Judgments on the GDPR and national data protection law

Home » Judgments on the GDPR and national data protection law

Courts in the EU, and in particular the CJEU, repeatedly issue landmark judgments on the European General Data Protection Regulation (GDPR) and data protection law. We analyse these rulings and explain what they mean in practice.

CJEU ruling on compensation following a hacker attack

Nicole Kopp 3 July 2025

The CJEU rules on the conditions under which data subjects affected by a data protection breach or hacker attack can claim damages.

Is Art. 9 GDPR an independent legal basis?

David Weihbrecht 21 May 2025

What is the relationship between Art. 6(1) GDPR and Art. 9(2) GDPR – and is it sufficient to fulfil the latter in order to be allowed to process special categories of personal data?

Can a verbal disclosure constitute processing within the meaning of the GDPR?

Martin Röleke 6 May 2025

The CJEU rules on the concept of processing and the objectives of the GDPR.

Can competitors issue warnings for GDPR violations?

Michael Plankemann 26 February 2025

The CJEU rules on whether the GDPR has a blocking effect vis-à-vis national competition law. The consequences could be expensive for some companies – but are not the end of the world.

Do online retailers have to provide guest accounts and what are they allowed to use customer data for

Martin Röleke 22 November 2024

The Hamburg Regional Court clarifies key questions regarding the processing of personal data in online shops – at least for some providers.

CJEU defines data protection damages in the case of immaterial and hypothetical damage

David Weihbrecht 21 October 2024

Several judgements on the determination of immaterial damage and the assessment of such damage under the GDPR provide new certainties for data controllers.

Pseudonymisation of data can amount to anonymisation

Haykuhi Gevorgyan 9 September 2024

The EGC ruled on whether data protection law does not apply to the pseudonymisation of personal data if the recipient has no possibility of re-identification.

CJEU clarifies responsibility and the question of fault for the imposition of fines

Michael Plankemann 6 December 2023

In order to impose GDPR fines, it must be established who is responsible for the processing activity and whether and, if so, who must be at fault. The CJEU has now provided clarity.

CJEU defines right to a copy under Art. 15 GDPR

Venushon Thadchanamoorthy 30 November 2023

In what form and to what extent must copies of personal data be provided when data subjects exercise their data protection rights? The CJEU provides clarity and sets new standards.

The Federal Cartel Office may also find GDPR violations at Meta

Martin Röleke 25 July 2023

The CJEU has cast doubt on the voluntary nature of consent on Facebook, allowing national competition regulators to investigate data protection breaches in certain circumstances.

Why are judgments on the GDPR important?

The GDPR leaves room for interpretation in numerous places. Courts, and especially the CJEU, are called upon to ensure legal certainty. Probably the most prominent example of this is the CJEU’s rulings on third country transfers, respectively the EU-U.S. Privacy Shield and Safe Harbor.

In addition, the Member States can enact national data protection laws that supplement or concretise the provisions of the GDPR. However, there are also deviations which, in case of doubt, have to be decided by national court rulings.

For companies, it is important to be aware of the judgments on the GDPR and national data protection law, as these affect the company´s practical implementation of the law internally and externally.

Group Data Protection

AI Compliance

Whistleblower System

Special topics

Our Experts

Judgments on the GDPR and national data protection law

Munich

Berlin

Services

Resources

About

Group

Contact us!

Secure the knowledge of our experts!