2025 Data Protection Highlights

As we enter 2026, it is an opportune time to spotlight a selection of key data protection developments from 2025, including the renewal of the EU-UK adequacy decisions and notable judgments delivered by the Court of Justice of the European Union.

Our overview concludes with a table summarising the key takeaways from each judgment or event, allowing for a quick review of the 2025 highlights discussed below.

1. Transfer of personal data to third countries

Renewal of the EU-UK adequacy decisions

On 19 December 2025, the European Commission renewed its 2021 adequacy decisions for the United Kingdom (the “UK”), thus ensuring that personal data can continue to flow freely and securely from the European Union (the “EU”) to the UK. 

This renewal followed a comprehensive assessment of the UK’s data protection framework, including recent amendments introduced by the UK Data (Use and Access) Act, and confirmed that the safeguards provided by the UK remain essentially equivalent to EU standards.

The new adequacy decisions will last for six years, until 27 December 2031, and will be subject to formal review in four years. 

The European Commission will continue to monitor developments in the UK’s legal framework and retains the authority to amend or revoke the decisions if future changes compromise the level of protection required by EU law.

Judgment of the General Court of 3 September 2025 (T-553/23, Latombe v Commission): validation of the EU-US Data Privacy Framework

The General Court dismissed an action for annulment of the EU-US Data Privacy Framework (the “EU-US DPF”), which is the certification mechanism for the transfer of personal data from the EU to the United States of America (the “US”).

The action challenged the EU-US DPF on grounds of alleged non-compliance with the GDPR [1] and the Charter of Fundamental Rights. The main concerns focused on the actual impartiality and independence of the Data Protection Review Court (the “DPRC”) as well as the existence of sufficient safeguards for bulk data collection.

Following a detailed assessment, the General Court found that the DPRC’s structure provides sufficient guarantees of independence and impartiality and that US law ensures adequate safeguards and oversight mechanisms for bulk data collection.

Consequently, the General Court upheld the validity of the EU-US DPF, confirming that the US offers an adequate level of protection for personal data transferred from the EU to organisations certified under this framework. 

2. The concept of “non-material damage”

Judgment of the European Court of Justice (“ECJ”) of 4 September 2025 (C-655/23, IP v Quirin Privatbank AG)

In the context of unlawful processing of a data subject’s personal data (i.e. sending a message containing personal data such as salary expectations, name, or level of remuneration offered, to a wrong recipient), the ECJ clarified the requirements for compensation for non-material damage under Article 82 of the GDPR.

The ECJ ruled that the concept of “non-material damage” includes negative feelings, such as fear or annoyance, experienced by a data subject as a result of unauthorised disclosure, provided that these feelings and their negative consequences (loss of control over personal data, harm to reputation, etc.) result from a GDPR infringement. The causal link must be proved by the data subject.

The ECJ specified that the degree of fault of the controller is irrelevant when assessing the amount of compensation for such non-material damage. 

This ruling also clarified that although the GDPR does not expressly grant data subjects a direct right to seek a preventive measure – such as an injunction – to halt future unlawful processing, Member States remain free to establish such remedies within their own legal systems.

The existence of a prohibitory injunction under national law cannot, however, be used to reduce or replace the financial compensation owed to the data subject in case of proven non-material damage resulting from a GDPR violation.

3. The evolution of the concept of pseudonymised data

ECJ’s judgment of 4 September 2025 (C-413/23P, EDPS v SRB)

In its ruling, the ECJ refined the concept of pseudonymised data in the context of a dispute involving the application of Regulation 2018/1725 [2]. The case arose after a controller shared pseudonymised comments from former shareholders and creditors of a Spanish bank with a third-party consultant, without informing these shareholders and creditors.

While pseudonymised data were previously considered personal data in all circumstances (as opposed to anonymised data, which fall outside the scope of personal data), a more nuanced approach is now recognised. Pseudonymised data remain personal data for the original controller who processed them. When such data are shared with a third party, they may no longer be regarded as personal data, provided that the recipient cannot, or can no longer, reasonably identify the individuals to whom the data pertain.

The ECJ also clarified that the controller’s obligation to inform data subjects of potential data recipients arises at the time of data collection, before any further transfer of these personal data, whether or not the data are pseudonymised.

4. The calculation of the fines for legal entities

ECJ’s judgment of 13 February 2025 (C-383/23, ILVA A/S)

In this ruling, the ECJ confirmed, in relation to the rules on administrative fines under Article 83(4) to (6) GDPR, that the term “undertaking” should have the same meaning as under EU competition law (Articles 101 and 102 of the Treaty on the Functioning of the European Union). Therefore, “undertaking” under Article 83(4) to (6) GDPR refers to an economic unit even if it is composed of several legal entities.

