Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (“DORA”) contains a number of requirements for ICT service providers, which will become binding on January 17, 2025. Therefore, 2024 will be a year of intensive work on the part of service providers to ensure compliance with the new, demanding regulation.

Under the GDPR, data subjects may claim compensation if they suffered damage because the controller infringed its obligations under the GDPR. Does a data theft by cybercriminals mean that the controller has not adopted appropriate data security measures, and therefore failed to comply with its data protection obligations? Can a data subject claim compensation if their only damage is the fear that their personal data was misused? The Court of Justice of the European Union answered these questions in a recent decision, which is analysed in this short article.

Although gender identity does not constitute sensitive data under the GDPR, its legal protection is nevertheless very robustly designed. Companies that choose to disregard it may face claims for damages and fines.

