Recent European Court Judgements

Contact us

  • Court of Justice:

Case C-413/23 P: EDPS v SRB (Notion de données à caractère personnel)- 2025.09.04
  • The case centered on the definition of "personal data" in the context of pseudonymized information and the transparency obligations of data controllers under EU data protection law.

Facts of the Case:
  • The case originated from the 2017 resolution of Banco Popular Español, where the Single Resolution Board (SRB) initiated a "right to be heard" process for shareholders and creditors. Individuals submitted comments after registering, and the SRB subsequently hired the consulting firm Deloitte to analyze them. To protect the individuals' identities, the SRB pseudonymized the comments by assigning a unique alphanumeric code to each and removing direct identifying information before transferring the data to Deloitte. Crucially, the SRB retained the "key" that could re-identify the individuals, allowing them to link the codes back to the original registration data.
  • This process led to a dispute with the European Data Protection Supervisor (EDPS), who argued that the SRB had failed in its transparency obligations by not informing data subjects that their information would be shared with Deloitte. When the SRB challenged the EDPS's decision, the General Court (GC) ruled in favor of the SRB, concluding that the data was not personal data from Deloitte's perspective since Deloitte could not identify the individuals. The EDPS appealed this decision to the Court of Justice of the European Union (CJEU), contending that the pseudonymized comments were still personal data and that the SRB had an obligation to inform the individuals of the data transfer.

Salient Facts:
The court took into consideration several key legal principles and previous case law:
  • Broad Definition of Personal Data: The court reiterated that the definition of "personal data" under Regulation 2018/1725 and the GDPR is very broad and encompasses all kinds of information, including subjective information like opinions and assessments, as long as it "relates" to the data subject.
  • "Relates to" Criterion: Information is considered to "relate to" a person if, because of its content, purpose, or effect, it is linked to an identifiable person. The court emphasized that these criteria are linked by the conjunction "or," meaning that an examination of all three is not always necessary.
  • Subjective Information is Inherently Personal: The most critical point of the court's findings is that personal opinions or views are inherently linked to the person who expresses them. The court found that the GC erred in law by stating that the EDPS needed to do a further analysis of the comments beyond the fact that they were personal opinions. The court reasoned that an opinion is an expression of a person's thinking and is therefore, by its very nature, closely linked to that person. This interpretation is supported by previous case law, such as the Nowak case, where an examiner's comments were considered personal data of both the candidate and the examiner.

Decision:
  • The CJEU found that the GC had made an error of law. The CJEU ruled that the EDPS did not need to conduct an extensive examination of the content, purpose, or effect of the comments because it was already established that they expressed the personal opinions of their authors.
  • This ruling reinforces the principle that the data controller remains responsible for the protection of personal data, regardless of whether that data is pseudonymized when transferred to a third party. The judgment clarifies that the obligation to ensure transparency and provide information to data subjects lies with the original data controller, emphasizing that the relativity of what constitutes "personal data" does not absolve the controller of their core responsibilities under GDPR. This decision sets a clear precedent for how organizations must handle data transfers, particularly when using pseudonymization to share information with other entities.


Case C-655/23: IP v Quirin Privatbank – 2025.09.04
  • The case concerns the interpretation of the GDPR, specifically regarding a data subject's right to compensation for non-material damage and the relationship between such compensation and a prohibitory injunction.

Facts of the Case:
  • The case originated from a preliminary ruling request from a German court following a dispute between an individual, IP, and a bank, Quirin Privatbank. IP had applied for a job with the bank through a professional social network. During the recruitment process, a bank employee accidentally sent a message containing personal data, including salary expectations, to an unauthorized third party. IP felt humiliated and was concerned that this confidential information could circulate in his professional circle. He brought a legal action against the bank seeking two things: an order to prevent the bank from making a similar unauthorized disclosure in the future and compensation for the non-material damage he had suffered. The German courts had given divergent rulings, leading the Federal Court of Justice to refer several questions to the CJEU.