This interpretation was already set out in the Guidelines 04/2022 on the calculation of administrative fines under the GDPR adopted by the European Data Protection Board on 24 May 2023.

Accordingly, when calculating the maximum amount of fines that can be applied following a GDPR violation (on the basis of a percentage), supervisory authorities must consider, when the infringer is part of a group of companies, the total worldwide annual turnover in the preceding financial year of the entire economic unit (i.e. the undertaking, the group of companies) rather than that of the individual entity at stake.

Taking into account the turnover of the whole economic unit allows for the calculation of a fine that is effective, proportionate and dissuasive.

5. Liability of online marketplace operators acting as controllers and the articulation with the liability exemptions for online intermediaries under the e-Commerce Directive

ECJ’s judgment of 2 December 2025 (Grand Chamber, C-492/23, Russmedia Digital v Inform Media Press)

The ECJ delivered a significant judgment addressing the liability of an operator of an online marketplace, after a third party anonymously published a false advertisement on its platform containing sensitive personal data and photographs of the claimant without her consent. Although the online marketplace (Russmedia) promptly removed the advertisement upon notification by the claimant, the content had already spread to other websites.

The claimant sought compensation for breaches of the GDPR, her right to image, right to honour and right to privacy, while the online marketplace sought protection under the intermediary liability exemption provided by Directive 2000/31/EC [3] (the “e-Commerce Directive”).

The ECJ first held that the online marketplace and the advertiser qualify as joint controllers of personal data in user-generated advertisements, given Russmedia’s significant control over the content published on its platform. Indeed, the advertisement could not have been published on the Internet without Russmedia. Russmedia therefore participated in the determination of the means of that publication. Moreover, Russmedia’s general terms and conditions of use state that Russmedia retains the right to use the content of the advertisements published by users, including the right to copy it, distribute it, publish it, modify it, transfer it to partners or remove it at any time, without justification. Hence Russmedia can exploit the personal data related to the published content for its own advertising and commercial purposes. Russmedia therefore participated in the determination of the purposes of the processing of personal data contained in the publication at stake.

The ECJ further clarified that an operator of an online marketplace acting as a controller of personal data cannot rely on the liability limitations for intermediary providers under the e-Commerce Directive to avoid complying with the obligations laid down by the GDPR. 

These GDPR obligations require the following, by means of appropriate technical and organisational measures:

  • identifying advertisements containing sensitive data and verifying whether the user advertiser is the person whose personal data appear in the advertisement;
  • verifying the explicit consent of that person prior to publication, or refusing the publication of the advertisements if consent or the application of another legal basis for sensitive data is not demonstrated;
  • preventing the unlawful dissemination of such advertisements containing sensitive personal data on third-party websites.

| Topic | Event or Judgment | Date | Key Takeaways |
| --- | --- | --- | --- |
| Transfer of Personal Data to Third Countries | Renewal of EU-UK adequacy decisions | 19 December 2025 | Data can continue to flow freely from the EU to the UK until December 2031. |
| Transfer of Personal Data to Third Countries | General Court judgment (T-553/23, Latombe v Commission) | 3 September 2025 | EU-US Data Privacy Framework upheld. US offers adequate protection for personal data transferred to certified organisations under this framework. |
| Non-Material Damage under GDPR | ECJ judgment (C-655/23, IP v Quirin Privatbank AG) | 4 September 2025 | “Non-material damage” includes emotional harm (fear, annoyance) if linked to GDPR breach. Degree of controller’s fault is irrelevant for compensation. |
| Pseudonymised Data | ECJ judgment (C-413/23P, EDPS v SRB) | 4 September 2025 | Pseudonymised data may no longer be regarded as personal data for third parties/recipients if re-identification is impossible. Obligation to inform data subjects arises at data collection. |
| Calculation of Fines for Legal Entities | ECJ judgment (C-383/23, ILVA A/S) | 13 February 2025 | Fines must be based on turnover of the entire economic unit (group), not just the individual entity, ensuring effectiveness and deterrence. |
| Liability of Online Marketplace Operators | ECJ judgment (Grand Chamber, C-492/23, Russmedia Digital v Inform Media Press) | 2 December 2025 | Online marketplaces acting as controllers cannot rely on e-Commerce Directive liability exemptions. They must implement measures to protect personal data in user ads. |

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Legislation).

[2] Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

[3] Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market.