As we progress through 2025, it’s essential to reflect on the significant data protection developments from the past year. Here, we provide a summary of the most important data protection news, legal precedents, and decisions by the Data Protection Ombudsman from 2024.

News Highlights

Oral Processing of Personal Data: In March 2024, the Court of Justice of the European Union (CJEU) ruled that oral disclosure of personal data constitutes processing under the GDPR if the data is part of a register or intended to be included in a register. This decision came after Endemol Shine Finland requested information on a competition participant’s criminal convictions from the South Savo District Court, which was denied. The ruling emphasizes that GDPR obligations apply to oral processing of personal data, and companies must ensure compliance even when sharing information verbally.

Draft Guidelines on Legitimate Interest: In October 2024, the European Data Protection Board (EDPB) published draft guidelines clarifying the concept of legitimate interest under the GDPR. The guidelines outline three key requirements: the existence of a legitimate interest, the necessity of processing for that interest, and a balancing test to ensure that individuals’ interests or fundamental rights do not override the legitimate interest. Companies should review their processing activities based on legitimate interest to ensure compliance with these guidelines.

Use of Meta Pixels on Websites: In June 2024, the Swedish Data Protection Authority (IMY) imposed a fine of 15 million SEK (approximately 1.3 million EUR) on a bank for using Meta pixels on its website and app without adequate technical and organizational measures to protect personal data. The Meta pixels collected and transferred data, such as customers’ securities holdings and account numbers, to Meta Platforms Inc. Companies must ensure that all analytics and marketing tools comply with the GDPR and protect personal data.

Consent for Cookie Use: The Helsinki Administrative Court upheld Traficom’s decisions requiring two companies to change their cookie policies. The companies were initially interpreting that certain cookies were necessary and did not require user consent. Traficom mandated that personalization, delivery, and chat cookies require active user consent and that consent management tools allow users to refuse non-essential cookies easily. The Supreme Administrative Court did not grant leave to appeal, making the decision final. Companies must ensure their cookie policies and consent management tools comply with legal requirements.

It is crucial for companies to stay updated on data protection regulations and ensure compliance. Lexia is here to help you, and your company navigate data protection regulations and ensure compliance. If you have any questions do not hesitate to contact us.

Counsel Erika Leinonen, email: [email protected], tel: +358 45 7820 0310

Senior Associate Marko Moilanen, email: [email protected], tel: +358 40 517 0002

More information

Oral Processing of Personal Data: gdprhub.eu and eur-lex.europa.eu

Legitimate Interest: EDPB’s statement and guidelines  and Data Protection Ombudsman’s statement.

Use of Meta Pixels: Integritetsskyddsmyndigheten, IMY

Consent for Cookie Use: Helsinki Administrative Court