Court of Justice of the European Union
Index of the main cases:
2025
| Date | Case | Subject |
|---|---|---|
| 04/09/2025 | C-413/23 P | Judgment of the Court in Case C-413/23 P - EDPS v SRB - The Court of Justice clarifies the scope of the concept of personal data in the context of a transfer of pseudonymised data to third parties The Court of Justice sets aside the judgment of the General Court which had annulled the decision of the European Data Protection Supervisor Following the resolution of Banco Popular Español, on 7 June 2017, the Single Resolution Board (SRB) adopted a preliminary decision on whether or not it was necessary to grant compensation to the former shareholders and creditors of that bank as a result of that resolution. Since that decision was adopted without hearing those persons, the SRB subsequently organised a procedure to enable them to submit comments on that preliminary decision. In the context of that procedure, the SRB transferred some of those comments, in the form of pseudonymised data, to Deloitte, an auditing and advisory company tasked by the SRB with carrying out a valuation of the effects of the resolution procedure on shareholders and creditors. |
| 03/09/2025 | T-553/23 | Judgment of the General Court in Case T-553/23 - Latombe v Commission - Data Protection: the General Court dismisses an action for annulment of the new framework for the transfer of personal data between the European Union and the United States - The Charter of Fundamental Rights of the European Union and the Treaty on the Functioning of the European Union (TFEU) enshrine the right of every person to the protection of his or her personal data. On the basis of those legal instruments, and to avoid compromising the level of protection conferred within the European Union, EU secondary legislation lays down the rules applicable to international transfers of personal data. In accordance with those rules, if the European Commission considers that a third country ensures an adequate level of protection, transfers of personal data to that country may take place without further authorisation, on the basis of the adequacy decision adopted by the Commission. Such a framework, established by the adequacy decision adopted by the Commission on 10 July 2023 (’the contested decision’), exists between the European Union and the United States of America. In the past, in the judgments in Schrems I and Schrems II, the Court of Justice declared the two previous adequacy decisions concerning the United States to be invalid, on the ground that they did not ensure a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed by EU law. |
| 09/01/2025 | C-394/23 | Judgment of the Court in Case C-394/23 - Mousse - GDPR and rail transport: a customer’s gender identity is not necessary data for the purchase of a transport ticket. The collection of data regarding customers’ titles is not objectively indispensable, in particular where its purpose is to personalise commercial communication. The association Mousse challenged, before the French data protection authority (the CNIL), the practice of the French railway undertaking SNCF Connect whereby the latter systematically requires its customers to indicate their title (‘Mr’ or ‘Ms’) when purchasing transport tickets online. That association takes the view that that requirement infringes the General Data Protection Regulation (GDPR), in particular in the light of the principle of data minimisation, since an indication of the title, which corresponds to a gender identity, does not appear to be necessary for the purchase of a rail transport ticket. In 2021, the CNIL decided to reject that complaint, finding that that practice did not constitute an infringement of the GDPR. |
2024
| Date | Case | Subject |
|---|---|---|
| 21/03/2024 | C-61/22 | Judgment of the Court in Case C-61/22 - Landeshauptstadt Wiesbaden - The mandatory insertion in identity cards of two fingerprints is compatible with the fundamental rights to respect for private life and to the protection of personal data. However, since the regulation laying down that measure was adopted on an incorrect legal basis, the Court of Justice declares it invalid, while maintaining its effects until, at the latest, 31 December 2026, so that the EU legislature may adopt a new regulation on the correct legal basis. The Court finds that the obligation to insert two complete fingerprints into the storage medium of identity cards constitutes a limitation of the fundamental rights to respect for private life and to the protection of personal data, guaranteed by the Charter of Fundamental Rights of the European Union. However, that insertion is justified by the objectives of general interest of combating the production of false identity cards and identity theft, as well as ensuring the interoperability of verification systems. It is indeed appropriate and necessary to achieve those objectives and is not disproportionate in relation to them. |
| 14/03/2024 | C-46/23 | Judgment of the Court in Case C-46/23 - Újpesti Polgármesteri Hivatal - Protection of personal data: the supervisory authority of a Member State may order the erasure of unlawfully processed data, even in the absence of a prior request by the data subject. Such erasure may cover both data collected from that person and data originating from another source. The Hungarian court asks the Court of Justice to interpret the GDPR. In its judgment, the Court of Justice replies that the supervisory authority of a Member State may order, of its own motion, that is to say even in the absence of a prior request by the data subject submitted to that end, the erasure of unlawfully processed data where such a measure is necessary for it to carry out its task of monitoring full compliance with the GDPR. Where that authority finds that processing of data does not comply with the GDPR, it must remedy the infringement found, and that even in the absence of a prior request by the data subject. Indeed, requiring such a request would mean that the controller could, in the absence of a request, retain the data at issue and continue to process them unlawfully. |
