The EU Court of Justice ruled that even a first personal data access request may be deemed abusive under the GDPR if it is made solely to generate compensation claims, allowing controllers to refuse such requests. An individual residing in Austria subscribed to the newsletter of a family-run optician company in Germany by entering his personal data in the registration form available on the company’s website. 

Thirteen days later, he sent a request for access under Article 15 of the GDPR. The company refused the request, considering it to be abusive. According to various reports and blog articles, the individual systematically subscribes to newsletters of various companies before submitting an access request and then a compensation claim. The individual maintained that his access request was legitimate and claimed compensation of at least 1,000 euros. 

 Stay up to date! Sign up to receive our fortnightly digest via email.

Main developments

Protecting children online: On 3 April, the Regulation on the Extension of Derogation from the ePrivacy Directive for the purpose of identifying Child Sexual Abuse Material (CSAM) online expired, digitalpolicyalert.org reports. The extension concerns an exemption from data protection regulations, which grants hundreds of providers offering number-independent interpersonal communication services, such as messaging services, the authority to use technologies for processing personal and other data to identify, report, and remove instances of online child sexual abuse on their platforms. In addition, providers must ensure that information regarding reports of detected online child sexual abuse submitted to authorities and the Commission is accessible in a structured format.

‘Legitimate interests’ analysis: The EDPB has published a One-Stop-Shop case digest on the legal basis of “legitimate interest”. It provides useful examples of how regulators analyse controllers’ reliance on this legal basis in specific contexts, providing positive and negative compliance examples. In particular, it explains and summarises how regulators apply the three-step test to assess whether a controller can lawfully rely on legitimate interests. Relevant cases before the CJEU and national courts are also mentioned. 

Back up!

On World Backup Day, 31 March, the German Federal Office for Information Security (BSI) called on consumers to back up important data. Data backup is not a complicated process: most operating systems guide users through the process. Nonetheless, only one-fifth of internet users regularly create backups. Backups can be performed in the cloud or on a physical storage medium, such as an external hard drive.

Those who opt for a physical storage medium should keep it in a different location than, for example, the source computer for the data being backed up.  

Human resources management

The CNIL has published a reference framework (in French) to help data controllers identify retention periods for their personnel management activities. This document is particularly useful for data protection officers, GDPR referents, but also for staff working in human resources departments or for the information systems department. This repository is organised by processing activities and includes:

• recruitment;
• administrative management of personnel;
• compensation management;
• the security of goods and people;
• the management of professional vehicles;
• listening to and recording telephone conversations in the workplace;
• the management of collective labour relations;
• the management of occupational accidents;
• the management of litigation and pre-litigation;
• the management of Whistleblowing. 

More official guidance

Cookies user guide: The Swiss regulator, FDPIC, has published a factsheet on the use of cookies (in English) that explains how users can retain control over their own data and minimise the digital footprint they leave behind while browsing. Although cookies and similar technologies can enhance the online browsing experience, for example, by saving the contents of a shopping basket or certain preferences, they can also enable third parties to track users’ online activities. 

AI red lines: The Future of Privacy Forum continues its series of publications on Red Lines under the EU AI Act. This time, it pays attention to the prohibition on biometric categorisation for “certain sensitive characteristics” to deduce or infer race, political opinions, trade union membership, religious or philosophical beliefs, etc. The risks associated with biometric categorisation also reflect broader concerns under EU data protection legislation, as sensitive characteristics may themselves constitute special categories of personal data under the GDPR. 

Previous analysis by FPF also looked at prohibition and emotion recognition in the workplace and educational institutions.

Health data in the cloud: More and more organisations are using cloud solutions for processing health data. The Dutch data protection authority AP has therefore published an updated and broadened version of AP’s practice guide on patient data in the cloud. The practice guide now focuses not only on patient data within the treatment relationship, but on health data in a broader sense. 

In other news

Police biometric data: A police authority may,in a criminal investigation, collect biometric data solely because the collection is strictly necessary. The Maltese data protection agency looked at a recent ruling by the CJEU, which stated that the gathering of identification data may not be required systematically and clear reasons must be given for it, failing which the criminal penalty laid down for refusing to consent to that gathering will be invalid.

In a related case, a person was detained in Paris for organising a demonstration without prior notice and for disobedience. While he was in police custody, he refused to consent to the gathering of identification data (fingerprints and photo). That refusal resulted in his being charged, even though he was acquitted of the offence forming the basis of the envisaged gathering of identification data. 

Credit information checks should be free of charge: The Finnish data protection ombudsman considers that the regular practice of the credit information company Dun&Bradstreet, in which a person has only been able to check their own credit information once a year, free of charge, is not in accordance with data protection legislation. Customers had been regularly charged a fee if they had requested information more than once within a year. The company also had shortcomings in responding to requests for personal data. 

According to the law, a fee can only be charged in situations where the request is manifestly unfounded or unreasonable, for example, if the same information is requested repeatedly. 

More enforcement decisions

OKCupid data sharing: In the US, the Federal Trade Commission is taking action against OkCupid and its affiliate Match Group Americas over allegations that it deceived users of its dating app by sharing their personal information, including photos and location information, with an unrelated third party, contrary to OkCupid’s privacy promises. OkCupid provided the third party with access to nearly three million OkCupid user photos as well as location and other information without placing any formal or contractual restrictions on how the information could be used. 

The FTC also alleged that, since September 2014, Match and OkCupid took extensive steps to conceal their wrongdoing, including by trying to obstruct the FTC’s investigation.

Unauthorised access to banking information: The Italian data protection authority Garante has fined Intesa Sanpaolo 31.8 million euros for serious shortcomings in personal data security. The investigation found that an employee accessed, without justification, the banking information of 3,573 customers, making over 6,600 inquiries between February 21, 2022, and April 24, 2024. These unauthorised accesses were not detected by internal control systems, highlighting significant weaknesses in the monitoring and prevention mechanisms. 

And Finally

Wearables: The Swiss FDPIC has published practical advice on smartwatches and fitness trackers, which monitor your physical activity and bodily functions, and are now widely used. Smart glasses, which make it easy to take and share photos and videos, are also gaining in popularity. As all these body-worn devices pose a particular threat to privacy, users should exercise particular caution when using them. 

Before making their choice, buyers should check how the manufacturer has configured it and whether the product allows for privacy-friendly settings, where collected data is stored, and whether the processing of such data is comprehensible overall.

Fraudulent websites: Reportedly, phishing remains one of the largest forms of online crime. To better protect internet users against this, several Dutch public and private parties have jointly tested a new approach. The so-called Anti Phishing Shield demonstrates that the approach works: since the start of the pilot in July 2025, over two million attempts to visit phishing and fraudulent websites have been blocked among a group of over 200,000 users. Internet providers can easily connect to the tool and use it to protect their customers. And users must give their prior explicit consent via a so-called ‘opt-in’. 

Read the original publication to see how the Anti Phishing Shield works.

The post Data protection digest 3 April 2026: abusive access request, human resources management & patient data in the cloud  appeared first on TechGDPR.

On 10 February, the EDPB and EDPS, in a joint opinion, strongly welcomed the regulatory solution to address cookie fatigue and the proliferation of consent banners. This follows the  European Commission’s proposal to switch to automated, machine-readable indications of data subjects’ choices under the Digital Omnibus package. The EU regulators welcome that, pursuant to the proposed Article 88b of the GDPR, harmonisation standards will be developed. 

Such standards should cover the communication of data subjects’ choices, from browsers to websites, from mobile phone applications to web services, and ensure that all involved actors use the same automated machine-readable indications and are not simply repackaging consent in a new technical format. 

 Stay up to date! Sign up to receive our fortnightly digest via email.

Anticipating the need of data controllers and browser providers in the near future to be able to accept and enable automated signals, TechGDPR publishes Conditional Consent, an open concept paper proposing what automated signalling should look like for meaningful user control, based on three dimensions:

• Cookie purpose
• Website category
• Third-party processing

The concept paper contains the main principles, legal basis and exceptions, technical specifications, along with a comparison with existing tools, and a proposed implementation solution, all available at conditionalconsent.com.

Main developments 

Prohibited AI practices: A Future of Privacy Forum analysis draws “red lines” under prohibited practices in the new EU AI Act. They concern harmful manipulation and deception, social scoring, individual risk assessment, untargeted scraping of facial images, emotion recognition, biometric categorisation, and real-time remote biometric identification for law enforcement. Prohibited AI practices are regulated by Article 5 of the AI Act, which became applicable in February 2025. Plus, starting on 2 August 2025, this provision also became enforceable. 

AI-generated images: The EDPB has signed a Joint Statement on AI-Generated Imagery and the Protection of Privacy. The statement, coordinated by the Global Privacy Assembly, represents the united position of 61 authorities across the world. The statement addresses serious concerns about AI systems that generate realistic images and videos depicting identifiable individuals without their knowledge or consent. The co-signatories are especially concerned about potential harm to children and other vulnerable groups, such as cyber-bullying and/or exploitation. Fundamental principles should guide all organisations developing and using AI content generation systems, including:

• Implement robust safeguards to prevent the misuse of personal information.
• Ensure meaningful transparency about AI system capabilities, safeguards, acceptable uses and the consequences of misuse. 
• Provide effective and accessible mechanisms for individuals to request the removal of harmful content involving personal information and respond rapidly to such requests. 
• Address specific risks to children through implementing enhanced safeguards and providing clear, age-appropriate information to children, parents, guardians and educators

Digital Omnibus legal study

The European Parliament published a study identifying interlinks and possible overlaps between different legal acts in the field of digital legislation. It analyses the European Commission’s Digital Omnibus package proposals published on 19 November 2025, distinguishing administrative simplification from more substantive recalibration of safeguards across data, privacy, cybersecurity and AI areas. The study highlights key areas of controversy (legal certainty, enforcement capacity, and impacts on rights) and sets out areas for consideration for parliamentary scrutiny, including:

• Debate over the definition of personal data in the GDPR
• Integrating ePrivacy into GDPR (cookie fatigue)
• Concerns about restricting data access rights
• Data Act consolidation
• Centralised incident notification submission SEP
• AI timelines, burden reduction and centralisation.

Ransomware statistics

In 2025, 65 ransomware incidents were reported to the police in the Netherlands. Incident response companies responded to 40 incidents. Access is usually gained through exploiting vulnerabilities and account takeovers. In a ransomware attack, computer systems and data are locked with a code containing malicious software. Hard drives, databases, backups, USB drives, and cloud data can also be affected. The victim is blackmailed. The attacker offers this code for payment. 

Reporting the incident is crucial if you, as a business or individual, have been a victim of ransomware. Even if the criminals have already been paid, filing a report provides the police with vital information. A report can contain missing information that police can use to unlock the system. It also helps them identify suspects. 

More from supervisory authorities

GDPR survey in Germany: The North Rhine-Westphalia data protection commissioner has used a recent survey by the business association Bitkom as an opportunity to reject discussions about the complete or partial centralisation of data protection supervision.

The survey of 603 companies clearly shows that businesses in the state primarily view data protection laws as too complicated. 85 % of the companies surveyed in Germany want more understandable data protection regulations. 79 % are calling for a reform of the GDPR, and 69 % demand better coordination with other regulations. 

Just 33 % believe that decision-making processes would be faster within a federal agency, while 44 % are concerned about losing proximity to their local supervisory authority and thus a direct contact person (which implies the need for additional staff to handle a sharply increasing number of complaints and consultation services). 

Session replay tools: The French data protection regulator CNIL is launching a public consultation on its draft recommendation concerning session replay tools that allow the monitoring and analysis of users’ online behaviour. The objective is to support the actors who design these tools and those who use them in their compliance. Session replay tools are used to reconstruct the complete browsing path of an Internet user on a website or a mobile app. They can, for example, be used to detect and fix bugs or optimise the structure or ergonomics of a website or mobile application. 

More official guidance

GDPR certification criteria: The North Rhine-Westphalia data protection commissioner also approved a nationwide catalogue (available in English and German) of criteria for IT solutions. Companies that meet these criteria will receive a certificate confirming their compliance with European data protection law, which they can then use for advertising purposes. The catalogue was developed by TÜV Nord Group. This is the third such approval issued by the NRW regulator.

Specifically, it addresses so-called information processing services – online banking, accounting, and AI systems, as well as search engines. The certification process, conducted by a specialised certification body, typically involves a detailed audit of the processing operations within the respective company. This audit verifies the technical and organisational measures in place, as well as compliance with the principles of the GDPR. 

