2/25
New case law on data protection.

At the CIT Data Protection Conference (see also the article CIT Data Protection Conference 2025 of this edition of the CIT News), Martin Leiter, Group Data Protection Officer at ÖBB Holding AG, gave an overview of decisions of the European Court of Justice (ECJ) of the last two years relevant to data protection law.
General information on the decisions of the ECJ
The ECJ plays a decisive role in ensuring the uniform application of EU law, and therefore also of the General Data Protection Regulation (GDPR), in all member states.
Several important issues have been resolved by the ECJ in the last two years. In addition to the cases that have already been decided, further proceedings are pending before the ECJ, in some of which the Advocate General has already issued opinions. These opinions provide important indications of the possible direction of the Court's decision, especially as the ECJ agrees with the Advocate General's opinion in most cases.
Overview of specific court proceedings
In a case (C-252/21), the ECJ clarified that breaches of data protection law do not have to be examined exclusively by data protection authorities, but that competition authorities may also examine data protection breaches as preliminary issues in competition proceedings. This paves the way for the data protection practices of large US providers (here: Meta) to be scrutinised under competition law without having to take a time-consuming diversion via a separate referral to the competent data protection authority.
The ECJ has clarified that, in the context of requests for information, the names of natural persons (employees) involved in internal processing operations do not have to be disclosed (C-579/21).
With regard to ‘automated individual decision-making’ under Art. 22 GDPR, the ECJ has ruled that the calculation of credit scores by a credit reference agency, which are transmitted to a lender, already constitutes such automated individual decision-making, even if the actual credit decision is made by another controller - namely the bank (C-634/21).
With regard to technical and organisational measures, the ECJ stated that the mere fact that a data protection incident has occurred does not mean that the measures were insufficient per se. This decision (C-687/21) is also worth mentioning because the ECJ has confirmed its case law that the claim for damages is not punitive in nature but is only intended to compensate for the concrete damage that has occurred. This also means that there is no right to compensation without damage.
A decision of particular importance for Germany and Austria (C-807/21 - Deutsche Wohnen) clarifies that fault is always required for the imposition of a fine. However, the ECJ has ruled that national regulations stipulating that certain management bodies must be at fault are not compatible with EU law.
In its decision on case C-22/26, the ECJ ruled that private organisations may only store published insolvency data for the duration of the publication. The ECJ has thus created a kind of ‘right to be forgotten’ for public debtor directories.
Case C-203/22 is an exciting decision in the area of conflict between trade secrets and the right to information: here, the ECJ ruled that the data controller must disclose all information (in this case: for the calculation of credit scores) to the authority in the course of a request for information, and that the authority should then, after weighing up the interests involved, forward the information relevant to the enquirer to that person, but must withhold business secrets. The ECJ thus establishes the data protection supervisory authorities as a kind of information trustee. Whether the data protection authorities will also accept this role remains to be seen.
In decision C-604/22, the ECJ ruled that an industry association that sets precise technical specifications for its members regarding the processing of personal data (in this case for advertising purposes) is also a joint controller, even if it does not have access to this information itself. Under certain circumstances, this decision could also be of significance for the railway industry if, for example, international ticket control is handled using predefined standards and an international association reserves the right to have a far-reaching say in the standards.
In the remarkable decision C-621/22, the ECJ states that, under certain conditions, economic interests in relation to marketing can also be ‘legitimate interests’ within the meaning of Art 6(1)(f) GDPR. Until now, it was primarily the bodies of the national data protection authorities (EDPB and, before that, the Art 29 Group) that were of the opinion that consent was always required for the processing of data for purely commercial purposes.
On the issue of the oral disclosure of information, the ECJ (C-740/22) has ruled that oral information about stored data is also subject to data protection law and therefore requires a legal basis for the disclosure of information.
During the Data Protection Conference, there was a separate presentation on decision C-394/23 regarding the processing of rail passengers’ titles ("Madame" / "Monsieur"). It can only be noted that (from the personal point of view of the author of this article) data protection law is not suitable for resolving general socio-political issues - such as gender equality or civil status law.
Decision C-416/23 examines the question of when a data protection authority is authorised to reject complaints as ‘excessive’. The ECJ stated that an intention to abuse the procedure must be expressly established and that a large number of complaints alone does not constitute such an intention to abuse. Similar considerations will probably also have to be made in connection with repeated access requests addressed to data controllers.
A question that has not yet been decided - but on which the Advocate General has already issued an opinion - could be of fundamental importance in practice, namely whether pseudonymised data is also personal data (C-413/23). It should be borne in mind here that, on the one hand, the processor of pseudonymous data does not know the content of the data and therefore cannot misuse it in relation to specific persons, but on the other hand, pseudonymisation according to Art. 6 (4) lit. e and 32 (1) lit. a of the GDPR is only a security measure and, unlike anonymisation, is not suitable for completely eliminating the personal reference. According to the Advocate General, a distinction must be made here as to whether the pseudonymisation is ‘robust’ enough to prevent the processor from gaining knowledge of the content of the data. This question was not referred to the ECJ by a national court, but arises from an appeal against a decision of the Court of First Instance of the EU (CFI). The Advocate General has recommended that the case be referred back to the CFI for appropriate findings. If the ECJ follows this legal opinion, this would mean not only that controllers would not have to conclude agreements in accordance with Art 28 GDPR with processors of ‘robustly’ pseudonymised data, but also that ‘robustly’ pseudonymised data would generally have to be regarded as non-personal data under certain circumstances.
Finally, a reference to a question that has been referred to the ECJ, but on which the Advocate General has not yet issued an opinion: in Case C-526/24, a data subject visited websites and subscribed to newsletters only to assert his rights and, based on this, also assert claims for damages. It should be borne in mind that many data protection organisations (such as NOYB) also visit websites on a large scale in order to bring abuses such as cookies set without consent before the authorities. This decision could therefore not only put a stop to escalating claims for damages as a private business model, but also significantly hinder data protection organisations in their activities.