty of 20 million euros in accordance with Art. 83 of the GDPR.  

    Subsequently, the restricted committee also ordered Clearview to promptly delete the personal data within two months failure to which will attract a farther penalty of 100,000 euros for every day after the two-month period.