The Court of Justice of the European Union reaffirmed the conditions data protection authorities can issue fines to data controllers under the EU General Data Protection Regulation. The CJEU ruled a data controller should not receive a fine unless the violation of the GDPR was committed "intentionally or negligently." The decision stemmed from cases originating from Lithuania and Germany, which dealt with the Lithuania National Public Health Centre processing citizens' data for its COVID-19 monitoring app and a German real estate company retaining customer data longer than necessary.
CJEU clarifies DPAs' legal grounds for issuing fines under GDPR
Related stories
Notes from the IAPP Canada: New government PIA standard takes effect mid-October
A case study in privacy operations: The Maryland SPI rule
10 tips to prepare for the EU Cyber Resilience Act
A view from Brussels: State of the (European) Union
US senator aims to advance US AI leadership with sandbox, federal regulatory exemptions
