I. The latest from the data protection authorities and current topics
1. Data Act applicable since 12 September 2025
The obligations under the Data Act have been in force since 12 September 2025, but in Germany the national laws transposing it are still in the draft stage. The Data Act aims to create a comprehensive legal framework that harmonises access to and use of data across the EU. Among other things, users of IoT products have a right to access the data generated by the use of their products and services. The EU Commission has issued updated FAQs on the Data Act, which coincide with the date it takes effect. We also provide an up-to-date overview of the transposition status in our blog post "Data Act: The obligations are binding from 12 September 2025". You can also find everything you need to know in our video series on the most important provisions of the Data Act.
2. EDPB: Guidelines on the DSA and the GDPR
In September this year, the European Data Protection Board (EDPB) adopted guidelines on the interplay between the Digital Services Act (DSA) and the European General Data Protection Regulation (GDPR), as the DSA contains a number of provisions that provide for the processing of personal data by intermediary service providers. The guidelines assist in interpreting how the GDPR should be applied in the context of the obligations under the DSA. Further guidelines on the interplay between the Digital Markets Act (DMA) and the GDPR, as well as between the AI Act and EU data protection laws, are expected.
3. Draft bill: AI Market Surveillance and Innovation Promotion Act
The new draft for an "AI Market Surveillance and Innovation Promotion Act" (KI-MIG) was published on 12 September 2025 and builds on the draft from last year. The KI-MIG provides guidance on how Germany could structure its supervisory framework and organise its authorities to implement the AI Act. For all areas without an existing or legally assigned supervisory authority, the German Federal Network Agency will be the competent market surveillance authority and notifying authority. The draft also contains provisions on cooperation and collaboration between the competent market surveillance authorities and on the involvement of other authorities. This concerns, in particular, the national data protection authorities. They take a critical view of the draft and have expressed this in various press releases, one example being the press release from Berlin's Commissioner for Data Protection and Freedom of Information.
4. Data Protection Conference: guidance on data transfers to third countries for scientific research for medical purposes
In September 2025, the Conference of Independent German Federal and State Data Protection Supervisory Authorities (DSK) published guidance on the requirements for data transfers to third countries in the context of scientific research for medical purposes. The guidance refers to various legal bases for the transfer of personal data such as health data or personal data contained in biomaterials to third countries and provides controllers with steps for assessing international research projects.
II. New GDPR fines
Get an overview of the fining practices of data protection authorities in the 6th edition of our Enforcement Tracker Report 2025.
1. Poland: EUR 4.3 million fine for insufficient legal basis
In August 2025, the Polish data protection authority imposed a fine of EUR 4,323,250.00 on a bank. The controller had scanned the ID documents of all customers and potential customers without having a sufficient legal basis to do so. The controller began this procedure after a law to combat money laundering was introduced. However, the controller had failed to check the necessity of the data processing in each individual case.
2. Estonia: EUR 3 million fine for insufficient technical and organisational measures (TOMs)
In Estonia, the data protection authority imposed a GDPR fine of EUR 3 million in September of this year. The controller had failed to take appropriate technical and organisational measures (TOM) to ensure data security. This led to a data breach that affected the personal data of 750,000 people, including children and other vulnerable groups.
3. Finland: EUR 1.8 million fine for insufficient technical and organisational measures (TOMs)
In September, the Finnish data protection authority imposed a fine of EUR 1.8 million on a company. Due to a software error, customers of the controller were able to log into bank accounts of other customers, which led to financial losses.
4. France: EUR 100,000 fine for failure to comply with data protection principles
In September of this year, the French data protection authority imposed a GDPR fine of EUR 100,000 for surveillance cameras disguised as smoke detectors that were used to monitor employees after several data thefts had occurred at the company in question. The cameras were installed without consulting the data protection officer and were not part of the existing surveillance system. After the "test cameras" were dismantled, there were still SD cards with recordings; this constitutes a data protection breach that the controller did not report to the data protection authority.
5. Spain: EUR 5,400 fine for insufficient data processing agreement
The Spanish data protection authority imposed a GDPR fine of EUR 5,400. The controller appointed a processor and failed to conclude an adequate data processing agreement (DPA). The original fine of EUR 9,000 was reduced because it was paid immediately and responsibility was acknowledged.
III. Recent case law
1. EGC: Action for annulment of the framework for the transfer of personal data between the EU and the USA dismissed
The General Court has dismissed the action for annulment of the EU adequacy decision on the transfer of personal data between the EU and the USA (judgment of 3 September 2025 - T-553/23). It confirmed that the USA guaranteed an adequate level of data protection at the time of the decision. The Data Protection Review Court (DPRC) was assessed by the Court as independent and as having sufficient safeguards for its members. However, the Commission monitors compliance with the legal framework on an ongoing basis and can intervene in the event of changes.
2. CJEU: Clarification of the concept of personal data
In its judgment of 4 September 2025, the Court of Justice of the European Union (CJEU) clarified the scope of the concept of personal data in the context of the transfer of pseudonymised data to third parties in case C-413/23 P. In its decision, the CJEU clarifies that pseudonymised data does not automatically constitute personal data for all recipients. Rather, it depends on whether third parties can identify the person concerned with reasonable effort. The relevant perspective for assessing the identifiable nature of the data is that of the data controller at the time the data is collected. The circumstances of the individual case are always decisive. Hamburg's Commissioner for Data Protection and Freedom of Information classifies the judgment as "another milestone in a highly controversial legal issue".
