Authors: Iurie Cojocaru, Eduard Rașcă
Our top judgements of the Court of Justice of the European Union
(26 MAY 2025 – 25 MAY 2026)
1. Judgement in the Case C-526/24 – Brillen Rottler
What the Court mainly said: The CJEU held, amongst others, that a data subject access request may, in certain circumstances, be regarded as abusive even where it formally complies with the GDPR requirements, where it is made not for the purpose of obtaining information on the processing of personal data and verifying its lawfulness, but with the intention of artificially generating conditions for obtaining an advantage, such as a compensation claim. In this regard, the Court indicated that a pattern of repeated access requests followed by similar compensation claims against multiple controllers may be considered when assessing abusive intent.
What are the practical implications: Organisations may, in certain circumstances, treat a data subject access request as abusive where they assess that it is not made to obtain information on the processing, but to artificially generate conditions for obtaining an advantage, such as a compensation claim. However, any refusal to comply with a data subject access request on the grounds that it is abusive must be carefully documented and assessed with arguments on a case-by-case basis.
2. Judgement in the Case C-492/23 – Russmedia
What the Court mainly said: The CJEU held, amongst others, that an operator of an online marketplace qualifies as a controller in relation to the personal data contained in user-generated advertisements published on its platform, as it determines the purposes and means of making such content accessible online, and is therefore directly subject to GDPR obligations. In this context, the Court places particular emphasis on the controller’s proactive responsibility to implement appropriate measures, including identifying advertisements that contain special categories of personal data within the meaning of Article 9 GDPR and verifying whether the user placing the advertisement is the person whose special categories of personal data appear in that advertisement. If this is not the case, the operator should refuse publication, unless the user demonstrates that a valid safeguard for sensitive data under Article 9(2) GDPR is applied.
What are the practical implications: Organisations operating online marketplaces, as well as other organizations carrying out similar activities, should be particularly vigilant in relation to user-generated advertisements published on their platforms. Since the Court indicated that such organizations qualify as controllers in relation to the personal data contained in user-generated advertisements published on their platform, they must ensure GDPR compliance through a proactive approach. This may include prior checks of potentially unlawful or privacy-infringing content before publication and the implementation of appropriate measures, particularly where advertisements contain special categories of personal data within the meaning of Article 9 GDPR.
3. Judgement in the Case C-422/24 – Storstockholms Lokaltrafik
What the Court mainly said: According to the Court, data collected via body-worn cameras is considered “collected from the data subject” (in the meaning of Art. 13 GDPR), even where individuals do not actively provide the data, as it is obtained through real-time observation of their behavior. The Court clarified that direct collection covers any situation where data is obtained straight from the data subject, without an intermediary source, and does not require any active involvement from the individual. By contrast, collection otherwise than directly from the data subject (governed by Art. 14 GDPR) applies where the controller obtains the data from a third party or another source. Consequently, when data is collected directly from the data subject, the controller must provide the required data processing-related information at the time of collection.
What are the practical implications: While this interpretation was to some extent expected, as it is consistent with the approach reflected in the guidelines issued by the Article 29 Working Party and endorsed by the European Data Protection Board, it is nevertheless useful to have confirmation from the CJEU as the authoritative interpreter of EU law. As a result, organizations that have so far relied on a different qualification of data collected via bodycams may need to reassess their approach, including as regards the content of the privacy notice and the timing of the information provided to data subjects, given that Articles 13 and 14 GDPR regulate different scenarios and impose different transparency requirements in this respect.
4. Judgement in the Case C-654/23 – Inteligo Media
What the Court mainly said: According to the CJEU, in situations where a user creates a free account on an online publication platform in order to access a limited number of free articles and receive a free daily newsletter via an e-mail containing summaries of new legislation discussed in the articles from the publication and hyperlinks to the publication’s articles, while additional articles and analyses are available for a fee, the newsletter may constitute the use of electronic mail for direct marketing purposes in relation to similar products or services within the meaning of Article 13(2) of the e-Privacy Directive.
