Casebook European Data Law: Ten Years of the GDPR – A Milestone in EU Data Regulation

Prof. Dr. Rolf Schwartmann; RA Dr. Marek Steffen Jansen LL.M.; Dr. jur. Moritz Köhler

doi:10.5771/9783748971290

Summary

For ten years, the GDPR has shaped the protection of privacy in Europe and beyond. As a globally recognised benchmark for data protection, it has set enduring standards. Marking its 10th anniversary, this English-language casebook brings together around 50 renowned authors from industry, legal practice, public authorities, the judiciary, and academia. Through selected landmark decisions and regulatory guidelines, the contributors analyse the key developments shaping European data law. The chapters offer concise, authoritative guidance on the core principles and their practical application. The volume will be presented at the 2nd EuDIR-Symposium, held in cooperation with the Cologne Research Centre for Media Law on 20 May 2026 at TH Köln.

Search publication

Bibliographic data

Edition: 1/2026
Copyright Year: 2026
ISBN-Print: 978-3-7560-4175-6
ISBN-Online: 978-3-7489-7129-0
Publisher: Nomos, Baden-Baden
Language: English
Pages: 572
Product Type: Edited Book

1. Preface No access
2. Eurpean Parliament No access
3. European Commission No access
4. Council of the European Union No access
5. 1. I. Legal acts of the European Union No access
  2. II. Legal acts of Germany No access
1. European data protection case law in numbers No access Pages 31 - 34
  Authors:
2. Authors:
  1. I. Case summary No access
  2. II. Key legal findings No access
  3. III. Systematic context and legal classification No access
  4. IV. Author’s analysis and commentary No access
  5. V. Recommended further reading No access
3. Authors:
  1. I. Case summary No access
  2. II. Key legal findings No access
  3. III. Systematic context and legal classification No access
  4. IV. Author’s analysis and commentary No access
  5. V. Recommended further reading No access
4. Authors:
  1. I. Case summary No access
  2. II. Key legal findings No access
  3. III. Systematic context and legal classification No access
  4. IV. Author’s analysis and commentary No access
5. Authors:
  1. I. Case summary No access
  2. 1. 1. The GDPR applies in principle to national parliaments No access
    2. 2. Exceptions must be interpreted strictly No access
    3. 3. Legislator is able to establish more than one supervisory authority No access
  3. III. Systematic context and legal classification No access
  4. 1. 1. Political and parliamentary activity falls within the competence of the Member States No access
    2. 2. Possible Reactions of the legislator No access
  5. V. Recommended further reading No access
1. Authors:
  1. I. Case summary No access
  2. II. Key legal findings No access
  3. III. Systematic context and legal classification No access
  4. IV. Author’s analysis and commentary No access
  5. V. Recommended further reading No access
2. Authors:
  1. I. Case summary No access
  2. II. Key legal findings No access
  3. 1. 1. a) Anonymous and pseudonymised data No access
      2. b) Nature of pseudonymised data for different entities No access
      3. c) Ties to prior case law No access
      4. d) Safeguarding the level of protection No access
    2. 3. The controller’s transparency obligations under Art. 15(1)(d) EUDPR No access
  4. III. Systematic context and legal classification No access
  5. 1. 1. Burden of proof No access
    2. 2. Processors vs controllers No access
    3. 3. Consequences of unlawfully obtained identification data No access
    4. 4. Transparency and recipient naming No access
  6. V. Recommended further reading No access
3. Authors:
  1. I. Introduction No access
  2. II. Case summary No access
  3. III. Key legal findings No access
  4. IV. Systematic context and legal classification No access
  5. 1. 1. Oral processing and material scope of the GDPR No access
    2. 2. Public access to official documents on criminal convictions No access
    3. 3. Practical implications and outlook No access
  6. VI. Recommended further reading No access
4. Authors:
  1. I. Case summary No access
  2. 1. 1. Concept of ‚processing‘ in test operation (preliminary question 4) No access
    2. 2. Interpretation of the term ‚controller‘ (preliminary question 1 to 3) No access
    3. 3. Joint responsibility (preliminary question 5) No access
