GDPR Enforcement is Alive and Well – Key Considerations in 2025

Alert
By David Senter and Hunter Bruton

As 2025 progresses, one thing is clear—GDPR enforcement is not slowing down. In fact, regulators across Europe are intensifying their scrutiny, handing out significant fines and even warning executives of potential personal liability. If your business operates in or interacts with the EU, staying ahead of these enforcement trends is more crucial than ever.

Independent national data protection authorities (DPAs) from the 27 EU Member States actively oversee compliance and enforcement of GDPR within each Member State. Any business that processes the personal data of EU residents and is either established in the EU or offers goods and services to EU residents should be familiar with the data protection obligations under GDPR, as well as the enforcement trends of those regulators tasked with ensuring compliance. Risk of non-compliance includes not only reputational harm and operational disruption but also the imposition of fines and penalties up to €20 million or 4% of global revenue, whichever is greater.

A look back at three major enforcement actions from 2024 by the Dutch DPA, the Netherlands’ supervisory authority for GDPR, provides key lessons for businesses looking to mitigate risk in 2025.

Privacy Statements: Ensure Transparency or Risk Hefty Fines

In November 2024, the Dutch DPA fined a well-known online streaming service €4.75 million for failing to provide clear and complete information in its privacy statement/notice. Specifically, after a five-year investigation, the DPA found that the company’s privacy statement lacked transparency on:

  • The purposes and legal bases for collecting and using personal data;
  • What personal data was shared with others and why;
  • Data retention periods; and
  • Security measures when transferring data outside of Europe.

The case underscores the importance of regularly reviewing privacy statements to ensure they are accurate, clear, and aligned with business practices. Companies must not treat privacy statements as a one-time formality but as a critical, living compliance document.

Personal Liability: Executives Beware—Accountability is Rising

In another significant case, an artificial intelligence company was fined €30.5 million for collecting and using special categories of personal data without proper notice or consent. However, the fine wasn’t the only consequence. The Dutch DPA Chairman warned that company leadership could be held personally liable if they knew of the violation, had the authority to stop it and failed to act.

This signals a broader regulatory trend: GDPR compliance is no longer just a corporate responsibility—it is becoming a direct accountability issue for executives and board members. The case aligns with other EU privacy and security laws, such as the NIS-2 Directive, which emphasize the need for corporate leadership to actively oversee compliance efforts. Boards and C-suite executives must ensure they have sufficient oversight into data protection practices to avoid personal liability.

Data Transfers: Getting It Wrong Can Cost You Millions

In July 2024, the Dutch DPA imposed a €290 million fine on a ride-sharing app for improperly transferring personal data, including sensitive information, from the EU to the United States without appropriate safeguards.

The company had removed standard contractual clauses (SCCs) from its data-sharing agreements, relying instead on non-binding guidance from the European Commission suggesting SCCs were unnecessary in its case. The Dutch DPA, however, disagreed, ruling that the company had failed to implement sufficient safeguards to protect EU personal data.

This case highlights two crucial lessons for businesses:

  1. Do not assume non-binding guidance is sufficient protection. Companies must independently assess data transfer mechanisms to ensure compliance.
  2. Confirm appropriate safeguards before transferring any personal data outside the EU. Common mechanisms include adequacy decisions and SCCs, both of which require careful implementation.

Key Takeaways for Businesses

  • Regularly review and update privacy statements to ensure accuracy and full transparency.
  • Company leadership must take an active role in GDPR compliance—personal liability is on the rise.
  • Verify that appropriate data transfer mechanisms are in place before transferring EU personal data abroad.

Act Now to Stay Ahead of GDPR Enforcement in 2025

2024 enforcement trends make one thing clear: businesses can’t afford to take a reactive approach to GDPR compliance. Now is the time to evaluate privacy policies, reinforce data protection measures and ensure leadership is engaged in oversight. Smith Anderson’s Data Privacy team is here to help you navigate these challenges—reach out to David Senter, Hunter Bruton or a team member today to safeguard your business for 2025 and beyond.