What are the practical implications: Under the e-Privacy Directive and national transposition laws, such as Law No. 506/2004 in Romania, unsolicited direct marketing communications sent by electronic means, such as email, must, as a rule, be based on consent. As an exception, consent is not required in situations where a person uses electronic contact details obtained in the context of the sale of a product or service for direct marketing of its own similar products or services, provided that the other applicable requirements are met. Since the legislation does not define the notion of “similar products or services”, the clarification provided by the CJEU is particularly useful, so the organizations may document internally the reasons they believe the conditions from this CJUE case are also met in their case.
Our top upcoming judgements of the Court of Justice of the European Union
1. Judgement in the Case C-676/25 – VIVA Credit
What the matter mainly refers to: The Court must consider whether the right of access under Article 15 GDPR and the right to data portability under Article 20 GDPR entitles a data subject to obtain complete copies of terminated loan agreements concluded with a consumer credit company, or only the personal data contained in those agreements. In essence, the matter concerns the distinction between access to “personal data” and access to entire contractual documents containing such data.
What are the practical implications: While the Court has already addressed the distinction between a “copy of personal data” and a “copy of a document” in its case Österreichische Datenschutzbehörde and CRIF [C-487/21], it remains to be seen whether this new case will introduce further nuances or even a shift in approach. Additional clarification on this issue could also help organisations better structure and document their internal handling of data subject requests based on the rights of access and data portability.
2. Judgement in the Case C – 594/25 – Vodafone
What the matter mainly refers to: The Court must consider, amongst others, whether legitimate interest may constitute a sufficient legal basis, without the need to rely on consent, for large-scale transfers of positive data (i.e., contractual information not relating to payment defaults or other breaches) from mobile phone operators to credit reference agencies for subsequent profiling and scoring activities.
What are the practical implications: The case highlights once again that the identification of an appropriate legal basis under the GDPR requires a careful assessment of the specific processing operations and the interests at stake. Where controllers seek to rely on legitimate interest, they should ensure that the balancing exercise is thoroughly documented in a Legitimate Interest Assessment (LIA). If the Court confirms that legitimate interest may constitute a valid legal basis in such scenarios, the reasoning and criteria developed by the Court could provide valuable support for organisations in substantiating and documenting their LIAs.
3. Judgement in the Case – C-317/25 – Groupe Canal+ v CNIL
What the matter mainly refers to: The Court is asked to assess whether references in the direct marketing consent form to broad categories of recipients, such as “partners”, are sufficiently specific and informed, or whether each recipient whose identity was unknown to the data subject at the time of consent collection must obtain fresh consent before carrying out its own marketing activities as a separate controller.
What are the practical implications: Depending on the approach adopted by the Court, organisations engaged in data sharing arrangements for marketing purposes may need to revisit and potentially redesign their consent forms and consent collection mechanisms. In particular, if the Court requires a higher degree of specificity regarding the identity of recipients, broad references to “partners” or similarly vague categories may no longer be sufficient for valid consent.
4. Judgement in the Case C-185/25 – Waldfelber
What the matter mainly refers to: The Court must consider, amongst others, the scope of the obligation under Article 15(1)(g) GDPR to provide any available information as to the source of personal data where the data was not collected directly from the data subject. In particular, the Court is asked to clarify whether this obligation extends only to identifying the author of an e-mail containing personal data, or also to identifying third parties with whom the author of the e-mail may have previously discussed the data subject.
What are the practical implications: Depending on the Court’s approach, the judgment may significantly influence how organisations handle access requests concerning the source of personal data. A broad interpretation of Article 15(1)(g) GDPR could require organisations to disclose more detailed information regarding individuals involved in generating or discussing personal data, potentially extending beyond formally recorded sources. This may require organisations to reassess their internal documentation practices, data governance procedures and approaches to balancing transparency obligations against the rights and expectations of third parties.