    4. 4. Conditions for the imposition of administrative fines (preliminary question 6) No access
  3. 1. 1. Conditions for the imposition of administrative fines No access
    2. 2. Interpretation of the term ‘controller’ / joint responsibility No access
5. Authors:
  1. 1. 1. ECJ 5.6.2018 – case C-210/16, ECLI:EU:C:2018:388 – Wirtschaftsakademie No access
    2. 2. ECJ 10.7.2018 – case C-25/17, ECLI:EU:C:2018:551 – Jehovan todistajat No access
    3. 3. ECJ 29.7.2019 – case C-40/17, ECLI:EU:C:2019:629 – FashionID No access
  2. 1. 1. ECJ 5.6.2018 – case C-210/16, ECLI:EU:C:2018:388 – Wirtschaftsakademie No access
    2. 2. ECJ 10.7.2018 – case C-25/17, ECLI:EU:C:2018:551 – Jehovan todistajat No access
    3. 3. ECJ 29.7.2019 – case C-40/17, ECLI:EU:C:2019:629 – FashionID No access
  3. III. Systematic context and legal classification No access
  4. Although all three cases were brought to the Court under the DPD, they still are fully effective under the GDPR (Art. 4 no. 7 GDPR) because the concept of joint controllership remains the same. Thus, they have a lasting effect under the GDPR until today. No access
  5. 1. 1. ECJ 5.6.2018 – case C-210/16, ECLI:EU:C:2018:388 – Wirtschaftsakademie No access
    2. 2. ECJ 10.7.2018 – case C-25/17, ECLI:EU:C:2018:551 – Jehovan todistajat No access
    3. 3. ECJ 29.7.2019 – case C-40/17, ECLI:EU:C:2019:629 – FashionID No access
  6. 1. 1. ECJ 5.6.2018 – case C-210/16, ECLI:EU:C:2018:388 – Wirtschaftsakademie No access
    2. 2. ECJ 10.7.2018 – case C-25/17, ECLI:EU:C:2018:551 – Jehovan todistajat No access
    3. 3. ECJ 29.7.2019 – case C-40/17, ECLI:EU:C:2019:629 – FashionID No access
  7. V. Recommended further reading No access
6. Authors:
  1. I. Case summary No access
  2. II. Key legal findings No access
  3. III. Systematic context and legal classification No access
  4. IV. Author’s analysis and commentary No access
  5. V. Recommended further reading No access
1. Authors:
  1. I. Guidance summary No access
  2. 1. 1. Purpose specification as a prerequisite for lawful processing No access
    2. 2. Further processing and compatibility under Art. 6(4) GDPR No access
    3. 3. Limits of safeguards and governance measures No access
  3. III. Systematic context and legal classification No access
  4. IV. Author’s analysis and commentary No access
  5. V. Recommended further reading No access
2. Authors:
  1. I. Case summary No access
  2. 1. 1. Purpose limitation principle No access
    2. 2. Storage limitation principle No access
  3. 1. 1. Fundamental principles addressed in this ECJ Decision No access
    2. 2. Consequences of the ECJ Decision at a national level (Hungary) No access
    3. 3. Related previous guidelines/decisions No access
  4. 1. 1. Practical significance No access
    2. 2. Practical recommendations and implications No access
  5. V. Recommended further reading No access
3. Authors:
  1. I. Introduction No access
  2. 1. 1. Relationship with other data protection principles No access
    2. 2. Specification through case law No access
    3. 3. Substantive legal requirements No access
  3. III. Data minimisation throughout the processing lifecycle No access
  4. IV. Data minimisation in the context of modern technologies No access
  5. V. European regulatory initiatives No access
  6. VI. Data minimisation as a future-oriented principle No access
  7. VII. Recommended further reading No access
4. Authors:
  1. I. Case summary No access
  2. 1. 1. A cyber-attack does not automatically mean insufficient technical organisational measures, but the controller bears the burden of proof for appropriateness No access
    2. 2. Fear of possible misuse can be non-material damage, but the data subject needs to demonstrate actual damage No access
  3. 1. 1. Confidentiality and integrity No access
    2. 2. Risk-appropriate No access
    3. 3. Proof No access
    4. 4. Fear as non-material damage No access
  4. 1. 1. Standard risk management also for technical and organisational measures No access
    2. 2. Documentation is key No access
  5. V. Recommended further reading No access
5. Authors:
  1. I. Case summary No access
  2. II. Key legal findings No access
  3. III. Systematic context and legal classification No access
  4. IV. Author’s analysis and commentary No access
  5. V. Recommended further reading No access
1. Authors:
  1. I. Introduction No access
