The first quarter of 2025 has brought several key rulings from the Court of Justice of the European Union (CJEU) that are shaping GDPR compliance and enforcement. Here is our first CJEU case round-up of the year.
Dun and Bradstreet Austria C-203/22
Transparency in Automated Decision-Making
Case Summary:
The CJEU held that under Article 15 of the GDPR, data subjects have the right to receive meaningful information about automated decision-making (ADM) in a concise and easily accessible form, ensuring transparency and enabling challenges to such decisions.
Background:
In Austria, a mobile operator denied a contract to a customer based on an automated credit assessment by Dun & Bradstreet Austria. The customer requested information about the logic behind the decision, to no avail, and subsequently lodged a complaint with the Austrian DPA. The DPA ordered Dun & Bradstreet to disclose this information, but the company appealed the decision before the Vienna Administrative Court, which referred the case to the CJEU for a preliminary ruling.
Key Findings:
- Controllers must explain how an automated decision was reached in a way that enables the data subject to challenge it.
- Mere disclosure that an automated decision was made is not sufficient. Controllers must describe the ADM process clearly.
- Trade secrets cannot justify withholding essential transparency rights.
Key Takeaways:
- Transparency beyond black-box AI is a fundamental right: simply stating that an algorithm was used isn’t enough. Controllers must describe the actual procedure and principles applied and demonstrate how variations in input data would have changed the decision.
- Verification rights: if there is a significant gap between a risk score and the actual decision, or if the explanation provided is insufficient, the decision may be unlawful under GDPR. Individuals must be able to verify both the accuracy of the data used and the logic of the ADM process, as well as be given the possibility to challenge it.
- Trade secrets don’t justify opacity: while trade secrets are protected, they cannot override the right to a meaningful explanation. Supervisory Authorities and courts may review the logic behind ADM to ensure compliance.
CJEU Amt der Tiroler Landesregierung C-638/23
Public bodies as data controllers
Case Summary:
The case clarified that public bodies, even those without legal personality, can be data controllers under Article 4(7) of the GDPR and must ensure compliance with the obligations the GDPR places on controllers.
Background:
During the COVID-19 pandemic, an Austrian administrative body, the Amt der Tiroler Landesregierung (“the Office”), sent ‘vaccination reminder letters’ to all adults in the Austrian province of Tyrol who had not yet been vaccinated against COVID-19, using patient data from national registers.
A recipient filed a complaint with the DPA against the Office alleging unlawful processing of personal data. The Office was found to be in breach of the GDPR for unlawful access to the patient index, lost the appeal before the Austrian federal administrative court, and ultimately appealed to the Austrian supreme court, which referred the case to the CJEU for a preliminary ruling on the status of the Office as a controller within the meaning of Article 4(7) GDPR.
Key Findings:
- Public bodies such as a public authority, an agency or a body, can be controllers even if they lack legal personality under national law.
- The chief obligation of any such body, irrespective of whether or not it has legal personality, is to demonstrate accountability for the obligations and duties of a controller under the GDPR.
- Where national law designates such bodies as controllers, such entities do not need to determine processing purposes and means themselves.
Key Takeaways:
- Public authorities cannot evade GDPR obligations due to lack of legal personality. This case brings helpful clarity for lawmakers around the scope of Article 4(7), and underlines that considerations relating to legal personality are not paramount when considering the attributes of a data controller – responsibility and accountability for the processing operations will be key.
- National laws designating controllers must ensure clear accountability structures.
- Organisations engaging public-sector partners should ensure GDPR compliance even in cases of delegated processing.
ILVA A/S C-383/23
Parent company liability for GDPR fines
Case Summary:
The CJEU ruled that when calculating GDPR fines for a subsidiary’s non-compliance, the total turnover of the parent company should be considered. This decision underscores the principle that financial penalties should reflect the economic reality of corporate groups, reinforcing the broad liability of parent companies under the GDPR.
Background:
ILVA A/S, a Danish furniture retailer, was fined for GDPR violations concerning the processing of customer data. The company challenged the fine, arguing that it should be calculated based only on its own turnover, rather than the broader financial resources of its corporate group. The Danish DPA, however, determined that the fine should be assessed in line with the total annual turnover of the parent company, in accordance with GDPR Article 83(4)–(6). The case was escalated to the Danish courts, which referred key questions to the CJEU regarding the scope of financial liability under GDPR.