| 07/03/2024 | C-604/22 | Judgment of the Court in Case C-604/22 - IAB Europe - Auctioning of personal data for advertising purposes: the Court clarifies the rules under the GDPR. When a user consults a website or application containing advertising space, companies, brokers and advertising platforms, which represent thousands of advertisers, can bid in real time, behind the scenes, to acquire that advertising space in order to display advertisements there which are tailored to the user’s profile (Real Time Bidding). In its judgment, the Court of Justice confirms that the TC String contains information concerning an identifiable user and therefore constitutes personal data within the meaning of the GDPR. Indeed, where the information contained in a TC String is associated with an identifier, such as, in particular, the IP address of the user’s device, it may make it possible to create a profile of that user and to identify him or her. |
| 05/03/2024 | C-755/21 | Appeal - Cooperation of law enforcement services - Regulation (EU) 2016/794 - Article 49(3) and Article 50 - Protection of personal data - Unlawful processing of data - Criminal proceedings brought in Slovakia against the appellant - Technical analysis carried out by the European Union Agency for Law Enforcement Cooperation (Europol) for the purposes of the investigation - Extraction of data from mobile telephones and from a USB storage medium belonging to the appellant - Disclosure of those data - Non-material damage - Action for compensation - Nature of non-contractual liability - Europol and the Member State in which damage occurred as a result of unlawful data processing that took place in the context of cooperation between them are jointly and severally liable for that damage. |
| 30/01/2024 | C-118/22 | Reference for a preliminary ruling - Directive (EU) 2016/680 - Article 4(1)(c) and (e), read in conjunction with Articles 5 and 10, Article 13(2)(b) and Article 16(2) and (3) of that directive, and in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that it precludes national legislation which provides for the retention by the police authorities, for the purposes of preventing, detecting, investigating and prosecuting criminal offences or executing criminal penalties, of personal data, in particular biometric and genetic data, relating to persons who have been the subject of a final criminal conviction for an intentional offence subject to public prosecution, until the death of the data subject, even in the event of his or her rehabilitation, without imposing on the controller the obligation to review periodically whether such retention is still necessary, nor granting that person the right to erasure of those data once their retention is no longer necessary in the light of the purposes for which they were processed or, where appropriate, the right to restriction of their processing. |
| 25/01/2024 | C-687/21 | Reference for a preliminary ruling - Regulation (EU) 2016/679 - 1. Articles 5, 24, 32 and 82, read together, must be interpreted as meaning that, in the context of an action for compensation based on that Article 82, the fact that employees of the controller handed over by mistake a document containing personal data to an unauthorised third party is not sufficient, in itself, to consider that the technical and organisational measures implemented by the controller concerned were not ‘appropriate’, within the meaning of those Articles 24 and 32; 2. Article 82(1) must be interpreted as meaning that the right to compensation provided for in that provision, in particular in the case of non-material damage, fulfils a compensatory function, in that financial compensation based on that provision must allow the damage actually suffered as a result of the infringement of that regulation to be compensated in full, and does not fulfil a punitive function; 3. Article 82 must be interpreted as meaning that it does not require the degree of seriousness of the infringement committed by the controller to be taken into account for the purposes of compensation for damage on the basis of that provision; 4. Article 82(1) must be interpreted as meaning that the person seeking compensation under that provision is required to establish not only an infringement of provisions of that regulation, but also that that infringement caused him or her material or non-material damage; 5. Article 82(1) must be interpreted as meaning that, in the case where a document containing personal data has been handed over to an unauthorised third party who, it is established, did not become aware of those data, the mere fact that the data subject fears that, as a result of that disclosure - which made it possible to make a copy of that document before it was returned - a dissemination or even a misuse of his or her data may occur in the future does not constitute ’non-material damage’. |
2023
| Date | Case | Subject |
|---|---|---|
| 23/11/2023 | C-710/23 | Request for a preliminary ruling - 1. Whether the disclosure of information on the acts performed by a legal person, which also includes information relating to a natural person, entails the processing of personal data of legal persons only or also of natural persons and, 2. Whether the disclosure of information may be made subject to a condition going beyond the GDPR |
| 14/11/2023 | C-683/23 | Request for a preliminary ruling - Transfer of personal data not based on the consent of the data subject or on EU or Member State law |
| 7/11/2023 | C-655/23 | Request for a preliminary ruling - Whether the data subject may exercise his or her rights to obtain an injunction |
| 2/11/2023 | C-654/23 | Request for a preliminary ruling - Questions on certain legal aspects of information society services, in particular electronic commerce |
| 26/10/2023 | C-307/22 | Right of access of the data subject |
| 24/10/2023 | C-638/23 | Request for a preliminary ruling - Questions on the controller |
| 07/09/2023 | C-162/22 | Data retained by providers of electronic communications services |
| 04/07/2023 | C‑252/21 | Principle of sincere cooperation |
| 22/06/2023 | C‑579/21 | Right of access of the data subject |
| 04/05/2023 | C‑300/21 | Compensation for damage |
| 04/05/2023 | C-487/21 | Right of access of the data subject |
| 07/04/2023 | T-183/23 | Application for annulment of EDPB binding decision 3/2022 on Meta’s Facebook service |
| 26/04/2023 | T-557/20 | Right of access of the data subject |
| 12/01/2023 | C-154/21 | Recipients |
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.