Health screening campaigns via phone are possible: In Italy, the data protection authority Garante has approved the use of telephone numbers for screening, provided that adequate safeguards are respected. Healthcare companies may use adult patients’ telephone numbers, provided during previous healthcare services, to promote participation in screening campaigns required by national or regional regulations, even if the information request did not expressly state this purpose at the time the data was collected.

Specifically, healthcare companies will be required to update their information, specifying that the most recent contact details collected for treatment purposes, subject to verification of their accuracy. It may be used exclusively for the promotion of public prevention programs and not for other purposes (for example, scientific research or administrative activities).

In other news

Employee data access rights: The LewisSilkin legal blog analyses a recent decision from the French Court of Appeal, which confirmed that employees cannot rely on their right of access to obtain copies of entire work email correspondence or business files, merely because their name or email address appears in them. Where the material contains no substantive personal data beyond identifying information, the right of access does not extend to wholesale document disclosure.

Furthermore, the right of access cannot be seen as a litigation discovery mechanism (e.g., employee dismissal as it appears in the above case). The court decision also reflects the ICO guidance on the Right of Access.  

Reddit fine: In the UK, Reddit was fined 14.47 million pounds for children’s privacy failures. The Information Commissioner’s investigation found that Reddit did not apply any robust age assurance mechanism. The company did not have a lawful basis for processing the personal information of children under the age of 13. It also failed to carry out a data protection impact assessment to assess and mitigate risks to children before 2025. In the past year, Reddit introduced age assurance measures that include age verification to access mature content and asked users to declare their age when opening an account. The commissioner once again informed Reddit that relying on self-declaration presents risks to children, as it is easy to bypass. 

Samsung consent case: The Texas Attorney General reached an agreement with Samsung Electronics America, concerning the collection of Automated Content Recognition (ACR) viewing data from Texas consumers through Samsung smart televisions. Under the agreement, Samsung must cease collecting or processing ACR viewing data without obtaining Texas consumers’ express consent and must update its smart televisions to implement clear and conspicuous disclosures and consent screens, digitalpolicyalert.org reports.

More enforcement decisions

Ransomware attack followed by privacy fine: In Spain, data protection agency AEPD fined Sprinter Megacentros del Deporte (a sporting goods retailer) 2.6 million euros for a data breach, DataGudance reports. A ransomware attack encrypted systems and exfiltrated data, affecting 6.3 million individuals. Notification of a data breach to data subjects was also not delivered ‘without undue delay’ and lacked specific mitigation information. 

Biometric data fine: The Italian Garante has fined eCampus University 50,000 euros for unlawfully processing the biometric data of numerous participants in its online courses. The investigations revealed the lack of a suitable legal basis to justify the use of biometric systems, especially given the availability of less invasive tools.

It also emerged that the University had not conducted a data protection impact assessment before implementing the system. The violations affected a very high number of participants, over 450 students for each lesson.

Data processing agreement fine: The Polish data protection authority UODO has fined DPD Polska more than 2.75 million euros after finding serious failures in how the courier company structured its relationships with external carriers, according to an analysis by grcreport.com. These carriers participated in loading and unloading parcels and had access to address labels containing personal data. In some cases, shipments were transported in vehicles not owned by DPD Polska and for which it had no other legal basis. Despite this third-party access, the company did not conclude personal data processing agreements with the carriers.

GDPR does not prevent authorities from being notified of social fraud

The Danish data protection regulator, Datatilsynet, explains that the GDPR does not contain a general prohibition on disclosing information to public authorities. On the contrary, the rules allow data to be disclosed when there is a lawful basis for processing. This may be if the disclosure is necessary to comply with a legal obligation. The question of whether, for example, an insurance company may or must disclose information on possible fraud to a public authority, therefore, depends on the specific legal basis in national legislation, including rules on confidentiality and sector-specific regulations. 

And Finally

AI models and GDPR audit tool:  The French CNIL, with other actors in the digital data domain, the ANSSI, the PEReN and Inria, are launching a call for expressions of interest to test an audit tool called PANAME that makes it possible to assess the confidentiality of AI models and their compliance with the GDPR. This project aims to develop a tool to audit the privacy of AI models. It will take the form of a library for performing data extraction and/or re-identification tests on AI models. 

For more than a decade, research has shown that it is possible to extract data, including personal data, from an AI model that was included in the training dataset. This extraction can be carried out via:

• statistical techniques at the model level, full or partial access to the model, 
• in the case of generative AI, by directly querying the model by instruction (prompt).

AI geolocation: Privacy International explains that one of the most concerning capabilities of the newest AI systems is to infer geographic location from images. Vision‑Language Models (VLMs) can now determine where in the world any given photo is taken with striking speed and accuracy. Most people are unaware that widely accessible AI tools can identify the location of their personal photos, even when Global Positioning System (GPS) metadata has been removed. Inferring location from images without GPS data may potentially support beneficial activities, such as robotics development or investigative journalism. But they are not privacy risk-free. 

The post Data protection digest 18 Feb – 2 Mar 2026: ‘Conditional Consent’ for meaningful user control over cookie preferences appeared first on TechGDPR.

The Digital Omnibus proposal, published in November 2025, introduces Article 88b to the GDPR. For the first time, EU law will require websites to accept automated, machine-readable consent signals from browsers. Users would set their preferences once, their browser would communicate those preferences to every site they visit, and controllers would be legally obliged to respect them. No more banners. No more clicking. No more dark patterns.

But here is the catch: the standards for how these signals should work have not been written yet. Article 88b delegates the technical specification to implementing acts and standardisation bodies. The decisions made in that process — what signals can express, who controls the interface, how much granularity users get — will shape consent for a generation of internet users.

That is why we published Conditional Consent: an open concept paper and technical specification proposing what Article 88b signalling should look like, designed from the user’s perspective.

The core idea: consent as conditions, not clicks

Today, consent is binary. Accept or reject, site by site, visit by visit. Conditional Consent proposes that users define rules across three dimensions:

• Cookie purpose: functional, analytics, advertising, social media, personalisation
• Website category: e-commerce, news, government, banking, healthcare
• Third-party processor: first-party only, exclude specific companies, allow named providers

A user might say: “Allow functional cookies everywhere. Allow analytics on shopping sites, first-party only. Deny all advertising cookies. Block any processing involving Meta.”

This level of granularity does not exist in any consent tool today. Current Consent Management Platforms offer purpose toggles at best. Global Privacy Control — the most successful browser privacy signal, now mandated in twelve US states — can only express a binary “do not sell.” The Advanced Data Protection Control specification developed by noyb and the Vienna University of Economics and Business came closest to what we propose, supporting granular purpose-based HTTP header signalling, but never achieved real-world adoption and lacks the website category and processor dimensions.

Conditional Consent builds on all of these. It proposes an open HTTP header protocol for Article 88b signalling, combined with automated CMP interaction as a fallback — so it works on existing websites from day one, without requiring website operators to change anything.

What we published

The concept paper sets out the problem, the legal basis in Article 88b, six core principles for user-centric consent signalling, a detailed comparison with existing tools (GPC, ADPC, Consenter, Consent-O-Matic, IAB TCF), and a proposed architecture for a browser extension MVP.

The technical specification (pending) goes deeper: browser extension architecture, a preference engine for evaluating conditional rules, an HTTP header protocol, a CMP automation layer, chatbot-guided onboarding, and a compatibility analysis with every relevant existing standard.

These are (or will be) published under CC BY 4.0 at conditionalconsent.com. They are designed to be forked, extended, critiqued, and adopted by anyone — browser vendors, CMP providers, privacy advocates, standardisation bodies.

Why now

Article 88b has a staged timeline. Controllers must accept automated signals within 24 months of entry into force. Browser providers must enable signalling within 48 months. But the implementing standards — the technical specifications that define what those signals can actually carry — need to be developed now. Once a standard is set, it will be extremely difficult to change.

The risk is that the advertising industry shapes these standards toward the simplest possible signal — a binary accept/reject that perpetuates the current model in machine-readable form. The opportunity is to establish that the standard should support genuine conditional granularity: rules that reflect how people actually think about their privacy.

What we are asking for

We are not launching a product. We are putting a proposal on the table — early, openly, and with full documentation — so that the conversation about Article 88b implementation includes a concrete, user-centric option.

If you work in privacy, policy, browser development, or consent management, we would like your input. Read the papers. Challenge the assumptions. Propose improvements. Tell us what we got wrong. The specification is deliberately open because getting this right requires more perspectives than any single consultancy can provide.

The concept paper and technical specification are available at conditionalconsent.com.

The post Conditional Consent: an Open Proposal for How Article 88b Consent Signalling Should Work appeared first on TechGDPR.

Throughout 2025, 32 supervisory authorities across the EU/EEA launched coordinated investigations into controllers’ compliance with the right to erasure under the GDPR. Now, the EDPB has published a report of the findings. As the right to deletion is not absolute, some controllers face difficulties in assessing and applying the conditions for exercising this right, including in conducting the balancing tests between the right to erasure and other rights and freedoms. Many regulators raised concerns regarding controllers not having:

• internal procedure or practice in place to handle erasure requests, or having an incomplete or irregularly reviewed procedure,
• specific procedures and measures to handle erasure requests in the context of back-ups,
• staff training,  
• information provided to data subjects,
• legal certainty on the exceptions to deny erasure requests, and 
• data retention periods, etc.

Multiple regulators found that controllers relying on anonymisation for deletion have varying degrees of success in correctly implementing it. In some cases, they only apply basic pseudonymisation or partial masking, although such a process would not fulfil the requirements of the GDPR regarding deletion.

Stay up to date! Sign up to receive our fortnightly digest via email.

Interestingly, the majority of the polled controllers (out of 764) had not received a single request for erasure in the last two years. While controllers were often chosen due to being in certain particular situations (processing sensitive data, processing a very large amount of data, etc.), about 70% of controllers still received fewer than 10 requests per year. Also, it appears that certain profiles are less likely to exercise their rights (eg, applicants in public services, citizens toward public services, contractors, or job applicants/employees) while others seem less hesitant to do so (eg, potential customers).

Main developments 

Digital omnibus and GDPR simplification: The EDPB and EDPS issued a long-awaited statement on simplification of the digital legislative framework in the EU. Among many things, they advised against the proposed changes to the definition of personal data. The changes go far beyond a targeted modification of the GDPR, a ‘technical amendment’ or a mere codification of CJEU jurisprudence.

Defining what is no longer personal data directly affects and narrows the scope of application of EU data protection legislation and should not be addressed in an implementing act, say the regulators. The full opinion in the context of GDPR, AI Act, and ePrivacy Directive can be read here.

UK data reform: Meanwhile, in the UK, on 5 February, the main provisions of the Data Use and Access Act 2025  came into force, amending the UK GDPR and Data Protection Act 2018. These include: new ‘recognised legitimate interests’ legal basis for data controllers, cookie consent exemptions, data reuse permissions, the use of automated decision making, more relaxed transfers of personal data internationally, and sometimes limiting data subject access requests, etc. 

Age-appropriate code design

On February 5, South Carolina signed Age-Appropriate Code Design into law, after it was previously adopted by California, Maryland, Nebraska, and Vermont. According to JD Supra analysis, covered online services must exercise “reasonable care” in the use of a minor’s personal data and the design and operation of the covered online service. This includes features that:

•  Decrease minors’ time and activity on the service to prevent compulsive usage, severe psychological harm, and privacy intrusions. 
• Opt minors out of “personalisation recommendation systems” by default, and 
• Set personal data settings to the highest level of protection by default.
• Collect, use, share, or retain the minimum amount of a minor’s personal data “necessary” to provide the specific elements of the covered online service, etc.

More from supervisory authorities

DPO role: Under EU law, all EU institutions, bodies, offices and agencies (EUIs) are required to appoint a data protection officer (DPO). To strengthen the effectiveness and independence of this function, the EDPS has adopted two key documents clarifying the role and protection of DPOs within EUIs: 

• Supervisory Guidance on the role of DPOs in EUIs, and
• Rules on the application of the requirement of prior consent by the EDPS for the dismissal of DPOs 

They provide practical and up-to-date guidance on the designation of DPOs, their institutional positioning, the guarantees of independence attached to the function, and the responsibilities entrusted to them. 

