knowledge 28 January 2026 |

Signposts from Luxembourg: GDPR Judgments from EU Courts in 2025

Definition of Personal Data

EDPS v SRB (C-413/23), 4 September 2025: The ECJ explicitly held for the first time that data which is sufficiently pseudonymised by an organisation may continue to be personal data for the original controller, but be anonymised data for a recipient who cannot re-identify the individuals concerned.  This brought welcome clarity that the concept of personal data is not absolute.

Data Protection Principles

MOUSSE v CNIL and Others (C-394/23), 9 January 2025: The ECJ held that requiring customers to select a title such as “Mr/Mrs” when buying a train ticket online violated the principle of data minimisation under the GDPR.  In a decision that prompted many organisations to review the necessity of their data collection practices, the court determined that it was not objectively indispensable and therefore not necessary to the performance of a rail transport contract, or for the purpose of the legitimate interest in the circumstances.

Data Subject Rights

Dun & Bradstreet Austria (C-203/22), 27 February 2025: The ECJ clarified in relation to the requirement to provide meaningful information about automated decision making under Article 15 GDPR, that a controller must describe the procedure and principles actually applied in such a way that the data subject can understand which of his or her personal data have been used, and how they have been used in the automated decision making. Where the controller believes the information (such as an algorithm used in a credit assessment) involves trade secrets or third‑party data, it must provide that material to the competent authority or court to enable them to balance the competing rights and determine the extent of the right to access that information.

Ballmann v. EDPB (Case T-183/23), 16 July 2025: The General Court ruled that the EDPB's refusal to provide the applicant with access to files relating to a binding decision concerning their data subject complaint to the DPC was unlawful, confirming the data subject’s right to access the files which directly concerned her complaint. The ruling is currently under appeal to the ECJ.

Deldits (C‑247/23), 13 March 2025: The ECJ ruled that the right to rectification (Article 16 GDPR) requires a national authority to correct a person’s gender identity where it is shown to be inaccurate. The authority may require that person to provide relevant and sufficient evidence to establish that the information concerning their gender is inaccurate but may not go so far as to require proof of gender reassignment surgery.

Österreichische Datenschutzbehörde (Demandes excessives) (C‑416/23), 9 January 2025: The ECJ clarified the meaning of “excessive requests” to a data protection authority under Article 57(4) GDPR, stating that (1) excessiveness depends not only on the number of requests but also on their intent; and (2) data protection authorities are required to justify refusals or fees with a well‑reasoned and proportionate approach.

International Data Transfers

Latombe v Commission (Case T-553/23), 3 September 2025: The General Court dismissed an action seeking annulment of the European Commission’s adequacy decision in connection with the EU–U.S Data Privacy Framework, confirming its validity. The case is now under appeal before the ECJ.

Cross Border Supervision

Data Protection Commission (“DPC”) v European Data Protection Board (“EDPB”) (Case T-70/23 (Joined Cases T-70/23, T-84/23, T-111/23)), 29 January 2025: The General Court dismissed a challenge by the DPC to directions issued to it by the EDPB, endorsing the EDPB’s interpretation of its power to require a lead supervisory authority to broaden the scope of an investigation carried out under the one-stop-shop system.

Enforcement

ILVA A/S, (C-383/23), 13 February 2025: The ECJ confirmed that for the purposes of determining the maximum administrative fine under Articles 83(4)-(6) GDPR, the term “undertaking” corresponds to the concept of “undertaking” provided for in EU competition law under Articles 101 and 102 TFEU. The Court also confirmed that to ensure that the actual fine imposed is effective, proportionate and dissuasive as required under Article 83(1), the concept of “undertaking” must be taken into account to assess the actual or material economic capacity of the recipient of the fine.

Remedies

Bindl v Commission (Case T-354/22), 8 January 2025: The General Court ordered the European Commission to pay €400 in damages to an individual after transferring their personal data to the United States without implementing a valid data transfer mechanism under EU law. This marks the first time an EU court has recognised that individuals may be awarded non-material damages as a result of unlawful data transfers. The case is currently under appeal to the ECJ.

Quirin Privatbank (C-655/23), 4 September 2025: The ECJ held that the GDPR does not grant data subjects a right to seek an injunction against future unlawful data processing if they have not requested the erasure of the personal data concerned, however, national law may still provide for such relief. It further clarified that “non-material damage” under Article 82(1) includes emotional harm such as fear or annoyance arising from a breach, and that the controller’s fault is not relevant when assessing the level of compensation. An injunction under national law also cannot reduce or replace damages for non-material harm.

Comment

This set of 2025 judgments from Luxembourg offers a striking snapshot of the maturing EU data protection regime, one increasingly focused on the practical enforcement of individuals’ rights as well as institutional accountability. Together, these judgments signal an increasingly assertive and interpretively sophisticated data protection jurisprudence, with real implications for both enforcement authorities and regulated organisations in 2026 and beyond.

For further information, please contact one of the key contacts below.

Also contributed to by Isobel Murphy