Data Subject Rights under GDPR: Recognition with Proportional Limits — A CJEU-Informed Practitioner’s Reading

The GDPR is often understood as granting strong and sometimes absolute rights to data subjects. Yet, a consistent reading of CJEU jurisprudence shows a more calibrated reality: rights are firmly recognized, but their enforcement is shaped by proportionality, competing fundamental rights, and operational feasibility.

This article does not analyse individual judgments in isolation. Instead, it distils recurring jurisprudential principles emerging from CJEU case law that are particularly relevant for privacy practitioners and DPOs.

1. Data Subject Rights Are Fundamental — Not Absolute

The CJEU consistently affirms data protection as a fundamental right under the EU Charter. At the same time, it repeatedly clarifies that GDPR rights must be exercised in balance with other protected interests, including:

  • Freedom to conduct business
  • Protection of trade secrets and intellectual property
  • Public interest and statutory obligations

Practitioner insight: GDPR compliance is about reasoned justification, not automatic fulfilment.

2. Transparency Means Understandability, Not Full Disclosure

Across its jurisprudence, the Court has made clear that transparency obligations are satisfied when individuals can meaningfully understand how their data is used and how decisions affecting them are made.

However, this does not translate into a right to access:

  • Source code
  • Algorithms in technical detail
  • Internal decision-making models

Practitioner insight: Explain the logic and impact of processing — not the mechanics.

3. The Right of Access Is Not a Discovery Tool

The CJEU’s reading of Article 15 GDPR confines access rights to personal data relating to the individual. Requests cannot be used to obtain:

  • Internal legal opinions
  • Controller–processor agreements
  • Governance or compliance documentation

Practitioner insight: Access rights protect individuals, not transparency into corporate structures.

4. Remedies Exist, But Enforcement Pathways Are Contextual

While GDPR establishes rights to redress and compensation, the Court recognizes that enforcement mechanisms (procedural routes, interim relief, injunctions) remain largely within the competence of Member States.

Practitioner insight: GDPR harmonizes substance, not national procedural law.

5. No Identifiability, No GDPR Rights

The Court repeatedly ties the application of GDPR rights to the realistic possibility of identifying an individual using reasonable means. Where data is genuinely anonymized or robustly pseudonymized, GDPR — and its rights framework — may not apply.

Practitioner insight: Rights analysis should always start with an identifiability assessment.

6. Public Interest and Regulatory Duties Matter

In the public sector context, the CJEU has confirmed that GDPR must coexist with:

  • Transparency obligations
  • Regulatory disclosure duties
  • Public administration requirements

Data protection does not automatically override lawful public interest processing.

Practitioner insight: GDPR is a governance framework, not a veto power.

Closing Reflection

CJEU jurisprudence sends a consistent message:

GDPR rights are real, enforceable, and fundamental — but they are not unconditional.

For privacy practitioners, this means mature compliance is not about mechanical rights fulfilment, but about balancing, documentation, and proportional decision-making.

Reference

  1. CJEU, Dun & Bradstreet Austria GmbH — transparency and automated decision-making (Article 15 GDPR) https://curia.europa.eu/juris/liste.jsf?num=C-203/22
  2. CJEU, IP v Quirin Privatbank AG — remedies and limits of harmonisation under GDPR. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:62023CJ0655
  3. CJEU, judgment on disclosure of personal data by public authorities — balancing GDPR with public interest obligations. https://curia.europa.eu/juris/document/document.jsf?text=&docid=297537&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=3977339
  4. CJEU, judgment on scope of “personal data” and identifiability — applicability of GDPR rights. https://curia.europa.eu/jcms/upload/docs/application/pdf/2025-09/cp250107en.pdf
  5. German Higher Administrative Court (VGH), decision on limits of Article 15 GDPR access rights. https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62021CJ0487

Case references are provided for contextual guidance. Readers should consult the full judgments for authoritative legal interpretation.