Cybersecurity exercise: The ENISA offers a methodology to an end-to-end theoretical framework for planning, running and evaluating cybersecurity exercises. It ensures the right profiles and stakeholders are involved at the right time, and provides theoretical material based on lessons identified, industry best practices and cybersecurity expertise. Download the guide and the support toolkit templates here. 

Games age limitation: The French government, on 4 February, adopted a decree on the experimentation of games with monetisable digital objects. It requires, among other controls,  the refusal of the opening of a player account for any minor, or before verification of the identity and the age of the applicant. It requires the enterprise offering a game to document the arrangements used for verification, to carry out regular checks, and to be able to demonstrate the effectiveness and compliance of those arrangements to the National Gaming Authority. 

How to deal with data protection complaints

The updated UK ICO guidance reminds organisations what they need to do to meet the new requirements for people to open a data protection complaints process, as set out in the new Data Use and Access Act, although these requirements are not in force until 19 June 2026. At a glance, the law says organisations must:

• Give people a way of making data protection complaints;
• Acknowledge receipt of complaints within 30 days of receiving them;
• Without undue delay, take appropriate steps to respond to complaints, including making appropriate enquiries, and keep people informed;
• Without undue delay, tell people the outcome of their complaints.

Read practical advice on each of these points in the original publication.

In other news

СNIL sanctions statistics: Cookies, employee surveillance and data security were the main subjects of the penalties imposed by the French data protection authority CNIL, in 2025, the cumulative amount of which totalled 486,839,500 euros. Also, insufficient security of personal data, lack of cooperation with the CNIL and non-respect for the rights of individuals were the three main reasons for sanctions under the recently introduced simplified procedures. Numerous formal notices have targeted websites that allowed the deposit of cookies and other trackers without respecting the consent of individuals, either by not allowing them to refuse the deposit in a simple way, or by not taking into account the withdrawal of users’ consent.

In addition, the regulator often sanctioned the non-compliance with the obligations of the subcontractors concerning the data entrusted to them, in particular: 

• implementing appropriate technical and organisational measures to ensure an adequate level of security;
• only processing data on the instructions of the data controller;
• deleting the data at the end of their contractual relationship with the data controller.

OpenClaw AI: The Dutch data protection authority AP warns against the use of OpenClaw, an AI agent tool that has become popular since last year. The platform provides users with an AI assistant to install, which can perform tasks autonomously. For that, the user has to give full access to their computer and programs, including email, files and online services. The platform can also be vulnerable to hidden commands in websites, emails and chat messages. That can lead to taking over accounts, reading personal data and stealing access codes.

More enforcement decisions

Amazon Italy investigation: On 9 February, the Italian data protection authority Garante and the National Labour Inspectorate announced an investigation into Amazon regarding the processing of workers’ personal data and the use of video surveillance systems. The investigation will examine the company’s logistics hubs, with a particular focus on the distribution centres in Passo Corese and Castel San Giovanni, to determine the extent to which monitoring practices comply with the legal requirements stipulated within the Workers’ Statute, digitalpolicyalert.org reports. 

Dutch municipalities fined: The Dutch data protection AP authority fined 10 municipalities 250,000 euros for processing sensitive information without consent, according to DataGuidance. Violations included processing data on religious beliefs, family relationships, political views, and criminal or terrorism-related information. The municipalities processed this sensitive information (from an external research bureau, amid national counter-radicalisation efforts) without valid consent.

Swiss cookie redress case: Digitec Galaxus informed the Swiss privacy regulator FDPIC that it had implemented its formal recommendation that customers be given the option to object to the processing of their personal data for marketing purposes. Following criticism over excessive data processing, users can now disable personalisation with one click (one-click opt-out), whereby the corresponding cookies are automatically disabled. To that end, the registration form now explicitly mentions personalisation and the right to object, and the privacy policy has been updated accordingly.

And Finally

Data brokers warning in the US: The Federal Trade Commission sent letters to 13 data brokers warning them of their responsibility to comply with the Protecting Americans’ Data from Foreign Adversaries Act of 2024. It prohibits data brokers from selling, releasing, disclosing, or providing access to personally identifiable sensitive data about Americans to any foreign adversary, which includes North Korea, China, Russia, and Iran, or any entity controlled by those countries. 

The law defines personally identifiable sensitive data to include health, financial, genetic, biometric, geolocation, and sexual behaviour information, etc.

The post Data protection digest 3-17 Feb 2026: When using anonymisation for deletion, controllers have differing degrees of success – EDPB appeared first on TechGDPR.

The Israeli data protection authority published a technical guide to Privacy Enhancing Technologies, available in English. PETs are a diverse family of methods, processes, and digital tools that are appropriate for different stages in the information life cycle:

• Data collection and preparation for use: Obfuscating personal data and reducing its level of detail by removing identifiers, altering data values, or masking exact figures.
• Data use and processing: Reducing exposure of personal data during processing, and in some cases, enabling data use without the need for viewing it during processing.
• Control over data use: Defining rules and permissions for access to personal data and displaying data relating to the identity of the person accessing the data, the type of data, and the time of access. 

Stay up to date! Sign up to receive our fortnightly digest via email.

Main developments 

Brazil adequacy decision: On 28 January, the European Commission recognised that Brazil ensures an adequate level of protection for personal data under the EU GDPR. The enforced decision confirms that Brazil provides comparable levels of data protection, allowing the free transfer of personal data between the two jurisdictions without additional authorisations or safeguards. The Commission also recognises the independence of the Brazilian Data Protection Authority (ANPD), and the safeguards governing public authorities’ access to personal data for law enforcement and national security purposes. 

Data Privacy Framework: The EDPB has published a new version of the EU-US Data Privacy Framework FAQ for European individuals.  “European individuals” means any natural person, regardless of their nationality, whose personal data has been transferred to a US company under this framework. It applies to any type of personal data processed for commercial or health purposes, and human resources data collected in the context of employment, as long as the recipient company in the US is self-certified under the DPF. 

If you believe that a company in the US has violated its obligations or your rights under the EU-U.S. Data Privacy Framework, several redress avenues are available. 

Digital omnibus: The EDPB and EDPS also adopted a joint opinion on simplification of the implementation of harmonised rules on AI. Among other things, the EDPB and the EDPS recommend maintaining the standard of strict necessity currently applying for the processing of special categories of personal data for bias detection and correction in relation to high-risk AI systems. They also support the creation of EU-level AI regulatory sandboxes to promote innovation and help SMEs, as well as AI literacy obligations for systems providers and deployers. The full opinion can be read here. 

HIPAA Notice

In the US, if your company provides health benefits or qualifies as a covered entity under the Health Insurance Portability and Accountability Act (HIPAA), it is important to update your Notice of Privacy Practices (NPP) by 16 February to remain compliant. The notice must include new and more restrictive requirements related to protected health information (PHI) in particular, on the disclosure of patients’ substance use disorder records. The following steps may include assessing related policies, training, materials, and business associate agreements (BAAs) for consistency.

You can also read the latest epic.org report on the health data privacy crisis in the US here. 

More from supervisory authorities

M&A: Before a planned company sale, large amounts of data are often processed as part of a due diligence review. This can include personal data, particularly of employees, customers, and suppliers. The Liechtenstein Data Protection Authority has compiled information (in German) regarding which data protection regulations must be observed. This information does not replace an individual assessment and is not exhaustive. 

Camera surveillance in public transport: The Dutch data protection authority states that permanent camera surveillance at employees’ designated workstations is not permitted. Cameras may only be used when strictly necessary, for example, for safety during incidents, and not for systematic monitoring or evaluation of employees. For the data controller, this includes technical adjustments to cameras, adapting internal protocols, and providing clear instructions to employees.

AI tools safe usage: The Spanish AEPD has published the main principles of safe, responsible, and conscious use of AI. Among the recommendations, the privacy regulator advises against sharing personal data with AI – full name, address, telephone number, ID/NIE, images of people, or sensitive or delicate information – medical, financial or contractual details, geolocation. In the workplace, the agency emphasises the importance of following the information and security policies of each organisation and, in particular, of not including information that reveals confidential data of the entity, its staff or clients.

Digital identities ecosystem

Verifiable Digital Credentials (VDCs) can represent a wide range of data, from a driver’s license to a diploma to proof of age, explains America’s NIST. However, their interoperability requires a common set of standards and protocols for issuing, using, and verifying VDCs. As VDCs gain traction for both in-person and online identity verification, two key standards are helping to define this space:

• ISO/IEC 18013-5, which underpins mobile driver’s licenses and related mobile documents, and
• the World Wide Web Consortium’s Verifiable Credentials formats.

See their comparison in the original publication. 

In parallel, the German Federal Office for Information Security (BSI) has issued the updated Technical Guideline for Biometric Authentication Systems (in German), which can be used for significantly more use cases of facial and fingerprint recognition through smartphones or access control systems. 

Cookie policy

The Latvian data protection authority reminds us of the essentials of a cookie policy, which provides the user with clear information about how their data is processed when using cookies. A document published on any website must explain in a user-friendly way: a) what cookies the website uses; b) for what purpose they are used; c) who their recipients are.

The multi-layered approach ensures that the most important information about the use of cookies on the website is provided in a concentrated manner (in the cookie pop-up notification or banner), including an indication of where more detailed information can be found (cookie policy). Cookie policies are often confused with privacy policies (by briefly including information about cookies among what is described in the privacy policy). However, to ensure transparency, information should be provided to users separately – in two documents or at least in clearly separated “blocks” of information. 

Shopping cart reminder e-mail

According to the Saxony data protection commissioner, retailers often send a reminder email pointing out an incomplete purchase process. Despite regular complaints received about such communication, there are no data protection concerns regarding a one-time shopping cart status update via email. The automatically generated messages must be distinguished from unsolicited advertising and are considered technical support. 

Given the customer’s expectations and the recipient’s perspective, it is at least realistic to expect a technically triggered status update during the contract negotiation phase, in accordance with Art. 6 of the GDPR. At the same time, the data processing known as reminder emails is subject to information requirements and must be appropriately indicated in the notices pursuant to Art. 13 of the GDPR.

In other news

Excel file disclosure: The Romanian regulator ANSPDCP imposed fines totalling 15,000 euros against Continental Automotive Products SRL for breaches of the GDPR principles of data minimisation, accountability, and the security of processing. The investigation followed the controller submitting a personal data breach notification concerning the repeated internal distribution of an Excel file containing a consolidated list of employees, including medical data from medical certificates relating to numerous employees and former employees over a period of time. 

GM driver data ban: America’s Federal Trade Commission finalised an order against General Motors and its OnStar subsidiary after the automaker secretly collected and sold detailed driving data from millions of vehicles without consumer consent.  The final order approved by the Commission imposes a five-year ban on GM disclosing consumers’ geolocation and driver behaviour data to consumer reporting agencies. And for the entire 20-year life of the order, GM will be required to:

• obtain affirmative express consent from consumers before collecting, using, or sharing connected vehicle data, with some exceptions, such as for providing location data to emergency first responders;
• create a way for all US consumers to request a copy of their data and seek its deletion;
• give consumers the ability to disable the collection of precise geolocation data from their vehicles if their vehicle has the necessary technology; and
• provide a way for consumers to opt out of the collection of geolocation and driver behaviour data, with some limited exceptions.

Chromebook case

The Danish data protection authority decided in the Chromebook case regarding 51 municipalities’ use of Google’s products for teaching in primary schools. The regulator issues serious criticism and warns the municipalities about their setup of the programs in question and about the use of sub-processors outside the EU. In addition, it states that as a data controller, municipalities cannot legally use products that contain unclear processing constructs. Finally, they must have access to the necessary resources to ensure lawful processing of personal data, including in situations where the contractual basis for the product changes.

Microsoft 365 Education

The Austrian data protection authority upheld a complaint filed by a pupil, represented by the European Centre for Digital Rights (NOYB), against Microsoft regarding the use of tracking cookies in Microsoft 365 Education. The decision relates to the installation and use of non-essential cookies on the device of a minor using Microsoft 365 Education at an Austrian school.  The authority also found that no valid consent had been obtained, digitalpolicyalert.org reports.