Key Findings:
- Parent company turnover must be included when calculating fines for GDPR violations by subsidiaries.
- The assessment of fines should consider the economic entity as a whole, rather than limiting it to the direct infringer.
- The approach aligns with EU competition law principles, where corporate groups are treated as single economic units for penalty calculations.
Key Takeaways:
- Parent companies cannot evade GDPR liability by isolating data processing activities within smaller subsidiaries.
- Businesses operating as part of multinational groups must consider group-wide turnover when assessing potential GDPR penalties.
- The decision reinforces the EU’s broader approach to financial penalties, ensuring that fines serve as effective deterrents across entire corporate structures.
European Data Protection Supervisor v Single Resolution Board (appeal against the judgment of the General Court of the EU) C-413/23
Personal data and pseudonymisation
Case Summary:
On 5 February 2025 Advocate General Spielmann issued an Opinion stating that pseudonymised data shared with third parties should not automatically be considered personal data if re-identification risks are “non-existent or insignificant”. The Opinion follows an appeal by the European Data Protection Supervisor seeking to have set aside the General Court’s 2023 judgment in SRB v EDPS (T-557/20). It clarifies the scope of personal data under the GDPR, particularly in relation to data sharing and pseudonymisation practices.
Background:
The case arose from a dispute between the European Data Protection Supervisor (EDPS) and the Single Resolution Board (SRB), an EU agency responsible for handling bank failures. The SRB transferred bank resolution data in a pseudonymised form to third parties. The EDPS argued that such data should still be considered personal data, requiring full GDPR protections. The General Court previously ruled in favour of the SRB, holding that if the receiving party lacks the means to re-identify individuals, the data does not constitute personal data. The EDPS appealed the decision to the CJEU.
Key Findings:
- Pseudonymised data does not automatically qualify as personal data under GDPR if re-identification risks are negligible.
- The classification of data as personal depends on the “means reasonably likely to be used” by the recipient to re-identify individuals.
- Context matters: data protection obligations vary depending on who holds the data and their ability to link it to an identifiable person.
Key Takeaways:
- Not all pseudonymised data must be treated as personal data, especially if safeguards prevent re-identification.
- The decision reinforces that controllers must assess re-identification risks on a case-by-case basis.
- Organisations using pseudonymisation may have greater flexibility when transferring data, provided that sufficient protections exist to prevent re-identification.
Data Protection Commission v European Data Protection Board (Joined cases T-70/23, T-84/23, T-111/23)
CJEU upholds EDPB’s authority to order broader investigations in cross-border cases
Case Summary:
The CJEU confirmed that the European Data Protection Board (EDPB) has the authority to instruct national Data Protection Authorities (DPAs) to broaden their investigations in cross-border GDPR enforcement cases. This ruling reinforces the EDPB’s supervisory role and its power to ensure consistent enforcement across all EU member states.
Background:
The case originated from three binding decisions issued by the EDPB against Meta, directing the Irish Data Protection Commission (DPC) to expand its investigations into Meta’s data processing practices for Facebook, Instagram, and WhatsApp. The DPC challenged the EDPB’s authority, arguing that the EDPB exceeded its mandate by requiring further investigations beyond the scope of the initial complaints. The General Court of the EU dismissed the DPC’s arguments, affirming that the EDPB acted within its powers under the GDPR.
Key Findings:
- The EDPB has the legal authority to require national DPAs to conduct additional investigations beyond the original complaint.
- Cross-border enforcement requires a harmonised approach, and national DPAs cannot limit their inquiries to a narrow interpretation of complaints.
- The EDPB’s binding decisions are enforceable, even when they direct a national regulator to expand the scope of an investigation.
Key Takeaways:
- The ruling confirms that the EDPB can intervene to ensure consistent enforcement of GDPR across EU Member States.
- DPAs cannot ignore or restrict the scope of an investigation when directed by the EDPB to take further action.
- Companies under regulatory scrutiny in one Member State, such as large tech companies, may face broader EU-wide investigations if the EDPB deems it necessary.