The Court of Justice of the European Union reaffirmed the conditions under which data protection authorities can issue fines to data controllers under the EU General Data Protection Regulation. The CJEU ruled that a data controller should not receive a fine unless the violation of the GDPR was committed "intentionally or negligently." The decision stemmed from cases originating in Lithuania and Germany, which dealt with the Lithuania National Public Health Centre processing citizens' data for its COVID-19 monitoring app and a German real estate company retaining customer data longer than necessary.
CJEU clarifies DPAs' legal grounds for issuing fines under GDPR