More enforcement decisions

Employees’ geolocation: The Italian regulator Garante fined a company in the agricultural seed selection and production sector 120,000 euros for unlawfully processing the personal data of five employees. As part of a multinational group, at the direction of its Swiss parent company, it installed a device on its company vehicles that unlawfully collected data on employees’ business and private travel (time, mileage, fuel consumption, and driving style) for the purpose of assigning a monthly score. The collected data was retained for 13 months and used to evaluate employee driving behaviour and to implement any corrective measures. 

Access to a fired worker’s email: Garante also ruled that the content of emails, contact information, and any attachments fall within the definition of correspondence and are therefore protected by the right to confidentiality. In the related case, the regulator fined a company 40,000 euros for violating the confidentiality of a CEO’s email account after his employment ended. After receiving a disciplinary letter that resulted in dismissal,  he asked the company to disable the email account, forward any messages received in the meantime to his personal email address, and activate an automatic reply. However, this request remained unanswered. 

France Travail: The French CNIL, meanwhile, fined France Travail 5 million euros for failing to ensure the security of the data of job seekers. In 2024, attackers managed to break into the agency’s information system. They used social engineering techniques to usurp the accounts of CAP EMPLOI advisors, responsible for people with disabilities. The attackers accessed the data of all registered people, or those who have been registered over the past 20 years. However, the attackers did not gain access to the complete files of job seekers, which may include health data. 

And finally

Change your password:  According to the German BSI, a blanket password change is no longer an effective security measure. Frequent password changes often lead consumers to use weak, easily predictable passwords. Password managers help to keep track of passwords. However, even a complex password does not offer 100% protection. Instead, BSI recommends activating two-factor authentication (2FA). 

Australia child accounts ban: According to the Guardian, Snapchat banned or disabled the accounts of around 415,000 Australian users who were detected as being under the age of 16. This was done to comply with the new under-16s social media prohibition. In December, Snapchat was one of ten platforms that needed to restrict people (4,7 million accounts) under the age of 16 from using its services. However, other allegations have surfaced after the prohibition went into place, with some claiming that Snapchat’s facial age verification was easily overcome by teens.

The post Data protection digest 19 Jan – 2 Feb 2026: New PETs guide, Digital identities ecosystem & employees’ surveillance fine appeared first on TechGDPR.

As a general rule, users should have the option to engage with e-commerce websites, including the ability to make purchases, without creating an account. In such cases, the EDPB recommends that e-commerce websites offer a choice: either a ‘guest’ mode, allowing users make purchases without creating an account, or the option to voluntarily create an account. This approach minimises the collection and processing of personal data, and therefore aligns with the GDPR’s principle of data protection by design and by default. However, mandatory account creation can be justified in a limited number of cases, including for example, offering a subscription service or providing access to exclusive offers. 

Stay up to date! Sign up to receive our fortnightly digest via email.

Google antitrust investigation

The EU Commission has opened an investigation into possible anticompetitive conduct by Google in the use of online content for AI purposes – using the content of web publishers, as well as content uploaded on the online video-sharing platform YouTube. The investigation will notably examine whether Google is distorting competition by imposing unfair terms and conditions on publishers and content creators, or by granting itself privileged access to such content, thereby placing developers of rival AI models at a disadvantage. It should be noted that there is no legal deadline in the EU for bringing an antitrust investigation to an end. 

More legal updates

US AI national policy: On 11 December, President Trump signed an Executive Order on  establishing a national policy framework for AI and lifting barriers to innovation. According to digitalpolicyalert.org, the US Administration will work with Congress to establish a single national AI standard that avoids conflicting state legislation. This standard would override any state laws that contradict the policy and would include protections for children, respect for copyrights, prevention of censorship, and measures to keep communities safe. 

US immigration data: According to Privacy International, the US Government also intends to force visitors who are not required to get visas, such as British and French citizens, to submit their digital history and even DNA as the price of entry. With this much data AI tools will likely be deployed to unlock details of your life for border and immigration agencies. In particular, it wants to know all about: 

1. ‘telephone numbers used in the last five years’
2. ‘email addresses used in the last ten years’
3. ‘family number telephone numbers (sic) used in the last five years’
4. biometrics – face, fingerprint, DNA, and iris
5. business telephone numbers used in the last five years
6. business email addresses used in the last ten years.

If the proposed changes, published on 10th of December, are adopted after the 60-day consultation, travellers will have to use dedicated apps for their ESTA application, and to provide biometric proof of their departure. The latter will disclose the user’s location once they have left the US and run live detection on the selfie photo. 

Password managers

The German Federal Office for Information Security (BSI) examined this product category and investigated the IT security features of ten selected password managers. Three out of ten stored passwords in a way that theoretically allows manufacturers access. This increases the attack surface on the manufacturer’s side, which must be mitigated by additional compensatory measures. Users must trust these additional measures.

If the password manager stores data in the cloud, consumers should be informed about the storage location and data protection measures. This information can be included, for example, on the manufacturer’s website, in the terms and conditions for using the product, or in the privacy policy.

AI Training guidance

The Swedish data protection authority IMY has investigated the possibility of using personal data to create synthetic data for AI training purposes. Such data is created to resemble the original data without being able to be linked to individuals. It can be very positive from a privacy perspective, even though the synthesis itself means that personal data is processed, so it needs to comply with the GDPR. The particular project IMY investigated was about custody cases. It therefore involved a large amount of data of a very sensitive nature, which requires special considerations and measures. 

More from supervisory authorities

Medical research: The Hessian data protection commissioner has published a guide to data protection in medical research (in German). The guide presents four concrete use cases from the practice of medical research and classifies them from a data protection perspective. In particular, the cases describe the use of AI in cancer screening, pathology, intensive care, and the distinction between quality assurance and scientific research. The guide pays particular attention to the question of under what circumstances data can be considered anonymous. The use of anonymised data is especially relevant for medical research and the training of AI models. For research projects where anonymisation is not practical, the guide presents alternative legal bases under data protection law.

Consent forms: Consent is one of the lawful grounds for processing personal data. It means that a person freely, specifically and unambiguously agrees to the processing of their data for one or more purposes. Consent has to be verifiable so that the controller can demonstrate that it was received in accordance with the requirements. Therefore, in situations where consent is requested in person, a written form is useful, which provides clarity for both the organisation and the customer. It can include the minimum information that is most important at the time of consent, so as not to overload the information to be received, as well as not to delay the duration of the service or process itself. The consent form must state: 

• Who will process the data (company, individual entrepreneur), with their name
• Why is data needed
• What data is needed
• How to withdraw consent
• Customer ID (data subject’s first name, last name)
• Date, signature
• Information on where to find more information about data processing, including the duration of data storage and how to contact the controller

Cambridge Analytica compensations

Eligible Australian Facebook users impacted by the Cambridge Analytica affair have until 31 December to register under a payment program established in a landmark settlement. The 50 million dollars payment program was established by Meta Platforms as part of an enforceable undertaking the Australian Information Commissioner accepted from Meta in December 2024. This brings to an end 7 years of investigation and litigation related to the Cambridge Analytica matter in Australia.

Meta data access

The Austrian Supreme Court ordered Meta must provide full access to all personal users data requests within 14 days, including the sources, recipients and purposes for which each information was used, Privacy advocacy group NOYB reports. Meta’s claims of trade secrets or other limitations were rejected. The company claimed it would lead to unprecedented access to the inner systems of the platform. 

Meta must also ensure that sensitive information (political views, sexual orientation, or health) is not processed together with other data unless a valid legal basis according to Art. 9 GDPR applies, even if it was collected unintentionally or technically distinguishing it would be impossible. The case was brought by the NOYB activist Max Schrems in 2014 and laboured 11 years in Austrian courts and the CJEU. The plaintiff was awarded 500 euros in damages.

American Express cookie fine

The French privacy regulator CNIL fined American Express Carte France, the French subsidiary of the American Express group, 1.5 million euros for non-compliance with the rules applicable to cookies: a) by depositing trackers without having user consent, or b) despite their refusal to consent, or c) by continuing to read the trackers previously deposited despite subsequent consent withdrawal. 

In other news

Germany telecommunications fine: Due to massive violations of data protection rights, the North Rhine-Westphalia data protection commissioner has imposed a fine of 300,000 euros on a local telecommunications company. Since 2022, consumers have repeatedly contacted the regulator for the same reason: they received personalised ad letters promoting a contract for an internet and telephone connection. The recipients consistently stated that they had never had any prior contact with this company. However, the advertising letters were remarkably detailed. The recipients were only required to add their IBAN and sign the form.

Due to the design of the letters and the similarity of the name to very well-known telecommunications provider, many consumers were unaware that it wasn’t an offer for a different tariff with their existing provider, but rather an offer to switch providers. As a result, those affected often signed the contract documents. Only when they later realized they had switched providers did they cancel or revoke the contracts – and were then hit with a demand for a flat-rate compensation fee by the company. 

Direct marketing fine: The Italian data protection authority has fined Verisure Italia for unlawful processing of personal data for marketing purposes. The measure stems from a complaint from a former customer who continued to receive unwanted promotional text messages even after objecting to the processing of his data, and from a report from a potential customer who, after requesting a quote, began receiving promotional phone calls, emails, and text messages. The communications continued despite the exercise of the right to object provided for by the GDPR. Furthermore, the regulator deemed the retention period for potential customer data envisaged for telemarketing (12 months) to be excessive. 

More enforcement actions

Data processor breach: The French CNIL imposed a fine on Mobius Solutions, the processor behind a data breach affecting users of Deezer. The company was fined 1 million euros for failing to comply with the applicable rules regarding subcontracting. In 2022, Deezer reported that its users’ data had been posted on the dark web and that its former processor, Mobius Solutions, whose services it used to carry out personalised advertising campaigns for its customers, was involved.

The processor retained a copy of the data of more than 46 million DEEZER users after the end of their contractual relationship, despite its obligation to delete all such data at the end of the contract.

University data breach: The Dutch AP imposed a 175,000-euro fine on HAN University of Applied Sciences for breaching the GDPR data security rules.  A hacker used SQL injection through a web form to access HAN’s database. The individual threatened to make personal data, including addresses, names, passwords, and citizen service numbers, public and unsuccessfully demanded ransom from the university.

Password manager data breach: The UK Information Commissioner fined password manager provider LastPass 1.2 million pounds following a 2022 data breach that compromised the personal information of up to 1.6 million of its UK users. LastPass failed to implement sufficiently robust technical and security measures, which ultimately enabled a hacker to gain unauthorised access to its backup database. The incidents occurred when a hacker gained access first to a corporate laptop of an employee based in Europe and then to a US-based employee’s personal laptop on which the hacker implanted malware and was then able to capture the employee’s master password.

In case you missed it

Meta personalised ads: On 8 December, the European Commission acknowledged Meta’s undertaking to offer users in the EU an alternative choice of Facebook and Instagram services that would show them fewer personalised ads, to comply with the Digital Markets Act. This is the first time that such a choice is offered on Meta’s social networks. Meta will give users the effective choice between: 

• consenting to share all their data and seeing fully personalised advertising, or 
• opting to share less personal data for an experience with more limited personalised advertising. 

Meta will present these new options to users in the EU in January 2026. This follows a close dialogue between the Commission and Meta after the Commission found Meta in breach of the Digital Markets Act and issued Meta a non-compliance decision related to Meta’s “consent or pay” model in April 2025.

TikTok usage risks in the EU: The Dutch AP urges users and organisations to carefully consider whether they wish to continue using TikTok and other services that transfer personal data to countries outside the EU, including China. The Irish data protection authority DPC has previously ruled that this transfer is in breach of the GDPR. In addition, the Irish court required TikTok to better inform users on data processing activities. Users can still decide whether they want to continue using TikTok under these circumstances. If not, they can (temporarily) delete the app or deactivate an account.

The post Data protection digest 3-18 Dec 2025: E-commerce websites should offer a choice between ‘guest’ mode, or voluntary account creation appeared first on TechGDPR.

On 19 November, the European Commission presented proposals for amendments in the digital area legislation, including the GDPR, the Data Act, the EU AI Act, and the NIS 2 Directive. According to digitalpolicyalert.org analysis, the Digital Omnibus would amend the GDPR by:

• changing the definition of personal data to specify any entity that is reasonably likely to have the means to identify a person,
• exempting certain biometric data and data used by AI from the restrictions on processing special categories of personal data,
• clarifying on further processing of personal data in the public interest or for scientific research purposes, and
• specifying that processing of personal data that is necessary for the interests of a controller in the development or operation of an AI system can be pursued for ”legitimate interests”.

