03 Data protection

Chris Bollard, Partner, Technology
2025 AT A GLANCE
- Major regulatory action included a €530m fine against TikTok for insufficient data transfer protections.
- The Irish courts provided clarity on the process for claiming non-material damages under GDPR and the Data Protection Commission’s discretion to decline to investigate a data subject complaint.
- The EU’s Court of Justice provided further guidance on a number of topics, including how GDPR fines should be calculated, the data subject’s entitlement to receive information on automated decisions, and the effect of pseudonymising personal data.
REGULATORY ACTIVITY 2024
In June 2025, the Irish Data Protection Commission (the DPC) published its Annual Report for 2024 (the Report). The Report details the DPC’s general regulatory activity throughout 2024, which saw the DPC impose fines in excess of €652m, as well as issue multiple reprimands and compliance orders.
Key highlights of the Report include:
- Case numbers: The DPC processed 11,091 new cases in 2024, only slightly down on the 2023 figure of 11,200.
- Complaints: Following a similar pattern to previous years, the top three categories of complaints received under the GDPR concerned: (i) the right of access (34%); (ii) fair processing (17%); and (iii) the right to erasure (14%).
- Data breach notifications: In 2024, the DPC received 7,781 valid GDPR data breach notifications. This represents an 11% increase on the numbers reported in 2023.
- Inquiries: The DPC concluded four large-scale inquiries in 2024. As of 31 December 2024, it had 89 ongoing statutory inquiries.
DPC DECISIONS AND GUIDANCE
As of the end of November 2025, the DPC has published fewer decisions than in previous years. However, it has several major statutory inquiries ongoing, suggesting that a number of significant decisions may be published in early 2026.
€530m fine issued to TikTok in respect of data transfers
On 2 May 2025, the DPC issued a decision following its inquiry into the data processing operations of TikTok Technology Limited (TikTok), concerning data transfers to China. The DPC found that TikTok’s transfers of EEA users’ personal data to China infringed article 46 GDPR, because it failed to demonstrate that the personal data transferred was afforded a level of protection essentially equivalent to that guaranteed in the EU. It also found that TikTok had failed to provide adequate information in its privacy policy in respect of such transfers, infringing article 13 GDPR.
The decision shows that the DPC is willing to scrutinise carefully the data transfer arrangements that companies have in place, and to issue substantial fines where it considers that those arrangements fail to meet the required standards under the GDPR.
Guidance Note on handling Subject Access Requests (SARs)
On 7 March 2025, the DPC published guidance on handling SARs, advising specifically on the application of article 15 GDPR in circumstances where third-party personal data is also contained in documents that fall within the scope of a data subject access request.
DPC ACTIONS IN THE IRISH COURTS
Supreme Court clarifies process for claiming non-material damages under GDPR
In July 2025, the Supreme Court clarified the law on the interaction between non-material damages claims under the GDPR and Ireland’s personal injuries legislation. In Dillon v Irish Life Assurance PLC [2025] IESC 37, the Supreme Court overruled the High Court in determining that emotional distress or upset as a result of an infringement of the GDPR does not constitute a “personal injury” within the meaning of the Personal Injuries Assessment Board Act 2003 (as amended). As a result, such claims do not require prior authorisation from the Personal Injuries Resolution Board (PIRB) before proceedings can be issued.
This decision brings some welcome clarity to the process of instituting claims of non-material damages for distress or anxiety caused by an infringement of the GDPR. The Court noted that only a “very, very modest” level of award should be expected in respect of non-material damages claims which fall outside the PIRB regime.
High Court declines to judicially review DPC refusal to investigate
McShane v Data Protection Commission [2025] IEHC 191 concerned a judicial review application in which an employee of the Health Service Executive (HSE) sought to challenge the DPC’s decision not to investigate a personal data breach complaint. The applicant used a work mobile phone for personal use and alleged that, as a result of the cybersecurity breach at the HSE, he suffered a personal data breach and personal loss.
The High Court rejected the application on the basis that the DPC’s decision was rational and within its lawful authority. The DPC had declined to investigate the complaint on the ground that the HSE was not the data controller of the relevant personal data, because using the phone for personal purposes was contrary to the HSE’s electronics policy. The complainant’s use of the device for personal use was therefore unauthorised.
The decision serves as an important reminder for employers to ensure they have appropriate data management policies in place in respect of work devices.
DECISIONS OF THE COURT OF JUSTICE OF THE EU (CJEU)
Note: The CJEU is made up of two courts: the Court of Justice and the General Court. References to ‘the Court’ in this section should be read as the Court of Justice (the higher court) unless otherwise stated.
Calculating GDPR fines for companies in group structures
Under the GDPR, certain infringements are subject to fines based on a percentage of an undertaking’s worldwide annual turnover. In the case of ILVA (Case C-383/23), a Danish company (ILVA A/S) was fined for data breaches relating to customer data. ILVA sought to challenge how the fine was calculated, which turned on the interpretation of “undertaking” to be applied when calculating fines under the GDPR. In calculating ILVA’s fine, the Danish regulatory authority based the amount of the fine not only on the turnover of ILVA, but also on the overall turnover of the group to which it belongs. The key issue in the case was whether the regulator was correct to do so.
As it did in the Deutsche Wohnen case in December 2023, the Court applied the competition law understanding of 'undertaking' as an economic unit. The Court held that the group’s turnover is therefore relevant in establishing the maximum amount of a fine under the GDPR. When determining the actual fine, the Court held that this concept of undertaking “must also be taken into account in order to assess the actual or material economic capacity of the recipient of the fine and thus to ascertain whether the fine is at the same time effective, proportionate and dissuasive”.
This decision is broadly in line with the approach to calculating fines taken to date, but there is still some ambiguity around how precisely national authorities are approaching the calculation of GDPR fines for individual group companies.
Entitlement to rationale for an automated decision on creditworthiness
In Dun & Bradstreet Austria (Case C-203/22), a customer asked for “meaningful information” (under article 15(1)(h) GDPR) after her application was rejected following an automated credit assessment. Dun & Bradstreet refused to provide some of this information, claiming it was a trade secret.
The Court found that, in order to provide sufficiently meaningful information, the data controller must describe the decision-making procedure in a way that allows data subjects to understand which of their personal data have been used and how. In the context of profiling (such as credit scoring), it may be sufficient to explain how “a variation in the personal data taken into account would have led to a different result”. However, the Court held, the mere communication of an algorithm or a “detailed description of all the steps in automated decision making” will not, by itself, be sufficient.
The Court further found that controllers cannot rely on the defence of trade secrets to refuse all data subject information requests. If a controller believes information forms part of a trade secret, they must present it to the competent court or supervisory authority, and it is for that body to determine the scope of information to be provided.
This decision emphasises that the controller’s obligation to provide “meaningful information” to data subjects in respect of processing operations will be carefully scrutinised, and overly broad, blanket refusals on the basis of intellectual property rights will not be accepted.
What constitutes personal data in cases of pseudonymisation?
In September 2025, the Court delivered its decision in EDPS v SRB (Case C‑413/23 P), a case concerning whether pseudonymised data are to be considered "personal data" within the meaning of Regulation (EU) 2018/1725 (the GDPR-equivalent regulation governing data protection within EU institutions and bodies).
The background to this case was the collection, by the EU’s Single Resolution Board (the SRB), of the comments of shareholders from a Spanish bank undergoing a resolution. The SRB developed a pseudonymisation process to aggregate the comments. Some of these comments were later sent to Deloitte in its capacity as an independent valuer. The SRB retained the capacity to link the pseudonymised comments to separate, identifying data, but the identifying data set was not provided to Deloitte.
Five shareholders subsequently lodged a complaint with the European Data Protection Supervisor (the EDPS), alleging that the transfer of comments to Deloitte was a violation of their rights under Regulation 2018/1725, as they believed they had not been appropriately informed about the transfer of their personal data. The SRB claimed that the data were not personal data and therefore the notification obligations under Regulation 2018/1725 did not apply.
In its judgment, the Court confirmed the position that pseudonymised data may not be personal data in all cases; whether they are will depend on the measures used to pseudonymise the data and whether natural persons can be linked to the resulting data.
The decision emphasises the importance of context in respect of pseudonymised data. The Court found that, where pseudonymised information is transferred to a third party, such information may not constitute “personal data” from the third party’s perspective, if that third party does not have “means that are reasonably likely” to reverse the pseudonymisation process and re-identify the relevant data subjects. The key question is whether the third party has a realistic means of accessing that information and re-identifying the data subjects.
However, the Court held, if the controller who transferred the pseudonymised information retains the capacity to re-identify the data subjects, such information is personal data from that controller’s perspective. Accordingly, the controller must comply with its general obligation to inform data subjects of relevant third party transfers.
DPC loses challenge to EDPB’s powers
In January 2025, the General Court dismissed the DPC’s challenge to the powers being exercised by the European Data Protection Board (the EDPB) under the GDPR in Data Protection Commission v European Data Protection Board (Joined Cases T‑70/23, T‑84/23 and T‑111/23). The case came about following a DPC investigation into Meta Platforms Limited. When other European regulators raised objections to the outcome of the investigation, the EDPB issued determinations calling on the DPC to amend its draft decisions and carry out fresh investigations. The DPC challenged the EDPB's competence to require a data protection authority (DPA) to investigate further, arguing that the EDPB had exceeded its authority under article 65(1)(a) GDPR.
The General Court dismissed the DPC’s challenge, finding that the EDPB has the authority to require DPAs to conduct investigations that go beyond the original complaint and can make binding, enforceable decisions in that respect. The General Court found that this power is necessary to ensure full compliance with the GDPR.
Further developments on the right to non-material damages
The CJEU has continued to develop its jurisprudence in respect of the proper interpretation of the right to non-material damages under article 82 GDPR. In 2021, the Austrian Post judgment noted that there is no threshold of seriousness which GDPR damages must reach in order to be recoverable. Subsequent judgments have sought to caveat this position by repeatedly emphasising that non-material damages will only be awarded where “actual damage” has been suffered.
Then, in January 2025, the General Court published its decision in Bindl v European Commission (Case T-354/22). While not directly concerning the GDPR, the decision has generated new questions around the proper application of the law in this area. The General Court held that the European Commission must pay a data subject €400 in non-material damages for the incorrect transfer of his personal data (his IP address) to the US. The General Court did not find that the data subject had suffered any particular mental stress or anxiety as a result of the transfer. Instead, it stated that the data subject’s “loss of control of his data” and “uncertainty” regarding his personal data, of itself, constituted “actual and certain” non-material damage.
This seems slightly out of sync with the CJEU’s previous rulings that a purely hypothetical risk cannot give rise to compensation. Furthermore, it is unclear as to how the General Court determined that €400 was sufficient to compensate the data subject for this damage. Both the European Commission and Mr Bindl have appealed the General Court's judgment. The Commission argues that the General Court misinterpreted and misapplied the law, while Mr Bindl is appealing the level of damages.
In Quirin Privatbank (Case C-655/23), the Court further considered the right to non-material damages in September 2025. An employee whose salary expectations were mistakenly shared with a third party sought an injunction to prevent a future breach and compensation for the non-material damage allegedly suffered.
The Court found that the GDPR does not provide for an injunctive remedy to prevent controllers from carrying out unlawful processing in the future. However, the Court highlighted that Member States are not prevented from providing for such injunctive relief under local laws. The CJEU further affirmed that the concept of non-material damages under the GDPR encompasses “negative feelings”, such as fear or annoyance, which are caused by a loss of control over personal data. The data subject must demonstrate that they have such feelings, and their negative consequences, on account of the GDPR infringement.
The decision in OC v European Commission (Case T-384/20 RENV) in October 2025 is also noteworthy. The General Court granted the plaintiff the substantial award of €50,000 in non-material damages for harm to her reputation, professional career, and health caused by a press release from the European Anti-Fraud Office (OLAF) that unlawfully processed her personal data and conveyed false information about her. The case was taken under the EU’s internal data protection rules governed by Regulation 2018/1725 (discussed above).
The decision demonstrates a willingness to award substantial amounts in cases of non-material damages where it is demonstrated that a particularly egregious violation of data protection rights has occurred.
The case is also significant because it deals with a situation where a data subject was not named, but it was determined that it was “reasonably likely” that combining OLAF’s press release with additional information could be used as a way to identify the individual.
EDPB GUIDANCE AND OPINIONS
The EDPB has issued guidance on several important issues over the last few months, including:
- Joint Guidelines on the Interplay between the Digital Markets Act and the General Data Protection Regulation
- Guidelines 3/2025 on the interplay between the Digital Services Act (the DSA) and the GDPR
- Guidelines 2/2024 on Article 48 GDPR
- Guidelines 2/2025 on processing of personal data through blockchain technologies
- Guidelines 1/2025 on Pseudonymisation
EU LEGISLATION
Data Act (Regulation 2023/2854/EU): The majority of the Data Act’s provisions became applicable on 12 September 2025. Applicable to both personal and non-personal data, the Data Act creates a wide range of obligations including in respect of (i) business-to-business data sharing agreements; (ii) requiring minimum standards of interoperability for data and data sharing mechanisms; and (iii) removing technical obstacles to allow businesses and consumers to switch between data processing services.
AI Act (Regulation 2024/1689/EU): Adopted last year, the AI Act is being implemented on a phased basis. See ALG's Guide to the AI Act for a detailed breakdown of this legislation. There have been two key application dates this year – 2 February 2025 (prohibited practices) and 2 August 2025 (application to general purpose AI models). The next key deadline is 2 August 2026, when the AI Act will apply to high-risk AI uses. This deadline now looks set to be pushed out to 2 December 2027 according to the proposals under the Digital Omnibus (discussed further below).
Cyber security: A major piece of cybersecurity legislation, the EU’s NIS2 Directive (2022/2555/EU), was supposed to be transposed into national law by 17 October 2024. Unfortunately, Ireland was among the many Member States that missed this deadline. In May 2025, the European Commission sent a reasoned opinion, the second stage in its infringement procedure, to Ireland and eighteen other Member States for their transposition failures. Continued failure could result in EU court action and the imposition of fines. The General Scheme of the National Cyber Security Bill 2024 was published in August 2024, and the Government’s Autumn Legislative Programme noted that pre-legislative scrutiny is “underway”.
Digital Omnibus: On 19 November 2025, the European Commission published its legislative amendment package which is focused on streamlining rules on AI, cyber security and data. The Omnibus proposes a number of significant changes to existing legislative frameworks including:
- adjusted AI Act timelines and express recognition that the processing of personal data in the context of the development and operation of an AI system or model may be done on the basis of legitimate interests
- streamlined cybersecurity reporting to allow a single-entry point for companies to report all cybersecurity incidents, consolidating obligations under laws like NIS2, the Digital Operations Resilience Regulation, and GDPR
- clarification on the requirements for automated individual decision-making under article 22 GDPR
In a key change from earlier leaked versions of the Omnibus, the definition of "special category" data under the EU's privacy regime is no longer included as a proposed amendment.
LOOKING AHEAD
EU Regulation on GDPR cross-border enforcement: At the time of writing, agreement on this new regulation has been reached and it is awaiting publication in the Official Journal of the EU. The aim of the Regulation is to support the timely completion of enforcement procedures in cases of cross-border data processing through the implementation of definitive and harmonised rules. The Regulation will apply across the EU 15 months after it enters into force. It is therefore likely to become applicable during Q1 2027.
Digital Omnibus: This legislation will progress through the EU legislative process in 2026.
Cyber security: Ireland must implement the NIS2 Directive as soon as possible to avoid further action being taken by the European Commission.