  2. II. Case summary No access
  3. III. Key legal findings No access
  4. IV. Systematic context and legal classification No access
  5. V. Author’s analysis and commentary No access
2. Authors:
  1. I. Case summary No access
  2. II. Key legal findings No access
  3. III. Systematic context and legal classification No access
  4. IV. Author’s analysis and commentary No access
  5. V. Recommended further reading No access
3. Authors:
  1. I. Introduction No access
  2. II. Case summary No access
  3. 1. 1. Commercial interests can be legitimate interests No access
    2. 2. Necessity No access
    3. 3. Balancing of Interests No access
  4. IV. Author’s analysis and commentary No access
  5. V. Recommended further reading No access
4. Authors:
  1. I. Case summary No access
  2. II. Key legal findings No access
  3. III. Systematic context and legal classification No access
  4. IV. Author’s analysis and commentary No access
  5. V. Recommended further reading No access
5. Authors:
  1. I. Case summary No access
  2. II. Key legal findings No access
  3. III. Systematic context and legal classification No access
  4. IV. Author’s analysis and commentary No access
  5. V. Recommended further reading No access
6. Authors:
  1. I. Case summary No access
  2. II. Key legal findings No access
  3. 1. 1. Regarding Art. 9 GDPR No access
    2. 2. Regarding Art. 82 GDPR No access
  4. IV. Author’s analysis and commentary No access
  5. V. Recommended further reading No access
7. Authors:
  1. I. Case summary No access
  2. II. Key legal findings No access
  3. 1. 1. Relationship between the questions referred No access
    2. 2. Assessment of proportionality No access
    3. 3. Classification as ‘special categories of personal data’ No access
  4. 1. 1. Misplaced emphasis and allocation of argumentative resources No access
    2. 2. Weakness of the decisive argumentation No access
    3. 3. Consequence: Catastrophic legal uncertainty in Europe No access
  5. V. Recommended further reading No access
8. Authors:
  1. I. Case summary No access
  2. II. Key legal findings No access
  3. 1. 1. Children’s data protection content No access
    2. 1. a) Transparency and fairness No access
      2. b) Data Protection Impact Assessments (DPIA) No access
      3. c) Data minimisation and privacy by default No access
      4. d) Data protection by design No access
      5. e) Risk-based measures and accountability No access
      6. f) Lawfulness of the processing No access
  4. 1. 1. Significance of the DPC Decision No access
    2. 2. Compliance implications No access
    3. 3. Further developments on children’s privacy No access
  5. V. Recommended further readings No access
1. Authors:
  1. I. Case summary No access
  2. II. Key legal findings No access
  3. III. Systematic context and legal classification No access
  4. IV. Author’s analysis and comment No access
  5. V. Recommended further reading No access
2. Authors:
  1. I. Case summary No access
  2. 1. 1. BGH 28.1.2014 – VI ZR 156/13, ZD 2014, 306 No access
    2. 2. ECJ 7.12.2023 – case C-634/21, ECLI:EU:C:2023:957 – OQ v Land Hessen, SCHUFA No access
    3. 3. Facts of the ECJ ruling No access
    4. 1. a) Content of the right to information under Art. 15(1)(h) GDPR No access
      2. b) Handling of trade secrets and third-party data No access
      3. c) Result No access
    5. 1. a) Increased documentation and transparency requirements No access
      2. b) Relationship to Art. 22 GDPR and rights of control No access
      3. c) Handling of trade secrets and third-party data No access
      4. d) Impact on national regulations No access
      5. e) Outlook and recommendations No access
    6. 6. Conclusion No access
  3. 1. 1. Starting point: Categories and basic principles of the EDPB guidelines No access
    2. 2. Interfaces with the ruling No access
  4. IV. Recommended further reading No access
3. Authors:
  1. I. Case summary No access
  2. II. Key legal findings No access
  3. III. Systematic context and legal classification No access
  4. 1. 1. General requirements of the right to rectification No access
    2. 2. The Duty to Substantiate Inaccuracy and the Means of Proof No access
    3. 3. The Controller’s Independent Duty of Rectification No access
    4. 4. The Relationship between the GDPR and the European Convention on Human Rights (ECHR) No access