The Digital Omnibus would also exempt personal data processing from the cookie requirements under the ePrivacy Directive. Instead, it would amend the GDPR to maintain the consent requirement, while specifying that certain processing activities, such as electronic communications transmissions, service provision, audience measurement solely for an online service provider, and maintaining or restoring security, would be considered lawful. Websites and apps would have to allow data subjects to consent through automated, machine-readable mechanisms; browser manufacturers must likewise enable users to grant or refuse consent.

Finally, personal data breaches that are likely to result in a high risk to the rights and freedoms of natural persons would need to be reported to the single-entry point within 96 hours of becoming aware of them. Similarly, there would be unified lists of processing activities that do or do not require a Data Protection Impact Assessment, and create a standard DPIA template and methodology.

Stay up to date! Sign up to receive our fortnightly digest via email.

GDPR enforcement

On 17 November, the Council of the EU adopted new rules to improve cooperation between national data protection bodies when they enforce the GDPR to speed up the process of handling cross-border data protection complaints. Main elements of the new EU regulation include:

• Admissibility: Regardless of where in the EU a complaint is filed, admissibility will be judged based on the same information/conditions. 
• Rights of complainants and parties under investigation: Common rules will apply for the involvement of the complainant in the procedure, and the right to be heard for the company or organisation that is being investigated.
• Simple cooperation procedure: For straightforward cases, data protection authorities can decide, to avoid administrative burden, to settle actions without resorting to the full set of cooperation rules.
• Deadlines: In the future, an investigation should not take more than 15 months. For the most complex cases, this deadline can be extended by 12 months. In the case of a simple cooperation procedure between national data protection bodies, the investigation should be wrapped up within 12 months.

The regulation will enter into force 20 days after its publication in the Official Journal of the EU. It will become applicable 15 months after it enters into force.

More legal updates

The European Commission has launched a whistleblower tool for the AI Act. Whistleblowers can provide relevant information in any of the EU official languages and in any relevant format. The tool provides a secure means to report potential law violations that could compromise fundamental rights, health, or public trust. The highest level of confidentiality and data protection is guaranteed through certified encryption mechanisms. Anyone can access the AI Act Whistleblower Tool and read more information about the tool and the frequently asked questions. 

California privacy updates: California has enacted a bill which amends the state’s data breach notification law to establish strict new reporting timelines. Beginning January 1, 2026, businesses must notify affected California residents within 30 calendar days of discovering a security incident involving personal information. For incidents affecting more than 500 residents, notice to the California Attorney General must be provided within 15 calendar days of the consumer notice. The amendment allows limited exceptions for law enforcement needs or when necessary to determine the scope of the incident and restore system integrity, JD Supra lawblog reports. 

In parallel, starting Jan. 1st, 2027, California will prohibit a business from developing or maintaining a browser, as defined, that does not include functionality configurable by a consumer that enables the browser to send an opt-out preference signal to businesses with which the consumer interacts through the browser. The bill would require a business that develops or maintains a browser to make clear to a consumer in its public disclosures how the opt-out preference signal works and the intended effect. The bill would grant a business that develops or maintains a browser that includes this functionality immunity from liability for a violation of those provisions by a business that receives the opt-out preference signal. 

Child data protection in the EU

On 26 November, the European Parliament adopted a resolution on the protection of minors online as part of an own-initiative procedure on the topic. The resolution calls, among other things, for the implementation of an EU-wide harmonised digital minimum age of 16 for accessing social media, video-sharing platforms and AI companions without parental consent, with 13 as the minimum age for any social media use by children, even with parental consent. 

In parallel, the German Data Protection Conference, DSK, adopted a resolution calling for amendments to the GDPR to strengthen protections for children. It proposes a ban on children’s consent for profiling and advertising, limits on children’s ability to consent to special-category data processing, and clearer rights for children to access counselling and medical services privately. It also focuses on a prohibition on children consenting to automated decisions, attention to children in breach notifications, data protection by design and default, and consideration of children’s risks in data protection impact assessments, digitalpolicyalert.org sums up. 

Cloud computing

The European Commission has published non-binding Model Contractual Terms for data access and use and Standard Contractual Clauses for cloud computing contracts. They have been developed to help parties, especially SMEs, implement the provisions of the Data Act. Their use is voluntary and open to users’ possible amendments. Although they were mainly drafted for business-to-business contracts, they can also be used in relations between businesses and consumers, if relevant consumer protection rules are added. 

Three sets of Model Contractual Terms (MCTs) were drafted to cover the relationships where data sharing is mandatory, between data holders, users and data recipients of data generated when using connected products. Plus, proposed Standard Contractual Clauses (SCCs) translate the provisions of ‘cloud switching’ into ready-to-use contractual terms that can be inserted in data processing contracts:

• SCC Switching & Exit
• SCC Termination 
• SCC Security & Business continuity (including provider notification of significant incidents).

Email security

The German Federal Office for Information Security, BSI,  has published a White paper on requirements for the protection, transparency, and user-friendliness of webmails that systematically and future-orientedly increase consumer security. The paper considers not only technical security functions, but also usability, transparency and trust as essential components of digital sovereignty. A fundamental part of e-mail security currently still rests on the shoulders of users. They should be familiar with two-factor authentication, passkey and encryption. The BSI sees responsibility primarily with the providers: they must provide effective procedures regarding authentication, encryption, spam protection and account recovery that work without major user intervention.

Data Act implementation

The Data Act has been in effect since September 2025. This new European regulation is intended to give consumers within the EU more control over the use of their data. For instance, a car owner will have the right to access the data their car collects. If repairs are needed, they can share the data with a garage of their choice, explains the Dutch data protection agency AP, which will jointly oversee the implementation process at a national level, starting from 21 November.

The Data Act and the implementing laws do not override the rules of the GDPR. In the event of conflicting rules, the GDPR takes precedence. This means that any data sharing involving personal data must comply with the GDPR, stresses the regulator. 

More from supervisory authorities

Market research data processing: In Poland, the data protection regulator UODO approved the “Code of Conduct on the Processing of Personal Data by Private Research Agencies”. The reason for the development of the code was numerous discrepancies in the processing of the personal data of research participants. As a result, in the case of identical surveys, their participants, depending on the entity conducting the study, could receive divergent information, for instance, on the legal basis for the processing of personal data. Information obligations were also fulfilled differently. The Code also provides guidance to help carry out a risk assessment or, where justified, a data protection impact assessment.

It is worth noting that the code obliges all entities that join it to appoint a Data Protection Officer (DPO). 

Sound recording and CCTV: Organisations often choose to conduct video surveillance with sound recording. Sometimes, they also do not disable the camera manufacturer’s default audio function. As a result, the additional risks posed not only by image capture, but also by sound recording are not sufficiently assessed. In addition, the processing of personal data related to it is not always carried out legally: recording sound and image are two different data processing operations, so both audio and video require different legal bases. 

The processing of personal data by performing video surveillance with audio recording is not justified in most cases. There are rare situations where it is legal and permissible, mainly when it is associated with an increased risk to the essential interests of the organisation or society. Often, the legal basis for such processing can be found in the special regulatory framework applicable to a particular industry in which the organisation operates.

Employment clauses and personal data processing

Labour clauses are widely used by both public and private contracting authorities to ensure fair wages and working conditions for suppliers. Contracting entities often require the supplier to provide documentation of its compliance with the labour clauses, typically in the form of employees’ salaries and timesheets, and employment contracts. This gives rise to questions about the supplier’s legal basis for disclosing such personal data to the contracting authority, notes Denmark’s data protection agency. To that end, there will generally be an overriding legitimate interest that these may form the basis for the disclosure of the information in question.

TechSonar 2025-2026

EDPS’s latest guidance on new technology concentrating on the TechSonar report 2025-2026 explores six trends: agentic AI, AI companions, automated proctoring, AI-driven personalised learning, coding assistants and confidential computing. While each of these technologies serves a distinct purpose, they are deeply interconnected. Together, they illustrate how AI is progressively reshaping not only business processes or common daily tasks, but also the human experience of technology. Continue reading the full report here. 

In other news

Data security in cloud-based EdTech: The US Federal Trade Commission will require education technology provider Illuminate Education, Inc. (Illuminate) to implement a data security program and delete unnecessary data to settle allegations that the company’s data security failures led to a major data breach, which allowed hackers to access the personal data of more than 10 million students. 

Illuminate sells cloud-based technology products and collects and maintains personal information about students on behalf of schools and school districts. In its complaint, the FTC alleged that in 2021, a hacker used the credentials of a former employee, who had departed Illuminate three and a half years prior, to breach Illuminate’s databases stored on a third-party cloud provider. 

Medical data breach: The Norwegian data protection regulator upheld the fine on Argon Medical Devices. In 2023, it issued an American company Argon Medical Devices an infringement fee of approximately. 127,000 euros for violating the GDPR. In 2021, Argon discovered a security breach that affected the personal data of all of its European employees, including those in Norway. Argon sent the Norwegian regulator a notification of a breach long after the 72-hour deadline for reporting such breaches. 

Argon believed that they did not need to report the breach until they had a complete overview of the incident and all its consequences. This view was enshrined in their procedures, and this was the basis for the delay.  The case is an important reminder that controllers must have appropriate measures in place to determine whether a breach has occurred and to promptly notify the supervisory authority and the data subject.

Mobile app gaming company fine

California’s Attorney General settled with Jam City, Inc., resolving allegations that the mobile app gaming company violated the state’s Consumer Privacy Act (CCPA) by failing to offer consumers methods to opt out of the sale or sharing of their personal information across its popular gaming apps. Jam City creates games for mobile platforms, including games based on popular franchises such as Frozen, Harry Potter, and Family Guy. In addition to 1.4 million dollars in civil penalties, Jam City must provide in-app methods for consumers to opt out of the sale or sharing of their data and must not sell or share the personal information of consumers under 16 years old without their affirmative “opt-in” consent.

Data brokers fine

The Belgian data protection authority GBA, meanwhile, has imposed a 40,000 euros fine on data broker Infobel for illegally reselling data for marketing purposes, cybernews.com reports. A consumer complained to the GBA after getting a marketing brochure in the mail from a firm with which he was not a customer. The complainant asks how the corporation received his information. The customer was informed that his information had been given by a media agency. The agency obtained his information via Infobel, a data broker that received it from a telecom operator. 

Infobel said it had permission to sell the complainant’s information to the media agency since it had secured approval from data subjects. However, the data protection authorities claimed that there was no explicit, informed, or unambiguous consent. 

Cookie consent fine

On November 20, the French regulator CNIL fined the French company Conde Nast Publications 750,000 euros for non-compliance with the rules applicable to cookies deposited on the terminals of users visiting the “vanityfair.fr” site. In particular, cookies subject to consent were placed on the terminals of users visiting the “vanityfair.fr” site as soon as they arrived on the site, even before they interacted with the cookie banner to express a choice. Also, when a user clicked on the “Refuse all” button in the banner, or when they decided to withdraw their consent to the registration of trackers on their terminal, new cookies subject to consent were nevertheless deposited, and other cookies, already present, continued to be read. 

And finally…

Meta multi-million file: A Spanish court has ordered Meta to pay 479 million euros to Spanish digital media outlets for unfair competition practices and infringing the GDPR, a ruling the company will appeal, Reuters reports. The settlement, which will be given to 87 digital press publishers and news organisations, is related to Meta’s use of personal data for behavioural advertising.

The complaint filed by the Spanish outlets centred on Meta’s shift in the legal basis for processing personal data after the GDPR went into effect in May 2018. Meta changed “user consent” to “performance of a contract” to support behavioural advertising. Later, regulators judged that it was insufficient. Meta returned to consent as its legal foundation in 2023. The judge assessed that Meta generated at least 5.3 billion euros in advertising income during those five years.

Personal data monetisation: The French CNIL commissioned a survey on the perception of the French people regarding the use of their personal data. From a representative sample of 2,082 people aged 15 and over, 65% of them say they are willing to sell their data. Of these, only 6% would be willing to sell it for less than 1 euro per month, while 14% preferred a fee of more than 200 euros per month. 

The most common valuation was between 10 and 30 euros per month, preferred by 28% of respondents. This coincides with the latest market research based on Meta services estimation, where, for a price of 5 euros, 20% of people would be willing to sell their data, and 90% of companies would be willing to buy it. Taken together, these results make it possible to approximate a market price for data that would be around 40 euros per month (and per subscribed service). 

