It has been 5 years - where does the EU stand now?

⚖️ Data subject rights : RW v. Österreichische Post AG (January 12, 2023) Data subjects have the right to know the third parties with whom their personal data is shared. There may be exceptional situations where the sharing is impossible, for reasons such as where the controller cannot identify the recipient, or where it is impossible for the controller to provide information about specific recipients. In this case, the post office refused to share details of third party recipients of personal data of the data subject but we can expect to see more case laws on the exempted cases where a controller may refuse to provide the information. 

⚔️ Conflicting provisions for genetic data: V.S. v. Ministerstvo na vatreshnite raboti, Glavna direktsia za borba s organiziranata prestapnost (January 26, 2023) In the spirit of transposing the GDPR in national laws, Member States should create specific applicable rules and conflicts in applicable laws should be clarified by national courts. Conflicting provisions in law can be seen in various sectors in the EU and the goal should be to remove uncertainty with clear and unambiguous provisions.

💪 Independence of DPOs: X-FAB Dresden GmbH & Co. KG vs FC (February 9, 2023) The independent nature of a DPO´s role is very critical for the fulfillment of its responsibilities. A conflict of interest is highly probable in cases where DPOs serve multiple roles - which is a common occurrence. It is unavoidable that the performance level in other roles will not affect the DPO´s role. In smaller organizations, it is challenging to find one resource dedicated as a DPO, but steps should be taken to ensure the independence of the DPO.

💸 Pecuniary damages : UI v. Austrian Post AG (May 4, 2023) Non-material damages arising from breach of GDPR should be considered as damages to be compensated. In this case, the data subject was offended with this political categorization, as per an illegal processing of his personal data by the postal services. With national courts being held responsible to create rules for compensation of damages (both material and non-material) arising out of GDPR, we may see more case laws on various interpretations of harm and damages.  

📋 Copies of personal data: FF vs DSB (May 4, 2023) Against data subjects’ requests for copies of their personal data, controllers should not provide summaries or general description of the same. The essence of law lies in the data subject getting a faithful reproduction of all its personal data stored and processed by the controller. To meet this requirement, controllers may argue on grounds of practical challenges for extracting a user's personal data from its entire database, which also includes other users´ personal data, but the same should not be a just ground to deny the rights of the data subject.