  5. V. Recommended further reading No access
4. Authors:
  1. I. Case summary No access
  2. II. Key legal findings No access
  3. III. Systematic context and legal classification No access
  4. IV. Author’s analysis and commentary No access
  5. V. Recommended further reading No access
5. Authors:
  1. I. Case summary No access
  2. 1. 1. Wording No access
    2. 2. Systematic approach No access
    3. 3. Telos No access
  3. III. Systematic context and legal classification No access
  4. 1. 1. Remaining unresolved questions No access
    2. 2. Transferability to other disputed GDPR topics No access
    3. 3. Practical relevance No access
  5. V. Recommended further reading No access
6. Authors:
  1. I. Case summary No access
  2. II. Key legal findings No access
  3. III. Systematic context and legal classification No access
  4. IV. Author’s analysis and commentary No access
  5. V. Recommended further reading No access
7. Authors:
  1. I. Case summary No access
  2. II. Key legal findings No access
  3. III. Systematic context and legal classification No access
  4. IV. Author’s analysis and commentary No access
  5. V. Recommended further reading No access
8. Authors:
  1. I. Case summary No access
  2. 1. 1. Establishment in the EU No access
    2. 1. a) Processor No access
      2. b) Controller No access
    3. 3. Dereferencing as an Alternative to Deletion No access
  3. III. Systematic context and legal classification No access
  4. IV. Author’s analysis and commentary No access
  5. V. Recommended further reading No access
9. Authors:
  1. I. Case summary No access
  2. II. Key legal findings No access
  3. III. Systematic context and legal classification No access
  4. IV. Author’s analysis and commentary No access
  5. V. Recommended further reading No access
10. Authors:
  1. I. Case summary No access
  2. II. Key legal findings No access
  3. III. Systematic context and legal classification No access
  4. IV. Author’s analysis and commentary No access
  5. V. Recommended further reading No access
1. Authors:
  1. 1. 1. Significance No access
    2. 2. Obligations under Art. 30 GDPR No access
  2. II. Case summary No access
  3. III. Key legal findings No access
  4. IV. Systematic context and legal classification No access
  5. V. Author’s analysis and commentary No access
  6. VI. Recommended further reading No access
2. Authors:
  1. 1. 1. Introduction No access
    2. 2. Starting point: GDPR No access
  2. II. Authorities' opinion on the interaction between the GDPR and the AI Act No access
  3. III. Architecture for an IT-supported DPMS in accordance with the GDPR with integrated data protection-related testing in accordance with the AI Act No access
  4. IV. Conclusion No access
3. Authors:
  1. I. Case summary No access
  2. 1. 1. Need for assessment of security measures on a case-by-case basis No access
    2. 2. The controller’s burden of proof No access
    3. 3. Liability of the controller for actions by a third party No access
    4. 4. Fear as non-material damage No access
  3. 1. 1. Accountability No access
    2. 2. Loss of control and non-material damage No access
    3. 3. Liability for damage caused by third parties No access
    4. 4. Burden of proof No access
  4. IV. Author’s analysis and commentary No access
  5. V. Recommended further reading No access
4. Authors:
  1. I. Introduction No access
  2. 1. 1. Scope and Addressees No access
    2. 2. Systematic Integration within the AI Act No access
    3. 3. Relationship with the Data Protection Impact Assessment (DPIA) No access
  3. III. Art. 35 GDPR, DPIA No access
  4. IV. Common Core Principles between FRIA and DPIA No access
  5. V. Art. 22 GDPR, Automated Decision Making No access
  6. 1. 1. Use Case Retrieval Augmented Generation No access
    2. 2. Use Case Automated Administrative Decisions No access
  7. VII. Conclusion No access
5. Authors:
  1. I. Case summary No access
  2. II. Key legal findings No access
  3. 1. 1. Relevant legal provisions No access
    2. 2. In the context of the Court’s existing case law No access
  4. 1. 1. Stricter national regulations No access
    2. 2. Members of a works council as data protection officers No access
  5. V. Recommended Further Reading No access
6. Authors:
  1. I. Case summary No access
  2. II. Key legal findings No access
  3. III. Systematic context and legal classification No access