The post Data protection digest 18 Nov-2 Dec 2025:  “Digital omnibus” package latest & market price of personal data already estimated appeared first on TechGDPR.

Consumer loan checks can reveal people’s lifestyles. The Dutch Data Protection Authority AP concluded this after reviewing a bill concerning consumer loans. It believes that lenders can assess a person’s ability to meet payment obligations with less information about them. It’s unlikely that all the information in a bank statement, including sender, recipient, or description, is always necessary. 

The bill introduces stricter rules for a consumer loan under 200 euros, (services like “buy now, pay later,” credit cards, and bank overdrafts). For these relatively small loans, the ability to pay the bill on time will also be checked, and whether there is a risk of default. People who use such loans will also be registered with the Credit Registration Office. The AP emphasises that the new rules need to be further developed for better data control and minimisation. 

Stay up to date! Sign up to receive our fortnightly digest via email.

EU Digital Omnibus package latest

The privacy advocacy group NOYB warns that the so-called Digital Omnibus, which is being prepared by the European Commission, brings fast-track deregulation, including ‘massive’ reform of the GDPR and e-Privacy legislations. Following the draft proposal, the Commission envisages changes to core elements like the definition of personal data, consent requirements, and data subjects’ rights, as well as lesser protections for special categories of data under the GDPR. In parallel, AI companies could also benefit from easier access to European personal data through the implementation of the ‘legitimate interests’ legal basis for processing.  

ETIAS and data protection

As the clock ticks down to the launch of a new EU large-scale border management system, the European Travel Information and Authorisation System (ETIAS) in autumn 2026, momentum is building to prepare it for entry into operation and ensure its compliance with data protection laws. The EDPS follows the implementation of ETIAS at close quarters. To help mitigate the risks, legislators have established an ETIAS Fundamental Rights Guidance Board. 

Composed of representatives of the EDPS, EDPB, EU Fundamental Rights Agency, Frontex Fundamental Rights Office and Frontex Consultative Forum, the EFRGB is mandated to issue guidance on the fundamental rights impacts of processing ETIAS applications. A critical concern for individuals required to apply for an ETIAS is ensuring access to an effective judicial remedy. For instance, refusal of a travel authorisation could result from a data processing error.

Brazil draft adequacy decision

The EDPB also adopted an opinion regarding the European Commission draft implementing decision on Brazil’s adequacy. The General Data Protection Law in Brazil, LGPD, together with Presidential decrees and binding regulations issued by Brazil’s Data Protection Authority, ANPD, establish requirements, including in relation to the principles, data subject rights, transfers, oversight and redress, closely aligned with the GDPR and case law of the CJEU. At the same time, the EDPB invites the Commission to clarify further how certain exemptions and specific limitations of data subject rights in the LGPD correspond to the adequate level of data protection regarding:

• national security purposes relating to the collection and sharing of data between the public entities within the Brazilian intelligence systems
• personal data processing for criminal law enforcement purposes
• rights of information and access to the data 
• accountability principle and the requirements for the data protection impact assessment

More legal updates

NIS2 implementation in Germany: On 13 November, the law implementing the European Network and Information Systems (NIS) 2 Directive, passed in the German Bundestag. The directive increases the cybersecurity requirements for certain companies and the federal administration. The Federal Office for Information Security (BSI) occupies a key position in both areas. It will become the supervisory authority for the companies affected by the directive; in addition, in the role of Chief Information Security Officer (CISO), it will be the central body for the cybersecurity of the federal administration. 

Affected companies must register with the BSI, report significant security incidents, and implement technical and organisational risk management measures. It includes an amendment to the BSI Act, which previously covered approximately 4,500 entities in the economic area: operators of critical infrastructure, providers of digital services, and companies of particular public interest. With the entry into force of the NIS2, this scope is expanded to include the categories of “important institutions” and “particularly important institutions,” meaning that the BSI will supervise approximately 29,500 institutions in the future. 

NIS upgrade in the UK: In parallel, on 12 November, the Cyber Security and Resilience Bill was introduced to the UK Parliament. The Bill will update the NIS Regulation from 2018 by expanding the regulatory scope to include a broader range of essential and digital service providers, including online marketplaces, cloud computing services, and search engines, as well as managed service providers (eg, data centres will be designated as essential services). It also places the Secretary of State in charge of maintaining consistency in implementation across sectors.

AI solutions legal basis

At the request of the Danish Agency for Higher Education and Science, the Danish Data Protection Agency has assessed whether the agency has the authority to develop and operate an AI solution that will function as support in the assessment of applications for disability allowance. The Danish Data Protection Authority assessed that the processing of personal data that takes place during the development and operation of an AI solution can, as a rule, be carried out based on what is necessary for reasons of substantial public interest – GDPR Art. 9(2)(g).

However, it requires a so-called supplementary national legal basis. In relation to the duty of information towards citizens whose historical cases are included in the training dataset, the Danish Agency for Higher Education and Science has, among other things, pointed out: 

• There is a large number of citizens (approx. 3,000).
• It would be resource-intensive to inform citizens individually.
• The processing of personal data is limited.
• The purpose of the processing is to improve case processing time.
• The treatment is not assessed to have direct consequences for citizens.

GDPR ready-to-use templates

The EDPB invites experts to participate in a public consultation aimed at proposing practical templates to help organisations comply with their obligations under the GDPR. The EDPB identified the need to develop standardised tools that could serve as guidance for both controllers and processors. The public consultation aims to find out which types of templates would be most beneficial in practice, for instance:  

• privacy notice,
• records of processing activities,
• data protection impact assessment,
• notification of a personal data breach.

It is possible to participate in the public consultation from November 5 to December 3, 2025. Experts, organisations, and individuals can submit their suggestions through this page.

More from supervisory authorities

Australia child privacy updates: From 10 December, platforms like Facebook, Instagram, Snapchat, TikTok, YouTube, X, Threads, Reddit and Kick must take reasonable steps to prevent under-16s from holding accounts on their services. Failure to do so will expose these platforms to fines of up to 49.5 million dollars. These services currently meet the criteria for under 16 restrictions as specified in the Social Media Minimum Age legislation, in particular the key requirement that their “sole or significant purpose is to enable online social interaction”.

Health data warehouses (EDS): The CNIL’s Digital Innovation Laboratory (LINC) has published a map of health data warehouses in France. An EDS, explains the CNIL, is a database built up over a long period of time and intended to be reused mainly for steering (management, control and administration of the activity) and research, studies and evaluations in the field of health. They can be set up by both public (such as a public healthcare institution) and private entities (such as a data broker or a startup), provided that they comply with the applicable legal framework.

AI risk assessment: The EDPS has published a new guidance document to help data controllers carry out data protection risk assessments when developing, acquiring and deploying AI systems. Although the new guidelines are aimed at EU institutions, organisations in both the public and private sectors that use or plan to adopt AI systems can use them as a valuable starting point. It focuses on the risk of non-compliance regarding: fairness, accuracy, data minimisation, security and certain data subjects’ rights. The list of risks and countermeasures is not exhaustive, but merely reflects some of the most pressing issues that controllers must address when procuring, developing and deploying AI systems. 

In other news

Cyber attack mitigation tools: The Dutch AP has issued recommendations for a strong data processing agreement in the event of a cyber attack. Organisations that collaborate with service providers must enter into a data processing agreement regarding the sharing and use of personal data. This agreement outlines agreements, for example, regarding security and the roles and responsibilities in the event of incidents such as data breaches. To that end, to limit the damage from cyber attacks, organisations can:

• Make agreements as concrete as possible
• Maintain control over the entire supply chain
• Give more priority to drafting and maintaining data processing agreements

Therefore, the regulator sums up, negotiate agreements carefully and promptly. And review agreements and appendices regularly to ensure they remain relevant in practice. Employee awareness and knowledge of the GDPR play a crucial role in this.

Misleading cookie banners: The AP also reports that three-quarters of websites modified misleading cookie banners after an investigation was launched on more than 200 websites in the Netherlands starting in April. The AP is now taking enforcement action against organisations that haven’t updated their cookie banners. The easiest way to respect this is to not use tracking software. In that case, a cookie banner isn’t necessary. Where organisations do use tracking software, they must adhere strictly to the rules and inform visitors honestly and clearly.

Biometric processing

In New Zealand, the Privacy Commissioner has issued a Biometric Processing Privacy Code that creates specific privacy rules for agencies (businesses and organisations) using biometric technologies to collect and process biometric information. The Code, which is now law made under the Privacy Act, will help make sure agencies implementing biometric technologies are doing it safely and in a way that is proportionate. Guidance has also been developed to support the Code. 

Direct marketing and free-of-charge services

On 13 November, the CJEU released its ruling in Inteligo Media SA v ANSPDCP (Romanian data protection regulator) (C-654/23), where a media website provided information about new legislation in Romania, Bird&Bird law blog reports.  Six articles per month could be viewed completely free of charge. Users might also subscribe for free to an additional two articles and a daily newsletter. They could also pay for unlimited access and a fuller newsletter. ANSPDCP claimed that Inteligo could only process subscriber registration details and deliver the free newsletter if it had approval, which it did not. 

Inteligo argued it was covered by the soft opt-in exception. The ePrivacy Directive does demand that organisations obtain consent before sending direct marketing emails, but there is an exception: where the organisation acquires the subscriber’s information after selling a product or service, and the direct marketing is for that organisation’s similar product or service. The top EU court concluded that the free subscription did constitute a sale: a sale requires payment in exchange for goods or services, as well as remuneration. However, the reimbursement might be indirect, when a particular customer does not have to pay, but it is rather covered by the premium version of the subscription. 

Continue reading the original analysis here. 

Telecommunications multimillion fine

Following ex officio proceedings, the Croatian data protection agency imposed an administrative fine on a telecommunications operator, in its capacity as controller, for the total amount of 4.5 million euros for violations of the GDPR. The infringements concerned the transfer of personal data to third countries without a valid transfer instrument and without transparent information to data subjects, the processing of copies of employees’ identity cards and certificates of no criminal proceedings without a legal basis, as well as the failure to carry out appropriate prior checks of a processor.

Customer service fine

The EDPB sums up a recent enforcement case in Italy, when a customer, who was the victim of fraud, contacted their bank to obtain recordings of calls made to customer service, which would be useful in contesting a transfer of approximately 10,000 euros and reconstructing what had happened. Having received no satisfactory response, they complained to the privacy regulator Garante. Only after the authority had opened proceedings did the bank provide the recordings, but by then the 30-day deadline set by the GDPR had already passed. Garante imposed an administrative fine of 100,000 euros, taking into account the bank’s turnover, its cooperation during the investigation and the absence of previous infringements.

 In case you missed it

Children’s data lifecycle: Privacy International states that in England’s schools, children are tracked from birth through a vast, opaque network of digital systems that turn education into a lifelong exercise in data collection and surveillance. Children’s data in education starts from the day they are born until they are 25 years old:

• during pre-school, with personal data submitted by legal guardians during the school admissions process 
• every child is assigned a unique pupil record and a unique pupil number that stays with them forever
• the student’s educational setting gets added to the record, which includes its religious character and location, etc.

The next layer of data added to those records is created by school staff – absence and attendance records, assessments, etc. Separately, children’s data can be generated and collected by the EdTech tools used by staff. Some schools use a broad range of tools, such as behaviour tracking apps, which can take the form of scores but also of more complex profiles and predictions in relation to a child. Further personal data is collected and added to the National Pupil Database (NPD), and is kept indefinitely. 

Keep reading the original analysis here.

Agentic AI explained: The JD Supra law blog outlines the rise of “agentic AI”. Unlike traditional AI systems, which are designed to perform specific, narrowly defined tasks (generating text or images or analysing inputs) and rely on human input and oversight, agentic AI systems can complete far more complex, multi-step tasks autonomously and make context-dependent decisions. The emergence of these systems could transform a wide range of industries and business functions, including: a) consumer-facing systems, b) customer support, c) internal operations, and d) sales and marketing.

The post Data protection digest 3-17 Nov 2025: Consumer loan checks can reveal people’s lifestyle data  appeared first on TechGDPR.

The European Data Protection Board (EDPB) announced the topic for Coordinated Enforcement Action 2026 on transparency and information obligations. Articles 12, 13, and 14 of the GDPR require that individuals be informed when their personal data is processed, ensuring transparency and enabling greater control over personal information. Participating data protection authorities will join this action voluntarily in the coming weeks, with enforcement activities scheduled to launch during 2026. 

