On 13 March 2024, the European Parliament and the Council adopted Regulation (EU) 2024/900 on the transparency and targeting of political advertising (the Regulation). The Regulation is now in force, however, the majority of its provisions will not take effect until October 2025.

This article aims to provide a summary of the key provisions of the Regulation under the following headings:

  1. Scope of the Regulation
  2. Transparency and due diligence obligations 
  3. Targeting and ad delivery of online political advertising
  4. Supervision and enforcement
  1. Scope of the Regulation

The Regulation is intended to provide harmonised rules on transparency and related due diligence

Continue Reading Political Advertising Regulation

In Doolin v DPC [2020], the High Court held that an employer’s use of CCTV footage in an employee’s disciplinary proceedings constituted unlawful further processing. It concluded that the Data Protection Commission (DPC) had made an “error of law” in their finding that no further processing of the CCTV footage had occurred. The Court found that the CCTV footage was lawfully collected for security purposes. However, the CCTV footage was then unlawfully further processed for the purpose of the disciplinary proceedings, which was incompatible with the original purpose for which the CCTV footage was processed. The decision shows the importance of only using personal data, particularly CCTV footage, for the purpose for which it was collected.
Continue Reading Use of CCTV footage in disciplinary proceedings breached employee’s data protection rights

The CJEU in Joined Cases C-141/12 and C-372/12 has clarified the scope of a data subject’s right of access to a copy of their personal data. The CJEU’s ruling may serve to lighten the burden of access requests on organisations. It confirms that the Data Protection Directive 1995 (the Directive) does not establish a right of access to any specific document or file in which personal data are listed or used, nor does it specify the material form in which personal data must be made accessible. Member States enjoy a margin of discretion to determine the form in which to make personal data accessible, so long as it is intelligible. Accordingly, the CJEU found that the Dutch authorities, in this case, had met their legal obligations under data protection law by extracting from the relevant documents the personal data relating to the data subject.Continue Reading CJEU clarifies scope of right of access to personal data