  4. 1. 1. Operational implications for organisations No access
    2. 2. Practical recommendations No access
    3. 3. Regulatory policy and global perspective No access
    4. 4. Concluding remarks on legal development No access
  5. V. Recommended further reading No access
7. Authors:
  1. I. Opinions‘ summary No access
  2. II. Key legal findings No access
  3. III. Systematic context and legal classification No access
  4. IV. Author’s analysis and commentary No access
  5. V. Recommended further reading No access
1. Authors:
  1. 1. 1. C-311/18 – Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (‘Schrems II’) No access
    2. 2. T- 553/23 – Philippe Latombe v European Commission No access
  2. II. Key Legal Findings No access
  3. III. Systematic Context and Legal Classification No access
  4. 1. 1. Standing No access
    2. 2. Facts No access
    3. 3. Temporal scope No access
  5. V. Recommended Further Reading No access
2. Authors:
  1. I. Case summary No access
  2. II. Key legal findings No access
  3. III. Systematic context and legal classification No access
  4. IV. Author’s analysis and commentary No access
  5. V. Recommended further reading No access
3. Authors:
  1. I. Case summary No access
  2. 1. 1. Causal damage as a condition for liability under Art. 82 GDPR No access
    2. 2. No threshold of seriousness for non‑material damage No access
    3. 3. Assessment of the amount of compensation under national law subject to EU‑law constraints No access
  3. 1. 1. Three cumulative conditions: infringement – damage – causation No access
    2. 2. No threshold of seriousness for non‑material damage No access
    3. 3. Burden of proof No access
    4. 4. Quantification of damage under national law No access
  4. IV. Author’s analysis and commentary No access
  5. 1. 1. ECJ 20.6.2024 – Joined Cases C-182/22 and C-189/22, ECLI:EU:C:2024:531 – JU and SO v Scalable Capital GmbH No access
    2. 2. BGH 18.11.2024 – VI ZR 10/24, GRUR 2024, 1910 No access
    3. 3. ECJ 4.9.2025 – case C‑655/23, ECLI:EU:C:2025:655 – IP v Quirin Privatbank AG No access
4. Authors:
  1. I. Case summary No access
  2. II. Key legal findings No access
  3. III. Systematic context and legal classification No access
  4. IV. Author’s analysis and commentary No access
  5. V. Recommended further reading No access
5. Authors:
  1. I. Case summary No access
  2. II. Key legal findings No access
  3. III. Systematic context and legal classification No access
  4. IV. Author’s analysis and commentary No access
  5. V. Recommended further reading No access
6. Authors:
  1. I. Case summary No access
  2. 1. 1. Responsibility under the one-stop shop procedure No access
    2. 2. Main establishment and addressee of the lawsuit No access
    3. 3. Direct Right of Action under Art. 58 (5) GDPR No access
  3. III. Systematic context and legal classification No access
  4. 1. 1. Practical Relevance No access
    2. 2. Legal Implications No access
  5. V. Recommended further reading No access
7. Authors:
  1. I. Case summary No access
  2. II. Key legal findings No access
  3. 1. 1. Interaction between data protection supervision and competition supervision No access
    2. 2. ‘for an appropriate fee’ No access
  4. 1. 1. Coordination between supervisory authorities No access
    2. 2. Cooperation between authorities No access
    3. 3. Case study: ‘for an appropriate fee’ No access
1. Authors:
  1. I. Case summary No access
  2. II. Key legal findings No access
  3. 1. 1. a) Machine-based system No access
      2. b) Autonomy No access
      3. c) Adaptiveness No access
      4. d) Objectives No access
      5. e) Output and Environmental Influence No access
    2. 2. The inferencing requirement No access
    3. 3. Exclusions from the definition No access
  4. 1. 1. Strengths of the Guidelines No access
    2. 2. Remaining ambiguities No access
    3. 3. Practical implications No access
  5. V. Recommended further reading No access
2. Authors:
  1. I. Introduction and context No access
  2. 1. 1. a) Regulatory guidance and interpretation No access
      2. b) Practical analysis No access
    2. 1. a) Regulatory guidance and interpretation No access
      2. b) Practical analysis No access
  3. 1. 1. a) Regulatory guidance and interpretation No access
      2. b) Practical analysis No access
    2. 1. a) Regulatory guidance and interpretation No access
