I. The latest from the data protection authorities and current topics
1. EU Commission: Digital Omnibus
In November this year, the European Commission published its "Digital Omnibus" proposal aimed at simplifying the system of European digital regulation, including its frameworks on data, artificial intelligence (AI), cybersecurity and platforms, without reducing the level of protection. It is also expected that changes will be made, for example, to the GDPR and the Data Governance Act. An overview of the implications of the Digital Omnibus can be found here. The AI Act is also to be amended. An overview of the most significant planned changes to the AI Act can be found here. The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) announced their intention to issue a joint opinion.
2. EDPS: Guidance for Risk Management of Artificial Intelligence systems
On 11 November 2025, the EDPS published Guidance for Risk Management of Artificial Intelligence systems. These guidelines aim to provide insights and practical recommendations to help identify and mitigate common technical risks associated with AI systems and thereby help protect personal data. The EDPS guidelines provide a checklist for each phase of the AI development cycle.
3. EDPB: Topic of coordinated action for 2026
After the right to erasure under Article 17 GDPR was the subject of the coordinated action of the data protection authorities this year, the EDPB announced the topic of the coordinated action for 2026 on 14 October 2025. This will concern compliance with the transparency and information obligations set out in Articles 12 to 14 GDPR. These provisions of the GDPR ensure, among other things, that data subjects are informed when their data are processed. The aim of the coordinated actions is to assess the implementation of the GDPR by companies and authorities. In addition, the data protection authorities hope to gain an overview of best practices by controllers.
4. EDPB: Recommendations on the legal basis for acquiring user accounts on e-commerce websites
In December of this year, the EDPB presented Recommendations 2/2025 on the legal basis for requiring the creation of user accounts on e-commerce websites. These are the subject of a public consultation. The EDPB recommends that e-commerce websites generally allow their users to shop without creating an account, for example via a guest mode. According to the EDPB, the mandatory creation of a user account is only justified in a few exceptional cases, such as for subscriptions or exclusive offers. The aim is to promote data-minimising and GDPR-compliant processes and to ensure a user-friendly online shopping experience.
5. Data Protection Conference: Guidance on the data protection implications of generative AI systems using the RAG method
The Conference of Independent Data Protection Supervisory Authorities in the Federal and State Governments (Data Protection Conference) has published version 1.0 of its Guidance on the data protection implications of generative AI systems using the Retrieval Augmented Generation (RAG) method. RAG systems combine large language models with targeted access to proprietary knowledge sources to provide context-specific responses and increase the accuracy and reliability of AI output, e.g. internal chatbots that access current business data. This allows companies and public authorities to leverage the advantages of modern AI while reducing risks to data subject rights, provided that transparency and purpose limitation are maintained. However, data protection challenges such as transparency and the evaluation of individual processing operations remain and require ongoing technical and organisational measures (TOMs).
6. Saxony-Anhalt: Checklist for data protection and data security standards
Article 40 (4) Digital Services Act obliges providers of very large online platforms or very large online search engines to provide authorised researchers who meet the requirements of Article 40 (8) DSA, at the reasoned request of the Digital Services Coordinator of establishment and within a reasonable period specified in that request, access to data for the purpose of conducting research. Article 40 (8) DSA sets out the requirements for the security of personal data that researchers must meet. The State Commissioner for Data Protection of Saxony-Anhalt provides a Checklist for data protection and data security standards for these data access requests, which is intended to help ensure compliance with the requirements of data protection law.
II. New GDPR fines
Get an overview of the fining practices of data protection authorities in the 6th edition of our CMS Enforcement Tracker Report 2025.
1. Croatia: EUR 4.5 million fine for non-compliance with the general principles of data processing
In Croatia, the data protection authority imposed a GDPR fine of EUR 4.5 million in November of this year, due in part to the lack of standard contractual clauses (SCC). The controller transferred personal customer data to a processor in the Republic of Serbia, with the transfers being based on SCC from 16 April 2020 until 27 December 2022 at the latest. After this date, transfers continued without SCC or equivalent safeguards, despite Serbia lacking an adequacy decision. The controller was also accused of other GDPR violations, such as failing to carry out a risk assessment for the transfer and failing to inform the data subjects.
2. Netherlands: EUR 2.7 million fine for insufficient legal basis
In October of this year, the Dutch data protection authority imposed a GDPR fine of EUR 2.7 million. The controller, a company that determines individuals' creditworthiness and sells this information, processed personal data without a sufficient legal basis. The controller also failed to inform the data subjects about the processing of their data.
3. France: EUR 1.5 million fine for insufficient legal basis
At the end of November 2025, the French data protection authority imposed a fine of EUR 1.5 million on a credit card provider for insufficient legal basis. The controller used excessive cookies on its website. In addition, the controller failed to adequately inform the data subjects about them.
