The European Union General Data Protection Regulation (GDPR or EU Regulation 2016/679) continues to produce enforcement actions at a pace and scale that should concern any U.S. technology company processing data of EU residents. This includes companies whose primary market is the United States, but whose products, services, or supply chains touch European data subjects. The 2025 enforcement cycle produced several decisions with direct implications for technology companies in the embedded systems, automotive, and software sectors.
This post addresses the current enforcement trends, the specific obligations most commonly violated by technology companies, and the practical compliance steps that reduce exposure.
The Enforcement Landscape: Record Fines and Expanded Scope
GDPR enforcement fines have increased substantially each year since the regulation took effect in 2018. By 2025, total cumulative fines across all EU member state data protection authorities (DPAs) exceeded €5 billion, with the Irish Data Protection Commission (DPC), which supervises most U.S. tech giants that have their EU headquarters in Ireland, accounting for a significant share.
More significant than the aggregate numbers is the expansion of enforcement scope. Early GDPR enforcement focused heavily on consumer-facing companies with large datasets of individual personal information. Recent enforcement has expanded to include: companies processing employee data; companies in the automotive sector collecting vehicle telemetry data linked to identifiable drivers; companies running connected devices that collect behavioral data; and B2B companies whose products process personal data on behalf of business customers.
This scope expansion is highly relevant for embedded systems and automotive companies. A vehicle that collects GPS traces, driving behavior data, biometric seat occupancy data, or communication system data is collecting personal data under GDPR if that data can be linked to an identifiable natural person. The vehicle original equipment manufacturer (OEM) and, in some enforcement interpretations, the Tier 1 supplier (the first-tier automotive supplier whose system collects the data) may both be data controllers or processors subject to GDPR obligations.
The Data Transfer Problem: Schrems III on the Horizon
Transatlantic data transfers have been a recurring source of legal uncertainty since the Court of Justice of the European Union (CJEU) invalidated Safe Harbor in Schrems I (Case C-362/14, 2015) and Privacy Shield in Schrems II (Case C-311/18, 2020). The European Union–United States Data Privacy Framework (DPF), adopted in 2023, provided a new adequacy decision enabling transfers to DPF-certified U.S. companies. Max Schrems has publicly challenged the DPF, and a new CJEU review is anticipated.
For technology companies that rely on the DPF for their transatlantic data transfers, this legal uncertainty is not theoretical. If the CJEU invalidates the DPF, companies will again be required to implement alternative transfer mechanisms — Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or other GDPR Article 46 transfer tools — with all the contractual and operational complexity those mechanisms entail.
Companies that have not yet addressed their transatlantic transfer mechanisms — or that certified under DPF without implementing the underlying operational requirements — are exposed to enforcement by EU DPAs who have indicated they will not wait for the CJEU to act before investigating non-compliant transfers.
Automotive Telematics: The Emerging Enforcement Priority
Automotive telematics — the collection, transmission, and processing of vehicle and driver data — has become an emerging GDPR enforcement priority. Modern connected vehicles can collect hundreds of data points per second: location, speed, acceleration, braking patterns, steering inputs, seat occupancy, eye tracking for driver monitoring, and infotainment system usage. When correlated with other data, this information can reveal intimate details of an individual's daily life.
The GDPR obligations that arise from automotive telematics are complex: determining who is the data controller (OEM? connected services provider? fleet operator?); identifying the legal basis for each category of data collection; implementing data minimization principles that are in tension with the engineering value of comprehensive sensor data; providing meaningful notice and consent mechanisms in the vehicle human-machine interface (HMI); and enabling data subject rights (access, deletion, portability) for data stored in OEM cloud systems.
Automotive companies and their Tier 1 suppliers developing telematics systems, advanced driver-assistance systems (ADAS) with driver monitoring, or connected vehicle platforms should be conducting GDPR data protection impact assessments (DPIAs) as part of their product development process — not as an afterthought during homologation.
The Accountability Principle and Documentation
One of GDPR's core principles is accountability: companies must not only comply with GDPR but must be able to demonstrate compliance to supervisory authorities. This documentation requirement has practical implications for technology companies.
Records of processing activities (GDPR Article 30), data protection impact assessments, data processing agreements with processors and sub-processors, and records of data subject requests and responses — all of these are documentation obligations that enforcement authorities expect to find when they investigate. Companies that process personal data systematically and at scale but have not built the documentation infrastructure to demonstrate GDPR compliance are exposed to enforcement findings based on the absence of documentation alone, separate from any substantive violation.
guibert.law Insight
For U.S. embedded systems and automotive companies with EU market presence: GDPR is not a compliance exercise you complete once. It is an ongoing operational program that must be built into product development, supply chain management, and organizational governance. The companies that integrate privacy-by-design into their engineering process — rather than retrofitting privacy compliance onto finished products — face significantly lower enforcement risk and lower compliance cost.
Attorney advertising. The information in this post is provided for general informational purposes and does not constitute legal advice. Prior results do not guarantee a similar outcome. © 2026 guibert.law