The European and German courts kicked off February with a series of significant rulings on data protection matters. In February 2025, several key decisions were made, addressing issues ranging from corporate fines under the General Data Protection Regulation (GDPR) to transparency in automated decision-making and the handling of consumer data. This article provides an overview of the most significant rulings and their potential implications for businesses and individuals alike. 

A. ECJ Judgement of February 13, 2025 – Case C-383/23 

On February 13, 2025, the European Court of Justice (ECJ) delivered an important ruling in Case-383/23, addressing key issues related to the calculation of fines for data protection violations under GDPR. 

I. Background

The case involved ILVA, a Danish furniture company within the Larsen Group, which had been fined DKK 100.000 for a GDPR violation concerning the storage of former customer´s data. The fine was calculated based on ILVA’s revenue, but the case was suspended following an appeal and referred to the ECJ for clarification.

II. Undertaking = business unit

The key questions referred to the ECJ were whether the term ‘undertaking’ in Article 83 (4) – (6) of the GDPR should be interpreted in the same way as it is within the meaning of Art. 101 and 102 of the Treaty on the Functioning of the European Union (TFEU), meaning it refers to any economic unit, including multiple legal or natural persons, and whether the worldwide turnover of the entire corporate group should be used to determine the upper limit of the fine. 

In its ruling, the ECJ confirmed that the term ‘undertaking’ under the GDPR should indeed be understood in the same way as in Art. 101, 102 of the TFEU, covering the entire economic unit, even if it consists of multiple legal entities. Consequently, the maximum amount for fines for data protection violations should be based on the worldwide turnover of the entire corporate group, even though the fine will be imposed on the company responsible for the violation. This interpretation was previously upheld by the ECJ in its judgment on December 5, 2023, in the Deutsche Wohnen case (C-807/21).

However, the court clarified that determining this upper limit is distinct from calculating the actual amount of the fine. The court emphasized that any fine must be proportionate, taking into account the company’s financial capacity as well as the severity of the violation, ensuring that the penalty is effective but not disproportionate. This ruling impacts the fine calculation of various regulatory frameworks, highlighting the need for businesses to maintain strong compliance systems. 

B. ECJ Judgement of February 27, 2025 – Case C-203/22

On February 27, 2025, the ECJ issued another judgment that clarified the right to information under Article 15 (1) (h) of the GDPR. This ruling specifically addresses the need for transparency in automated decision-making processes.

I. Background

The case originated from a complaint by CK, who was denied a mobile phone contract based on an automated credit check by data scoring company (D&B). 

CK sought access to the criteria and calculations behind the scoring decision but was denied due to trade secret claims. After the Austrian data protection authority ruled in CK’s favor, D&B appealed and the case was referred to the ECJ.

II. Controller has to inform about automated decision-making

The ECJ ruled that companies must disclose the 'logic' behind automated decisions in a manner that is both meaningful and understandable. Providing a complex mathematical formula or a detailed description of individual steps is therefore not necessary and/or sufficient. Instead, the process must be described in a way that the affected person can comprehend. Controllers may think about a simplified, intelligible explanation in simple words.

The Court also addressed the issue of the preservation of confidentiality of trade secrets, emphasizing that companies cannot withhold information solely on the basis of trade secrets. A balance of interests is required. While there may be situations where disclosure could potentially compromise business interests, companies are required to take additional measures to ensure a balance between transparency and confidentiality. This could imply the involvement of authorities or courts in order to demonstrate the confidentiality of trade secrets.

This judgement highlights the right to transparency in automated decision-making under the GDPR and companies are required to adjust their processes to provide clear explanations of how decisions are made, while carefully balancing transparency with business interests. 

C. BGH on Art. 82 GDPR damages

On January 28, 2025, the Federal Court of Justice (BGH) addressed the application of Article 82 of the GDPR in two significant rulings, which were only published in February.

I.  BGH Judgement of January 28, 2025 – Case VI ZR 183/22 

In the first case, a claimant was awarded EUR 500 in immaterial damages at a Higher Regional Court (HRC) for a GDPR violation related to a credit-scoring decision (so called “SCHUFA-lawsuit”). The claimant sought further compensation, totaling EUR 6.000. The Federal Court of Justice (BGH) dismissed the claim, noting that although the HCR´s decision contained legal errors, these did not disadvantage the claimant.

The BGH decided that the HCR court had incorrectly assumed a deterrent or punitive function for Article 82 GDPR. Had the court correctly focused solely on the compensatory function of Article 82, the awarded damages would have been lower. However, due to procedural reasons, the BGH could not reduce the compensation amount. Consequently, the awarded damages remained at EUR 500.

II. BGH Judgement of January 28, 2025 – Case VI ZR 109/23

In the second case, a claimant sought damages for receiving unsolicited advertising emails. The court did not determine whether a GDPR violation had occurred, as there was no immaterial damage, particularly no loss of control. The claimant argued that the email caused anxiety due to the misuse of personal data, but the BGH ruled that this was insufficient for compensation. The court emphasized that a unsolicited email does not equate to a loss of control over data, especially without evidence of data sharing with third parties. Additionally, the lack of response from the seller did not contribute to any immaterial damage.

D. Conclusion

The recent rulings by the European and German courts in February 2025 underscore the evolving landscape of data protection law and its significant implications for businesses. The ECJ's decisions on the calculation of fines under the GDPR and the transparency requirements in automated decision-making processes highlight the need for companies to reassess their compliance strategies. Additionally, the BGH's rulings on GDPR damages emphasize the importance of understanding the compensatory nature of Article 82 and the possible risk of privacy litigation.

At Reed Smith's Emerging Technologies group, we’re here to help you navigate these challenges. Stay informed on the latest developments in privacy and platform litigation by subscribing to our authors and following #TechLitigationNews.