Salient Points of the Case:

The court took into consideration several key legal principles:
  • Non-Material Damage under GDPR: The court clarified what constitutes non-material damage under Article 82(1) of the GDPR. It held that negative feelings such as fear, stress, anxiety, or dissatisfaction can qualify as compensable damage. There is no minimum threshold of severity required for such harm, as long as the data subject can prove that the feelings are a direct result of the GDPR violation.
  • Non-Compensatory Function of Injunctions: The court examined the relationship between a data subject's right to an injunction (a court order to stop a specific action) and their right to compensation. It held that these two remedies serve different purposes. A prohibitory injunction is preventative, aiming to stop future violations, whereas compensation is exclusively compensatory, intended to remedy the harm already suffered.
  • Fault and Compensation: The CJEU also addressed whether the degree of fault of the data controller should be a factor in determining the amount of compensation for non-material damage. The court ruled that the seriousness or intentionality of the controller's conduct is irrelevant to the amount of compensation. The aim is to fully compensate the victim for the proven harm, not to punish the company.

The Court's Decision and Effects:
  • The CJEU ruled that the mere existence of negative feelings like fear or dissatisfaction, if proven, can be considered non-material damage for which a data subject can claim compensation. It also held that the granting of an injunction to prevent future violations cannot be used to reduce or replace the financial compensation for non-material harm already suffered. This is because the two remedies are separate and cumulative.
  • This ruling significantly lowers the threshold for claiming compensation for non-material damages under the GDPR, strengthening the rights of individuals. It clarifies that a victim does not need to prove financial or property damage to seek compensation. The decision also sets a clear precedent that the existence of a preventative measure (an injunction) does not lessen the data controller's obligation to provide a remedy for harm that has already occurred.


Case C-249/24: RT and ED v Ineo Infracom – 2025.09.04
  • The case concerns the interpretation of the EU's Collective Redundancies Directive (98/59/EC), specifically addressing whether dismissals following an employee's refusal of a geographical reassignment under a collective mobility agreement should be classified as "redundancies" for the purposes of collective redundancy calculations and mandatory consultation procedures.

Facts of the Case:
  • The dispute involves two employees, RT and ED, and their employer, Ineo Infracom, a public works company. After losing a contract in 2013, Ineo Infracom offered temporary reassignments to 82 employees, including RT and ED. The two employees refused the new assignments and sought judicial termination of their contracts, claiming employer fault.
  • Subsequently, Ineo Infracom and trade unions concluded a collective internal mobility agreement. RT and ED were again offered new positions under this agreement, but they refused and were consequently made redundant on economic grounds. The employees challenged their dismissals, arguing that the company should have applied the procedures for collective redundancies since more than 10 employees were affected. The national courts issued conflicting judgments, leading the French Court of Cassation to refer questions to the CJEU regarding the interpretation of Directive 98/59/EC.

Salient Points of the Case
The court's analysis focused on two main questions:
  • Definition of 'Redundancy': The court clarified that the term "redundancy" under EU law is an autonomous concept that must be interpreted broadly to protect workers. A termination of a contract can be considered a redundancy if it is initiated by the employer for reasons not related to the individual worker. The court held that this includes situations where an employer makes a unilateral and substantial change to an essential element of an employee's contract, such as the place of work. It is up to the national court to determine if the proposed change was substantial, considering factors like whether the change was temporary or permanent and the distance involved.
  • Sufficiency of Consultation: The court addressed whether the consultation process for a collective mobility agreement could fulfill the consultation obligations required for collective redundancies. The court ruled that if an employer negotiates such an agreement while simultaneously contemplating collective redundancies, the consultation procedure from the directive must be followed. The employer must provide workers' representatives with all relevant information, including the number and categories of employees affected and the reasons for the redundancies. Therefore, general consultation about a mobility agreement is only sufficient if it meets these specific informational requirements.

