The EU Court of Justice (CJEU) has ruled that a supplier of luxury goods can, by contract, prohibit its authorised distributors from selling those goods on third-party internet platforms such as Amazon. The CJEU held that such a prohibition is appropriate; does not in principle go beyond what is necessary to preserve the luxury image of the goods; and is not necessarily an unlawful restriction of competition (Coty Germany GmbH v Parfümerie Akzente GmbH (Case C-230/16)).
The expanding scope of ‘personal data’ – CJEU delivers judgment in Nowak
The EU Court of Justice (CJEU) has ruled that a candidate’s exam script is “personal data”, as it constitutes information that is linked to him or her. The CJEU held that the use of the expression “any information” in the definition of the concept of personal data in the Data Protection Directive 95/46/EC (the Directive) reflects the aim of the EU legislature to assign a wide scope to the concept, potentially encompassing all kinds of information provided that it relates to the data subject. As the GDPR contains a similar definition of “personal data” to that in the Directive, namely “any information relating to an identified or identifiable natural person”, the CJEU’s broad interpretation of the concept of personal data will continue to apply post-25 May 2018 when the GDPR comes into force.
WP29 Guidance on Fines
The Article 29 Working Party (WP29) has published Guidelines on Administrative Fines. While the GDPR gives national supervisory authorities discretion in deciding which corrective measure to impose and, if that measure is a fine, the level of that fine, the guidelines emphasise the need for supervisory authorities across the EU to work together to achieve consistent enforcement of the data protection rules. The WP29 recommends the creation of a sub-group attached to the European Data Protection Board to support this ongoing activity.
UK High Court rules on class action claim for data breach
The UK High Court recently found supermarket chain Morrisons vicariously liable for the actions of an ex-employee who leaked payroll data of almost 100,000 employees. The claim was brought by 5,518 employees of Morrisons. This is an important decision as it is the first class-action case for a personal data breach in the UK, and demonstrates how an employer can be liable for an employee’s data breach.
WP29 publishes Guidelines on Transparency
On 12 December, 2017, the Article 29 Working Party (WP29) published its Guidelines on Transparency. The guidance should assist controllers in understanding the obligation of transparency concerning the processing of personal data under the GDPR. The schedule to the guidance contains a list of the mandatory transparency information that must be provided to a data subject, and this note focuses on the WP29’s recommendations in regard to the provision of that information to data subjects.
A&L Goodbody launches new GDPR Ireland App
A&L Goodbody has launched a new GDPR Ireland App. The App is an essential resource for businesses that will have to comply with increased data protection obligations under the GDPR. The easy-to-navigate App provides guidance on the substantial changes introduced by the GDPR, and links to regulatory guidance. The A&L Goodbody GDPR Ireland App is part of a suite of GDPR resources which have been developed by the Firm over the past year. We will be keeping the App up-to-date with developments at Irish and European level.
The App is free to download to iPhone and iPad from…
WP29 publishes Guidance on Consent
On 12 December, 2017, the Article 29 Working Party (WP29) published its Guidelines on Consent under the GDPR. Consent is one of the lawful grounds on which personal data processing may be based. The guidance considers the extent to which the GDPR requires controllers to change their consent requests/forms.
DPC publishes guidance on e-receipts
Heading into the Christmas period, festive shoppers may notice an increasing number of retailers are offering receipts via email (e-receipts) rather than the traditional paper docket. Providing a receipt through email has a number of advantages for retailers and consumers. There is the obvious environmental benefit and it provides an easier means for customers to store and find receipts than an over-stuffed wallet.
However, new guidance from the Data Protection Commissioner (DPC) has stressed the need for retailers to ensure that when customers provide their details for the purpose of receiving e-receipts, they should be fully informed and consent to how that data may be used. Of central concern is the retailers’ use of email addresses for subsequent direct marketing.
Consumer Protection Cooperation Regulation introduced to combat unlawful online practices
The new Consumer Protection Cooperation Regulation (CPC) was passed on 14 November 2017, with the goal of providing enforcement authorities with additional powers to combat unlawful online practices. The CPC will also help harmonise consumer protection law across the EU. While the CPC is sure to aid compliance, it remains to be seen how far-reaching some of the powers will become, in particular, the website-blocking power referred to below.
What’s New? – A&L Goodbody GDPR Guide For Businesses
We have updated our GDPR Guide for Businesses to take account of new EU regulatory guidance. The guide is a ‘living document’, which we will expand as more regulatory guidance is published.
The EU Article 29 Working Party has published guidance on a number of key changes introduced by the GDPR, including: administrative fines, mandatory breach notification, data protection officers, lead supervisory authority, data portability, profiling, and data protection impact assessments.
More regulatory guidance is expected shortly, as well as publication of the new Irish Data Protection Bill, which will give effect to, and provide for derogations from, the…