3. CJEU: Negative feelings as immaterial damage
In response to a referral from the German Federal Court of Justice (BGH, decision of 26 September 2023 – VI ZR 97/22), the CJEU ruled on 4 September 2025 (C-655/23) that the term "non-material damage" within the meaning of Article 82 GDPR could include negative feelings experienced by the data subject as a result of the unauthorised transfer of their personal data to a third party, such as worry or annoyance caused by a loss of control over this data, its possible misuse or damage to reputation. However, according to the CJEU, this presupposes that the data subject proves that they actually have such feelings and that these negative consequences result from the relevant GDPR infringement. The degree of fault should not be taken into account when calculating the amount.
The underlying case concerned a bank erroneously forwarding applicant data to an uninvolved third party during the job application process. The applicant was not informed promptly that the data had been forwarded erroneously. In the proceedings, the claimant asserted that he had not only suffered an abstract loss of control over the data, but that the data had been passed on to a third person known to him and working in the same industry. In the first instance, Darmstadt Regional Court (judgment of 26 May 2020 - 13 O 244/19) awarded the data subject EUR 1,000, while Frankfurt a.M. Higher Regional Court (judgment of 2 March 2022 - 13 U 206/20) dismissed the action in the next instance.
4. Advocate General: opinion on Article 12 and Article 82 GDPR
In its decision of 31 July 2024 (42 C 434/23), Arnsberg District Court referred various questions on Article 82 GDPR to the CJEU. The questions concern Article 12 (5), 2nd sentence and Article 82 (1) GDPR. The proceedings are based on an action for a declaratory judgment brought by the controller against the data subject, who had asserted a claim for compensation pursuant to Article 82 GDPR due to an unfulfilled request for information. The controller had refused to provide information on the ground of abuse of rights pursuant to Article 12 (5), 2nd sentence (b) GDPR, as the data subject had subscribed to a newsletter in order to request information two weeks later and then assert a claim for compensation. The Advocate General's opinion on the case has been available since 18 September 2025.
It recommends interpreting Article 12 (5), 2nd sentence GDPR as meaning that "a first request for information made [...] to a controller may be classified as 'excessive' if the latter proves, on the basis of all relevant circumstances of the individual case, that the data subject acts with abusive intent, whereby such an intent can be established if this person has consented to the processing of their personal data in order to be able to make this request for information and subsequently claim compensation". However, such a request could not be categorised as "excessive" for the sole reason that publicly available information suggests that the data subject has asserted their right to compensation against controllers in a large number of other cases involving breaches of data protection law.
According to the Advocate General, Article 82 GDPR must be interpreted to the effect that damage caused to the data subject as a result of a breach of the GDPR "is also eligible for compensation if it was not caused as a result of the processing of that person's personal data". It remains to be seen whether the CJEU will agree with the Advocate General's view.
5. German Federal Labour Court: Compensation for not complying with the obligation to provide information
In its judgment of 5 June 2025 (8 AZR 117/24), the German Federal Labour Court (BAG) upheld the decision of the lower court Düsseldorf Labour Court (judgment of 10 April 2024 – 12 Sa 1007/23) and ruled that in the case in question the compensation in accordance with Article 82 GDPR, as awarded by the lower court, was sufficient. The case to be judged by the German Federal Labour Court concerned information that was not properly provided to an applicant who was rejected by the company. The potential employer had found out about the applicant's criminal conviction (which was not yet final and absolute) through a search in a search engine, but had not informed him about this. According to the German Federal Labour Court, the claimant had not proven any loss beyond the EUR 1,000 already awarded by the lower court.
6. Lübeck Regional Court: Request for preliminary ruling from the Court of Justice of the European Union on Article 82 GDPR
In the large number of proceedings in which claimants claim compensation from a mobile phone company pursuant to Article 82 GDPR due to the disclosure of positive data to a credit agency, a referral has now been made to the CJEU. While most national courts had previously dismissed the claims on the assumption that the transfer was covered by Article 6 (1) (f) GDPR or that no damage had occurred in any case, Lübeck Regional Court, in its decision of 4 September 2025 (15 O 12/24), referred to the CJEU the question of whether Article 6 (1) (f) GDPR applies to these cases and whether this provision should be interpreted as meaning that it "cannot justify the transfer of positive data from mobile phone companies to credit agencies organised under private law without the consent of the data subjects, at least if the credit agencies then also use the transferred data for profiling (scoring)".
Another question referred by Lübeck Regional Court concerns Article 82 GDPR. The Regional Court would like to know from the CJEU whether Article 82 (1) and (2) GDPR are to be interpreted to the effect that a loss of control can also exist "if positive data was transmitted by mobile phone companies to credit agencies organised under private law without the consent of the data subject and not deleted there until after well over a year at the earliest and the consumer concerned was informed of the data transmission when the contract was concluded". Now the CJEU has to decide on the proceedings. The Advocate General's opinion remains to be seen.