The European Courts started into the year 2025 with a bang. In the second week of January 2025, they issued three highly relevant decisions on data protection. This article offers an initial overview of the key aspects of these judgements.

A. CJEU Judgment of January 9, 2025 – Case C-394/23 

In its judgment dated January 9, 2025, the Court of Justice of the European Union (CJEU) addressed whether the request for a preferred form of address, and thereby indirectly the indication of gender, when purchasing train tickets online through the website and apps of the transport service provider, is compatible with Article 6 (1) (b) and (f) GDPR. 

I. Background

The case originated from the requirement for customers to specify their form of address by selecting  ‘Monsieur’ or ‘Madame’ (‘Mr’ or ‘Ms’) when purchasing tickets. This mandatory information was used by the transport service provider to personalize business communication with customers in line with accepted practices in this area. Additionally, the transport service provider claimed a legitimate interest in processing the address data for personalized direct marketing purposes.

II. Request not necessary

The CJEU ruled that such communication does not necessarily need to be personalized based on the gender identity of the customer. Instead, a personalized address could rely on general and inclusive forms of politeness that do not relate to the assumed gender identity of the customers. Furthermore, the legitimate interest of the transport service provider in processing the address data was not communicated to the customers. The CJEU considered this information, required at the time of data collection under Article 13 (1) (d) GDPR (e.g., through a privacy notice), as a prerequisite (!) for lawfulness. Without this information, the collection cannot be based on a legitimate interest.

Moreover, for personalized direct marketing, the first and last names of the customer are sufficient. The use of forms of address is not necessary. The legitimate interest of the transport service provider does not outweigh the impairment of the fundamental rights and freedoms of the customers. Therefore, the indication of gender when purchasing train tickets online is not compatible with Article 6 (1) (b) and (f) in conjunction with Article 5 (1) (c) GDPR.

B. CJEU Judgment of January 9, 2025 – Case C-416/23 

In another judgment dated January 9, 2025, the CJEU addressed the interpretation of the term "excessive request" under Article 57 (4) GDPR. 

I. Background

The background involved over 77 complaints of data subject under Article 77 (1) GDPR within approximately 20 months, where the complainant alleged violations of Article 15 GDPR to the competent authority. Additionally, the complainant regularly contacted the responsible authority by phone to report further issues and make additional requests. Consequently, the competent authority refused to process the last complaint based on Article 57 (4) GDPR, claiming it was an excessive request.

II. Many requests are not necessarily excessive

The CJEU affirmed that the term "request" under Article 57 (4) GDPR also includes complaints under Article 77 (1) GDPR, reasoning that the term "request" is broadly defined in ordinary language, potentially encompassing any request directed at an institution by a person. The subsequent question was when a request is considered excessive. The CJEU stated that a request is not excessive solely based on the number of requests within a certain period. Instead, it depends on the intent to abuse by the requesting person. If a request is deemed excessive, the competent authority must justify the refusal of the complaint, considering all relevant circumstances and ensuring that the refusal is appropriate, necessary, and proportionate. 

This issue is distinct from when controllers can reject excessive requests from a data subjects (e.g., DSARs). Such a case is also pending before the CJEU resulting from a referral of the German District Court of Arnsberg, which we have previously discussed in a Tech Litigation News post.

C. ECG Judgment of January 8, 2025 – Case T-354/22

On January 8, 2025, the European General Court issued a judgment specifically addressing the lawfulness of data transfers to US companies in 2022 with the requirements of Regulation 2018/1725, particularly regarding the lack of an adequacy decision and appropriate contractual guarantees. The court also examined whether the Commission's actions or inactions violated its obligations. Additionally, the General Court addressed key questions regarding the admissibility of an annulment action against a data protection measure by the Commission and the declaration of a violation of the right to information by the Commission in response to the plaintiff's request.

The court ordered the European Commission to pay €400 in non-material damages under Regulation 2018/1725 due to the unlawful transfer of an IP address to the United States. The European Commission had offered a login via a hyperlink to a US social media network on one of its websites. The plaintiff clicked on this hyperlink, and his data was thus transferred to the US. 

The decision is of extreme relevance to almost all European companies. We have therefore discussed the judgement in detail together with our colleague Friederike Wilde-Detmering in a separate blog post. You can find the link to the blog here.