
GDPR in Practice: Lessons from the Courts – July 2025

1. Introduction

Understanding the GDPR isn’t just about reading the law — it’s about seeing how it’s applied in real situations. In this ongoing series, “GDPR in Practice: Lessons from the Courts,” I break down key court decisions from across Europe that shape how the GDPR is interpreted and enforced. Each post highlights a specific case, the legal questions it raised, what the courts decided, and what practical lessons we can learn — whether you’re a data protection officer, legal advisor, or privacy-conscious organization.

2. Understanding GDPR Access Rights: Lessons from a Recent Court Ruling Against a Tax Authority

In this section, we break down a recent important court decision on how individuals can enforce their data access rights under GDPR against public authorities like tax offices.

Background: What Happened?

A person requested personal data from a tax office under Article 15 of the GDPR — the right to access your personal data. While the tax office provided some information, it refused to send certain documents related to enforcement actions. The person asked again but was denied.

The individual then took the case to court, asking the judges to order the tax office to provide the full information. However, the court rejected the claim because it was filed too late and did not follow the right legal process.


Key Legal Questions

  • What is the proper way to enforce GDPR access rights against a public authority?
  • Is there a deadline to bring such a claim?
  • Do national court procedures apply to GDPR claims?
  • Do you need to make a new request before going to court?

What the Court Decided

  • The court ruled that if a public authority refuses to provide data under GDPR Article 15, the claimant must file a specific type of legal action called an obligation action.
  • There is a one-year deadline to file this claim, starting from when the refusal was notified. If you miss this deadline, your claim will be rejected as inadmissible.
  • This one-year limit is consistent with EU law principles; it doesn’t make enforcing GDPR rights impossible or too difficult.
  • Before going to court, you generally need to make a formal request to the authority. The court will usually not accept a lawsuit if no recent request was made after the refusal.
  • Simply put: you cannot wait indefinitely or repeatedly demand data without following these legal steps and time limits.

Why This Matters

This case highlights how GDPR rights interact with national court procedures. While GDPR guarantees your right to access your personal data, you must also respect procedural rules like deadlines and formal requests.

If you want to enforce your GDPR access rights, keep these points in mind:

  • Submit your data request clearly and in writing.
  • If refused, act promptly and understand there’s a legal time limit to challenge the refusal.
  • Follow up with legal advice if needed, and don’t delay your claim beyond the deadline.

Final Thoughts

Enforcing GDPR rights isn’t just about making a request — it also means understanding the legal process to protect your rights effectively. This case reminds us that knowing procedural rules is just as important as knowing your substantive rights under GDPR.


References

  • BFH, Judgment of 06.05.2025 – IX R 2/23, openJur 2025, 14587
  • https://openjur.de/u/2525245.html

3. Remembering not to remember is part of staying GDPR compliant

When someone makes a GDPR erasure or objection request, many businesses assume they need to delete everything — including the request itself. But that can actually lead to a GDPR violation.

Here’s why:

The Problem:

If you fully delete a data subject’s personal data and their deletion/objection request, you risk accidentally collecting or processing their data again in the future — which is exactly what happened in a real-world case where a company re-collected personal data after deletion, thinking they were compliant. The result? The Data Protection Authority ruled against them for unlawful processing.

The Solution: Keep a Suppression List

To comply with GDPR and avoid re-collecting deleted data:

  • Keep a minimal record of the person’s erasure or objection request.
  • This is often called a “suppression list” or “do-not-contact list.”
  • Only store what’s strictly necessary (e.g., a hashed email or identifier).
  • Use it only to prevent future processing — not for marketing or profiling.

Isn’t That a GDPR Violation?

No. GDPR allows you to keep minimal data if:

  • It serves a legitimate interest, like avoiding further contact.
  • It’s necessary to comply with legal obligations.
  • You follow data minimization and purpose limitation principles.

Best Practice:

  1. Log the objection/deletion request securely.
  2. Block future processing attempts using suppression logic.
  3. Avoid full “hard deletes” that wipe all history of the request.
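The three best-practice steps above, as an added example that is not code from the original post: the list stores nothing but a keyed hash of the normalised address, the request type and the date, and every later import is gated through it. The pepper, the storage layout and the function names are assumptions.

```python
"""Suppression list that remembers an erasure/objection request without
retaining the person's data.  Added example, not code from the original
post; the keyed-hash layout, the pepper and the function names are
assumptions."""
import hashlib
import hmac
import unicodedata

# Constructed secret. A keyed hash (HMAC) rather than a bare SHA-256 means
# that someone who obtains the list cannot confirm an address is on it by
# hashing a guess; keep the key in a secrets manager, not in source.
PEPPER = b"constructed-example-pepper"


def normalize_email(email: str) -> str:
    """Canonicalise so 'Alice@Example.com ' and 'alice@example.com' match."""
    return unicodedata.normalize("NFKC", email).strip().lower()


def suppression_token(email: str) -> str:
    """The only identifier the list stores: an HMAC of the normalised address."""
    return hmac.new(PEPPER, normalize_email(email).encode(), hashlib.sha256).hexdigest()


class SuppressionList:
    """Holds the token, the request type and the date received; nothing else
    about the person is kept (data minimisation, purpose limitation)."""

    def __init__(self) -> None:
        self._entries: dict[str, dict] = {}

    def record_request(self, email: str, kind: str, received_on: str) -> None:
        if kind not in ("erasure", "objection"):
            raise ValueError("kind must be 'erasure' or 'objection'")
        self._entries[suppression_token(email)] = {"kind": kind, "received_on": received_on}

    def is_suppressed(self, email: str) -> bool:
        return suppression_token(email) in self._entries

    def __len__(self) -> int:
        return len(self._entries)


def erase_subject(crm: dict, suppression: SuppressionList, email: str, received_on: str) -> None:
    """Hard-delete the CRM record but keep the request on the list (steps 1
    and 3): the request itself is the one thing that is not wiped."""
    suppression.record_request(email, "erasure", received_on)
    crm.pop(normalize_email(email), None)


def ingest_contacts(suppression: SuppressionList, incoming: list[dict]) -> tuple[list[dict], int]:
    """Gate every later import or sign-up through the list (step 2): a record
    matching a prior request is dropped before it is stored anywhere."""
    accepted, blocked = [], 0
    for contact in incoming:
        if suppression.is_suppressed(contact["email"]):
            blocked += 1
            continue
        accepted.append(contact)
    return accepted, blocked


if __name__ == "__main__":
    crm = {"alice@example.com": {"name": "Alice"}}  # constructed CRM
    sl = SuppressionList()
    erase_subject(crm, sl, "Alice@Example.com", "2025-07-01")
    # A later purchased list re-supplies Alice's address; it never reaches the CRM.
    accepted, blocked = ingest_contacts(sl, [{"email": "ALICE@example.com "}, {"email": "bob@example.com"}])
    print(crm, len(accepted), blocked)
```

The normalisation step matters in practice: a suppression entry that only matches the exact string the person typed is bypassed the first time the same address arrives with different casing or trailing whitespace, which is precisely the accidental re-collection the case describes.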

4. GDPR Right of Access: What Timing Details Must Banks Provide? Insights from a Finnish Supreme Administrative Court Ruling

One of the more nuanced GDPR issues came under judicial spotlight recently: What exactly are data subjects entitled to when they request access to personal data under Article 15(1) GDPR—especially in the context of log data and the identity of employees who accessed that data?

Let’s break down the key facts and final outcome in plain terms.


Background: What Was the Dispute?

A customer requested detailed information from their bank about when exactly the bank accessed their personal data, specifically asking for the exact dates and times of these data inquiries. The bank’s user logs contained the dates and precise times of these accesses. However, the bank only provided information on the dates, not the exact times, arguing that the precise timing was not required to be disclosed under GDPR.

The key question:
Does the GDPR require the controller (bank) to provide the exact time of each data access in response to a right of access request? The question was referred to the Court of Justice of the European Union (CJEU) for guidance.

Article 15(1) GDPR grants the right to access personal data and related information such as the purposes and timing of processing.

The Court of Justice of the European Union (CJEU) previously ruled (Case C-579/21) that the data subject has the right to information about the dates and purposes of processing their personal data.

The question remained whether this includes the exact time of day when the processing (data inquiry) took place.


What the Finnish Supreme Administrative Court Decided

The case returned to Finland, where the Supreme Administrative Court reviewed how much access detail the data subject is entitled to.

Key decision points:

  • The data subject is entitled to know the dates their personal data was accessed (as per the log files).
  • However, the person is not entitled to know the exact time of day (e.g., 2:34 PM), even if it’s technically available.
  • The court reasoned that providing just the dates is enough to assess the lawfulness of data processing and exercise GDPR rights.

In short, more precise information (like the exact time) is not required unless it adds meaningful value to the data subject’s ability to exercise their rights.

The court annulled the earlier ruling regarding the time-of-day detail and referred the matter back to the DPA for a new decision aligned with this interpretation.


Why This Ruling Matters

It clarifies boundaries on what controllers must disclose under access rights — an important guide for banks, financial institutions, and other organizations handling personal data.

It balances data subjects’ transparency rights with practical and privacy considerations for organizations.

It avoids forcing organizations to disclose overly granular log data (such as exact timestamps), which may risk security or operational concerns.

Data subjects still get meaningful information to monitor and verify how their data is processed (by date and purpose), fulfilling GDPR’s transparency goals without excessive burden on controllers.


Practical Takeaways

Organizations can rely on this ruling to provide balanced, GDPR-compliant responses without disclosing sensitive internal log details unnecessarily.

If you request your personal data access logs from a bank or similar institution, expect to receive information on dates of data access and the purposes but not necessarily the exact time of day.

The provided information should be sufficient to assess if your data was processed legally and to exercise your other GDPR rights.

If you believe your data rights are violated, you can escalate the matter to the Data Protection Officer or supervisory authority.
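How a controller could produce an access-log disclosure that follows the ruling as summarised above (dates and purposes, no clock times), as an added example that is not code from the ruling or from any bank. The log format, the purpose labels, the operator column and the fixed local-time offset are constructed assumptions; the one non-obvious step it shows is converting to local time before taking the date.

```python
"""Access-log disclosure under Article 15 limited to dates and purposes.
Added example, not code from the ruling or any bank; the log format, the
purpose labels, the operator column and the fixed local-time offset are
constructed assumptions."""
from datetime import datetime, timedelta, timezone

# Constructed: a fixed UTC+2 offset stands in for the controller's local zone
# (a real deployment would use its proper zone, e.g. Europe/Helsinki).
LOCAL_TZ = timezone(timedelta(hours=2))

# Constructed internal log lines: UTC timestamp, operator id, purpose.
ACCESS_LOG = """\
2025-03-03T09:12:41Z op-1187 customer-service
2025-03-03T14:34:05Z op-2210 customer-service
2025-03-03T22:30:11Z op-1187 credit-review
2025-03-04T06:01:12Z op-0042 credit-review
"""


def parse_log(text: str) -> list[dict]:
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, operator, purpose = line.split()
        at = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows.append({"at": at, "operator": operator, "purpose": purpose})
    return rows


def access_disclosure(rows: list[dict]) -> list[tuple[str, str]]:
    """Collapse each access to (local date, purpose).  Convert to local time
    before taking the date: 22:30 UTC on 3 March is already 4 March at UTC+2,
    so slicing the date off the UTC string would report the wrong day.
    Clock times never leave this function; the operator column is not
    exported either (an assumption of this example, not a point the ruling
    summary above decides)."""
    seen = set()
    for row in rows:
        seen.add((row["at"].astimezone(LOCAL_TZ).date().isoformat(), row["purpose"]))
    return sorted(seen)


def render_disclosure(rows: list[dict]) -> str:
    lines = ["Date        Purpose"]
    lines += [f"{date}  {purpose}" for date, purpose in access_disclosure(rows)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_disclosure(parse_log(ACCESS_LOG)))
```

Keeping the full-precision log internally while exporting only the collapsed view is what lets the controller both answer the access request and still investigate a specific access if the subject later disputes one.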


References

  • KHO (Supreme Administrative Court of Finland), Judgment of 12.06.2025, KHO:2025:51, ECLI:FI:KHO:2025:51
  • CJEU Judgment, Case C-579/21 Bank, ECLI:EU:C:2023:501
  • Regulation (EU) 2016/679 (General Data Protection Regulation), Articles 12(1), 15(1), 30(4), 58(2)(c)

5. WhatsApp, Facebook & GDPR: €420K Fine to Employer for Misusing Employee’s Private Messages

Autostrade per l’Italia S.p.A. has been fined €420,000 by the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) for unlawfully using private Facebook, WhatsApp, and Messenger messages to initiate disciplinary proceedings against an employee. This landmark case underscores the strict limits on how employers can use personal communications in workplace investigations under the GDPR.


What Happened?

An employee filed a complaint with the Garante after their employer:

  • Used private Facebook posts (shared only with friends),
  • Accessed Messenger and WhatsApp conversations,
  • And submitted this material to justify two formal disciplinary disputes.

The company claimed the data was provided by others and used under its “legitimate interest.”


What Did the Garante Find?

The Garante found that:

  • The employer violated several GDPR principles, including lawfulness, purpose limitation, and data minimization.
  • The company had no legal basis to process the messages, even if they were voluntarily shared by third parties.
  • The messages were protected under the right to private communication (Article 8 of the European Convention on Human Rights & Article 15 of the Italian Constitution).
  • The company’s conduct showed negligence, especially given its prior data protection violations.

As a result, the Garante:

  • Declared the data processing illegal.
  • Imposed a €420,000 administrative fine.
  • Ordered the publication of the decision on the Garante’s website due to the serious nature of the violations.

Key Lessons for Employers

1. Private ≠ Public Just Because It Was Shared

Even if someone else gives you private messages or screenshots, it doesn’t mean you’re allowed to use them. Confidentiality still applies.

2. Social Media Posts Are Not Automatically Fair Game

Posts shared in a closed group or visible only to “friends” are not public for GDPR purposes.

3. “Legitimate Interest” Requires Real Justification

You must document a balancing test under GDPR Article 6(1)(f):

  • Can you achieve the goal in a less invasive way?
  • Would the person reasonably expect this use of their data?
  • Are their rights outweighed by your interest?

4. Respect Employee Privacy in Disciplinary Actions

If you’re handling sensitive issues (e.g., employee conduct), the use of private communications must meet strict proportionality and necessity standards under:

  • GDPR Articles 5 & 6,
  • EDPB Guidelines 1/2024,
  • Article 8 ECHR,
  • Article 15 of the Italian Constitution.

5. A Prior Violation Makes Things Worse

The Garante considered it an aggravating factor that Autostrade had already been sanctioned (Measure No. 529/2023) for violating employee privacy rights.


What Should Employers Do?

  • Review your disciplinary procedures and make sure you’re not collecting or using employee data unlawfully.
  • Conduct a Legitimate Interest Assessment (LIA) before using personal communications.
  • Limit your access to private chats unless explicitly required and lawful.
  • Work with legal counsel or a DPO to assess proportionality and documentation needs.
  • Train HR teams on data protection risks in workplace investigations.

  • Decision Issued By: Garante per la Protezione dei Dati Personali
  • Company Sanctioned: Autostrade per l’Italia S.p.A.
  • Fine Amount: €420,000
  • Relevant Laws Violated:
    • GDPR: Articles 5(1)(a)–(c), 6(1)(f), 83(2), 83(5)(a)(d), 88
    • Italian Privacy Code: Article 113
    • Italian Constitution: Article 15
    • ECHR: Article 8
  • Case Reference: Italian DPA Decision (published under Art. 166, para. 7 of the Privacy Code)
  • Previous DPA Sanction Noted: Measure No. 529 of 16 November 2023
  • Relevant Case Law:
    • Cassazione Civile No. 5354/2025
    • Bărbulescu v. Romania (ECHR, 2017)
    • Copland v. UK (ECHR, 2007)
    • Saber v. Norway (ECHR, 2020)

6. AEPD Fines ALVEA €21,000 for Exposing Customer Data via Unsecured URLs


Background: What Happened?

A customer of ALVEA Soluciones Tecnológicas, S.L. received an email containing a URL link to a PDF invoice. Upon inspecting the link, they discovered that changing the ID parameter in the URL allowed access to other customers’ invoices—without any authentication or security barrier. These documents included personal and financial data.

After failing to receive a response from ALVEA, the customer escalated the issue to the Spanish Data Protection Agency (AEPD), which initiated an investigation.


Key Legal Questions

  1. Did ALVEA process personal data in accordance with the confidentiality principle under the GDPR?
  2. Were appropriate technical and organizational measures implemented to protect personal data?
  3. Did the company fulfill its obligations under Privacy by Design and by Default (Article 25 GDPR)?

What Went Wrong

  • Lack of Access Controls: PDF files were accessible by simply manipulating URL parameters—no login, token, or authorization required.
  • No Risk Assessment: The company failed to analyze the security risks of this delivery mechanism.
  • No Adequate Response: The complainant received no satisfactory reply from ALVEA upon reporting the vulnerability.
  • Reactive Fixing: ALVEA only disabled the insecure endpoint after the AEPD’s involvement—indicating a reactive, not proactive, data protection culture.

What the Regulator (AEPD) Decided

The AEPD found ALVEA in violation of Article 5.1.f of the GDPR, which requires data to be processed in a manner that ensures appropriate security and confidentiality.

A. Sanction Details:
  • Original Fine: €35,000
  • Final Fine (with reductions): €21,000
  • Legal Basis:
    • GDPR Article 5.1.f (Confidentiality and integrity)
    • GDPR Article 83.5.a (High-level infringements)
    • LPACAP Article 85 (Early payment and admission)
B. Corrective Measures Ordered:
  • Fix communication systems to prevent exposure of third-party data.
  • Conduct a Data Protection Officer (DPO) evaluation of all implemented controls.
  • Report compliance to AEPD within 6 months.

Why This Matters

This case highlights a recurring issue: data leaks via insecure direct object references (IDORs) in URLs—often overlooked by companies, but easily exploited.

The decision reinforces that:

  • Confidentiality is not optional, even for small or internal systems.
  • Regulators expect proactive risk management, not reactive fixes.
  • Controllers must embed data protection into system design, not bolt it on after incidents.

Key Takeaways

  • URLs are not secure by default – predictable identifiers can create massive vulnerabilities.
  • Authentication and authorization must be enforced for all sensitive content.
  • Early cooperation, acknowledgment of responsibility, and payment can reduce penalties.
  • DPO involvement is crucial in reviewing and approving security mechanisms.
  • The AEPD is increasingly willing to impose corrective measures, not just financial sanctions.

How ALVEA Could Have Improved Their System

To avoid such a breach, ALVEA should have adopted:

1. Privacy by Design (Article 25 GDPR)
  • Ensure personal data is accessible only when necessary, using built-in safeguards.
  • Design systems from the start with user authentication and role-based access.
2. Technical Measures
  • Tokenized or expiring URLs for document access.
  • Session-based access controls linked to authenticated users.
  • Rate-limiting or anomaly detection to block sequential URL tampering.
  • Audit logs to detect unauthorized access attempts.
3. Organizational Measures
  • Conduct periodic DPIAs (Data Protection Impact Assessments) for customer-facing tools.
  • Establish clear incident response protocols.
  • Ensure DPO review of system changes that involve personal data.
  • Provide staff training on secure data handling and development practices.

By applying these measures, ALVEA could have fulfilled the GDPR principles of integrity, confidentiality, and accountability.
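The access-control failure described under "What Went Wrong" and the technical measures listed just above, as one added example that is not ALVEA's code. It places the sanctioned pattern (the id alone selects the document) next to a session-bound ownership check, a signed and expiring e-mail link, and a log check that flags a client walking consecutive ids. The invoice store, the signing key, the URL layout, the function names and the log lines are all constructed assumptions.

```python
"""An insecure direct object reference on an invoice URL, next to the
controls listed above.  Added example, not ALVEA's code; the invoice store,
the signing key, the URL layout, the function names and the log lines are
all constructed assumptions."""
import base64
import hashlib
import hmac
import time
from collections import defaultdict
from typing import Optional
from urllib.parse import parse_qs, urlsplit

SIGNING_KEY = b"constructed-key-keep-in-a-secrets-manager"
LINK_TTL_SECONDS = 24 * 3600

# Constructed store: invoice id -> (owning customer, document body)
INVOICES = {
    1001: ("cust-A", "invoice 1001 for cust-A"),
    1002: ("cust-B", "invoice 1002 for cust-B"),
    1003: ("cust-C", "invoice 1003 for cust-C"),
}


class Forbidden(Exception):
    pass


# 1. The pattern the AEPD sanctioned: the id alone selects the document.
def get_invoice_insecure(invoice_id: int) -> str:
    # No authentication and no ownership check, so editing ?id= in the URL
    # returns another customer's invoice. Shown only for contrast.
    return INVOICES[invoice_id][1]


# 2. Session-based authorisation: the id must belong to the logged-in caller.
def get_invoice_for_customer(session_customer: Optional[str], invoice_id: int) -> str:
    if session_customer is None:
        raise Forbidden("login required")
    owner, body = INVOICES.get(invoice_id, (None, None))
    if owner != session_customer:
        # One response for "not yours" and "does not exist", so the endpoint
        # does not reveal which ids are valid.
        raise Forbidden("no such invoice")
    return body


# 3. Signed, expiring link for e-mail delivery, where no session exists.
def _sign(payload: str) -> str:
    mac = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def make_invoice_link(invoice_id: int, now: Optional[float] = None) -> str:
    owner = INVOICES[invoice_id][0]
    expires = int((time.time() if now is None else now) + LINK_TTL_SECONDS)
    sig = _sign(f"{invoice_id}:{owner}:{expires}")
    return f"/invoice?id={invoice_id}&c={owner}&exp={expires}&sig={sig}"


def parse_link(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def get_invoice_by_link(query: dict, now: Optional[float] = None) -> str:
    """Check signature and expiry before touching the store. The MAC binds
    id, owner and expiry together, so changing ?id= breaks the signature."""
    try:
        invoice_id, owner = int(query["id"]), query["c"]
        expires, sig = int(query["exp"]), query["sig"]
    except (KeyError, ValueError):
        raise Forbidden("malformed link")
    if not hmac.compare_digest(sig, _sign(f"{invoice_id}:{owner}:{expires}")):
        raise Forbidden("bad signature")
    if (time.time() if now is None else now) > expires:
        raise Forbidden("link expired")
    return get_invoice_for_customer(owner, invoice_id)


# 4. Detection: a client walking consecutive ids is the audit-log signal to
#    alert on (the "sequential URL tampering" the measures above mention).
ACCESS_LOG = """\
203.0.113.7 GET /invoice?id=1001 403
203.0.113.7 GET /invoice?id=1002 403
203.0.113.7 GET /invoice?id=1003 403
203.0.113.7 GET /invoice?id=1004 403
198.51.100.9 GET /invoice?id=1002 200
"""


def enumeration_suspects(log_text: str, min_run: int = 3) -> list[str]:
    ids_by_client = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, _method, path, _status = line.split()
        ids_by_client[client].append(int(parse_link(path)["id"]))
    suspects = []
    for client, ids in ids_by_client.items():
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                suspects.append(client)
                break
    return suspects
```

Two design points worth noting. The signed link still ends in the same ownership check as the session path, so a leaked but valid link can only ever open the invoice of the customer it was issued to. And the enumeration detector only works if the endpoint logs its refusals; an IDOR that is silently served with 200 leaves no 403 trail to alert on, which is the "no audit logs" gap the measures above call out.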


References