GC - T‑354/22 - Bindl v Commission

Summary

The European General Court has ordered the European Commission to pay a data subject €400 in non-material damages. This decision stems from the transfer of the data subject's personal data, including IP address and browser information, to the United States via services like Amazon CloudFront and Meta Platforms Inc. The court found these transfers violated EU GDPR provisions concerning data protection adequacy and transfer mechanisms.

Full text

Help GC - T‑354/22 - Bindl v Commission: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 13:49, 24 March 2025 view sourceThomasB (talk | contribs)4 edits Tag: Visual edit← Older edit Latest revision as of 09:21, 24 June 2026 view source Bms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators117 edits Line 12: Line 12: |ECLI=ECLI:EU:T:2025:4|ECLI=ECLI:EU:T:2025:4 |Opinion_Link=|Opinion_Link=CJEU |Judgement_Link=https://curia.europa.eu/juris/document/document.jsf?text=&docid=294090&pageIndex=0&doclang=DE&mode=req&dir=&occ=first&part=1&cid=338866|Judgement_Link=https://curia.europa.eu/juris/document/document.jsf?text=&docid=294090&pageIndex=0&doclang=DE&mode=req&dir=&occ=first&part=1&cid=338866 Latest revision as of 09:21, 24 June 2026 GC - T‑354/22 Bindl v Commission Court: GC (European Union) Jurisdiction: European Union Relevant Law: Article 14 EU GDPRArticle 17 EU GDPRArticle 46 EU GDPRArticle 48 EU GDPR Decided: 08.01.2025 Published: 08.01.2025 Parties: EU Commission Thomas Bindl National Case Number/Name: T‑354/22 Bindl v Commission European Case Law Identifier: ECLI:EU:T:2025:4 Appeal from: Appeal to: Original Language(s): [[:Category:{{{Original_Source_Language_1}}}|{{{Original_Source_Language_1}}}]] [[Category:{{{Original_Source_Language_1}}}]] Original Source: [{{{Original_Source_Link_1}}} {{{Original_Source_Name_1}}} (in {{{Original_Source_Language_1}}})] Initial Contributor: ao The European General Court ordered the European Commission to pay a data subject €400 in non-material damages due to the transfer of personal data to the USA following two visits to one of the Commission’s websites. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources English Summary Facts In 2021 and 2022, the data subject visited the website on the “Conference on the future of Europe” which is managed by the European Commission. The data subject alleged that his personal data including his IP address and information on his browser and terminal were transferred to recipients in the United States on three occasions through this website. On the 30 March 2022, the data subject’s IP address and browser and terminal information were transferred to Amazon Web Services through the “Amazon CloudFront”. The “Amazon CloudFront” provided the basis for the website visited by the data subject. On the same day, in order to sign up for an event, the data subject used the option of signing in with his Facebook account as provided for by the Commissions authentication service. The data subject alleged that this transferred his personal data to the American company Meta Platforms Inc. The data subject again visited the website on the 8 June 2022 and again his data was transferred to Amazon CloudFront. Claim one for non-material damages valued at €400 The data subject brought forward that the United States does not provide an adequate level of protection of personal data and that his data was at risk of being disclosed to US security and intelligence services. The data subject claimed for compensation of €400 for the non-material damage he had suffered due to the data transfer in violation of Article 46 of Regulation (EU) 2018/1725 ("EUDPR") and Article 48(1)&(2)(b) EUDPR. In addition, the data subject sought the annulment of the transfer of his personal data. Claim two for non-material damages valued at €800 On the 1 April 2022, the data subject requested access to information from the Commission to which it responded on the 30 June 2022 via email. However, the data subject alleged that information provided in the email was insufficient. He therefore claimed that the Commission had failed to issue a position (inactivity claim) in response to the data subject’s request for information. Further, he alleged that no information on the data transfer to the United States was included in the privacy policy. For this, the data subject claimed €800 compensation for the infringement of his right to access to information in violation of Article 14(3)&(4) EUDPR and Article 17(1)&(2) EUDPR as well as the principle of transparency under Article 4(1)(a) EUDPR. Holding annulment of the transfer The court dismissed the data subjects application for annulment as inadmissible since the transfers at issue are not likely to have binding legal effects or are capable of affecting the interests of the data subject changing their legal position. Claim two for damages valued at €800 The court found that the unlawful conduct only established in the case was that the Commission failed to observe the one-month time limit stipulated in Article 14(4) EUDPR. However, the data subject's argument concerned the substance of the information rather than the procedural rule that was actually infringed. Therefore, the data subject failed to demonstrate any non-material damage resulting from said infringement. The court therefore discarded the data subject’s claim for damages due to an infringement of the Commission's information obligation and of his right to access to information under Article 14 EUDPR and Article 17 EUDPR. Claim one for damages valued at €400 Amazon CloudFront The court found that for the first data transfer to Amazon CloudFront, the data remained within the EU. In the second instance, the data was transferred to the United States due to a technical adjustment caused by the data subject. Since the transfer to the United States was caused primarily by the data subject's conduct the court found no sufficiently direct causal link between the Commission's allegedly unlawful conduct and the non-material damage claimed by the data subject. Facebook sign-in The court found that through the “sign-in with facebook” hyperlink displayed on the EU login webpage, the Commission created the conditions for the transfer of personal data to Meta Platforms, which is established in the United States. Therefore, the transfer of data was attributed to the Commission. The court stipulated that at the time of the transfer, there was no decision by the Commission showing that the United States ensure an adequate level of protection for personal data. The Commission neither showed that appropriate safeguards were in place nor that standard data protection clauses or contractual clauses protected the personal data. The court established that the “sign-in with facebook” function was administered entirely according to Meta’s terms and conditions and therefore without appropriate safeguards. Therefore, the Commission did not comply with the required conditions for transfer of personal data by an EU institution to a third country contrary to Article 46 EUDPR and Article 48 EUDPR. As the data subject found himself in a position of uncertainty as regards the processing of his personal data, in particular of his IP address, the court assessed that he had suffered non-material damage and ordered the Commission to pay him damages valued at €400. Comment Share your comments here! Further Resources An appeal was funded by both the EU Commission and the claimant, Thomas Bindl. Details can be found at https://eugd.org/bindl-commission-appeal/ The cases are filed under C-206/25 P and C-211/25 P at the CJEU. Retrieved from "https://gdprhub.eu/index.php?title=GC_-_T‑354/22_-_Bindl_v_Commission&oldid=51982" Categories: GC (European Union)European Union2025 This page was last edited on 24 June 2026, at 09:21. Content is available under Creative Commons Attribution-NonCommercial-ShareAlike unless otherwise noted. Privacy policy About GDPRhub Disclaimers

Indicators of Compromise

• url — https://curia.europa.eu/juris/document/document.jsf?text=&docid=294090&pageIndex=0&doclang=DE&mode=req&dir=&occ=first&part=1&cid=338866

Entities