OC – CJEU Judgment (European Union, 2024)
CJEU judgment — not a DPA enforcement action
This is a Court of Justice ruling, not an enforcement action by a data protection authority. It is not included in cookie statistics or the Risk Calculator.
The Court of Justice of the European Union ruled on an appeal regarding the definition of personal data. This decision is important because it clarifies how personal data should be interpreted, which can affect many cases in the future. Companies need to understand that the definition of personal data can be complex and context-dependent.
What happened
The Court held that the General Court misinterpreted the definition of personal data in a previous case.
Who was affected
The claimant, OC, who argued that their personal data was misclassified.
What the authority found
The Court ruled that the General Court made legal errors regarding how personal data is defined and assessed.
Why this matters
This ruling sets a precedent for how personal data is interpreted, which could impact various legal cases. Companies should be aware that the definition of personal data is not always straightforward.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
This is an appeal of the earlier case [https://gdprhub.eu/index.php?title=CJEU_-_T%E2%80%91384/20_-_OC_v_European_Commission T‑384/20 - OC v European Commission.] The claimant (OC) appealed the general court’s decision on three grounds. That the General Court had legally misinterpreted the definition of personal data and had failed to observe proper administrative procedures when making its judgement (right to a presumption of innocence and the right to good administration under the Charter of Fundamental Rights). On the concept of personal data, the claimant argued that the general court had legally misinterpreted the concept of an ‘identifiable natural person’. They used two points to make this argument: 1) Identifiability is not tied to whether an “average reader” can identify you. The case law states that identifiability depends on whether an individual holds ‘additional factors...necessary for identification... [these factors] can be available to a person other than the controller’ (see C-582/14 at para 39 and 41). The General Court’s use of an average reader does not analyse the factors that the specific reader in the case holds. Thus, contrary to the case law, it does not test whether a person has the additional factors needed for identification. The General Court’s novel use of this test was therefore erroneous. 2) The General Court had erred in arguing that the ‘means reasonably likely’ to be used to identify a data subject (recital 26 GDPR and recital 16 EUDPR) was limited. Rather, the court should have looked at the costs and time required for the identification of the claimant to determine whether the claimant could be identified using ‘reasonable means’. This would be in line with what recital 25 GDPR actually states. The Court held that the General Court had made several errors of law and that the first ground of appeal must be upheld. First, the Court noted that the EUDPR (Regulation 2018/1725) - the piece of legislation applicable at the ca
Outcome
CJEU Judgment
A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.
Related Cases (0)
No other cases found for OC in EU
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. OC - European Union (2024). Retrieved from cookiefines.eu
Last updated: