GDPR

CJEU's Feb 27, 2025 judgment in CK v Dun & Bradstreet clarifies GDPR provisions on access to personal data and automated decision-making. It mandates that data subjects must receive meaningful, concise explanations without full algorithm disclosure. Controllers must balance transparency with trade secret protection, sharing relevant information with supervisory authorities for cases involving trade secrets. The ruling rejects blanket legal exclusions for access rights based on trade secrets, requiring case-by-case assessments.

https://www.aoshearman.com/en/insights/ao-shearman-on-data/cjeu-issues-judgment-on-balancing-the-right-of-access-and-protecting-trade-secrets

CJEU ruling clarifies that trade secrets protection does not override GDPR disclosure obligations. Businesses may have to share algorithms used in automated decision-making if deemed necessary by courts or regulators to meet data subject access rights under GDPR. This ruling emphasizes the need for information provided to be clear and understandable, rather than merely technical.

https://www.pinsentmasons.com/out-law/news/cjeu-trade-secrets-gdpr-disclosure

1.3% of EU GDPR cases result in fines, contrary to initial fears of severe penalties for noncompliance. Noyb's report indicates low enforcement, allowing large companies to neglect access requests without consequences. Countries like Spain and France are strict enforcers, while others like the UK favor guidance over penalties.

https://www.complianceweek.com/regulatory-enforcement/measured-approach-or-light-handed-gpdr-noyb-reports-only-13-percent-of-eu-cases-result-in-fine/35860.article

CJEU clarifies GDPR rights regarding automated decision-making and trade secrets. On February 27, 2025, the court ruled that data controllers must give clear, accessible information about automated decisions impacting individuals, without sacrificing trade secrets. It emphasized the balance between data subject rights and commercial interests and stated national laws cannot broadly exclude access to data based on trade secrets. Companies must ensure transparency while still protecting proprietary information, aligning with the explainability requirements in the AI Act.

https://www.insideprivacy.com/gdpr/cjeu-clarifies-gdpr-rights-on-automated-decision-making-and-trade-secrets/

GDPR allows individuals to claim compensation for non-material damages, but quantifying these damages is challenging. A study of 255 court cases in Germany from 2018 to 2023 reveals that only 25% of claims are successful, with average claimed damages around €5,200 but awarded damages averaging €3,300. Sensitive personal data results in higher damage awards, indicating that companies face unpredictable liability risks.

https://www.taylorwessing.com/en/insights-and-events/insights/2025/02/gdpr-damages-claims