The Court's Decision and Effects
  • The CJEU ruled that dismissals resulting from an employee's refusal of a geographical reassignment must be counted toward the threshold for a collective redundancy if the change constitutes a substantial modification to an essential element of the employment contract. Furthermore, it ruled that an employer's consultation with unions on a mobility agreement can only satisfy the requirements of the Collective Redundancies Directive if it occurs within a context where the employer is already contemplating redundancies and has provided all the information required by the directive.
  • This decision strengthens the rights of employees in cases of company restructuring involving a change in work location. It clarifies that employers cannot use collective mobility agreements as a way to bypass their obligations to consult with workers and their representatives when the changes are substantial and could lead to mass layoffs. It ensures that workers are properly informed and consulted before significant changes are imposed on their employment contracts. 


Case C-687/23: D.E. v Banco Santander (Résolution bancaire Banco Popular III) – 2025.09.11
  • The case concerns the interpretation of the EU's Bank Recovery and Resolution Directive (BRRD), specifically on whether the resolution of Banco Popular extinguished a shareholder's claim for damages and nullity that was initiated before the bank's resolution.

Facts of the Case:
  • The dispute involves an individual, D.E., who acquired convertible subordinated bonds from Banco Popular in 2009. These bonds were converted into shares in 2015. In 2016, D.E. filed a lawsuit against Banco Popular seeking a declaration of nullity of the bond purchase and compensation for damages due to a defect of consent and the bank's failure to provide accurate information.
  • In June 2017, while D.E.'s legal action was pending, Banco Popular entered into a resolution scheme, its share capital was written down to zero, and the bank was transferred to Banco Santander. As a result, D.E.'s shares became worthless. The Spanish Supreme Court, noting many similar disputes, sought a preliminary ruling from the CJEU to determine if D.E.'s claim, which was filed before the resolution, should be considered an "accrued" liability that survives the resolution and can be enforced against Banco Santander.

Salient Points of the Case
The court's analysis focused on the meaning of "accrued" liabilities within the BRRD and the impact of a bank's resolution on pending legal claims:
  • Definition of "Accrued" Claim: The court clarified that the term "accrued" in the BRRD must be given an independent, uniform interpretation across the EU. It determined that a claim can be considered "accrued" even if it hasn't been formalized in a final judgment. The court noted that a judicial claim filed before a bank's resolution is not a "subsequent proceeding" and therefore is not automatically extinguished by the resolution measures.
  • Impact of Pre-existing Claims on Resolution: The court distinguished claims brought before resolution from those brought after. Claims filed after a bank's resolution have a retroactive effect that could undermine the entire resolution process and its objectives, as they seek to recover capital that was written down to ensure financial stability. However, the court found that claims already pending before the resolution do not have this retroactive effect. The financial risks from these pending disputes should have been factored into the bank's valuation during the resolution process.
  • Proportionality and the Right to an Effective Remedy: The court considered the fundamental right to an effective remedy under the EU Charter of Fundamental Rights. While this right can be restricted to achieve a public interest, such as financial stability, the restriction must be proportionate. The court reasoned that extinguishing claims that were already pending before the resolution would be a disproportionate and unjustified restriction on this fundamental right, as it is not necessary to ensure the effectiveness of the resolution process.

The Court's Decision and Effects
  • The CJEU ruled that a claim for a declaration of nullity and for damages, arising from the marketing of financial products and filed before the resolution of a bank, must be considered an "accrued" obligation or claim. Consequently, this claim is not extinguished by the bank's resolution and is enforceable against the successor entity (Banco Santander).

This decision provides greater protection for investors, establishing that their legal actions filed before a bank's resolution survive the process. It clarifies that a bank resolution cannot simply nullify pending legal disputes and that the successor entity must face the financial obligations associated with those claims. The ruling reinforces the principle that while bank resolution is a powerful tool for financial stability, it cannot be used to disproportionately interfere with a data subject's right to judicial protection and an effective legal remedy.
 


Martina Galea, Legal Intern and Dr. Franklin Cachia Head of Legal


Contat our legal team


 

Key Contacts

Get in touch with our experts

Dr. Franklin Cachia BDO Malta

Dr. Franklin Cachia

Head of Legal
View bio

Related News

Take a look at our related news articles