III. Recent case law
1. CJEU: Responsibility of the operator of an online marketplace website within the meaning of Article 4 (7) GDPR
The Court of Justice of the European Union (CJEU) has ruled that the operator of an online marketplace website is responsible for the processing of personal data contained in advertisements published on its platform (CJEU, judgment of 2 December 2025 – C-492/23). In particular, the controller is required, before the publication of the advertisements, to identify those which contain sensitive data and to verify whether the advertiser is actually the person whose data is contained in the advertisement or whether the advertiser has the explicit consent of the data subject. If such consent has not been given, publication of the advertisement must be refused. According to the CJEU, the aforementioned obligations must be ensured by appropriate TOMs. The independent data protection commissioners of Berlin and Hamburg welcomed the CJEU's decision in a press release. This decision of the CJEU has far-reaching implications for operators of online marketplaces, as it considerably expands their data protection obligations and establishes clear guidelines for handling (sensitive) personal data. The CJEU is thus setting new standards for control and prevention on digital platforms and increasing the requirements for TOMs.
2. CJEU: "Soft opt-in"
With its judgment of 13 November 2025 in Case C-654/23, the CJEU issued an important ruling on the permissibility of newsletters in connection with the sale of a product or service, the so-called "soft opt-in". Firstly, the CJEU interprets the term "direct marketing" broadly, such that an email address is also deemed to have been obtained "in connection with the sale of a product or service" if the service is free of charge for the user but other paid services can be ordered via this service. The same applies if the service is financed by advertising. Secondly, the CJEU ruled in this case that, in particular, the conditions for the basis of processing set out in Article 6 GDPR do not apply (in parallel) to Article 13 (3) Directive on privacy and electronic communications, as this supersedes the GDPR as a more specific standard. According to the CJEU, the conditions for the lawfulness of processing set out in Article 6 (1) GDPR do not apply if the controller uses a user's email address to send them an unsolicited communication in accordance with Article 13 (2) Directive on privacy and electronic communications. Article 13 of this "ePrivacy Directive" was implemented in Germany in section 7 German Unfair Competition Act (UWG).
3. CJEU: Action for annulment of the framework for the transfer of personal data between the EU and the USA
After the General Court (EGC) dismissed the action for annulment of the EU adequacy decision on the transfer of personal data between the EU and the US in its judgment of 3 September 2025 (T-553/23) and, among other things, referred to the fact that the US guaranteed an adequate level of data protection at the time of the decision, it is now confirmed that the CJEU will rule on the matter. The MEP and claimant in the Latombe case has lodged an appeal with the CJEU against the decision of the General Court. The Latombe v. Commission case is now pending before the CJEU under case number C-703/25 P. What is noteworthy about the General Court's decision is that the Court did not rule on admissibility, namely the claimant's right to bring an action, but expressly left this matter open and ruled exclusively on the merits of the action. The right to bring an action is questionable in these proceedings, as an individual is challenging an adequacy decision. It remains to be seen how the CJEU will rule on the admissibility and merits of the action.
4. German Federal Court of Justice (BGH): Permissibility of transferring "positive data" to SCHUFA
Recently, the courts have been dealing with a large number of cases in which the claimants demanded compensation from a telecommunications company in accordance with Article 82 GDPR due to that company's disclosure of personal data to a credit agency. The majority of the claims were dismissed due to there being no GDPR violation and/or no damage (see our blog). In fact, most courts considered the processing to be covered by Article 6 (1) (1) (f) GDPR.
The German Federal Court of Justice (BGH) has now confirmed this assessment in its judgment of 14 October 2025 (VI ZR 431/24). The case decided by the BGH did not concern compensation in accordance with Article 82 GDPR, but rather the permissibility of data processing. The action was not brought by a data subject, but by a consumer organisation that objected to the transfer of positive data. Its action for an injunction was dismissed by the lower court, and the BGH upheld that dismissal. The BGH considers the transfer to the credit agency of the master data of consumers required for identity verification, and of the information that a contractual relationship has been established or terminated, to be justified in accordance with Article 6 (1) (1) (f) GDPR. The defendant's legitimate interest is sufficient fraud prevention. This decision by the BGH will have an impact on compensation proceedings in similar cases.
5. Berlin Administrative Court: No joint responsibility of entrepreneur and address trader in the "Lettershop" procedure
In its judgment of 14 October 2025 (1 K 74/24), Berlin Administrative Court ruled that a company (the advertiser) on whose behalf an address trader sends direct marketing in the "Lettershop" procedure, where the advertiser specifies customer categories but does not obtain access to the addresses used, is not jointly responsible with the address trader under data protection law for data processing in the form of selecting and using the address data in accordance with Article 4 (7) and Article 26 (1) sentence 1 GDPR.
6. Review of GDPR compensation
This year, compensation in accordance with Article 82 GDPR has again been a topic of discussion in the courts. According to our analysis, approximately 120 of the nearly 180 cases included in our overview (German language) have been dismissed so far in 2025. The amount of compensation awarded ranges from EUR 100 to EUR 5,000.