The Court of Justice of the European Union reaffirmed the conditions data protection authorities can issue fines to data controllers under the EU General Data Protection Regulation. The CJEU ruled a data controller should not receive a fine unless the violation of the GDPR was committed "intentionally or negligently." The decision stemmed from cases originating from Lithuania and Germany, which dealt with the Lithuania National Public Health Centre processing citizens' data for its COVID-19 monitoring app and a German real estate company retaining customer data longer than necessary.
CJEU clarifies DPAs' legal grounds for issuing fines under GDPR
Related stories
A view from Brussels: Will the EU pause the AI Act?
Notes from the Asia-Pacific region: India's digital landscape marches ahead
Navigate 2025: Rise of AI brings novel litigation, copyright issues
Navigate 2025: How individuals' feelings inform AI governance practices
There's no opting-out of universal opt-outs
