In Lindqvist, the court concluded that uploading data to a hosting provider within the EU where that data is available for access to anyone outside the EU does not constitute a data transfer [1]. The explanation given was that the page did not have the ability to initiate a transmission of that ...

Jan mentioned that data controllers have to ensure "every instance of their personal data is eliminated across all platforms". I believe that is a bit of an overstatement. I would have probably worded it as "every instance of their personal data where processing is authorized by the controller ...

I think there are areas where LastPass has done well and areas where they fall short. Firstly, LastPass's initial communication on August 25 2022 was sent two weeks after detecting a breach, which is reasonably timely considering they needed time to investigate the incident [1]. EDPB guidelines ...

I believe that the legislators drafting the GDPR have taken into account the concept of "behavioral surplus". Both can co-exist as long as companies exercise good judgement in the processing of data. According to Article 5(1)(c) of the GDPR, Personal data processed must be "adequate, relevant ...

According to Recital 32 of the GDPR, "pre-ticked boxes" as well as "inactivity" does not count as consent [1]. Planet49 GmbH v Bundesverband der Verbraucherzentralen was probably one of the cases which set the precedence for what constitutes consent. Planet49 had a pre-ticked checkbox on its ...

I would like to explore Article 9(2)(e) of the GDPR further as the term "manifestly made public" appears to warrant more in depth discussion. An example for such a situation could be an event organizer processing the details of an openly known HIV positive individual to invite that individual ...

I believe one main problem when imposing liability on online content occurs when there is a hard conflict between 2 legal systems [1]. Since online content is accessible worldwide, it would be difficult to subject it to law from two strikingly different jurisdictions simultaneously. The case of ...

Article 9(1) of the GDPR added genetic data, biometric data where it is used to uniquely identify a person as well as sexual orientation into the definition of "sensitive personal data". These changes were likely prompted by the social and technological changes that occurred in the decade ...