      2. b) Practical analysis No access
  4. 1. 1. a) Regulatory guidance and interpretation No access
      2. b) Practical analysis No access
    2. 1. a) Regulatory guidance and interpretation No access
      2. b) Practical analysis No access
  5. V. Recommended further reading No access
3. Authors:
  1. I. Case summary No access
  2. II. Key legal findings No access
  3. III. Systematic context and legal classification No access
  4. IV. Author’s analysis and commentary No access
  5. V. Recommended further reading No access
4. Authors:
  1. I. Case summary No access
  2. 1. 1. Legal basis and special category data No access
    2. 2. Transparency and reasonable expectations No access
    3. 3. Data subject rights No access
  3. III. Systematic context and legal classification No access
  4. 1. 1. Training AI models and compliance approach to special category data No access
    2. 2. Analogy to search engines No access
    3. 3. Transparency and data subject rights No access
    4. 4. Conclusion No access
  5. 1. 1. Position papers from supervisory authorities No access
    2. 2. Academic Art. or book chapters No access
5. Authors:
  1. I. Case summary No access
  2. 1. 1. GDPR, in particular Art. 6(1)(f) GDPR No access
    2. 2. Digital Omnibus No access
  3. III. Copyright limitations No access
  4. IV. Provisions in copyright law as lex specialis to Art. 6(2), (3) GDPR No access
  5. V. Conclusion: What is permitted under copyright law cannot be prohibited under data protection law, can it? No access
  6. VI. Recommended further reading No access
6. Authors:
  1. I. Introduction No access
  2. 1. 1. Accountability and demonstrability under Art. 5(2) GDPR No access
    2. 2. Organisational measures and internal understanding under Art. 24 GDPR No access
    3. 3. Security of processing and instruction under Art. 32 GDPR No access
  3. 1. 1. Training is a relevant organisational measure following a data breach No access
    2. 2. Literacy measures and staff training cannot just be superficial or reactive No access
    3. 3. Literacy also encompasses proper processing instructions and correctly interpreting legal principles No access
  4. IV. From data protection literacy to AI literacy No access
  5. V. Conclusion No access
7. Authors:
  1. I. The transformation of the connected vehicle No access
  2. II. EDPB Guidelines 01/2020 on the processing of personal data in connection with connected vehicles and mobility related applications No access
  3. III. CNIL recommendation project on location data in connected vehicles No access
  4. 1. 1. Personal reference in the vehicle No access
    2. 2. Consent as a legal basis No access
    3. 3. Technical requirements and competitiveness No access
  5. V. Conclusion No access
  6. VI. Recommended further reading No access
1. Authors:
  1. I. Position summary No access
  2. II. Key statements No access
  3. 1. 1. Developments in data protection law in the DA during the legislative process No access
    2. 2. Current developments following completion of the legislative process No access
  4. 1. 1. Challenges for those applying the law No access
    2. 2. Possible solutions No access
  5. V. Recommended further reading No access
2. Authors:
  1. I. Introduction No access
  2. 1. 1. The EU Commission’s 2018 Decision No access
    2. 2. The GC‘s Findings No access
  3. 1. 1. The U.S. District Court’s Decision No access
    2. 2. The EU’s and the US’ approach in comparison No access
  4. IV. The Android Judgements Implications for Data Law and Governance No access
  5. V. Conclusion No access
1. Authors:
  1. I. Introduction No access
  2. II. Legislative and historical background No access
  3. III. Judicial cases No access
  4. IV. Practical Observations on Artistic Creativity No access
  5. V. Conclusion No access
2. Authors:
  1. 1. 1. C-34/21 – Hauptpersonalrat der Lehrerinnen und Lehrer No access
    2. 2. C-65/23 – K-GmbH No access
  2. II. Key legal findings No access
  3. III. Systematic context and legal classification No access
  4. 1. 1. Scope of application: The concept of ‘employee’ under Art. 88 GDPR No access
    2. 2. Defining ‘more specific rules’ No access
    3. 3. Judicial review of collective agreements No access
  5. V. Recommended further reading No access
Overview No access Pages 553 - 558
Author profiles No access Pages 559 - 572