Experian credit checks fine

As the background example of the above transparency obligations, the Dutch data protection authority AP last week imposed a 2.7 million euro fine on Experian Nederland. Experian provided credit ratings on individuals to its customers until 2025. The company collected data on factors such as negative payment behavior, outstanding debts, and bankruptcies. The AP found that Experian violated the GDPR by improperly using personal data, and failed to adequately inform individuals about this.

Experian created credit reports on individuals at the request of clients such as telecom companies, online retailers, and landlords. People started contacting the AP after they could no longer pay installments or because they suddenly had to pay a high deposit when switching energy suppliers. Only afterward did it become clear that this could be due to Experian’s credit scores. Because people weren’t aware of the credit check, they couldn’t check in time whether the information was accurate. Experian collected data about people from various sources, both public and private, and failed to adequately explain why this data collection was necessary.

Experian acknowledged violating the law and will not appeal the fine. It has ceased operations in the Netherlands and will delete the database containing all personal data.

Stay up to date! Sign up to receive our fortnightly digest via email.

More legal updates

DMA and GDPR: The EDPB and the European Commission endorsed joint guidelines on the interplay between the Digital Markets Act (DMA) and the GDPR. The DMA and the GDPR both protect individuals in the digital landscape, but their goals are complementary as they address interconnected challenges: individual rights and privacy in the case of the GDPR and fairness and contestability of digital markets under the DMA. However, several activities regulated by the DMA entail the processing of personal data by gatekeepers and refer to definitions and concepts included in the GDPR (eg, on how to lawfully combine or cross-use personal data in core platform services). 

Italy’s new AI law: On 10 October, the Italian law on Provisions and Delegation to Government on Artificial Intelligence, including an age verification requirement, entered into force. It is the first comprehensive legislation adopted by an individual EU member state on research, testing, development, adoption, and application of AI systems and models, with a human-centric approach. The government has appointed the Agency for Digital Italy and the National Cybersecurity Agency to enforce the legislation, which received its final approval in the parliament after a year of debate. The enforcement measure imposes even prison terms on those who manipulate technology to cause harm, such as generating deepfakes. 

US Bulk Data: The US Department of Justice’s Sensitive Data Bulk Transfer Rule is in effect as of October 6, JD Supra law blog reports. This means if your organisation transfers US sensitive data (from demographic data to cookie data) that hits the bulk thresholds, you need to develop and implement a compliance program, either a stand-alone program or as part of the compliance program (through due diligence and audit procedures). 

Electronic patient files

In Germany, the electronic patient record (ePA) for everyone has been tested in model regions since January 2025. Since 29 April, it has been available for use nationwide by practices, hospitals, and pharmacies, among others. As of 1 October, it is generally mandatory for practices and other medical facilities to fill out the records. At the same time, the information (eg, on ongoing or further treatment) can only be included in the ePA for everyone if the insured person has not fundamentally objected to this with their health insurance provider.

Finally, special consent requirements apply to information from genetic testing for diagnostic purposes, as well as on children and adolescent records.

California privacy updates

At the end of September, California finalised regulations to strengthen consumer privacy that go into effect on 1 January, 2026. However, there is additional time for businesses to comply with some of the new requirements, namely cybersecurity audits, risk assessments, and requirements for automated decision-making technologies, as well as updates to existing CCPA regulations. The final regulations and supporting materials will be posted on the regulator’s website as soon as they are processed.

ISO/IEC 27701

On 14 October, ISO released ISO/IEC 27701:2025, the latest version of the global Privacy Information Management System (PIMS) standard. For the first time, ISO/IEC 27701 is now a standalone standard, no longer just an extension of ISO/IEC 27001. The standard is designed for personally identifiable information (PII) controllers and processors, who hold responsibility and accountability for processing PII to:

•  Strengthen data privacy and protection capabilities
•  Help demonstrate compliance with global privacy regulations such as the GDPR
•  Support trust-building with partners, clients and regulators
•  Align with existing ISO/IEC 27001 systems to streamline implementation
•  Facilitate accountability and evidence-based privacy management

Cookie updated guidance

The Swiss FDPIC published an updated version of its cookie guidelines, which contains specific clarifications and additions intended to improve the comprehensibility of the text and clarify practical issues. In particular, the FDPIC found it useful to clarify why the use of cookies for the purpose of delivering personalised advertising may require the consent of the data subjects. This is the case when the website operator provides third parties with access to visitors’ personal information in return for payment by integrating third-party cookies or similar technologies, and these third parties are embedded in several websites. As the latter are enabled to carry out high-risk profiling, this constitutes a particularly intensive intrusion into the privacy of the data subjects.

AI systems development guidance

In Germany, the Data Protection Conference (DSK) publishes guidance on AI systems with Retrieval Augmented Generation (RAG). It provides legal and technical information on how to harness the potential of such AI systems while simultaneously reducing the risks for those affected. RAG is an AI technology that augments large language models with targeted access to company or government agency knowledge sources to deliver context-specific answers. 

Typical application examples include in-house chatbots that access current business data and scientific assistance systems that leverage research databases. 

Thus, RAG use must be designed in compliance with data protection by design and by default. Controllers must ensure transparency, purpose limitation, and the protection of data subjects’ rights at all times. Controllers wishing to implement such RAG systems must conduct data protection assessments of the various processing operations on a case-by-case basis and always keep their technical and organisational measures up to date. 

More from supervisory authorities

Union membership: The Latvian data protection authority DVI explains whether an employer needs to know about a worker’s union membership. The answer is that the employer cannot request such information from the employee at any time. The most appropriate justification for processing such data is when such rights are established for the employer by law; however, there is also the possibility of obtaining the employee’s consent or finding out this information when the employee has disclosed it themself. 

Such a question should not be asked during a job interview, when drawing up an employment contract or during an employment relationship, as long as the employer does not intend to terminate the employment relationship with the employee in question. If an employee is to be dismissed, asking about union membership is important because union members may have special protections, such as the need to obtain the union’s consent to termination. 

Commercial robocalls: The DVI also explains what a company should consider if it wants to use commercial robocalls. The regulatory framework stipulates that the use of automated calling systems, which operate without human intervention for the purpose of sending commercial communications, is permitted only if the recipient of the service has given their prior free and explicit consent. Thus, sending commercial communications in this way is lawful only if the person concerned has previously (before making the call) given their free and explicit consent to be disturbed by automated calling devices. 

Google Analytics fine confirmed by court

In 2023, Sweden’s data protection authority IMY decided after an inspection that Tele2 (mobile network provider) must pay a penalty fee of SEK 12 million because they violated the GDPR. The Court of Appeal has now ruled in favor of IMY. The violation concerned the fact that the company, in connection with the use of Google Analytics, transferred personal data to the US without adequate protection.

IMY assessed that the data transferred to the US via Google’s statistical tool was personal data, since the data transferred could be linked with other data that Google had access to and thus enabled Google to distinguish and identify specific persons. 

Minors’ data in the EU

On 16 October, the European Parliament’s Committee on the Internal Market and Consumer Protection adopted its report on the Protection of minors online. The report calls for an EU-wide digital minimum age of 16 for accessing social media, video-sharing platforms and AI companions without parental consent, and a minimum age of 13 for any social media use. It urges the European Commission to strengthen enforcement of the Digital Services Act and to swiftly adopt guidelines on measures ensuring a high level of privacy, safety, and security for minors. The Parliament is expected to vote on the final recommendations during the November plenary session.

Microsoft use of children data

The Austrian data protection authority ruled on a complaint regarding Microsoft’s handling of children’s data under the GDPR. It found that the Federal High School and the Federal Ministry for Education, acting as joint controllers, violated the complainant’s right of access and right to be informed. They failed to provide complete and timely information on data processed through Microsoft Education 365, including cookies and third-party data transfers, (content, log, and cookie data). Microsoft was also found to have infringed the complainant’s right of access by not providing complete information on cookie data, its own processing purposes, and transfers to third parties such as LinkedIn, OpenAI, and Xandr, digitalpolicyalert.org reports. 

Doping scandals and personal data

A CJEU Advocate General has ruled on the publication of the name of professional athletes who have infringed anti-doping rules. In the related case in Austria, four athletes concerned submit that that publication contravenes the GDPR. Such publication is provided for by law. It aims, first, to deter athletes from committing infringements of the anti-doping rules and thus to prevent doping in sport.

Second, it aims to prevent circumvention of the anti-doping rules by informing all persons likely to sponsor or engage the athlete in question that he or she is suspended. In that context, the Austrian court asked the Court of Justice to interpret the GDPR. The first opinion was that such practice is contrary to EU law. The principle of proportionality requires account to be taken of the specific circumstances of each individual case. In the Advocate General’s view, publishing the relevant name, but limited to the relevant bodies and sports federations, accompanied, for example, by pseudonymised publication on the internet, would make it possible to achieve both those objectives.

In other news

Clearview AI fine confirmed: On 7 October, the UK Upper Tribunal confirmed that Clearview AI’s facial recognition business is subject to the EU and UK GDPRs. Clearview had argued that its scraping of billions of online images to produce facial recognition services for sale to foreign law enforcement agencies placed it outside of GDPR’s material and territorial scope. The tribunal rejected the claim and made it clear that Clearview’s activities involve ‘behavioural monitoring’. Clearview sought a narrow interpretation of the GDPR, but the tribunal rightly adopted a broader one that clearly encompasses automated processing.

This decision follows the Information Commissioner and Privacy International’s appeal against a 2023 First Tier Tribunal ruling that had quashed Clearview’s 7,552,800 pounds fine. Clearview trawls through sites like Instagram, YouTube and Facebook, as well as personal blogs and professional websites. It uses facial recognition technology to extract the unique features of people’s faces, effectively building a gigantic biometrics database. Clearview has previously been found to be in breach of the GDPR in France, Italy, Austria and Greece, resulting in fines totalling 65,200,000 euros.

Meta AI bots: The Guardian reports that parents will be able to block their children’s interactions with Meta’s AI character chatbots. The social media company is adding new safeguards to its “teen accounts”, which are a default setting for under-18 users, by letting parents turn off their children’s chats with AI characters. These chatbots, which are created by users, are available on Facebook, Instagram and the Meta AI app. Parents will also be able to block specific AI characters and get “insights” into the topics their children are chatting about with AI. Meta said the changes would be rolled out early next year, initially to the US, UK, Canada and Australia. 

In case you missed it

AI for everyday tasks: As more and more companies are using their users’ personal data to train AI models, the French data protection regulator CNIL explains how to oppose it for the main platforms. The practical cases include: Google – Gemini, Meta – Meta AI, Open AI – ChatGPT, Microsoft – Copilot, X – Grok, DeepSeek, Mistral – The Cat, Anthropic – Claude, and LinkedIn.

‘Self-aware’ AI: Guernsey’s data protection authority meanwhile publishes its observations on how AI has formed the basis of a number of companion apps and the creation of numerous digital friends and partners. It is important to remember, for all of us, personally and professionally, that such products are not ‘living beings’, while more and more news stories continue to emerge of tragic outcomes in which a digital companion played a part. Individuals have the right not to be subject to automated decision making which is at the core of such products, without appropriate safeguards being in place. And for organisations functioning as data controllers, these are vested with the responsibility on any decisions AI makes or advice it provides to people. 

The post Data protection digest 4-18 Oct 2025: Transparency the GDPR’s 2026 enforcement goal, and the Experian case as a model NOT to follow appeared first on TechGDPR.

As of 12 September, the Data Act has become directly applicable in the EU. It offers harmonised rules on fair access to and use of data. The new rules cover manufacturers, users, data holders, data recipients, public sector bodies, and data processing services. It is designed to empower users, both consumers and businesses, by giving them greater control over the data generated by their connected devices (and related services), such as cars, smart TVs, industrial machinery and much more:

• It ensures that connected devices on the EU market are designed to allow data sharing
• Gives consumers the possibility to choose more services, without having to rely on the manufacturer of the device 
• Provides business users in industries like manufacturing or agriculture access to data about the performance of industrial equipment, opening up opportunities to enhance efficiency and optimise operations
• Allows consumers to easily transfer data and switch between cloud providers
• Prohibits unfair contracts that could prevent data-sharing

The Data Act does not exclude or replace the GDPR

On the contrary, it is fully compliant with data protection rules. In one example, where the user is not the data subject whose data is being requested, personal data can only be made available if there is a valid legal basis (eg, consent). This is an important consideration as the co-generated data often contains both personal and non-personal data, which may be difficult to separate.  Additionally, the Data Act includes a non-exhaustive list of measures to remedy situations where a third party or user has unlawfully accessed or used data.  The infringing party will be obliged to cease production of the product in question, destroy the data it has unlawfully obtained, or pay compensation. 

