The CJEU’s March 19, 2026, judgment in Case C-526/24 marks a significant development in GDPR enforcement, holding for the first time that even a single data access request may be refused as “excessive” under Article 12(5) GDPR if made in bad faith, while also confirming that an unjustified refusal to comply with such a request can itself give rise to damages liability under Article 82(1) GDPR.
Continue Reading CJEU: First Request for Access May Be Rejected as Abusive Under GDPR
With its Russmedia judgment (C-492/23, Grand Chamber, 2 December 2025), the Court of Justice of the European Union (CJEU or Court) fundamentally reshapes how online marketplaces and other platforms hosting user-generated content must approach data protection compliance.
Continue Reading CJEU’s Russmedia Decision Expands Platform Controller Duties Under GDPR
The newly published German Coalition Agreement 2025 (CA 2025), German language version available here, outlines a digital agenda of the new German government, aimed at strengthening Germany’s position as a leader in digital innovation, data protection, and technological sovereignty. This GT Alert provides an overview of key digital policy areas that the CA 2025
The European Data Protection Board (EDPB) has recently (re)positioned itself on several controversial topics and published three new guidelines and opinions. Although not legally binding, they do have a significant influence on proceedings before the supervisory authorities and courts. This GT Alert discusses the EDPB’s new guidelines and their implications for companies dealing with personal
So much has been said about the new Cross-Border standard contractual clauses (SCC), which the EU Commission finally adopted on 4 June 2021 (see GT blog post from 9 June 2021), that it almost went unnoticed that the Commission published two different kinds of SCC that day. The other set of SCC (the DPA-SCC)