Stay up to date! Sign up to receive our fortnightly digest via email.

The Act also includes requirements for international transfers of non-personal data. The data processing service providers are required to adopt technical, legal, and organisational measures to prevent international transfer or governmental access to non-personal data that would breach national or EU law. Furthermore, the Act includes protections for trade secrets and trade secret holders, aiming at preventing data breaches or data transfers to jurisdictions that don’t provide sufficient data protection and preventing other entities from accessing the data to reverse-engineer the services of their competitors.

Data subject rights under the Data Act

The Hamburg data protection authority explains that, from electronic toothbrushes to wind turbines, many consumer goods and machines send sensor data to their manufacturers via the internet. Starting September 12, consumers will benefit from new access rights to the data of such connected devices, as the Data Act allows both users of these devices and third parties to request it. This is provided that the eligibility requirements under the Data Act are met, data protection law does not conflict, and trade secrets are protected.

If the data to be transmitted is personal, European law appoints data protection authorities to supervise compliance with the provisions of the Data Act. This task follows directly from Art. 37(3) of the Data Act: a) Accessing personal data from the manufacturer; b) Changing the provider of data processing services (so-called cloud switching); c) Protection of confidentiality through technical and organisational measures at the receiving body; d) Transparency obligations. The data protection authorities can now enforce these rights by issuing orders. Violations can sometimes be punished with fines. Alternatively, claims can be pursued independently through civil law. Any natural or legal person can file a complaint. 

EU-US Data Privacy Framework maintained

On 3 September, the CJEU ruled on a case in which a French politician had brought an action against the Commission regarding the adequacy decision for the EU-US Data Privacy Framework. The case was brought with a claim that the adequacy decision should be annulled. According to the complainant, the newly established appeal body in the US, the Data Protection Review Court (DPRC), was not independent, and American legislation did not ensure adequate guarantees for the data subjects in connection with the mass collection of personal data by the intelligence services. 

The Court found no basis for concluding that the DPRC was not independent at the time of the decision. In this context, the Court recalled the Commission’s obligation to continuously monitor developments in the US and to act if changes in the legal framework might lead to a lower level of protection. With regard to the activities of the intelligence services, the Court also found that US legislation at the time of its adoption ensured a level of protection of personal data that was essentially equivalent to that existing within the EU.

On that basis, the court dismissed the lawsuit in its entirety.

Digital Services Act

The EU General Court, meanwhile, has ruled that the Commission failed to properly adopt the method it used to assess very large online platforms’ user bases under the Digital Services Act (DSA). As a result, the supervisory fees the Commission imposed on the largest platforms (Facebook, Instagram, TikTok and others), as calculated by reference to their user bases, were invalid (however, the effects of the annulled decisions are provisionally maintained). The Commission now has 12 months to rectify the situation. 

The EDPB has recently adopted guidance on the interaction between the Digital Services Act and the GDPR. The DSA aims to complement the rules of the GDPR to ensure the highest level of protection of fundamental rights in the digital space. It applies to online intermediary services, such as search engines and platforms. There are several provisions in the DSA which relate to the GDPR:

• Notice-and-action systems that help individuals or entities report illegal content
• Recommender systems used by online platforms to automatically present specific content to the users of the platform, with a certain relative order or prominence
• The provisions to ensure a high level of privacy, safety, and security of minors and to prohibit profile-based advertising using their data 
• Transparency of advertising by online platforms
• Prohibition of profiling-based advertising using special categories of data 

Pseudonymisation

In another ruling of September 4, the CJEU addressed various issues relating to personal data and pseudonymisation in connection with the transfer of this data to third parties: 

• Statements that reflect the personal opinions or views of the authors are information “about that person” because, as an expression of that person’s thoughts, they are necessarily closely linked to that person. 
• Pseudonymised data is not always considered personal data. Depending on the circumstances, pseudonymisation may actually prevent persons other than the controller from identifying the data subject, making them unidentifiable or no longer identifiable. 

The case concerned the obligation incumbent on controllers to inform data subjects, at the time of data collection, of the recipients or categories of recipients to whom their personal data are to be disclosed. Consequently, the identifiability of the data subject in such a case must be assessed from the perspective of the controller and not from that of the recipient. 

More from supervisory authorities

Brazil draft adequacy decision: On 4 September, the European Commission launched the process towards the adoption of a data protection adequacy decision with Brazil. The Commission has determined that Brazil ensures an adequate level of data protection, comparable to that of the EU. Once adopted, the decision would allow for free data flows for businesses, public authorities, and research projects between the EU and Brazil, one of the widest scopes possible for a data adequacy decision under the GDPR. The Brazilian authorities have also initiated a process to adopt an equivalent decision to allow for Brazilian data to flow freely to the EU.

Windows IT security guide for organisations: The German Federal Office for Information Security (BSI) provided recommendations for the secure configuration of Microsoft Office products for the Microsoft Windows operating system (in German). These recommendations were developed specifically for medium-sized to large organisations that manage their endpoints using Group Policies in an Active Directory environment. However, other experienced IT users can also apply the Group Policies locally. Implementing these policies offers the advantage of a wider range of configuration options compared to configuring them via the user interface. These recommendations are available for the Office applications Microsoft Access, Microsoft Excel, Microsoft Outlook, Microsoft PowerPoint, Microsoft Visio, and Microsoft Word.

Cybersecurity for teenagers: The BSI also published a comprehensive package to teach basic cybersecurity skills. It aims to support teachers and other educational professionals in raising young people’s awareness of digital risks at an early stage and teaching them how to use digital media safely. The media package includes educationally prepared worksheets, interactive activities, and background information for teachers and parents. It covers the three topics of smartphone and app security, cybercrime methods, and account protection. 

Personal recordings

Can recordings obtained for personal use be used for other purposes? The Latvian data protection regulator explains that such a recording is usually made without informing other people about it. In cases where the recording is planned to be used only for one’s own needs, without passing it on to others, the GDPR does not apply. However, before making a recording, you should consider whether it is not restricted by any other rules. For example, if the recording is made at a school event, you should make sure that the institution’s internal rules of procedure do not set any restrictions on the use of technical devices and the making of recordings. 

Over time, a person who has a recording made for personal purposes may want to use this information for other purposes. For example, it can serve as evidence in resolving a dispute or in detecting an offence. In this case, GDPR provisions must apply, in particular, when choosing the legal basis for processing, complying with fundamental principles in processing, including ensuring that the rights of the people heard and seen in the recordings are respected. 

Right to erasure

The EDPB launched a coordinated action earlier this year to examine how organisations handle the right to erasure (requests from individuals to have their personal data erased by the organisation). The Swedish Data Protection Authority IMY is now reporting its findings. Regarding the 20 Swedish businesses surveyed, despite handling large amounts of personal data, businesses have received few requests from individuals who want their data deleted. Among the problems and challenges that IMY has identified are: a) Lack of or inadequate internal routines and processes, b) Uncertainty about deletion in backups, and c) Difficulty verifying the identity of the person who wants their data deleted. IMY has identified examples of best practice for data deletion requests, such as:

• Create clear and updated procedures, control documents and checklists that specify who does what, how the assessment is carried out and what criteria apply for deletion
• Offer multiple channels to submit a deletion request, such as email, phone, web form, or physical visits
• Verify the individual’s identity only in cases of reasonable uncertainty
• Always provide a clear justification with reference to relevant provisions when rejecting a request

Google and Shein cookie fines

The French regulator CNIL fined Google 325 million and Shein 150 million euros, in particular for non-compliance with the rules on online trackers. The checks revealed that Google displayed, between the emails present in the ‘Promotions’ and ‘Social networks’ tabs of Gmail, advertisements in the form of emails. In the case of Shein, the CNIL noted that several trackers, particularly for advertising purposes, were deposited as soon as they arrived on the site, even before they interacted with the information banner to express a choice.

Also, when a user visiting the “shein.com” site clicked on the “Refuse all” button in the banner, or when they decided to withdraw consent to the registration of trackers on their terminal, new trackers were nevertheless deposited. 

Toymaker fine

America’s FTC  just settled with Apitor Technology, a Chinese toymaker, for allegations that the company violated the Children’s Online Privacy Protection Rule (COPPA). Apitor develops, markets, and distributes robot toys for kids ages 6-14. To program the robots, users need to download Apitor’s free companion app. It incorporated a third party’s software development kit (SDK), enabling app functionalities like push notifications and usage tracking. The SDK allowed the third party to collect geolocation data from children playing with the robot toys using an Android device. At the same time, companies providing online services directed at children must notify parents if they’re collecting, using, or disclosing personal information from juveniles. They also have to get parents’ verified consent to do so, even if a third party is the one collecting the data on a company’s behalf. 

Online banking authentication

In Finland, the data protection agency has imposed a penalty of 1.8 million euros on S-Bank for neglecting information security in online banking authentication. Due to a software error in the authentication service in 2022, it was possible to log in to online banking and online services using strong authentication with another customer’s credentials. The agency investigated the data breach based on a notification made by S-Bank in 2022. The bank had implemented a new login functionality in S-mobile. 

The bank had not tested the new software sufficiently before implementing it, and it had not identified vulnerabilities before the functionality was implemented. It also did not respond adequately to customer complaints about irregularities in online banking logins. A security vulnerability had been exploitable for more than three months. It affected a significant portion of the bank’s customers. Misuse of bank codes caused financial damage to customers. S-Bank has announced that it has compensated customers for direct losses.

In other news

Disney: Another settlement by the FTC with Disney alleges that it failed to properly designate their YouTube videos as directed to children. When Disney uploaded videos to YouTube, its policy was to set the audience at the channel level, rather than checking the audience for each video. As a result, some child-directed videos were incorrectly designated as “not made for kids.” Personal information of children viewing these videos was collected and used for targeted advertising without parental notice or consent as required under COPPA. Kids were also exposed to YouTube features not meant for kids: autoplay to other “not made for kids” videos and access to unrestricted public comments.

Recruitment agency: North Rhine-Westphalia data protection commissioner imposed a fine of over 35,000 euros on a Düsseldorf-based recruitment agency which had not only consistently ignored the data protection rights of job seekers, but also requests from the regulator. The focus was on requests from employees asking whether and which data the company had processed about them. Some of the individuals also demanded that their data be deleted.  

Health data: In Estonia, Allium UPI, the company that manages the Apotheka loyalty program, received a fine of 3 million euros for failing to protect customer data and using insufficient security measures. The company’s reckless attitude towards its customers’ data put the privacy of more than 750,000 people, including children and other vulnerable groups, at risk. A security incident occurred in the information system of the Apotheka loyalty program in early 2024.

The leaked files contained personal data and purchase history of those who joined the Apotheka customer program between 2014 and 2020: purchased medicines, health measurement services, and other sensitive pharmacy products, such as pregnancy and ovulation tests, hearing aid accessories, blood pressure supplements, intimate hygiene products, and medications for skin problems. 

In case you missed it

Football fans face recognition in Denmark:  The Danish Data Protection Authority has granted permission for the clubs in the Super League (season 2025/2026) to use automatic facial recognition during football matches, in order to support the enforcement of the rules on club quarantines. The permits for the Super League clubs state, among other things, that the processing must comply with the rules on the preparation of an impact assessment: it must be carried out before the processing begins.

Bossware in the UK: A third of UK companies use “bossware” to track employees‘ activities, according to an article in the Guardian. One in seven employers are monitoring or evaluating screen activity, and private organisations are the most likely to implement in-work surveillance, according to a UK-wide poll. The fact that about one-third of managers said their companies watch employees’ internet activity on company-owned devices, however, is likely an underestimation because the same percentage stated they had no idea what tracking their companies do. Preventing insider threats, protecting sensitive data, and identifying productivity declines are the goals of many monitoring systems. 

The post Data protection digest 1-15 Sep 2025: The Data Act is fully applicable, “bossware” takes over workspaces appeared first on TechGDPR.