dpo Archives - TechGDPR, https://techgdpr.com/blog/tag/dpo/ (feed last built Fri, 20 Mar 2026 11:57:15 +0000)

Data protection digest 3-18 Mar 2026: Proposed EU Biotech Act strengthens clinical trial participants’ rights
https://techgdpr.com/blog/data-protection-digest-20032026-proposed-eu-biotech-act-strengthens-clinical-trial-participants-rights/
Published Fri, 20 Mar 2026 09:16:26 +0000
EU Biotech Act

The EDPB and EDPS adopted a Joint Opinion on the European Commission’s Proposal for a European Biotech Act. It aims to strengthen Europe’s biotechnology and biomanufacturing sectors, including streamlining the regulatory framework and updating the rules for clinical trials (in the form of proposed amendments to the Clinical Trials Regulation). The privacy regulators welcome the aim to establish a single legal basis for the processing of personal data by sponsors and investigators in the context of clinical studies. The opinion provides several recommendations to ensure that the proposed simplifications do not lower the level of protection for clinical trial participants:

  • Clarifying the controller roles (sole or joint) of the actors involved in funding and conducting clinical trials
  • Limiting the retention of the various categories of personal data collected throughout a clinical trial (master file storage requirements excepted)
  • Further processing of trial data for other clinical trials and for scientific research
  • Coherence with the AI Act
  • Appropriate technical and organisational measures, in particular pseudonymisation
  • Regulatory sandboxes

Main developments 

Transparency enforcement action: On 18 March, the EDPB launched its Coordinated Enforcement Framework (CEF) action for 2026. Following a year-long coordinated action on the right to erasure in 2025, the CEF’s focus this year will shift to compliance with the obligations of transparency and information under the GDPR. The GDPR ensures that individuals are informed when their data is being processed (under Art. 12, 13 and 14). This right to be informed is a core element of transparency and ensures that individuals have more control over their data. Participating authorities will soon contact controllers from different sectors across Europe.

European Blockchain sandbox: The European Commission has published the results of the third edition of the ‘European Blockchain Sandbox’, an initiative in which European data protection authorities take part alongside other regulators. The selected projects cover all EU/EEA regions and a wide range of sectors and issues. As in the first two editions, the publication of the selected projects is followed by confidential regulatory dialogues, after which a report of good practices will be released.

Other legal updates

Data Brokers EU study: The Belgian data protection agency and the EDPB commissioned a study to gain greater insights into the ecosystem of data brokerage. In particular, several types of data brokers and providers were identified: personal data brokers, AI platforms integrating personal data, business data brokers, data pools and cleanrooms, data marketplaces, self-generated data providers, data brokers with user control, and aggregated data providers with re-identification risk.

The study shows that the data broker and provider market in Belgium is highly diverse, with varying levels of risk associated with the use of personal data. More than 40 data brokers and providers active in Belgium were identified in the study.

Big Tech compliance with the EU DMA: The gatekeepers designated in 2023, Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft, have submitted reports on their updated compliance measures under the Digital Markets Act (DMA), outlining the changes they have implemented and the measures they have taken during the past year. The gatekeepers also submitted to the Commission updated, independently audited reports on their consumer profiling techniques. The public versions of the updated compliance reports will be published shortly.

US privacy laws development: DLA Piper publishes a state-by-state list of recently introduced comprehensive privacy bills (Alabama, Arizona, Iowa, Illinois and more). They reflect a continued trend toward expanding individual privacy rights and creating new compliance obligations for businesses that collect and process personal data, including consent requirements, data minimisation, data brokers, children’s data, geolocation, biometrics and other types of sensitive data.

More from supervisory authorities

Age assurance guide: The Australian Information Commissioner (OAIC) has published new guidance on age assurance technologies to assist entities in ensuring Australians’ privacy is protected when they encounter age checks online. Three months on from the commencement of the Social Media Minimum Age (SMMA) scheme, the OAIC has observed significant growth in age checks taking place in Australia to allow people access to other online services. The guidance calls on entities to: 

  • establish whether age checks are needed and take a privacy-by-design approach
  • undertake due diligence to ensure the security of the entity’s age assurance ecosystem
  • assess risk and choose age-assurance methods that are proportionate and data minimising
  • ensure clear consent requests are used for the collection of sensitive information (such as biometric templates) or for secondary use or disclosure
  • be transparent in privacy notices and ensure meaningful support is available to individuals, through simple and easy to access complaints processes

IT security in the health sector: The IT security of software products in the healthcare sector has room for improvement. This is a recent conclusion reached by Germany’s Federal Office for Information Security (BSI) after testing the standard configurations of various healthcare software products. As part of the project, four representative practice management systems (PMS) were examined using penetration tests. The findings included a lack of encryption for data in transit and the use of outdated, and therefore insecure, encryption algorithms.
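The two BSI findings above (no transport encryption, outdated algorithms) are exactly what a configuration review of a client library catches before a pentester does. The following is an added example, not code from BSI or from any tested product: a hardened Python TLS client context next to the kind of "it just works" context that gets flagged, plus an audit function that reports the weak settings. The cipher string and the list of weak-algorithm markers are my own choices.

```python
import ssl

# Substrings in a cipher suite name that mark an outdated or broken algorithm.
# Assumed list for this example; extend it to match your own policy.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "3DES", "MD5", "NULL", "EXP", "ADH", "AECDH")


def hardened_client_context() -> ssl.SSLContext:
    """Context a PMS should use for outbound connections (lab, billing, e-prescription
    APIs): TLS 1.2+ only, certificate and hostname verification on, and only
    forward-secret AEAD suites for TLS 1.2 (TLS 1.3 suites are all AEAD already)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_default_certs()
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5")
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """Constructed example of the weak setting: certificate checks switched off,
    which is what makes a man-in-the-middle on the clinic LAN trivial."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of findings for a context; an empty list means it passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum protocol version {ctx.minimum_version.name} allows TLS < 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate verification disabled (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname check disabled; a valid certificate for any name is accepted")
    weak = sorted(
        c["name"] for c in ctx.get_ciphers()
        if any(marker in c["name"].upper() for marker in WEAK_CIPHER_MARKERS))
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("legacy", legacy_client_context())):
        print(label, audit_context(ctx) or "OK")
```

The audit looks only at the client's own context, which is the part a vendor controls; what the server actually negotiates still has to be confirmed with a scanner against the deployed installation, because a permissive server will happily fall back to whatever the weakest client offers.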

AI systems monitoring criteria

AI outputs are typically non-deterministic, meaning the AI may exhibit a range of behaviours under the same input conditions. To that end, the US NIST has published a much-needed analysis of post-deployment AI system monitoring aimed at improving reliability. The study introduces six monitoring categories to support a more organised discussion: 

  • Functionality: Does the system continue to work as intended? 
  • Operational: Does the system maintain consistent service across its infrastructure? 
  • Human Factors: Is the system transparent to humans and of high quality?
  • Security: Is the system secure against attacks and misuse? 
  • Compliance: Does the system adhere to relevant regulations and directives? 
  • Large-Scale Impacts: Does the system promote human flourishing?

Web filtering proxy

The French privacy regulator CNIL promotes cybersecurity solutions that comply with the GDPR, both in their use and in their design. To this end, it publishes a recommendation to support users and providers of web filtering proxies, devices or services used to secure internet access by filtering web content for security and compliance reasons. Web filters can help meet the data security obligation (Art. 32 GDPR). However, they themselves process personal data (who visited what, and when), and that processing must also comply with the GDPR. The CNIL recommendations aim in particular to inform data controllers:

  • on compliance with the principles of the GDPR in the use of a web filtering proxy, including the determination of a legal basis, the minimisation of the data collected, the retention periods and the respect of the exercise of rights by the data subjects;
  • on the points of attention relating to the use of HTTPS decryption and the implementation of a list of exceptions;
  • on the deployment modalities;
  • on the security of the access filtering and logging solution.
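Two of the CNIL points above, the HTTPS decryption exception list and minimised logging with a retention period, are concrete enough to show in code. The following is an added example of my own, not the CNIL's recommendation and not any proxy product's code. The exception list, the log key and the 90-day retention period are assumptions; a real deployment takes them from its own policy.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Hypothetical exception list: hosts whose TLS sessions the proxy must pass
# through undecrypted (banking, health, staff representation). An entry covers
# the host and all of its subdomains, but never a lookalike such as "notbank.example".
NO_DECRYPT = {"bank.example", "health.example", "workscouncil.example"}

# Hypothetical per-deployment secret used to pseudonymise the user id in logs;
# rotating it at the end of each retention period breaks linkage across periods.
LOG_KEY = b"example-log-pseudonym-key-rotate-me"
RETENTION = timedelta(days=90)     # assumed retention period for access logs


def should_decrypt(sni, exceptions=NO_DECRYPT):
    """Label-aware suffix match on the SNI hostname sent in the ClientHello."""
    labels = sni.rstrip(".").lower().split(".")
    return not any(".".join(labels[i:]) in exceptions for i in range(len(labels)))


def pseudonym(user_id):
    """Keyed HMAC rather than a bare hash, so the log cannot be reversed by
    hashing a directory of known usernames."""
    return hmac.new(LOG_KEY, user_id.encode(), hashlib.sha256).hexdigest()[:16]


def handle(user_id, sni, url, now):
    """Make the interception decision for one session and return the log record.

    `url` is only known when the session is decrypted; for pass-through
    sessions the proxy sees the SNI alone and the record says so."""
    decrypt = should_decrypt(sni)
    record = {
        "ts": now.isoformat(),
        "user": pseudonym(user_id),
        "host": sni.rstrip(".").lower(),
        "path": None,
        "decision": "decrypt" if decrypt else "passthrough",
        # retention enforced from the record itself, not from an operator's memory
        "expires": (now + RETENTION).isoformat(),
    }
    if decrypt and url is not None:
        parts = urlsplit(url)
        # path only: no query string, fragment or embedded credentials
        record["path"] = parts.path or "/"
    return record


def sample_session_log():
    """Constructed sample traffic: two sessions of the same user."""
    now = datetime(2026, 3, 20, 9, 0, tzinfo=timezone.utc)
    return [
        handle("alice", "intranet.example",
               "https://alice:pw@intranet.example/patients/42?token=secret", now),
        handle("alice", "login.bank.example", None, now),
    ]


if __name__ == "__main__":
    for rec in sample_session_log():
        print(rec)
```

The suffix match is done per DNS label on purpose: a naive `endswith("bank.example")` would also exempt `notbank.example`, and a naive `in` check would exempt `bank.example.evil`. The pseudonym is stable within a retention period, which is what an incident investigation needs, but the raw user id never reaches the log.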

In other news

Account deletion and purchase history: The Privacy Commissioner of Canada has issued its findings in an investigation into complaints against Loblaw Companies (the biggest Canadian food retailer) related to the PC Optimum Loyalty Program. Several complainants alleged that Loblaw did not delete their PC Optimum accounts after they requested it, and/or that it had not responded to inquiries about their deletion requests.

The investigation found that, while Loblaw had mechanisms in place for customers to request account deletion or raise privacy concerns, it took an unreasonable amount of time to address the requests and failed to respond to some privacy-related inquiries altogether. The investigation also found that Loblaw retained PC Optimum members’ purchase history after their accounts had been deleted, and that merely removing personal identifiers such as names and email addresses was insufficient.

Age assurance technology fine: The Spanish AEPD fined Yoti 950,000 euros following an investigation into its role as an intermediary in identity and age-verification processes. The fine comprises 500,000 euros for processing special category biometric data without a valid exemption under Article 9 of the GDPR, 200,000 euros for obtaining consent for research and analytics through pre-ticked boxes in breach of Article 7, and 250,000 euros for retaining data, including biometric and geolocation information, for longer than necessary in violation of the storage limitation principle under Article 5(1)(e). 

The AEPD required Yoti to demonstrate within six months that its processing of biometric data, consent mechanisms, and data retention practices comply with the GDPR, digitalpolicyalert.org reports.

More enforcement decisions

Amazon Italy ban: The Italian Data Protection Authority Garante ordered Amazon Italia Logistica to immediately stop processing the personal data of more than 1,800 employees at its Passo Corese (RI) site. The ban concerns workers’ sensitive information, which Amazon systematically collected and stored throughout their employment and retained for up to ten years after they left the company, using an internal platform linked to the attendance tracking system and accessible to numerous managers.

The information was recorded on the platform following interviews conducted when employees returned from periods of absence. It included details about medical conditions such as Crohn’s disease, herniated discs, and pacemaker implants, as well as participation in strikes and trade union activities. In some cases, notes referred to alleged misuse of leave. Personal and family matters were also documented, including references to a terminally ill parent, a sibling with brain cancer and marital separations, according to the Maltese data protection agency analysis.


Intesa Sanpaolo fine: Garante also fined Intesa Sanpaolo 17.628 million euros for unlawful personal data processing. Intesa Sanpaolo had profiled approximately 2.4 million customers identified as “predominantly digital customers” through automated processing of personal data, including age, use of digital channels, absence of investment products, and account balances below 100,000 euros. This profiling lacked a valid legal basis. The regulator determined that informed consent under Article 6(1)(a) of the GDPR was the only applicable legal basis, and that such consent had not been obtained, digitalpolicyalert.org sums up. 

Foreign service providers and the choice of jurisdiction

A DLA Piper analysis looks at a case in California demonstrating the expanding reach of personal jurisdiction over foreign companies operating online platforms. It relates to an appellate court’s decision to reverse a district court’s dismissal of a class action against an Estonian software company for lack of personal jurisdiction. The plaintiffs brought a class action in the Northern District of California against 3Commas Technologies, an Estonian private limited company that provides software services for cryptocurrency trading, based on an alleged data breach. 

In the above case, the foreign company collected IP addresses, billing addresses, and location data that could reveal users as California residents, contacted them, and interacted with them for cryptocurrency trades. The appeal court also decided that including specific references to California privacy rights can be construed as evidence of intentionally targeting California consumers. Finally, the choice of law and forum selection clauses in vendor contracts may be used as evidence, too.

And Finally


Data altruism: The French CNIL also publishes FAQs on recognised data altruism organisations in the EU. The Data Governance Act (DGA) creates an EU-recognised Data Altruism Organisation (DAO) status. These organisations voluntarily make data available for general interest and non-profit purposes. In particular, Article 18 of the DGA sets out the general conditions for registration; an organisation must:

  • carry out data altruism activities
  • be a legal person pursuing objectives of general interest under national law
  • operate on a not-for-profit basis and be legally independent of any entity operating for profit
  • conduct its data altruism activities through a structure that is functionally separate from its other activities
  • comply with a set of common European rules, known as the ‘rulebook’, in a transparent, secure and interoperable manner 

AI agents and data security: The Krebs on Security blog looks at AI-based assistants, autonomous programs that have access to the user’s computer, files and online services and can automate virtually any task. Their popularity is growing in particular among developers and IT workers. These powerful new tools are rapidly shifting the security priorities for organisations, while blurring the lines between data and code, and between trusted co-worker and insider threat. The article describes several ways users get burned, including the case where exposing a misconfigured AI agent web interface to the Internet allowed external parties to read the bot’s complete configuration file, including every credential, from API keys and bot tokens to signing keys. Another experiment showed how easy it is to mount a supply chain attack through a public repository of downloadable “skills” that allow AI agents to integrate with and control other applications.

Data protection digest 18 Feb – 2 Mar 2026: ‘Conditional Consent’ for meaningful user control over cookie preferences
https://techgdpr.com/blog/data-protection-digest-04032026-conditional-consent-for-meaningful-user-control-over-cookie-preferences/
Published Wed, 04 Mar 2026 10:03:33 +0000
Conditional consent vs cookie fatigue

On 10 February, the EDPB and EDPS, in a joint opinion, strongly welcomed the regulatory solution to address cookie fatigue and the proliferation of consent banners. This follows the  European Commission’s proposal to switch to automated, machine-readable indications of data subjects’ choices under the Digital Omnibus package. The EU regulators welcome that, pursuant to the proposed Article 88b of the GDPR, harmonisation standards will be developed. 

Such standards should cover the communication of data subjects’ choices, from browsers to websites, from mobile phone applications to web services, and ensure that all involved actors use the same automated machine-readable indications and are not simply repackaging consent in a new technical format. 


Anticipating the need of data controllers and browser providers in the near future to be able to accept and enable automated signals, TechGDPR publishes Conditional Consent, an open concept paper proposing what automated signalling should look like for meaningful user control, based on three dimensions:

  • Cookie purpose
  • Website category
  • Third-party processing

The concept paper contains the main principles, legal basis and exceptions, technical specifications, along with a comparison with existing tools, and a proposed implementation solution, all available at conditionalconsent.com.

Main developments 

Prohibited AI practices: A Future of Privacy Forum analysis draws the “red lines” of the prohibited practices in the EU AI Act. They concern harmful manipulation and deception, social scoring, individual criminal risk assessment, untargeted scraping of facial images, emotion recognition in the workplace and education, biometric categorisation, and real-time remote biometric identification for law enforcement. Prohibited AI practices are regulated by Article 5 of the AI Act, which became applicable in February 2025; since 2 August 2025 the provision has also been enforceable.

AI-generated images: The EDPB has signed a Joint Statement on AI-Generated Imagery and the Protection of Privacy. The statement, coordinated by the Global Privacy Assembly, represents the united position of 61 authorities across the world. The statement addresses serious concerns about AI systems that generate realistic images and videos depicting identifiable individuals without their knowledge or consent. The co-signatories are especially concerned about potential harm to children and other vulnerable groups, such as cyber-bullying and/or exploitation. Fundamental principles should guide all organisations developing and using AI content generation systems, including:

  • Implement robust safeguards to prevent the misuse of personal information.
  • Ensure meaningful transparency about AI system capabilities, safeguards, acceptable uses and the consequences of misuse. 
  • Provide effective and accessible mechanisms for individuals to request the removal of harmful content involving personal information and respond rapidly to such requests. 
  • Address specific risks to children through implementing enhanced safeguards and providing clear, age-appropriate information to children, parents, guardians and educators

Digital Omnibus legal study

The European Parliament published a study identifying interlinks and possible overlaps between different legal acts in the field of digital legislation. It analyses the European Commission’s Digital Omnibus package proposals published on 19 November 2025, distinguishing administrative simplification from more substantive recalibration of safeguards across data, privacy, cybersecurity and AI areas. The study highlights key areas of controversy (legal certainty, enforcement capacity, and impacts on rights) and sets out areas for consideration for parliamentary scrutiny, including:

  • Debate over the definition of personal data in the GDPR
  • Integrating ePrivacy into GDPR (cookie fatigue)
  • Concerns about restricting data access rights
  • Data Act consolidation
  • Centralised incident notification through a single entry point (SEP)
  • AI timelines, burden reduction and centralisation.

Ransomware statistics

In 2025, 65 ransomware incidents were reported to the police in the Netherlands. Incident response companies responded to 40 incidents. Access is usually gained by exploiting vulnerabilities and by account takeovers. In a ransomware attack, malicious software encrypts computer systems and data; hard drives, databases, backups, USB drives and cloud data can all be affected. The victim is then extorted: the attacker offers the decryption key in exchange for payment. 

Reporting the incident is crucial if you, as a business or individual, have been a victim of ransomware. Even if the criminals have already been paid, filing a report provides the police with vital information. A report may supply details the police are missing, which in some cases can be used to unlock systems, and it helps them identify suspects. 

More from supervisory authorities

GDPR survey in Germany: The North Rhine-Westphalia data protection commissioner has used a recent survey by the business association Bitkom as an opportunity to reject discussions about the complete or partial centralisation of data protection supervision.

The survey of 603 companies clearly shows that businesses in the state primarily view data protection laws as too complicated. 85 % of the companies surveyed in Germany want more understandable data protection regulations. 79 % are calling for a reform of the GDPR, and 69 % demand better coordination with other regulations. 

Just 33 % believe that decision-making processes would be faster within a federal agency, while 44 % are concerned about losing proximity to their local supervisory authority and thus a direct contact person (which implies the need for additional staff to handle a sharply increasing number of complaints and consultation services). 

Session replay tools: The French data protection regulator CNIL is launching a public consultation on its draft recommendation concerning session replay tools that allow the monitoring and analysis of users’ online behaviour. The objective is to support the actors who design these tools and those who use them in their compliance. Session replay tools are used to reconstruct the complete browsing path of an Internet user on a website or a mobile app. They can, for example, be used to detect and fix bugs or optimise the structure or ergonomics of a website or mobile application. 


More official guidance

GDPR certification criteria: The North Rhine-Westphalia data protection commissioner also approved a nationwide catalogue (available in English and German) of criteria for IT solutions. Companies that meet these criteria will receive a certificate confirming their compliance with European data protection law, which they can then use for advertising purposes. The catalogue was developed by TÜV Nord Group. This is the third such approval issued by the NRW regulator.

Specifically, it addresses so-called information processing services – online banking, accounting, and AI systems, as well as search engines. The certification process, conducted by a specialised certification body, typically involves a detailed audit of the processing operations within the respective company. This audit verifies the technical and organisational measures in place, as well as compliance with the principles of the GDPR. 

Health screening campaigns via phone are possible: In Italy, the data protection authority Garante has approved the use of telephone numbers for screening, provided that adequate safeguards are respected. Healthcare companies may use adult patients’ telephone numbers, provided during previous healthcare services, to promote participation in screening campaigns required by national or regional regulations, even if the privacy notice did not expressly state this purpose at the time the data was collected.

Specifically, healthcare companies will be required to update their privacy notices, specifying that the most recent contact details collected for treatment purposes, subject to verification of their accuracy, may be used exclusively for the promotion of public prevention programmes and not for other purposes (for example, scientific research or administrative activities).

In other news

Employee data access rights: The LewisSilkin legal blog analyses a recent decision from the French Court of Appeal, which confirmed that employees cannot rely on their right of access to obtain copies of entire work email correspondence or business files, merely because their name or email address appears in them. Where the material contains no substantive personal data beyond identifying information, the right of access does not extend to wholesale document disclosure.

Furthermore, the right of access cannot be used as a litigation discovery mechanism (in this case, in a dispute over a dismissal). The court decision is also in line with the ICO guidance on the right of access.  

Reddit fine: In the UK, Reddit was fined 14.47 million pounds for children’s privacy failures. The Information Commissioner’s investigation found that Reddit did not apply any robust age assurance mechanism. The company did not have a lawful basis for processing the personal information of children under the age of 13. It also failed to carry out a data protection impact assessment to assess and mitigate risks to children before 2025. In the past year, Reddit introduced age assurance measures that include age verification to access mature content and asked users to declare their age when opening an account. The commissioner once again informed Reddit that relying on self-declaration presents risks to children, as it is easy to bypass. 

Samsung consent case: The Texas Attorney General reached an agreement with Samsung Electronics America, concerning the collection of Automated Content Recognition (ACR) viewing data from Texas consumers through Samsung smart televisions. Under the agreement, Samsung must cease collecting or processing ACR viewing data without obtaining Texas consumers’ express consent and must update its smart televisions to implement clear and conspicuous disclosures and consent screens, digitalpolicyalert.org reports.

More enforcement decisions

Ransomware attack followed by privacy fine: In Spain, the data protection agency AEPD fined Sprinter Megacentros del Deporte (a sporting goods retailer) 2.6 million euros over a data breach, DataGuidance reports. A ransomware attack encrypted systems and exfiltrated data, affecting 6.3 million individuals. The notification of the breach to data subjects was also not delivered ‘without undue delay’ and lacked specific mitigation information. 


Biometric data fine: The Italian Garante has fined eCampus University 50,000 euros for unlawfully processing the biometric data of numerous participants in its online courses. The investigations revealed the lack of a suitable legal basis to justify the use of biometric systems, especially given the availability of less invasive tools.

It also emerged that the University had not conducted a data protection impact assessment before implementing the system. The violations affected a very high number of participants, over 450 students for each lesson.

Data processing agreement fine: The Polish data protection authority UODO has fined DPD Polska more than 2.75 million euros after finding serious failures in how the courier company structured its relationships with external carriers, according to an analysis by grcreport.com. These carriers participated in loading and unloading parcels and had access to address labels containing personal data. In some cases, shipments were transported in vehicles not owned by DPD Polska and for which it had no other legal basis. Despite this third-party access, the company did not conclude personal data processing agreements with the carriers.

GDPR does not prevent authorities from being notified of social fraud

The Danish data protection regulator, Datatilsynet, explains that the GDPR does not contain a general prohibition on disclosing information to public authorities. On the contrary, the rules allow data to be disclosed when there is a lawful basis for processing. This may be if the disclosure is necessary to comply with a legal obligation. The question of whether, for example, an insurance company may or must disclose information on possible fraud to a public authority, therefore, depends on the specific legal basis in national legislation, including rules on confidentiality and sector-specific regulations. 

And Finally


AI models and GDPR audit tool: The French CNIL, together with other actors in the digital data domain (ANSSI, PEReN and Inria), is launching a call for expressions of interest to test an audit tool called PANAME that makes it possible to assess the confidentiality of AI models and their compliance with the GDPR. The project aims to develop a tool for auditing the privacy of AI models. It will take the form of a library for performing data extraction and/or re-identification tests on AI models. 

For more than a decade, research has shown that data, including personal data, that was included in the training dataset can be extracted from an AI model. The extraction can be carried out via:

  • statistical techniques at the model level, which require full or partial access to the model, or
  • in the case of generative AI, direct querying of the model with instructions (prompts).
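The first bullet, the model-level statistical test, is the easiest one to demonstrate end to end. What follows is an added toy example of my own; it is not PANAME's code and uses no real data. A tiny logistic regression is overfitted to a constructed dataset whose labels are random (so nothing can generalise, only be memorised), and a loss-threshold membership test then distinguishes training records from fresh ones. The dataset sizes, learning rate and threshold rule are assumptions chosen to keep the example small.

```python
import math
import random


def _dot(w, x):
    return sum(wi * xi for wi, xi in zip(w, x))


def _sigmoid(z):
    z = max(-30.0, min(30.0, z))          # clamp to avoid math.exp overflow
    return 1.0 / (1.0 + math.exp(-z))


def make_data(n, d, rng):
    """Constructed sample: Gaussian features with labels drawn independently of
    them, so any fit the model achieves is pure memorisation."""
    X = [[rng.gauss(0.0, 1.0) for _ in range(d)] for _ in range(n)]
    y = [rng.randrange(2) for _ in range(n)]
    return X, y


def train(X, y, epochs=400, lr=0.5):
    """Plain logistic regression by SGD, deliberately run long enough to overfit."""
    d = len(X[0])
    w, b = [0.0] * d, 0.0
    for _ in range(epochs):
        for xi, yi in zip(X, y):
            g = _sigmoid(_dot(w, xi) + b) - yi      # d(loss)/d(logit)
            for j in range(d):
                w[j] -= lr * g * xi[j]
            b -= lr * g
    return w, b


def loss(model, x, y):
    """Per-example cross-entropy: the signal a loss-based membership test uses."""
    w, b = model
    p = _sigmoid(_dot(w, x) + b)
    eps = 1e-12
    return -(y * math.log(p + eps) + (1 - y) * math.log(1 - p + eps))


def membership_test(model, x, y, threshold):
    """Attacker's rule: a record the model fits unusually well (loss below the
    threshold) is guessed to have been in the training set."""
    return loss(model, x, y) < threshold


def run_experiment(seed=7, n=16, d=12):
    rng = random.Random(seed)
    X_in, y_in = make_data(n, d, rng)      # training members
    X_out, y_out = make_data(n, d, rng)    # never seen by the model
    model = train(X_in, y_in)
    in_losses = [loss(model, x, y) for x, y in zip(X_in, y_in)]
    out_losses = [loss(model, x, y) for x, y in zip(X_out, y_out)]
    # The attacker only needs a threshold; here it is the pooled mean loss,
    # standing in for calibration on shadow models in a real audit.
    threshold = sum(in_losses + out_losses) / (2 * n)
    hits = sum(membership_test(model, x, y, threshold) for x, y in zip(X_in, y_in))
    false_alarms = sum(membership_test(model, x, y, threshold) for x, y in zip(X_out, y_out))
    return {
        "mean_member_loss": sum(in_losses) / n,
        "mean_nonmember_loss": sum(out_losses) / n,
        "attack_accuracy": (hits + (n - false_alarms)) / (2 * n),
    }


if __name__ == "__main__":
    for k, v in run_experiment().items():
        print(f"{k}: {v:.3f}")
```

Members end up with near-zero loss while fresh records with random labels do not, and that gap is what the threshold exploits; an audit tool reports the attack's accuracy above the 50% chance line as the model's leakage. The same loss-gap idea is what makes generative models leak through prompting: a memorised training string is simply a sequence the model assigns an implausibly high probability.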

AI geolocation: Privacy International explains that one of the most concerning capabilities of the newest AI systems is inferring geographic location from images. Vision‑Language Models (VLMs) can now determine where in the world a given photo was taken with striking speed and accuracy. Most people are unaware that widely accessible AI tools can identify the location of their personal photos, even when Global Positioning System (GPS) metadata has been removed. Inferring location from images without GPS data may support beneficial activities, such as robotics development or investigative journalism, but the capability is far from privacy risk-free. 

Data protection digest 3-17 Feb 2026: When using anonymisation for deletion, controllers have differing degrees of success – EDPB
https://techgdpr.com/blog/data-protection-digest-19022026-when-using-anonymisation-for-deletion-controllers-have-differing-degrees-of-success/
Published Thu, 19 Feb 2026 09:54:35 +0000
Data deletion requests

Throughout 2025, 32 supervisory authorities across the EU/EEA launched coordinated investigations into controllers’ compliance with the right to erasure under the GDPR. Now, the EDPB has published a report of the findings. As the right to deletion is not absolute, some controllers face difficulties in assessing and applying the conditions for exercising this right, including in conducting the balancing tests between the right to erasure and other rights and freedoms. Many regulators raised concerns regarding controllers not having:

  • an internal procedure or practice in place to handle erasure requests, or having only an incomplete or irregularly reviewed procedure,
  • specific procedures and measures to handle erasure requests in the context of back-ups,
  • staff training,
  • adequate information provided to data subjects,
  • legal certainty on the exceptions under which erasure requests may be denied, and
  • defined data retention periods, etc.

Multiple regulators found that controllers relying on anonymisation for deletion have varying degrees of success in correctly implementing it. In some cases, they only apply basic pseudonymisation or partial masking, although such a process would not fulfil the requirements of the GDPR regarding deletion.


Interestingly, the majority of the 764 polled controllers had not received a single request for erasure in the last two years. While controllers were often chosen because they were in particular situations (processing sensitive data, processing a very large amount of data, etc.), about 70% of controllers still received fewer than 10 requests per year. It also appears that certain profiles are less likely to exercise their rights (e.g., applicants in public services, citizens toward public services, contractors, or job applicants/employees), while others seem less hesitant to do so (e.g., potential customers).

Main developments 

Digital omnibus and GDPR simplification: The EDPB and EDPS issued a long-awaited statement on simplification of the digital legislative framework in the EU. Among many things, they advised against the proposed changes to the definition of personal data. The changes go far beyond a targeted modification of the GDPR, a ‘technical amendment’ or a mere codification of CJEU jurisprudence.

Defining what is no longer personal data directly affects and narrows the scope of application of EU data protection legislation and should not be addressed in an implementing act, say the regulators. The full opinion in the context of GDPR, AI Act, and ePrivacy Directive can be read here.

UK data reform: Meanwhile, in the UK, on 5 February, the main provisions of the Data Use and Access Act 2025 came into force, amending the UK GDPR and the Data Protection Act 2018. These include a new ‘recognised legitimate interests’ legal basis for data controllers, cookie consent exemptions, data reuse permissions, changes to the use of automated decision making, more relaxed international transfers of personal data, and, in some cases, limits on data subject access requests.

Age-appropriate code design


On February 5, South Carolina signed Age-Appropriate Code Design into law, after it was previously adopted by California, Maryland, Nebraska, and Vermont. According to JD Supra analysis, covered online services must exercise “reasonable care” in the use of a minor’s personal data and the design and operation of the covered online service. This includes features that:

  • Decrease minors’ time and activity on the service to prevent compulsive usage, severe psychological harm, and privacy intrusions;
  • Opt minors out of “personalisation recommendation systems” by default;
  • Set personal data settings to the highest level of protection by default; and
  • Collect, use, share, or retain only the minimum amount of a minor’s personal data “necessary” to provide the specific elements of the covered online service, etc.

More from supervisory authorities

DPO role: Under EU law, all EU institutions, bodies, offices and agencies (EUIs) are required to appoint a data protection officer (DPO). To strengthen the effectiveness and independence of this function, the EDPS has adopted two key documents clarifying the role and protection of DPOs within EUIs.

They provide practical and up-to-date guidance on the designation of DPOs, their institutional positioning, the guarantees of independence attached to the function, and the responsibilities entrusted to them. 

Cybersecurity exercise: ENISA offers a methodology providing an end-to-end framework for planning, running and evaluating cybersecurity exercises. It ensures that the right profiles and stakeholders are involved at the right time, and provides supporting material based on lessons identified, industry best practices and cybersecurity expertise. The guide and the support toolkit templates can be downloaded from the original publication.

Games age limitation: On 4 February, the French government adopted a decree on the experimentation of games with monetisable digital objects. Among other controls, it requires that the opening of a player account be refused for any minor, or until the identity and age of the applicant have been verified. The enterprise offering a game must document the arrangements used for verification, carry out regular checks, and be able to demonstrate the effectiveness and compliance of those arrangements to the National Gaming Authority.

How to deal with data protection complaints


The updated UK ICO guidance reminds organisations what they need to do to meet the new requirement to provide a data protection complaints process for individuals, as set out in the Data Use and Access Act, although these requirements do not come into force until 19 June 2026. At a glance, the law says organisations must:

  • Give people a way of making data protection complaints;
  • Acknowledge receipt of complaints within 30 days of receiving them;
  • Without undue delay, take appropriate steps to respond to complaints, including making appropriate enquiries, and keep people informed;
  • Without undue delay, tell people the outcome of their complaints.

Read practical advice on each of these points in the original publication.

In other news

CNIL sanctions statistics: Cookies, employee surveillance and data security were the main subjects of the penalties imposed by the French data protection authority CNIL in 2025, with a cumulative amount of 486,839,500 euros. Insufficient security of personal data, lack of cooperation with the CNIL and non-respect for the rights of individuals were the three main reasons for sanctions under the recently introduced simplified procedures. Numerous formal notices targeted websites that deposited cookies and other trackers without respecting the consent of individuals, either by not allowing them to refuse the deposit in a simple way, or by not taking into account the withdrawal of users’ consent.

In addition, the regulator often sanctioned the non-compliance with the obligations of the subcontractors concerning the data entrusted to them, in particular: 

  • implementing appropriate technical and organisational measures to ensure an adequate level of security;
  • only processing data on the instructions of the data controller;
  • deleting the data at the end of their contractual relationship with the data controller.

OpenClaw AI: The Dutch data protection authority AP warns against the use of OpenClaw, an AI agent tool that has become popular since last year. The platform provides users with an AI assistant to install, which can perform tasks autonomously. To do so, the user has to give it full access to their computer and programs, including email, files and online services. The platform can also be vulnerable to hidden commands embedded in websites, emails and chat messages, which can lead to account takeover, exposure of personal data and theft of access credentials.


More enforcement decisions

Amazon Italy investigation: On 9 February, the Italian data protection authority Garante and the National Labour Inspectorate announced an investigation into Amazon regarding the processing of workers’ personal data and the use of video surveillance systems. The investigation will examine the company’s logistics hubs, with a particular focus on the distribution centres in Passo Corese and Castel San Giovanni, to determine the extent to which monitoring practices comply with the legal requirements stipulated within the Workers’ Statute, digitalpolicyalert.org reports. 

Dutch municipalities fined: The Dutch data protection authority AP fined 10 municipalities 250,000 euros for processing sensitive information without consent, according to DataGuidance. Violations included processing data on religious beliefs, family relationships, political views, and criminal or terrorism-related information. The municipalities processed this sensitive information (obtained from an external research bureau, amid national counter-radicalisation efforts) without valid consent.

Swiss cookie redress case: Digitec Galaxus informed the Swiss privacy regulator FDPIC that it had implemented its formal recommendation that customers be given the option to object to the processing of their personal data for marketing purposes. Following criticism over excessive data processing, users can now disable personalisation with one click (one-click opt-out), whereby the corresponding cookies are automatically disabled. To that end, the registration form now explicitly mentions personalisation and the right to object, and the privacy policy has been updated accordingly.

And Finally

Data brokers warning in the US: The Federal Trade Commission sent letters to 13 data brokers warning them of their responsibility to comply with the Protecting Americans’ Data from Foreign Adversaries Act of 2024. It prohibits data brokers from selling, releasing, disclosing, or providing access to personally identifiable sensitive data about Americans to any foreign adversary, which includes North Korea, China, Russia, and Iran, or any entity controlled by those countries.

The law defines personally identifiable sensitive data to include health, financial, genetic, biometric, geolocation, and sexual behaviour information, etc.

Data protection digest 18 Nov-2 Dec 2025: “Digital omnibus” package latest & market price of personal data already estimated (https://techgdpr.com/blog/data-protection-digest-4122025-digital-omnibus-latest-and-market-price-of-personal-data/, published Thu, 04 Dec 2025 10:02:26 +0000)

“Digital omnibus” package latest

On 19 November, the European Commission presented proposals for amendments in the digital area legislation, including the GDPR, the Data Act, the EU AI Act, and the NIS 2 Directive. According to digitalpolicyalert.org analysis, the Digital Omnibus would amend the GDPR by:

  • changing the definition of personal data to specify any entity that is reasonably likely to have the means to identify a person,
  • exempting certain biometric data and data used by AI from the restrictions on processing special categories of personal data,
  • clarifying on further processing of personal data in the public interest or for scientific research purposes, and
  • specifying that processing of personal data that is necessary for the interests of a controller in the development or operation of an AI system can be pursued under “legitimate interests”.

The Digital Omnibus would also exempt personal data processing from the cookie requirements under the ePrivacy Directive. Instead, it would amend the GDPR to maintain the consent requirement, while specifying that certain processing activities, such as electronic communications transmissions, service provision, audience measurement solely for an online service provider, and maintaining or restoring security, would be considered lawful. Websites and apps would have to allow data subjects to consent through automated, machine-readable mechanisms; browser manufacturers must likewise enable users to grant or refuse consent.

Finally, personal data breaches that are likely to result in a high risk to the rights and freedoms of natural persons would need to be reported to a single-entry point within 96 hours of the controller becoming aware of them. Similarly, there would be unified lists of processing activities that do or do not require a Data Protection Impact Assessment, and a standard DPIA template and methodology would be created.


GDPR enforcement

On 17 November, the Council of the EU adopted new rules to improve cooperation between national data protection bodies when they enforce the GDPR to speed up the process of handling cross-border data protection complaints. Main elements of the new EU regulation include:

  • Admissibility: Regardless of where in the EU a complaint is filed, admissibility will be judged based on the same information/conditions. 
  • Rights of complainants and parties under investigation: Common rules will apply for the involvement of the complainant in the procedure, and the right to be heard for the company or organisation that is being investigated.
  • Simple cooperation procedure: For straightforward cases, data protection authorities can decide, to avoid administrative burden, to settle actions without resorting to the full set of cooperation rules.
  • Deadlines: In the future, an investigation should not take more than 15 months. For the most complex cases, this deadline can be extended by 12 months. In the case of a simple cooperation procedure between national data protection bodies, the investigation should be wrapped up within 12 months.

The regulation will enter into force 20 days after its publication in the Official Journal of the EU. It will become applicable 15 months after it enters into force.

More legal updates

The European Commission has launched a whistleblower tool for the AI Act. Whistleblowers can provide relevant information in any of the EU official languages and in any relevant format. The tool provides a secure means to report potential law violations that could compromise fundamental rights, health, or public trust. The highest level of confidentiality and data protection is guaranteed through certified encryption mechanisms. Anyone can access the AI Act Whistleblower Tool and read more information about the tool and the frequently asked questions.

California privacy updates: California has enacted a bill which amends the state’s data breach notification law to establish strict new reporting timelines. Beginning January 1, 2026, businesses must notify affected California residents within 30 calendar days of discovering a security incident involving personal information. For incidents affecting more than 500 residents, notice to the California Attorney General must be provided within 15 calendar days of the consumer notice. The amendment allows limited exceptions for law enforcement needs or when necessary to determine the scope of the incident and restore system integrity, JD Supra lawblog reports. 

In parallel, starting Jan. 1st, 2027, California will prohibit a business from developing or maintaining a browser, as defined, that does not include functionality configurable by a consumer that enables the browser to send an opt-out preference signal to businesses with which the consumer interacts through the browser. The bill would require a business that develops or maintains a browser to make clear to a consumer in its public disclosures how the opt-out preference signal works and the intended effect. The bill would grant a business that develops or maintains a browser that includes this functionality immunity from liability for a violation of those provisions by a business that receives the opt-out preference signal. 

Child data protection in the EU

On 26 November, the European Parliament adopted a resolution on the protection of minors online as part of an own-initiative procedure on the topic. The resolution calls, among other things, for the implementation of an EU-wide harmonised digital minimum age of 16 for accessing social media, video-sharing platforms and AI companions without parental consent, with 13 as the minimum age for any social media use by children, even with parental consent. 

In parallel, the German Data Protection Conference, DSK, adopted a resolution calling for amendments to the GDPR to strengthen protections for children. It proposes a ban on children’s consent for profiling and advertising, limits on children’s ability to consent to special-category data processing, and clearer rights for children to access counselling and medical services privately. It also focuses on a prohibition on children consenting to automated decisions, attention to children in breach notifications, data protection by design and default, and consideration of children’s risks in data protection impact assessments, digitalpolicyalert.org sums up. 

Cloud computing

The European Commission has published non-binding Model Contractual Terms for data access and use and Standard Contractual Clauses for cloud computing contracts. They have been developed to help parties, especially SMEs, implement the provisions of the Data Act. Their use is voluntary and open to users’ possible amendments. Although they were mainly drafted for business-to-business contracts, they can also be used in relations between businesses and consumers, if relevant consumer protection rules are added. 

Three sets of Model Contractual Terms (MCTs) were drafted to cover the relationships where data sharing is mandatory, between data holders, users and data recipients of data generated when using connected products. Plus, proposed Standard Contractual Clauses (SCCs) translate the provisions of ‘cloud switching’ into ready-to-use contractual terms that can be inserted in data processing contracts:

  • SCC Switching & Exit
  • SCC Termination 
  • SCC Security & Business continuity (including provider notification of significant incidents).

Email security

The German Federal Office for Information Security, BSI, has published a white paper on requirements for the protection, transparency, and user-friendliness of webmail services, aimed at increasing consumer security in a systematic and forward-looking way. The paper considers not only technical security functions, but also usability, transparency and trust as essential components of digital sovereignty. A fundamental part of e-mail security currently still rests on the shoulders of users, who are expected to be familiar with two-factor authentication, passkeys and encryption. The BSI sees responsibility primarily with the providers: they must provide effective procedures for authentication, encryption, spam protection and account recovery that work without major user intervention.

Data Act implementation


The Data Act has been in effect since September 2025. This new European regulation is intended to give consumers within the EU more control over the use of their data. For instance, a car owner will have the right to access the data their car collects. If repairs are needed, they can share the data with a garage of their choice, explains the Dutch data protection agency AP, which will jointly oversee the implementation process at a national level, starting from 21 November.

The Data Act and the implementing laws do not override the rules of the GDPR. In the event of conflicting rules, the GDPR takes precedence. This means that any data sharing involving personal data must comply with the GDPR, stresses the regulator. 

More from supervisory authorities

Market research data processing: In Poland, the data protection regulator UODO approved the “Code of Conduct on the Processing of Personal Data by Private Research Agencies”. The reason for the development of the code was numerous discrepancies in the processing of the personal data of research participants. As a result, in the case of identical surveys, their participants, depending on the entity conducting the study, could receive divergent information, for instance, on the legal basis for the processing of personal data. Information obligations were also fulfilled differently. The Code also provides guidance to help carry out a risk assessment or, where justified, a data protection impact assessment.

It is worth noting that the code obliges all entities that join it to appoint a Data Protection Officer (DPO).

Sound recording and CCTV: Organisations often choose to conduct video surveillance with sound recording. Sometimes they also fail to disable the camera manufacturer’s default audio function. As a result, the additional risks posed not only by image capture but also by sound recording are not sufficiently assessed. In addition, the related processing of personal data is not always carried out lawfully: recording sound and recording images are two different data processing operations, so audio and video each require their own legal basis.

The processing of personal data by performing video surveillance with audio recording is not justified in most cases. There are rare situations where it is legal and permissible, mainly when it is associated with an increased risk to the essential interests of the organisation or society. Often, the legal basis for such processing can be found in the special regulatory framework applicable to a particular industry in which the organisation operates.


Employment clauses and personal data processing

Labour clauses are widely used by both public and private contracting authorities to ensure fair wages and working conditions at suppliers. Contracting entities often require the supplier to provide documentation of its compliance with the labour clauses, typically in the form of employees’ salaries, timesheets and employment contracts. This raises questions about the supplier’s legal basis for disclosing such personal data to the contracting authority, notes Denmark’s data protection agency. In its view, there will generally be an overriding legitimate interest that can form the basis for the disclosure of the information in question.

TechSonar 2025-2026

The EDPS’s latest guidance on new technology, the TechSonar report 2025-2026, explores six trends: agentic AI, AI companions, automated proctoring, AI-driven personalised learning, coding assistants and confidential computing. While each of these technologies serves a distinct purpose, they are deeply interconnected. Together, they illustrate how AI is progressively reshaping not only business processes and common daily tasks, but also the human experience of technology. The full report is available from the EDPS.

In other news


Data security in cloud-based EdTech: The US Federal Trade Commission will require education technology provider Illuminate Education, Inc. (Illuminate) to implement a data security program and delete unnecessary data to settle allegations that the company’s data security failures led to a major data breach, which allowed hackers to access the personal data of more than 10 million students.

Illuminate sells cloud-based technology products and collects and maintains personal information about students on behalf of schools and school districts. In its complaint, the FTC alleged that in 2021, a hacker used the credentials of a former employee, who had departed Illuminate three and a half years prior, to breach Illuminate’s databases stored on a third-party cloud provider. 

Medical data breach: The Norwegian data protection regulator upheld its fine on Argon Medical Devices. In 2023, it issued the American company an infringement fee of approximately 127,000 euros for violating the GDPR. In 2021, Argon discovered a security breach that affected the personal data of all of its European employees, including those in Norway. Argon notified the Norwegian regulator of the breach long after the 72-hour deadline for reporting such breaches.

Argon believed that they did not need to report the breach until they had a complete overview of the incident and all its consequences. This view was enshrined in their procedures, and this was the basis for the delay. The case is an important reminder that controllers must have appropriate measures in place to determine whether a breach has occurred and to promptly notify the supervisory authority and the data subjects.

Mobile app gaming company fine

California’s Attorney General settled with Jam City, Inc., resolving allegations that the mobile app gaming company violated the state’s Consumer Privacy Act (CCPA) by failing to offer consumers methods to opt out of the sale or sharing of their personal information across its popular gaming apps. Jam City creates games for mobile platforms, including games based on popular franchises such as Frozen, Harry Potter, and Family Guy. In addition to 1.4 million dollars in civil penalties, Jam City must provide in-app methods for consumers to opt out of the sale or sharing of their data and must not sell or share the personal information of consumers under 16 years old without their affirmative “opt-in” consent.

Data brokers fine

The Belgian data protection authority GBA, meanwhile, has imposed a 40,000 euros fine on data broker Infobel for illegally reselling data for marketing purposes, cybernews.com reports. A consumer complained to the GBA after receiving a marketing brochure in the mail from a firm of which he was not a customer. The complainant asked how the corporation had obtained his information and was told that it had been supplied by a media agency. The agency had obtained his information via Infobel, a data broker that in turn received it from a telecom operator.

Infobel said it had permission to sell the complainant’s information to the media agency since it had secured approval from data subjects. However, the data protection authorities claimed that there was no explicit, informed, or unambiguous consent. 

Cookie consent fine

On November 20, the French regulator CNIL fined the French company Conde Nast Publications 750,000 euros for non-compliance with the rules applicable to cookies deposited on the terminals of users visiting the “vanityfair.fr” site. In particular, cookies subject to consent were placed on the terminals of users visiting the “vanityfair.fr” site as soon as they arrived on the site, even before they interacted with the cookie banner to express a choice. Also, when a user clicked on the “Refuse all” button in the banner, or when they decided to withdraw their consent to the registration of trackers on their terminal, new cookies subject to consent were nevertheless deposited, and other cookies, already present, continued to be read. 

And finally…

Meta multi-million file: A Spanish court has ordered Meta to pay 479 million euros to Spanish digital media outlets for unfair competition practices and infringing the GDPR, a ruling the company will appeal, Reuters reports. The settlement, which will be given to 87 digital press publishers and news organisations, is related to Meta’s use of personal data for behavioural advertising.

The complaint filed by the Spanish outlets centred on Meta’s shift in the legal basis for processing personal data after the GDPR went into effect in May 2018. Meta changed “user consent” to “performance of a contract” to support behavioural advertising. Later, regulators judged that it was insufficient. Meta returned to consent as its legal foundation in 2023. The judge assessed that Meta generated at least 5.3 billion euros in advertising income during those five years.

Personal data monetisation: The French CNIL commissioned a survey on the perception of the French people regarding the use of their personal data. From a representative sample of 2,082 people aged 15 and over, 65% of them say they are willing to sell their data. Of these, only 6% would be willing to sell it for less than 1 euro per month, while 14% preferred a fee of more than 200 euros per month. 

The most common valuation was between 10 and 30 euros per month, preferred by 28% of respondents. This coincides with the latest market research based on Meta services estimation, where, for a price of 5 euros, 20% of people would be willing to sell their data, and 90% of companies would be willing to buy it. Taken together, these results make it possible to approximate a market price for data that would be around 40 euros per month (and per subscribed service). 

Data protection digest 3-17 Nov 2025: Consumer loan checks can reveal people’s lifestyle data (https://techgdpr.com/blog/data-protection-digest-19112025-consumer-loan-checks-can-reveal-peoples-lifestyle-data/, published Wed, 19 Nov 2025 09:42:20 +0000)

Consumer loan checks

Consumer loan checks can reveal people’s lifestyles. The Dutch Data Protection Authority AP concluded this after reviewing a bill concerning consumer loans. It believes that lenders can assess a person’s ability to meet payment obligations with less information about them. It is unlikely that all the information in a bank statement, including sender, recipient, or description, is always necessary.

The bill introduces stricter rules for consumer loans under 200 euros (services like “buy now, pay later,” credit cards, and bank overdrafts). For these relatively small loans, the ability to pay the bill on time and the risk of default will also be checked. People who use such loans will also be registered with the Credit Registration Office. The AP emphasises that the new rules need to be further developed to ensure better data control and minimisation.


EU Digital Omnibus package latest

The privacy advocacy group NOYB warns that the so-called Digital Omnibus, which is being prepared by the European Commission, brings fast-track deregulation, including a ‘massive’ reform of the GDPR and ePrivacy legislation. According to the draft proposal, the Commission envisages changes to core elements such as the definition of personal data, consent requirements, and data subjects’ rights, as well as weaker protections for special categories of data under the GDPR. In parallel, AI companies could benefit from easier access to European personal data through the use of the ‘legitimate interests’ legal basis for processing.

ETIAS and data protection

As the clock ticks down to the launch of a new EU large-scale border management system, the European Travel Information and Authorisation System (ETIAS) in autumn 2026, momentum is building to prepare it for entry into operation and ensure its compliance with data protection laws. The EDPS follows the implementation of ETIAS at close quarters. To help mitigate the risks, legislators have established an ETIAS Fundamental Rights Guidance Board. 

Composed of representatives of the EDPS, EDPB, EU Fundamental Rights Agency, Frontex Fundamental Rights Office and Frontex Consultative Forum, the EFRGB is mandated to issue guidance on the fundamental rights impacts of processing ETIAS applications. A critical concern for individuals required to apply for an ETIAS is ensuring access to an effective judicial remedy. For instance, refusal of a travel authorisation could result from a data processing error.

Brazil draft adequacy decision

The EDPB also adopted an opinion regarding the European Commission draft implementing decision on Brazil’s adequacy. The General Data Protection Law in Brazil, LGPD, together with Presidential decrees and binding regulations issued by Brazil’s Data Protection Authority, ANPD, establish requirements, including in relation to the principles, data subject rights, transfers, oversight and redress, closely aligned with the GDPR and case law of the CJEU. At the same time, the EDPB invites the Commission to clarify further how certain exemptions and specific limitations of data subject rights in the LGPD correspond to the adequate level of data protection regarding:

  • national security purposes relating to the collection and sharing of data between the public entities within the Brazilian intelligence systems
  • personal data processing for criminal law enforcement purposes
  • rights of information and access to the data 
  • accountability principle and the requirements for the data protection impact assessment

More legal updates

NIS2 implementation in Germany: On 13 November, the law implementing the European Network and Information Systems (NIS) 2 Directive was passed by the German Bundestag. The directive increases the cybersecurity requirements for certain companies and for the federal administration. The Federal Office for Information Security (BSI) occupies a key position in both areas: it will become the supervisory authority for the companies affected by the directive and, in the role of Chief Information Security Officer (CISO), the central body for the cybersecurity of the federal administration.

Affected companies must register with the BSI, report significant security incidents, and implement technical and organisational risk management measures. The law also amends the BSI Act, which previously covered approximately 4,500 entities in the economic sector: operators of critical infrastructure, providers of digital services, and companies of particular public interest. With the entry into force of NIS2, this scope is expanded to include the categories of “important institutions” and “particularly important institutions,” meaning that the BSI will supervise approximately 29,500 institutions in the future.

NIS upgrade in the UK: In parallel, on 12 November, the Cyber Security and Resilience Bill was introduced to the UK Parliament. The Bill will update the NIS Regulations of 2018 by expanding the regulatory scope to a broader range of essential and digital service providers, including online marketplaces, cloud computing services and search engines, as well as managed service providers (e.g. data centres will be designated as essential services). It also places the Secretary of State in charge of maintaining consistency of implementation across sectors.

AI solutions legal basis

At the request of the Danish Agency for Higher Education and Science, the Danish Data Protection Agency has assessed whether the agency has the authority to develop and operate an AI solution that will function as support in the assessment of applications for disability allowance. The Danish Data Protection Authority assessed that the processing of personal data that takes place during the development and operation of an AI solution can, as a rule, be carried out based on what is necessary for reasons of substantial public interest – GDPR Art. 9(2)(g).

However, it requires a so-called supplementary national legal basis. In relation to the duty of information towards citizens whose historical cases are included in the training dataset, the Danish Agency for Higher Education and Science has, among other things, pointed out: 

  • There is a large number of citizens (approx. 3,000).
  • It would be resource-intensive to inform citizens individually.
  • The processing of personal data is limited.
  • The purpose of the processing is to improve case processing time.
  • The processing is not assessed to have direct consequences for citizens.

GDPR ready-to-use templates

The EDPB invites experts to participate in a public consultation aimed at proposing practical templates to help organisations comply with their obligations under the GDPR. The EDPB identified the need to develop standardised tools that could serve as guidance for both controllers and processors. The public consultation aims to find out which types of templates would be most beneficial in practice, for instance:  

  • privacy notice,
  • records of processing activities,
  • data protection impact assessment,
  • notification of a personal data breach.

It is possible to participate in the public consultation from November 5 to December 3, 2025. Experts, organisations, and individuals can submit their suggestions through this page.

More from supervisory authorities

Australia child privacy updates: From 10 December, platforms like Facebook, Instagram, Snapchat, TikTok, YouTube, X, Threads, Reddit and Kick must take reasonable steps to prevent under-16s from holding accounts on their services. Failure to do so will expose these platforms to fines of up to 49.5 million dollars. These services currently meet the criteria for under 16 restrictions as specified in the Social Media Minimum Age legislation, in particular the key requirement that their “sole or significant purpose is to enable online social interaction”.

Health data warehouses (EDS): The CNIL’s Digital Innovation Laboratory (LINC) has published a map of health data warehouses in France. An EDS, explains the CNIL, is a database built up over a long period of time and intended to be reused mainly for steering (management, control and administration of the activity) and research, studies and evaluations in the field of health. They can be set up by both public (such as a public healthcare institution) and private entities (such as a data broker or a startup), provided that they comply with the applicable legal framework.

AI risk assessment: The EDPS has published new guidance to help data controllers carry out data protection risk assessments when developing, acquiring and deploying AI systems. Although the guidance is aimed at EU institutions, organisations in both the public and private sectors that use or plan to adopt AI systems can use it as a valuable starting point. It focuses on the risk of non-compliance regarding fairness, accuracy, data minimisation, security and certain data subjects’ rights. The list of risks and countermeasures is not exhaustive but reflects some of the most pressing issues that controllers must address when procuring, developing and deploying AI systems.

In other news

Cyber attack mitigation tools: The Dutch AP has issued recommendations for a strong data processing agreement in the event of a cyber attack. Organisations that collaborate with service providers must enter into a data processing agreement regarding the sharing and use of personal data. Such an agreement sets out arrangements on, for example, security and the roles and responsibilities in the event of incidents such as data breaches. To limit the damage from cyber attacks, organisations can:

  • Make agreements as concrete as possible
  • Maintain control over the entire supply chain
  • Give more priority to drafting and maintaining data processing agreements

Therefore, the regulator sums up, agreements should be negotiated carefully and promptly, and agreements and their appendices reviewed regularly to ensure they remain relevant in practice. Employee awareness and knowledge of the GDPR play a crucial role in this.

Misleading cookie banners: The AP also reports that three-quarters of websites modified misleading cookie banners after an investigation of more than 200 websites in the Netherlands was launched in April. The AP is now taking enforcement action against organisations that haven’t updated their cookie banners. The easiest way to comply is not to use tracking software at all; in that case, a cookie banner isn’t necessary. Where organisations do use tracking software, they must adhere strictly to the rules and inform visitors honestly and clearly.

Biometric processing

In New Zealand, the Privacy Commissioner has issued a Biometric Processing Privacy Code that creates specific privacy rules for agencies (businesses and organisations) using biometric technologies to collect and process biometric information. The Code, which is now law made under the Privacy Act, will help make sure agencies implementing biometric technologies are doing so safely and in a way that is proportionate. Guidance has also been developed to support the Code.


Direct marketing and free-of-charge services

On 13 November, the CJEU released its ruling in Inteligo Media SA v ANSPDCP (the Romanian data protection regulator) (C-654/23), in which a media website provided information about new legislation in Romania, the Bird&Bird law blog reports. Six articles per month could be viewed completely free of charge. Users could also subscribe for free to an additional two articles and a daily newsletter, or pay for unlimited access and a fuller newsletter. ANSPDCP claimed that Inteligo could only process subscriber registration details and deliver the free newsletter if it had approval, which it did not.

Inteligo argued it was covered by the soft opt-in exception. The ePrivacy Directive does require organisations to obtain consent before sending direct marketing emails, but there is an exception where the organisation obtains the subscriber’s details in the course of selling a product or service and the direct marketing concerns that organisation’s similar products or services. The top EU court concluded that the free subscription did constitute a sale: a sale requires goods or services to be provided in exchange for remuneration, but that remuneration may be indirect, as where a particular customer pays nothing and the cost is instead covered by the premium version of the subscription.


Telecommunications multimillion fine

Following ex officio proceedings, the Croatian data protection agency imposed an administrative fine on a telecommunications operator, in its capacity as controller, for the total amount of 4.5 million euros for violations of the GDPR. The infringements concerned the transfer of personal data to third countries without a valid transfer instrument and without transparent information to data subjects, the processing of copies of employees’ identity cards and certificates of no criminal proceedings without a legal basis, as well as the failure to carry out appropriate prior checks of a processor.

Customer service fine

The EDPB sums up a recent enforcement case in Italy, in which a customer who was the victim of fraud contacted their bank to obtain recordings of calls made to customer service, which would be useful in contesting a transfer of approximately 10,000 euros and reconstructing what had happened. Having received no satisfactory response, they complained to the privacy regulator Garante. Only after the authority had opened proceedings did the bank provide the recordings, but by then the 30-day deadline set by the GDPR had already passed. Garante imposed an administrative fine of 100,000 euros, taking into account the bank’s turnover, its cooperation during the investigation and the absence of previous infringements.

In case you missed it

Children’s data lifecycle: Privacy International states that in England’s schools, children are tracked from birth through a vast, opaque network of digital systems that turn education into a lifelong exercise in data collection and surveillance. Children’s data in education starts from the day they are born until they are 25 years old:

  • during pre-school, with personal data submitted by legal guardians during the school admissions process 
  • every child is assigned a unique pupil record and a unique pupil number that stays with them forever
  • the student’s educational setting gets added to the record, which includes its religious character and location, etc.

The next layer of data added to those records is created by school staff – absence and attendance records, assessments, etc. Separately, children’s data can be generated and collected by the EdTech tools used by staff. Some schools use a broad range of tools, such as behaviour tracking apps, which can take the form of scores but also of more complex profiles and predictions in relation to a child. Further personal data is collected and added to the National Pupil Database (NPD), and is kept indefinitely. 


Agentic AI explained: The JD Supra law blog outlines the rise of “agentic AI”. Unlike traditional AI systems, which are designed to perform specific, narrowly defined tasks (generating text or images or analysing inputs) and rely on human input and oversight, agentic AI systems can complete far more complex, multi-step tasks autonomously and make context-dependent decisions. The emergence of these systems could transform a wide range of industries and business functions, including: a) consumer-facing systems, b) customer support, c) internal operations, and d) sales and marketing.

Data protection digest 18 Jul – 1 Aug 2025: DPO as a value creator and return on investment for companies https://techgdpr.com/blog/data-protection-digest-4082025-dpo-as-a-value-creator-and-return-on-investment-for-companies/ Mon, 04 Aug 2025 07:56:36 +0000

The DPO as a value for a company

The French data protection regulator CNIL has studied the economic benefits of the presence of a Data Protection Officer within companies. Statistical analysis shows that it is often profitable, especially for companies taking a positive approach to GDPR compliance. The two most represented sectors were research, IT and consulting, and banking, insurance and mutual insurance companies. There are different types of benefits related to the DPO function – leverage to win calls for tenders, avoidance of sanctions, avoidance of data leaks and rationalisation of data management. Here are some examples:

  • The DPO is the point of contact for the supervisory authority and the persons whose data is processed. As such, they can take charge of organising the processing of people’s requests to exercise their rights so that a complete response is provided within the set deadlines.
  • The DPO contributes to a better knowledge of the company’s information assets. In doing so, their action helps to facilitate the use of data by centralising information and avoiding duplicates or data silos. This makes it easier for teams to access relevant data, which improves the efficiency of internal processes and decision-making.
  • A DPO ensures the main GDPR principles of purpose limitation, data minimisation, and limitation of retention, which leads to operational savings in terms of storage space (as well as fewer entry points for cybercriminals).
  • Finally, DPOs advise companies on the security measures to be put in place and participate in privacy impact assessments. They can carry out checks and audits and alert managers when security flaws are found.

There is also a return on investment in the sense that DPOs who have more time to dedicate to their function have better conditions to ensure the company’s compliance, which reduces the likelihood of being sanctioned. However, these benefits are not received by all companies with DPOs. They are better realised by large companies and by those that are most invested in GDPR compliance and consider compliance as a lever and less as a constraint. The adoption of certain good practices can make it possible to generate economic gains for the DPO function: 

  • Involve DPOs in certain executive committee meetings so that they can align compliance with the company’s overall strategy.
  • Integrate GDPR compliance with the CSR strategy and the ISS strategy to promote consistent planning and operations.
  • Try to quantify the economic benefits linked to the role of the DPO in the company, informally or through internal consultations.
  • Increase other business lines’ understanding of the importance of compliance concerns in the organisation’s strategy, acknowledge the DPO as a value creator, and coordinate their efforts with those of other departments.

EU-UK data transfers

According to a draft document released by the European Commission on 22 July, the UK maintains an adequate level of protection for EU-UK data transfers under the new Data Use and Access Act 2025 (DUAA), aligning with the EU GDPR and the Law Enforcement Directive. While the scope of the DUAA, which amends the UK GDPR and the DPA 2018, goes well beyond the protection of personal data, it provides for limited changes to several aspects of the data protection regime:

  • the rules on data processing for purposes of scientific research
  • the legal bases for data processing
  • the rules relating to the purpose limitation principle
  • the conditions for automated decision-making

In addition, the DUAA makes amendments to the governance structure of the ICO. Once implemented, these measures will replace the ICO with a new entity, the Information Commission. The role and functions of the regulator will remain unchanged in the UK. The Act also introduces new enforcement powers for the regulator.

More legal updates

UK children’s data: On 25 July, the Protection of Children Code of Practice for regulated search services came into force, as required under the Online Safety Act 2023. The code imposes specific duties on search service providers to implement measures addressing content that is harmful to children, including requirements for governance and accountability arrangements, search moderation systems, content reporting mechanisms, complaints procedures, user support functionalities, and publicly available safety statements, digitalpolicyalert.org reports. 

EU AI Act provisions: Provisions of the EU AI Act on general-purpose AI (GPAI) models entered into force on 2 August. They bring clearer information about how AI models are trained, better enforcement of copyright protections and more responsible AI development. The Commission has also confirmed that the GPAI Code of Practice, developed by independent experts, is an adequate voluntary tool for providers of GPAI models. Providers who sign and adhere to the Code will benefit from a reduced regulatory burden and increased legal certainty. Providers must comply with transparency and copyright obligations when placing GPAI models on the EU market. Models already on the market must ensure compliance by 2 August 2027.

AI Act implementation in Germany: EU member states were required to designate competent market surveillance authorities to oversee the AI Act by 2 August. This deadline has been missed by Germany, according to the Hamburg Data Protection Commissioner HmbBfDI. The regulator is therefore appealing to the federal government to promptly designate the AI market surveillance authorities stipulated by the AI Regulation, which, at least in some areas, also include the data protection supervisory authorities. Due to the delay, companies and authorities now lack a reliable contact person for questions about the AI regulation. This is also a disadvantage for Germany as a centre of AI innovation.

Web filtering


A web filtering gateway, often referred to as a web proxy, is a device or service used to control and monitor internet access by filtering web content according to predefined policies. Its main role is to block access to certain websites or categories of content for security and compliance reasons.

Web filtering gateways can help organisations meet their data security obligations (Art. 32 of the GDPR). However, they themselves rely on data processing that must also comply with the GDPR. To that end, the French data protection regulator CNIL has opened a public consultation on a draft guideline (in French) to promote cybersecurity solutions of this kind that comply with the GDPR, both in their use and in their design. The draft targets data controllers who, as employers, deploy a web filtering gateway (URL filtering and detection and blocking of malicious payloads) to secure internet browsing on their information system. This applies to the browsing of employees, agents, service providers or external visitors. It does not cover the use of web filtering gateways by data controllers providing internet access via public Wi-Fi, as is the case with retailers, media libraries or other public or private organisations.
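As an added illustration of the gateway behaviour described above (this is example code, not CNIL’s guideline text or any product’s implementation), the following Python sketch evaluates a URL against a predefined category policy and writes a data-minimised access log: it records the host, the category and a keyed pseudonym of the user rather than the full URL or the user’s identity. The category database, the deny list, the `.test` domains and the log key are all constructed for the example.

```python
"""Policy-based URL filtering with a data-minimising access log (added example)."""
import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed category database: registrable domain suffix -> category.
CATEGORIES = {
    "example-bank.test": "finance",
    "mail.example.test": "webmail",
    "malware-drop.test": "malicious",
    "tracker.test": "advertising",
}
# Constructed policy for a workstation profile: these categories are denied,
# everything else (including uncategorised hosts) is allowed.
DENY_CATEGORIES = {"malicious", "advertising"}

# Constructed key; in practice a rotated secret kept on the gateway, so that
# log pseudonyms cannot be reversed by whoever reads the log.
LOG_KEY = b"constructed-rotating-log-key"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    category: str
    reason: str


def categorise(host: str) -> str:
    """Longest-suffix match: a rule for example.test also covers sub.example.test."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORIES:
            return CATEGORIES[candidate]
    return "uncategorised"


def evaluate(url: str) -> Decision:
    """Apply the predefined policy to one requested URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return Decision(False, "invalid", "unsupported scheme or missing host")
    category = categorise(parts.hostname)
    if category in DENY_CATEGORIES:
        return Decision(False, category, f"category {category} denied by policy")
    return Decision(True, category, "allowed")


def log_record(user_id: str, url: str, decision: Decision, timestamp: str) -> dict:
    """Minimised log entry: pseudonymous user, host only (no path or query), verdict."""
    host = urlsplit(url).hostname or ""
    pseudonym = hmac.new(LOG_KEY, user_id.encode(), hashlib.sha256).hexdigest()[:16]
    return {
        "ts": timestamp,
        "user": pseudonym,
        "host": host,
        "category": decision.category,
        "allowed": decision.allowed,
    }


if __name__ == "__main__":
    requested = "https://mail.example.test/inbox?msg=123"
    verdict = evaluate(requested)
    print(verdict)
    print(log_record("jdoe", requested, verdict, "2025-08-01T10:00:00Z"))
```

The log deliberately drops the path and query string, which is where the most revealing personal data (search terms, message ids, document names) usually sits, while still giving the security team enough to investigate a blocked category hit.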

More from supervisory authorities

Human intervention in automated decisions: The Dutch data protection authority AP has developed guidelines for organisations on meaningful human intervention in algorithmic decision-making (in Dutch only). Art. 22 of the GDPR prohibits decisions based solely on automated processing that produce legal effects for data subjects or similarly significantly affect them. For example, if the employee reviewing a decision is hindered, or a credit application is assessed under time pressure or with an unclear automated system, this can affect the outcome of the decision. The recommendations have been written as practically as possible to best address the questions organisations have.

Profiling online: The UK ICO prepared a draft of guidelines on Profiling Tools for Online Safety. This guidance applies to any organisations that carry out profiling, as defined in the UK GDPR, as part of their trust and safety processes. It is aimed at user-to-user services that are using, or considering using, profiling to meet their obligations under the Online Safety Act 2023. But it also applies to any organisations using, or considering using, these tools for broader trust and safety reasons. 

However, due to the Data Use and Access Act (DUAA) coming into law on 19 June 2025, this guidance is under review and may be subject to change. 


Data to train AI models

The European Commission presents a template for General-Purpose AI model providers to summarise the data used to train their model (under Art. 53 of the EU AI Act). General-purpose AI models are trained with large quantities of data, but there is only limited information available regarding the origin of this data. The public summary will provide a comprehensive overview of the data used to train a model, list the main data collections and explain other sources used. This template will also assist parties with legitimate interests, such as copyright holders, in exercising their rights under Union law, test particularly powerful models with systemic risk for vulnerabilities and risks, report serious security incidents, etc. 

The template is part of a broader initiative linked to the EU-wide rules for general-purpose AI models kicking in on 2 August 2025. It complements the guidelines on the scope of the rules for general-purpose AI models, published on 18 July, and the General-Purpose AI Code of Practice released on 10 July. Also, France’s CNIL offers a guide (in French) on how model makers can best ensure their systems comply. It also suggests ways for companies to avoid using personal data when training their models.

Public disclosure of personal data


The UK ICO has released guidance for public bodies handling Freedom of Information requests and for organisations answering Subject Access Requests, both of which can involve a lot of personal data. The guidance includes simple checklists and how-to videos covering topics such as:

  • Deciding on an appropriate format for disclosure to the public 
  • Finding various types of hidden personal information, including hidden rows, columns and worksheets, metadata and active filters 
  • Converting documents to simpler formats to reveal hidden data  
  • Avoiding using ineffective techniques to keep information secure 
  • Using software tools designed to help identify hidden personal information (such as Microsoft Document Inspector)  
  • Reviewing the circumstances of a breach to prevent a recurrence 
  • Removing and redacting personal information effectively 
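As an added example, not part of the ICO’s guidance, the following Python script shows how several of the hiding places listed above can be checked programmatically before a spreadsheet is released. An .xlsx file is a ZIP archive of XML parts, so hidden sheets, hidden rows and columns, active filters and author metadata can all be found with the standard library alone. The workbook it scans is constructed inline as a stand-in for a real disclosure file; the part names and XML namespaces are those of the Office Open XML format.

```python
"""Find hidden personal data in an .xlsx before disclosure (added example)."""
import io
import xml.etree.ElementTree as ET
import zipfile

SS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
DC = "{http://purl.org/dc/elements/1.1/}"
CP = "{http://schemas.openxmlformats.org/package/2006/metadata/core-properties}"


def scan_xlsx(data: bytes) -> list:
    """Return (category, detail) findings for hidden sheets, rows, columns, filters, metadata."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "xl/workbook.xml" in names:
            workbook = ET.fromstring(z.read("xl/workbook.xml"))
            for sheet in workbook.iter(SS + "sheet"):
                state = sheet.get("state", "visible")   # visible | hidden | veryHidden
                if state != "visible":
                    findings.append(("hidden_sheet", f"{sheet.get('name')} ({state})"))
        for name in sorted(names):
            if not (name.startswith("xl/worksheets/") and name.endswith(".xml")):
                continue
            part = name.rsplit("/", 1)[1]
            worksheet = ET.fromstring(z.read(name))
            for row in worksheet.iter(SS + "row"):
                if row.get("hidden") in ("1", "true"):
                    findings.append(("hidden_row", f"{part} row {row.get('r')}"))
            for col in worksheet.iter(SS + "col"):
                if col.get("hidden") in ("1", "true"):
                    findings.append(("hidden_col", f"{part} cols {col.get('min')}-{col.get('max')}"))
            for flt in worksheet.iter(SS + "autoFilter"):
                # An active filter hides rows without marking them hidden.
                findings.append(("active_filter", f"{part} range {flt.get('ref')}"))
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            for tag, label in ((DC + "creator", "creator"), (CP + "lastModifiedBy", "lastModifiedBy")):
                element = core.find(tag)
                if element is not None and element.text:
                    findings.append(("metadata", f"{label}={element.text}"))
    return findings


def build_sample_xlsx() -> bytes:
    """Constructed minimal workbook (not a real file): a visible sheet with a hidden row,
    a hidden column and an active filter, plus a hidden sheet and author metadata."""
    workbook = (
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<sheets><sheet name="Published" sheetId="1" r:id="rId1"/>'
        '<sheet name="Raw names" sheetId="2" state="hidden" r:id="rId2"/></sheets></workbook>'
    )
    sheet1 = (
        '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
        '<cols><col min="3" max="3" width="12" hidden="1"/></cols>'
        '<sheetData><row r="1"><c r="A1" t="inlineStr"><is><t>Case</t></is></c></row>'
        '<row r="2" hidden="1"><c r="A2" t="inlineStr"><is><t>J. Doe, DOB 1980</t></is></c></row>'
        '</sheetData><autoFilter ref="A1:C2"/></worksheet>'
    )
    sheet2 = ('<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
              '<sheetData/></worksheet>')
    core = (
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/">'
        '<dc:creator>caseworker.smith</dc:creator><cp:lastModifiedBy>FOI team</cp:lastModifiedBy>'
        '</cp:coreProperties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/worksheets/sheet1.xml", sheet1)
        z.writestr("xl/worksheets/sheet2.xml", sheet2)
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()


if __name__ == "__main__":
    for category, detail in scan_xlsx(build_sample_xlsx()):
        print(f"{category:14} {detail}")
```

A non-empty result is a signal to convert the file to a simpler format (for example CSV of the visible range only) or to remove the offending sheets, rows, columns and document properties, and then to rescan the output before it leaves the organisation.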

Data protection complaints increase

In the first half of 2025, significantly more people complained to the Lower Saxony State Commissioner for Data Protection about possible data protection violations than in the same period of the previous year. The authority recorded 1,689 data protection complaints from January to June 2025, compared to 1,186 in the same period of the previous year. This represents a sharp increase of approximately 42 per cent. The authority also noted significant increases in complaints from the health, social services, and municipal sectors, as well as from the real estate industry, credit reporting agencies, and the financial sector. One reason for the high number of data breaches and complaints is the increasing digitalisation of business and administration: as more personal data flows, the risk of data protection violations also increases.

Similarly, the Lithuanian regulator VDAI found that in the first half of 2025 most data breaches were caused by human error, by events against which the usual technical and organisational measures offer no protection, and by other causes (IT system errors, faulty programming work, etc.). It also found that a third of data security breaches resulted from cyber incidents (data encryption and ransomware attacks, unauthorised access to IT systems, social engineering, credential and brute-force attacks, SQL injection and system disruption).

In other news

Temporary password fine: In Croatia, the personal data protection agency imposed an administrative fine of 320,000 euros on HEP-Toplinarstvo (an electric utility company). The agency received a report that, when requesting a change of a forgotten password on the HEP District Heating “My Account” portal, the user was sent a temporary password by e-mail which was in fact the last password set by the user. In addition, the passwords of all users of the “My Account” portal (almost 16,000 of them) were stored in the controller’s database in readable form. This meant that the controller knowingly chose a solution without basic data security measures, such as generating a genuinely temporary password or using data encryption methods, did not take into account the risks to the security of personal data, and did not conduct an assessment of the risks of processing users’ data.
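The two failings in this case, readable password storage and a “temporary” password that is really the old one, are shown beside a hardened reset flow in the added Python example below (it is not the utility’s code; the in-memory account store, the user names and the PBKDF2 iteration count are assumptions). The hardened version stores only a salted PBKDF2 hash, so the original password cannot be recovered or mailed back, and a reset issues a random, single-use, time-limited token of which only a hash is kept.

```python
"""Password storage and reset: the sanctioned pattern beside a hardened one (added example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


# --- The pattern sanctioned in the Croatian case, shown only to contrast with the fix ---
class PlaintextAccounts:
    """Passwords kept in readable form; 'forgot password' mails back the stored one."""

    def __init__(self) -> None:
        self.passwords: Dict[str, str] = {}

    def register(self, user: str, password: str) -> None:
        self.passwords[user] = password

    def forgot_password(self, user: str) -> str:
        # Anyone who reads the database or the e-mail learns the real password.
        return self.passwords[user]


# --- Hardened pattern (assumed parameters: work factor and token lifetime) ---
PBKDF2_ITERATIONS = 600_000      # PBKDF2-HMAC-SHA256 work factor
TOKEN_TTL_SECONDS = 15 * 60      # reset link validity


@dataclass
class Credential:
    salt: bytes
    digest: bytes


@dataclass
class ResetTicket:
    token_hash: bytes   # only the hash of the token is stored, never the token itself
    expires_at: float


def hash_password(password: str, salt: Optional[bytes] = None) -> Credential:
    """Salted, slow hash: the password is not recoverable from what is stored."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return Credential(salt, digest)


def verify_password(password: str, cred: Credential) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), cred.salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, cred.digest)   # constant-time comparison


class HashedAccounts:
    """In-memory store (assumption) that never holds a recoverable password."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.creds: Dict[str, Credential] = {}
        self.tickets: Dict[str, ResetTicket] = {}
        self.now = now   # injectable clock so expiry can be exercised

    def register(self, user: str, password: str) -> None:
        self.creds[user] = hash_password(password)

    def login(self, user: str, password: str) -> bool:
        cred = self.creds.get(user)
        return cred is not None and verify_password(password, cred)

    def request_reset(self, user: str) -> Optional[str]:
        """Issue a random single-use token to deliver out of band (e.g. a reset link)."""
        if user not in self.creds:
            return None          # the caller shows the same neutral message either way
        token = secrets.token_urlsafe(32)
        self.tickets[user] = ResetTicket(hashlib.sha256(token.encode()).digest(),
                                         self.now() + TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, user: str, token: str, new_password: str) -> bool:
        """Accept the token once, within its lifetime, and replace the stored hash."""
        ticket = self.tickets.get(user)
        if ticket is None or self.now() > ticket.expires_at:
            return False
        if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), ticket.token_hash):
            return False
        del self.tickets[user]   # single use
        self.creds[user] = hash_password(new_password)
        return True


if __name__ == "__main__":
    accounts = HashedAccounts()
    accounts.register("alice", "correct horse")
    token = accounts.request_reset("alice")      # would be e-mailed as a link, not a password
    print("reset accepted:", accounts.complete_reset("alice", token, "new pass"))
    print("old password still works:", accounts.login("alice", "correct horse"))
```

Because the store holds only a salted hash, the reset handler has nothing it could mail back even if it wanted to; the token it does send is useless after first use or after fifteen minutes, and the database only ever contains its hash.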

McDonald’s fine: The Polish UODO has fined McDonald’s Polska approximately 3.9 million euros after a personal data breach. A file shared in a publicly accessible directory contained data on the employees of McDonald’s and its franchisees: first and last names, passport numbers, McDonald’s restaurant number, work start date and time, work end date and time, number of hours worked, position, days off, type of day, and type of work.

McDonald’s entrusted the processing of personal data of its restaurant chain’s employees to an external company to manage work schedules. The controller did not have the authority to manage the resources and configuration of the IT system containing the employee schedule module. Only the processor had such authority. At the same time, the provisions of the personal data processing agreement, particularly those related to audits and inspections, were not implemented. The controller failed to exercise proper oversight over the entrusted personal data.

In case you missed it 

Agentic AI: The move to AI assistants and agents risks a sea change in privacy and security, states Privacy International. These services’ usefulness increases with the quantity and quality of the data they have access to, and the temptation will be to lower the friction of data controls to allow the processing of personal data. In one example, ChatGPT’s agent uses ‘connectors’ to interface with third-party applications, such as cloud data stores, calendars, email accounts, etc.

This allows ChatGPT’s agent to search data on those services, conduct deeper analysis, and sync data. This seems analogous to Anthropic’s ‘Model Context Protocol’, which provides context data from applications to LLMs. Consequently, Privacy International is worried that:

  • the AI tools would generate new datasets on you that create new risks
  • could access and share your data at unprecedented levels, and
  • will store this data beyond your reach, across their services and in the cloud.

Bias in AI systems: The Federal Office for Information Security in Germany issued a white paper on Bias in Artificial Intelligence (in German). The term “bias” describes the resulting unequal treatment of individuals or organisations. This can have various causes. The document outlines bias identification and mitigation as a continuous process. It describes 11 different forms of bias, such as historical bias and automation bias. Along with 13 mitigation strategies that include pre-processing to post-processing methods, it highlights bias as a cybersecurity issue that compromises availability, confidentiality, and integrity.

Data protection digest 17 May – 1 June 2025: The ‘reject all’ button is a must; legitimate interest as the data controller’s initiative https://techgdpr.com/blog/data-protection-digest-3062025-the-reject-all-button-is-a-must-legitimate-interest-as-the-data-controllers-initiative/ Tue, 03 Jun 2025 08:46:16 +0000

‘Reject all’ button

The State Commissioner for Data Protection of Lower Saxony has ruled that the “Reject all” button is a must on the first level of the consent banner for cookie preferences when an “Accept all” option is available. Consent banners may not specifically encourage consent and discourage the rejection of cookies. Otherwise, the consents obtained in this way are invalid, which constitutes a violation of the Telecommunications Digital Services Data Protection Act and the GDPR in Germany. The background to the proceedings was an order issued by the Commissioner (recently confirmed by the Hanover Administrative Court) against a Lower Saxony media company, based on the findings that:

  • Rejecting cookies was much more complicated than accepting them
  • Users were pressured to consent by constantly repeating banners
  • The “optimal user experience” and “accept and close” labels were misleading
  • The number of partners and third-party services involved was not apparent
  • References to the right to withdraw consent and data processing in third countries outside the EU were only visible after additional scrolling on the page, etc.


GDPR simplification

The European Commission has published its final proposal aiming to simplify and clarify the derogation from the record-keeping obligation under Art. 30 of the GDPR. The scope of the derogation in the amending regulation will be broadened to include SMCs and organisations with fewer than 750 employees.

The proposal will also clarify that SMCs are exempted from the record-keeping obligation, unless their processing is likely to result in a ‘high risk’ to data subjects as defined in Art. 35 of the GDPR, and that the processing of special categories of personal data under Art. 9(2)(b) does not, as such, trigger the obligation to maintain the records.

Meta AI training in the EU will proceed

Concerning the training of Meta’s AI models on social network user data, the Hamburg data protection regulator, in agreement with the German data protection authorities, has decided against being the only EU supervisory body to issue a national provisional injunction against Meta’s AI training. Given the planned evaluation of Meta’s approach by the EU supervisory authorities, and following the decision of the Cologne Higher Regional Court (which held that the use of data for AI training is lawful under Article 6(1)(f) of the GDPR without requiring user consent, citing Meta’s legitimate interest), an isolated emergency procedure for Germany is not the appropriate instrument to clarify the existing assessment differences across Europe.

More legal updates

CJEU decision on Meta’s “Pay or Ok” model: At the same time, the European Court of Justice (CJEU) has ruled in the case of Meta Platforms Ireland Ltd v. European Data Protection Board (EDPB). The case concerned the Board’s opinion on the circumstances under which so-called “pay or consent” models – where users of large online platforms are invited to either consent to the processing of personal data for behavioural advertising or to pay for the service to avoid such processing – can be considered to meet the conditions for valid consent under the GDPR.

The EDPB considered that in most cases, it was unlikely that large online platforms could ensure valid consent when users were given only two options: to consent to the processing of all their data for marketing purposes or to pay. The EU top court rejected Meta’s claim, holding that since the opinion was advisory, it did not have a legally binding effect on third parties and could therefore neither be annulled nor give rise to a claim for damages. 

China facial recognition: According to digitalpolicyalert.org, the Cyberspace Administration of China’s rules on the secure use of face recognition technology go into effect on 1 June. Except for research and algorithm training, the rules cover organisations that process this data in China. They provide for express consent, transparency, impact assessments, security measures, and purpose limitation. Additionally, they stipulate that face recognition cannot be the only verification technique when there are other options and that its application in public areas is restricted to public safety, excluding private areas.

Personal data breach handling

According to the GDPR, there is a general obligation for data controllers to report personal data breaches to a supervisory authority, unless the breach is unlikely to result in a risk to the rights or freedoms of natural persons. At the same time, data controllers must notify data subjects if the personal data breach is likely to result in a high risk to their rights and freedoms. The obligation of data controllers to report personal data breaches entails several advantages, as reporting breaches is, among other things, a tool that contributes to the ongoing improvement of data protection.

Where a controller fails to report an incident, the authority may make use of its corrective powers. The Danish data protection authority has just updated the remaining parts of its guidance on handling personal data breaches (in Danish).

More from supervisory authorities

Employer obligations: The IDPC of Malta published a useful set of FAQs relating to the employment sector. These FAQs seek to address common questions which employers may have about their data protection obligations under the GDPR, particularly about how to handle the personal data of their employees. The FAQs cover questions relating to biometric data processing, police conduct certificates, pre-employment medical checks, employee monitoring, management of employee email accounts, and data retention. The FAQs are available in English.

AI impact assessment standard: The International Standards Organisation has published ISO/IEC 42005 guidance for organisations conducting AI system impact assessments. These assessments focus on understanding how AI systems — and their foreseeable applications — may affect individuals, groups, or society at large. The standard supports transparency, accountability and trust in AI by helping organisations identify, evaluate and document potential impacts throughout the AI system lifecycle. 

Age assurance online: The Vermont Legislature passed the Vermont Age-Appropriate Design Code (AADC). The Vermont AADC joins several other states’ efforts in protecting kids’ privacy, autonomy, and online safety by prohibiting abusive data and design practices. The bill now awaits the Governor’s approval. According to EPIC legal analysis, significant provisions in it include:

  • Requiring covered businesses to configure minors’ default privacy settings to the highest level of privacy.
  • Providing minors with the ability to limit unwanted adult contact.
  • Regulating how minors’ data is used to ensure that personalised feeds are not driven by surveillance data, but instead by minors’ expressed preferences.  
  • Requiring companies to be transparent about how they use minors’ data.
  • Requiring the Attorney General to update rules prohibiting abusive data processing or design practices that “lead to compulsive use or subvert or impair user autonomy, decision making, or choice”, etc.

Email security


Germany’s Federal Office for Information Security (BSI) issued a cybersecurity recommendation to upgrade your email security. This guide is aimed at all companies that send and receive emails within their domain. Using concrete, practical examples, such as Microsoft Exchange Online and Google Workspace with Gmail, it demonstrates how the cybersecurity of email communication with customers, other companies, or third parties can be improved. Often, states the regulator, this requires only a few steps, such as adjusting the configuration of the groupware used by the company or more careful implementation of the SPF, DKIM, and DMARC standards.
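As an added example (not the BSI guide’s own tooling), the check below parses SPF, DKIM and DMARC TXT records and flags the weak settings that a more careful implementation of the three standards avoids. The records are constructed inline so it runs without DNS; the example.com reporting address and the placeholder DKIM key are assumptions.

```python
"""Checks for weak SPF, DKIM and DMARC settings.

Added example; not the BSI guide's own tooling. The DNS records below are
constructed inline (the Exchange Online include is Microsoft's published one),
so the script runs offline without querying DNS.
"""

# SPF terms that cost a DNS lookup; RFC 7208 section 4.6.4 allows at most 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Parse a v=spf1 record into its terms and the qualifier of its 'all'."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    terms, all_qualifier = [], None
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default is pass
        body = term.lstrip("+-~?")
        if body.lower() == "all":
            all_qualifier = qualifier
        else:
            terms.append(body)
    return {"terms": terms, "all": all_qualifier}


def parse_tags(record):
    """Parse a 'tag=value; tag=value' record (DMARC and DKIM share this shape)."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(spf_record, dmarc_record, dkim_record):
    """Return a list of findings; an empty list means no weak setting was found."""
    findings = []

    spf = parse_spf(spf_record)
    if spf is None:
        findings.append("SPF: no v=spf1 record, so receivers cannot reject forged envelope senders")
    else:
        if spf["all"] in (None, "+"):
            findings.append("SPF: '+all' or a missing 'all' term authorises every host to send")
        elif spf["all"] == "?":
            findings.append("SPF: '?all' is neutral and adds no protection")
        # include:, a, mx, ptr, exists and redirect= each cost a DNS lookup
        lookups = sum(
            1 for t in spf["terms"]
            if t.split(":", 1)[0].split("=", 1)[0].lower() in LOOKUP_TERMS
        )
        if lookups > 10:
            findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10 (permerror)")

    dmarc = parse_tags(dmarc_record)
    if dmarc is None or dmarc.get("v", "").upper() != "DMARC1":
        findings.append("DMARC: no v=DMARC1 record published")
    else:
        policy = dmarc.get("p")
        if policy is None:
            findings.append("DMARC: mandatory 'p' tag is missing")
        elif policy == "none":
            findings.append("DMARC: p=none only monitors; forged mail is still delivered")
        elif dmarc.get("pct", "100") != "100":
            findings.append(f"DMARC: pct={dmarc['pct']} enforces the policy on a sample only")
        if "rua" not in dmarc:
            findings.append("DMARC: no 'rua' address, so no aggregate reports reveal abuse")

    dkim = parse_tags(dkim_record)
    if dkim is None:
        findings.append("DKIM: no key record published for the selector")
    else:
        if not dkim.get("p"):
            findings.append("DKIM: empty 'p' tag means the key is revoked; signatures will fail")
        if "y" in dkim.get("t", "").split(":"):
            findings.append("DKIM: t=y (testing) makes failed signatures count as unsigned mail")
    return findings


# Constructed sample records: a weak configuration and its hardened counterpart.
WEAK = {
    "spf": "v=spf1 include:spf.protection.outlook.com a mx ptr +all",
    "dmarc": "v=DMARC1; p=none",
    "dkim": "v=DKIM1; k=rsa; t=y; p=",
}
HARDENED = {
    "spf": "v=spf1 include:spf.protection.outlook.com -all",
    "dmarc": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
    "dkim": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",
}

if __name__ == "__main__":
    for name, records in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name}:")
        results = assess(records["spf"], records["dmarc"], records["dkim"])
        for finding in results or ["no findings"]:
            print("  -", finding)
```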

Legitimate interest

The Estonian data protection agency meanwhile answers questions on legitimate interest: when and how to rely on it in data processing. While other legal bases for data processing, such as consent, contract or contract negotiations, require the person’s own will or initiative (eg, consent to receive campaign offers, submitting a CV for a job), legitimate interest is always the data controller’s initiative, whether for their benefit or the benefit of a third party. However, to use legitimate interest as a basis for data processing operations, a legitimate interest analysis must also be carried out, which should be in writing, verifiable and traceable, detailing how the result was reached. Three conditions must be met simultaneously:

  • The controller or the third party, or third parties receiving the data, have a lawful legitimate interest in the processing.
  • The processing of personal data is necessary for the exercise of a legitimate interest.
  • The fundamental rights and freedoms of the data subject are to be protected.

Additionally, the public sector cannot rely on legitimate interest unless it has an activity that is not related to its main task, which arises from the law. And it cannot be relied on when processing special types of data (eg, health data).


AI and personal data

Finland’s privacy regulator published guidelines on taking data protection into account in the development and use of artificial intelligence systems (in Finnish). An organisation must choose a suitable legal basis for processing personal data; this is also required when personal data is used to train an artificial intelligence system. The guidance describes in more detail the applicability of the different legal bases for processing. Any organisation must also assess the data protection risks of the AI system even before personal data is processed. The risks must be assessed from the perspective of the people whose data is being processed. Based on the risk, the organisation must decide, for example, on the necessary security measures. Organisations are given guidance on how to comply with the data protection principles set out in the GDPR, such as data minimisation, purpose limitation and the information obligation.

IT systems’ new security measures

The Danish data protection agency is adding two new measures to its catalogue of measures with a focus on preventing security breaches through hacking. The two new measures have the following titles: a) Security management and maintenance of software, and b) Network segmentation. The regulator notes that there is nothing revolutionary about the new measures, but many of the breach cases it receives could have been avoided by following what is described in these measures. For instance, several breaches related to IoT devices, where the software in surveillance cameras does not seem to be handled with the same attention as other IT equipment, even though this very equipment can provide an easy access route to the internal network.

Lufthansa data breach

The Hungarian data protection agency announced a data breach involving Lufthansa Group. An unauthorised access occurred in a system operated by an external service provider that handles hotel accommodation for passengers on cancelled flights. As a result, unauthorised persons had access to data such as the passenger’s name, gender, mobile phone number, flight number, reference to travelling with a small child, and the date of the hotel reservation. Lufthansa said no payment details were affected and there was no evidence of any data being publicly disclosed. 

The incident may affect those who received hotel vouchers for cancelled flights between November 2, 2019 and January 22, 2024. The company has since taken the necessary security measures and notified data protection authorities. Passengers are advised to be cautious, especially when receiving calls and messages from unknown sources.

Aggressive real estate brokerage

The Italian regulator Garante spotlighted a new and worrying phenomenon of aggressive telemarketing that has emerged in the real estate brokerage sector. Thousands of potential sellers and buyers were contacted via phone calls and WhatsApp messages, without having given valid consent to receive promotional communications, by real estate agencies that used very detailed lists provided by a service company. The lists used constituted a real mass mapping of the territory and were “enriched” with telephone numbers (landline and mobile), and cadastral information was also obtained. Each owner residing in a specific area of commercial interest for the agencies was effectively subjected to systematic filing.

Similar investigations were concluded by the French CNIL, which resulted in a fine against CALOGA and SOLOCAL MARKETING SERVICES for canvassing prospects without their consent and transmitting their data to partners without their consent. Companies acquired prospects’ data mainly from other data brokers, publishers of competition and product testing sites (so-called ‘first-time collectors’). They used this data to canvass people by e-mail, on behalf of their advertising clients. They could also transmit some of this data to their customers, so that they could carry out prospecting themselves.

In other news

Excel spreadsheet: The UK ICO reprimanded the London Borough of Hammersmith and Fulham (the local council) after it left exposed the personal information of 6,528 people for almost two years. The personal data breach occurred when the council responded to a freedom of information request made via the WhatDoTheyKnow.com (WDTK) website in 2021. The council’s response included an Excel spreadsheet which contained 35 hidden workbooks. The information was immediately removed. In total 6,528 people were affected, with 2,342 being children. The personal information relating to the children was classed as sensitive as it included details of children in care and unaccompanied asylum-seeking children.

Dutch municipalities: The Dutch data protection authority AP will be visiting municipalities on a random basis in the coming months. These inspections aim to check how municipalities deal with the personal data and privacy of citizens and to guide municipalities in the right direction, where necessary. During the visits, the AP will be looking at:

  • Do municipalities have a complete and up-to-date overview of everything they do with the personal data? 
  • Do municipalities properly identify potential privacy risks before they use personal data for something? 
  • Do municipalities have their internal privacy supervision properly arranged? 
  • Do municipalities have a data protection officer who can act freely and independently?

Spanish fines statistics: The Spanish AEPD received 19,000 complaints in 2024, with AI, data spaces, and neurodata among its priority challenges. The most frequent complaints relate to video surveillance, internet services, commerce, transportation and hospitality. The areas of activity with the highest amount of fines are related to energy/water companies, financial institutions/creditors, internet services, telecommunications, and fraudulent contracting. The agency also led 22 cross-border cases as the lead authority and has cooperated as a stakeholder in 348. The year closed with almost 120,000 data protection officers reporting to the agency. 

In case you missed it 

Bank data: The Swedish data protection authority, together with SEB, Nordea, Swedbank and Handelsbanken, has looked at some of the legal conditions for increasing information sharing between banks to combat money laundering, terrorist financing and fraud. The project has, among other things, investigated whether there is a legal basis for a bank to share information about customers within the framework of another bank’s customer due diligence process and risk assessment.

The regulator concluded that legislative amendments were likely needed to enable the sharing of personal data that the banks wish to implement within the framework of the current project.

Replika AI fine: The Italian regulator Garante imposed a 5 million euro fine on a US-based company Luka Inc., which manages the chatbot Replika, and launched an independent investigation to assess whether personal data is being properly processed by the generative AI system behind the service. The chatbot features both a written and voice interface, allowing users to ‘generate a virtual companion’ that can take on the role of a confidant, therapist, romantic partner, or mentor. The authority also found that the company had not implemented any age verification mechanisms—either at registration or during use of the service—despite having declared that minors were excluded from potential users.

Corporate digital responsibility: Germany’s Federal Office for Information Security (BSI) has published a white paper on “Corporate Responsibility in Digital Consumer Protection” (in German). A central component of the white paper is the aspect of information security in consumers’ everyday use of digital offerings. Various fields of action are highlighted, including education, awareness-raising, product safety throughout its entire life cycle, communication in the event of a crisis or incident, and ecological sustainability. Interested parties are invited to actively participate in the discussion and provide feedback.


Data protection digest 3 – 16 May 2025: ‘divided’ court ruling on IAB Europe, data brokers and national security
https://techgdpr.com/blog/data-protection-digest-19052025-divided-court-ruling-on-iab-europe-data-brokers-and-national-security/ (Mon, 19 May 2025 08:16:17 +0000)

IAB Europe case results in mixed decision

IAB Europe and Belgium’s data protection authority have each claimed a ‘partial victory’ in the latest court decision over whether the IAB is liable for personal data processing over the online ad tools the industry group provides for the market, Telecompaper reports. The Belgian Market Court has annulled the regulator’s 2022 decision due to procedural irregularities, notably the fact that the regulator failed to adequately justify why it considered TCF (Transparency and Consent Framework) Strings as personal data. Nevertheless, the 250,000 fine against IAB Europe was upheld.

In IAB Europe’s view, the court has rejected that it is a joint controller together with TCF participants for their own respective processing of personal data for digital advertising, in line with the CJEU judgment from 2024. The court upheld only part of the decision, namely that IAB Europe is a joint controller together with TCF participants solely regarding the creation and use of TC Strings by publishers and vendors. The IAB said it has a solution to the concerns expressed by the court that is ready for implementation.

The Belgian regulator takes a different view, believing that the court ruling means that the TC String is personal data within the meaning of the GDPR and that IAB Europe acts as a joint data controller for the processing of user preferences within the TCF. However, the court annulled the decision from 2022 on procedural grounds. The ruling should have a lasting impact on the online ad industry and its real-time bidding systems in the EU, the regulator added. The Irish Council for Civil Liberties has even suggested that tracking-based advertising by Google, Microsoft, Amazon, and X, across Europe, now has no legal basis for personal data processing. 


More official guidance

Schools’ data: The education sector processes a lot of personal data: school registrations, an extensive digital work environment, and pedagogical follow-up of students. This data can be subject to data breaches, and news reports show that schools are not spared from these incidents. Over the past five years, the CNIL has only been notified of about thirty data breaches per year in the first and second degrees (primary and secondary education). However, during its interventions in the field, the regulator noted that this figure does not reflect the daily reality of educational establishments. The CNIL has identified several reasons that may explain this under-declaration:

  • It is not always easy to identify what constitutes a “data breach”.
  • The procedure to follow in the event of a data breach is sometimes unknown to operational personnel.
  • The system of responsibility for processing implemented in the national education sector is complex.

To that end, the French CNIL offers two new guides (in French) for data protection officers, school principals, school heads and administrative staff to help them react in the event of a personal data breach.

GDPR and AI equation: The Swiss data protection regulator FDPIC reminds us that, because of the rapid increase in AI-supported data processing, and regardless of future regulations, the data protection provisions already in force must be complied with. In particular, the Federal Data Protection Act, which has been in force since 1 September 2023, is directly applicable to AI-supported data processing. The FDPIC alerts manufacturers, providers and users of such applications that, when developing new technologies and planning their use, they are required by law to ensure that data subjects have the highest possible degree of digital self-determination.

NIS2 guidance

The European Union Agency for Cybersecurity has developed the European Vulnerability Database as provided for by the NIS2 Directive. The EUVD service now openly provides aggregated, reliable, and actionable information such as mitigation measures and exploitation status on cybersecurity vulnerabilities affecting Information and Communication Technology (ICT) products and services. The aggregated information of the database is displayed through dashboards: for critical vulnerabilities, for exploited ones, and for EU-coordinated ones. The EU Coordinated Vulnerabilities dashboard lists the vulnerabilities coordinated by European CSIRTs and includes the members of the EU CSIRTs network.

Cookie consent

The Norwegian data protection authority summarises the main steps for companies to follow in order to meet the requirements for voluntary, explicit, informed, and unambiguous consent. The list also outlines what companies must do and must not do. The Norwegian Storting passed a new Electronic Communications Act that came into force on 1 January 2025. The rules set clearer requirements for businesses that use cookies and similar technologies:

  • Provide unambiguous information in the consent box
  • Fill out the consent banner with complete information
  • Do not make access to the website or service conditional on consent
  • Let the user choose which purposes they will consent to or not
  • Don’t use pre-ticked boxes or acceptance by inaction
  • Don’t make opting out of consent require extra clicks or be more laborious
  • Don’t hide the option to decline consent, or give it a lower attention value
  • Use clear and simple wording in buttons or similar design solutions
  • Make it easy to withdraw consent and inform about this.

More from supervisory authorities

AI literacy: The European Commission has published an AI Literacy Q&A. Art. 4 of the AI Act requires providers and deployers of AI systems to ensure sufficient AI literacy of their staff and other persons dealing with AI systems on their behalf. The implementation plan for organisations may be built on the following steps: 

  • In which sector and for which purpose/service is the AI system being used? What are its opportunities and dangers?
  • Consider the role of the organisation: is my organisation developing AI systems or just using AI systems developed by another organisation?
  • What do employees need to know when dealing with such an AI system? What are the risks they need to be aware of, and do they need to be aware of mitigation?

EU Merger: The Commission also seeks feedback on the review of EU merger guidelines dating from 2004 and 2008. It should reflect the economic changes such as digitalisation, globalisation, innovation, as well as the case practice and the case law developed over the past 20 years by the Court of Justice of the EU. Any interested citizen, business or association can contribute by replying to the general public consultation questionnaire available here until 3 September. 

Space systems security: In Germany, the Federal Office for Information Security, in collaboration with representatives of the national information security and space industries, has developed the second part of the Technical Guideline (BSI TR-03184) on securing space systems. A space system comprises the space and ground segments. The focus of this publication is on the ground segment. Business processes across the entire life cycle of a ground segment, from conception to decommissioning, were considered. It identifies hazards for the processing of future space missions and assigns risk management measures.


GDPR simplification plans

The European Commission has consulted the EDPB and EDPS on a proposal to introduce further exemptions from the GDPR’s obligation to keep records of personal data processing for SMEs. The exemption, which currently applies to companies with fewer than 250 employees, is proposed to be extended to companies with fewer than 500 employees. The EDPB and EDPS shared the opinion that, at this stage, they could express preliminary support to this targeted simplification initiative, bearing in mind that this would not affect the obligation of controllers and processors to comply with other GDPR obligations. In parallel, the EU is already working on finalising a new law to speed up the procedural rules for privacy regulators to coordinate on major GDPR cases in Big Tech. 

Data brokers


The UK Department for Science, Innovation and Technology closed a call for evidence on data brokers and their impact on national security. This inquiry concerns the activities involved in facilitating access to UK data (including data on UK persons, businesses, infrastructure, etc). This is via data brokerage, where pre-packaged or bespoke datasets can be obtained at speed and scale. To support policy development, the government wanted to identify several main points: a) the definition and services of data brokers, b) national security risks associated with the data broker industry, c) the effectiveness of data brokers’ security and governance frameworks, and d) a breakdown of brokers’ customer base. 

Record year for data breaches

The Australian Information Commissioner stated that businesses and government agencies reported more than 1,100 data breaches to the regulator and the public in 2024 – the highest annual total since mandatory data breach notification requirements started in 2018, and a 25% increase from 2023. Malicious and criminal attacks have been the main source of breaches. Health service providers and the Australian government again reported the most data breaches of all sectors, (20% and 17% of all breaches, respectively), highlighting that both the private and public sectors are vulnerable. The report also shows that the public sector continues to lag behind the private sector in the time taken to identify and notify data breaches, despite some improvements in timeliness.

Road cameras

The Estonian Data Protection Inspectorate sent an appeal to the Ministry of the Interior, drawing attention to the inadequacy of the legal basis for the license plate recognition cameras used in the preventive activities of the Police and Border Guard Board. In the regulator’s opinion, the processing of personal data using these cameras is not based on a sufficiently clear and specific legal basis. The Inspectorate has initiated a supervisory procedure to clarify how data is processed in the police database POLIS and whether it meets data protection requirements. 

In other news

Workers’ data: Bird&Bird research examines the German Federal Labour Court’s judgment to award an employee non-material damages of 200 euros after the employer put additional personal data into the “Workday” HR management software outside the agreed-upon limitations of a completed work agreement. The parties specified which data might be submitted for testing purposes. Because the agreed-upon restrictions had been exceeded, the employer could not rely on the work agreement as the legal basis.

Aggressive telemarketing: The Italian privacy regulator Garante has imposed millions of euros in fines and stringent corrective measures against Acea Energia Spa and a network of agencies and companies. All were involved in a massive system of procurement of contracts for the activation of electricity and gas supplies based on aggressive telemarketing practices and illicit processing of personal data. The investigations revealed significant evidence of illicit activities carried out through the use of lists of users who had recently changed energy suppliers. The call-centre operators contacted these users, mentioned non-existent technical problems in switching between suppliers and, by making them fear economic damage, induced them to activate a new supply.

Geolocating remote workers: An employer cannot geolocate employees in smart working. This was also stated by the Italian Garante in imposing a fine of 50 thousand euros on a company that detected the geographic position of about one hundred employees during the work activity carried out in agile mode. The investigation revealed that the company monitored its employees to verify the exact correspondence between their geographic location and the address declared in the individual smart working agreement. These checks were then followed by disciplinary proceedings by the company. This all took place in the absence of an appropriate legal basis and adequate information, in addition to the consequent interference in the private lives of employees.

In case you missed it 

NOYB vs Meta AI: The privacy advocacy group NOYB has sent Meta a formal settlement proposal, ‘cease and desist’ letter, over Europe-wide AI training. After this, if the injunctions are filed and won under the new EU Collective Redress Directive, Meta may also be liable for damages to consumers. Damages could reach billions. Meta has announced it will use EU personal data from Instagram and Facebook users to train its new AI systems from 27 May onwards. Instead of asking consumers for opt-in consent, Meta relies on an alleged ‘legitimate interest’ and offers users the possibility to object to the processing before the training has started. 

Facebook data leak compensation: Meanwhile, Facebook users in Germany whose data was affected by the data breach that came to light in 2021 can now join the class action lawsuit filed by the German Federation of Consumer Organisations. This follows a ruling by the Federal Court of Justice in November 2024, according to which the mere loss of control over personal data can justify a claim for damages regardless of any other disadvantages. The court considers an amount of 100 euros to be appropriate for this purpose. In serious cases, for example, when sensitive data such as date of birth, relationship status, or email address has been made public, the consumers can seek compensation of up to 600 euros. Those affected can use a dedicated complaint form to see if participation is an option for them and register the complaint. 

Seven Actionable Steps to Achieve GDPR Compliance for E-Commerce Businesses
https://techgdpr.com/blog/seven-actionable-steps-to-achieve-gdpr-compliance-for-e-commerce-businesses/ (Wed, 07 May 2025 10:49:42 +0000)

GDPR compliance helps businesses to ensure transparency, build customer trust, enhance data security, and avoid fines of up to €20 million or 4% of turnover. Many companies such as Amazon, LinkedIn, Clearview, and Netflix among others, have faced significant fines due to data protection failures.

E-commerce businesses process large amounts of personal data, including contact details, payment information, and browsing history, all of which must be protected. By implementing strong data protection practices and security measures such as encryption and access controls, businesses can reduce the risk of breaches and cyberattacks.

GDPR compliance for e-commerce businesses demonstrates a commitment to protecting customer privacy and encourages continued customer relationships, giving compliant businesses a competitive advantage over those that are not GDPR-compliant.

Here are seven actionable steps that may help e-commerce businesses navigate GDPR compliance effectively.

Conduct a data audit 

When working towards GDPR compliance in e-commerce, it is important to start by conducting a comprehensive inventory of data collection processes.

The steps to carry out the audit could include:

  • Identify all personal data categories collected, such as contact details, payment details, and activity logs, and the granular purposes this collection serves. Determining the retention period is important, as the GDPR does not allow indefinite retention.
  • Review how and where personal data is collected and stored, whether on cloud servers, local databases, or third-party platforms. Regularly review third parties and minimize retention periods, with clear specifications on when data will be securely deleted. Additionally, document the security measures implemented to protect the data.

Access and consent management

Access to customer data should be limited to authorized employees, IT administrators, and secure third-party providers on a need-to-know basis.

Consent for cookies can be effectively implemented through a cookie banner, allowing users to manage or withdraw consent anytime. Use clear opt-in mechanisms for newsletters, cookies, and marketing, avoiding pre-checked boxes. Maintain consent logs for audit compliance, ensuring each data use has separate, revocable consent without affecting core services.
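To make the consent-log and retention requirements above concrete, here is an added Python example (not code from the article): an append-only consent ledger with one separately revocable purpose per data use, plus a retention check that flags records past their documented period. The purposes, retention periods and sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed example, not code from the article. Each optional data use gets its
# own purpose so consent can be given and withdrawn separately; core services
# (fulfilling an order) rely on contract, not consent, and are not listed here.
CONSENT_PURPOSES = {"newsletter", "analytics_cookies", "marketing_profiling"}

# Hypothetical retention schedule per data category. Real values come from the
# business's own documented audit; the GDPR rules out indefinite retention.
RETENTION = {
    "activity_log": timedelta(days=90),
    "order_history": timedelta(days=365 * 10),  # e.g. accounting retention
}


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purpose: str
    granted: bool      # True = explicit opt-in, False = withdrawal
    at: datetime       # UTC timestamp of the choice
    source: str        # where it was made, e.g. "cookie_banner", "account_settings"


class ConsentLedger:
    """Append-only consent log: the event list itself is the audit record."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, user_id: str, purpose: str, granted: bool,
               source: str, at: datetime) -> ConsentEvent:
        if purpose not in CONSENT_PURPOSES:
            raise ValueError(f"unknown consent purpose: {purpose}")
        event = ConsentEvent(user_id, purpose, granted, at, source)
        self._events.append(event)
        return event

    def has_consent(self, user_id: str, purpose: str, at: datetime) -> bool:
        """The most recent event for (user, purpose) at or before `at` decides.
        No event at all means no consent: silence or a pre-checked box never counts."""
        latest = None
        for ev in self._events:
            if ev.user_id == user_id and ev.purpose == purpose and ev.at <= at:
                if latest is None or ev.at >= latest.at:
                    latest = ev
        return latest is not None and latest.granted

    def audit_trail(self, user_id: str) -> list[ConsentEvent]:
        """Everything ever recorded for one user, in the order it happened."""
        return [ev for ev in self._events if ev.user_id == user_id]


@dataclass(frozen=True)
class StoredRecord:
    category: str
    user_id: str
    collected_at: datetime


def records_due_for_deletion(records, now: datetime):
    """Return (record, reason) pairs that the retention schedule says must be deleted or reviewed."""
    due = []
    for rec in records:
        limit = RETENTION.get(rec.category)
        if limit is None:
            # Undocumented category: it cannot stay indefinitely, so flag it for the audit.
            due.append((rec, "no retention period documented"))
        elif rec.collected_at + limit <= now:
            due.append((rec, "retention period expired"))
    return due


if __name__ == "__main__":
    t0 = datetime(2025, 5, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record("u1", "newsletter", True, "cookie_banner", t0)
    ledger.record("u1", "newsletter", False, "account_settings", t0 + timedelta(days=3))
    print(ledger.has_consent("u1", "newsletter", t0 + timedelta(days=1)))  # True
    print(ledger.has_consent("u1", "newsletter", t0 + timedelta(days=5)))  # False
```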

Review and update privacy notice

A company’s privacy notice should be clear, easily understood, and transparent to ensure GDPR compliance and build customers’ trust. The privacy notice should clearly state:

  • What data you collect (e.g., personal details, payment information, browsing behaviour),
  • Why it is collected and how it is used, and
  • How customers can exercise their rights, such as requesting data deletion or correction.

It is important to regularly review and update the privacy notice to reflect any changes in data collection, processing, or legal requirements and so maintain compliance.

Enhance security to protect customer information

With the rise of cyber attacks worldwide, protecting personal data is an essential aspect of GDPR compliance for e-commerce businesses. Customers trust businesses with sensitive information: payment details, addresses, and browsing history. Implementing strong data security measures reduces breaches, while a structured incident response plan ensures quick recovery and minimizes damage.

To minimize security risks, e-commerce businesses may implement:

  • End-to-end encryption: Encrypting sensitive customer data both in transit and at rest helps prevent unauthorized access. Even if the data is intercepted, it cannot be read without the correct encryption key. Encryption should be the standard for all online transactions.
  • Multi-factor authentication (MFA): Access control can require additional verification steps, such as one-time passwords (OTP) or biometric authentication, which reduces unauthorized logins.
  • Regular security audits: Routine system checks identify vulnerabilities. These assessments help prevent data leaks and support GDPR compliance.
  • Access control and monitoring: Role-based access control (RBAC) restricts users according to predefined roles, ensuring that only authorised personnel have access to sensitive personal data.

Investing in robust data security produces a security plan that protects customers and ensures GDPR compliance across all operations.

Offer employees training

Employees are the first line of defence in data protection, so regular, comprehensive GDPR training is important for e-commerce businesses. Breaches occur due to human error, such as mishandling sensitive data or falling for phishing scams. The employer is responsible for ensuring that employees are well trained on data protection and compliance requirements.

Businesses should provide ongoing training and workshops to regularly update employees’ knowledge of data protection, evolving threats, and regulatory changes, raising awareness throughout the organization.

Establish data subject rights procedure

Under the GDPR, data subjects have rights over their personal data, including access, erasure, rectification, and objection.

E-commerce businesses must have clear procedures for handling and responding to these requests efficiently. GDPR compliance requires a response within one month; delays or non-compliance can lead to fines.

To ensure compliance, businesses may:

  • Appoint a data protection officer (DPO), as described by the European Commission, or set up an internal team working under the guidance of a DPO, to monitor compliance and data protection issues. “It is much easier and cost effective” to appoint an external DPO.
  • Create a clear and accessible process for handling data subject requests, such as an email address or request form on the website.
  • Implement automated tools to manage and track data subject requests within the required time frame.
  • Keep records of all requests to demonstrate compliance if audited.

Review third-party agreements

E-commerce businesses sometimes use third-party vendors, such as payment processors, cloud storage providers, and marketing platforms, to handle customer data. It is therefore crucial to ensure these vendors comply with data protection regulations, to safeguard customer information and avoid potential risks.

Under the GDPR, a data processing agreement with a third-party vendor is required whenever the vendor processes personal data on your behalf.

Here are steps that could be considered to manage risks associated with third-party vendors:

  • Identify all third-party vendors that process customer data and assess their data security measures.
  • Ensure that every vendor handling personal data has a supplier agreement in place, outlining responsibilities, security measures, and data processing activities.
  • If a vendor transfers data outside the EU/EEA, ensure it follows GDPR transfer requirements.
  • Regularly review vendor policies, conduct security audits, and ensure that vendors continue to comply with GDPR requirements.

Conclusion

By implementing these seven actionable steps, e-commerce businesses can mitigate risk, protect customer data, avoid penalties, and build trust.

Hiring an external DPO, either in the absence of an internal data protection team or to advise and provide competent GDPR support to the internal DPO, will ensure proper compliance with the GDPR and give the business a competitive advantage in the market.

The post Seven Actionable Steps to Achieve GDPR Compliance for E-Commerce Businesses appeared first on TechGDPR.

Data protection digest 18 Apr – 2 May 2025: data controller obligation to monitor deletion or return of personal data held by the processor https://techgdpr.com/blog/data-protection-digest-05022025-data-controller-obligation-to-monitor-deletion-or-return-of-personal-data-held-by-the-processor/ Mon, 05 May 2025 08:07:19 +0000

Data controller obligation

Upon termination of a processing agreement, the controller is obliged to monitor the deletion of personal data held by the processor. So ruled the Higher Regional Court of Dresden, Germany, in a decision examined closely in a DLA Piper analysis. The plaintiff was a user of the online music streaming service run by the controller. The case was set off by a 2022 data breach at a former external (non-EU) processor of the controller, involving the personal data of clients (hackers offered this data for sale on the dark web). The controller-processor relationship had ended several years before the breach, in 2019. Under the terms of the data processing agreement, the controller had the option to either delete or return the data once processing was complete. However, the controller never exercised this right.


Data subject rights under the DSA


On 21 April, the European Commission established internal regulations limiting certain data subject rights (information, access, rectification, erasure, and notification of breaches) under the Digital Services Act. They cover the personal data of suspects, victims, whistleblowers, informants, witnesses, and staff of undertakings in the context of the Commission’s supervisory, investigative, enforcement, and monitoring activities. The Commission must publish a data protection notice and inform affected individuals where appropriate.

TikTok fine

The Irish privacy regulator DPC has fined TikTok 530 million euros after an inquiry into transfers of EEA users’ data to China (enabling storage of and access to it). The inquiry also examined whether the information provided to users about such transfers met TikTok’s transparency obligations under the GDPR. TikTok first informed the DPC that it did not store EEA user data on servers located in China; later, however, TikTok informed the DPC that it had provided inaccurate information to the inquiry. Whilst TikTok has informed the DPC that the data has now been deleted, the regulator is considering whether further regulatory action, in consultation with peer EU data protection authorities, may be warranted.

COPPA Rule

On 22 April, the US Federal Trade Commission adopted final amendments to the Children’s Online Privacy Protection Rule to enhance content moderation and data protection for children under 13. The amendments take effect on 23 June, with full compliance required by 22 April 2026. The rule introduces a new definition of “mixed audience website or online service.” It also requires operators to implement neutral age-screening methods and to avoid collecting any personal information before determining the user’s age, with few exceptions.

In the meantime, the first US state, Arkansas, approved the Children and Teens’ Online Privacy Protection Act, which was modelled after the pending federal law known as COPPA 2.0. Consent requirements, data minimisation, targeted advertising restriction, data subject rights, and data security are all applicable to any for-profit operator of a website, online service, or app that targets children or teenagers or knows that it is gathering their data. 

More from supervisory authorities

The Data Act: The European Data Act will take effect on September 12. Manufacturers of internet-enabled devices will then be required to share the data sent by connected devices with third parties, explains the Hamburg data protection authority. Machines, household appliances, and vehicles connected to the internet generate large amounts of data every day. Those wishing to take advantage of the act should familiarise themselves with access rights. Those subject to the obligations of the act must prepare for access requests and develop strategies for protecting personal data and trade secrets. 

To that end, the regulator offers the manual “The Data Act as a Challenge for Data Protection” (in German). 

Multi-device consent: The French CNIL has launched a public consultation on its draft recommendation (in French). The guidance concerns actors who plan to collect cross-device consent only when users are authenticated to an account. When a user accesses a website or a mobile app, they express their choices about the use of cookies or other trackers on a device connected to their account. These choices would then be applied automatically to all devices connected to the account, including but not limited to their smartphone, tablet, computer or connected TV, as well as the browser or app used.

Children’s code: In the UK, Ofcom issued a draft Protection of Children Code of Practice for search services under the Online Safety Act 2023. Implementing the list of recommended measures set out in this Code will inevitably involve the processing of personal data. The Information Commissioner’s Office has already set out that it expects service providers to take a ‘data protection by design and by default’ approach when implementing online safety systems and processes. Over time, Ofcom might update the Codes to take account of technological developments.

Customer data

What should merchants consider when recording telephone conversations with customers? The Latvian data protection regulator explains. A voice recording becomes personal data when it can be linked to a specific person. Therefore, such data processing must be carried out under the requirements of the GDPR:

  • An appropriate and as specific as possible purpose must be defined for such data processing (e.g., to improve the quality of the advice or service provided and thus communication with customers, and possibly to promote sales).
  • The recordings may only be used to achieve the specified purpose and not for other, unrelated purposes.
  • A balancing test must be carried out to determine whether such processing would unduly prejudice the customers’ rights to data protection.
  • Conversation recordings may only be kept for as long as necessary to achieve the goal. 
  • Access to records should be limited to authorised persons whose tasks are directly related to the purpose of processing the records.
  • When recording telephone conversations with customers, the merchant must inform them at the beginning of the conversation about the recording.

In parallel, the Estonian data protection agency issued new practical guidance to help online stores protect their customers’ data (in Estonian). It provides advice on ensuring data security, preventing cyber threats, and managing risks for both new and experienced online retailers, highlighting, among other things, the importance of strong authentication, encryption and log management, as well as the need to carefully evaluate cooperation with third-party service providers, data breach response and employee training.

Synthetic data generation


The Spanish AEPD has published the Spanish translation of the Guide to synthetic data generation, prepared by the Singapore data protection authority. Synthetic data is artificially generated to simulate real data and must retain the essential statistical characteristics of that data to be useful, without compromising personal data. Its generation must be carefully planned and sits on a spectrum ranging from completely random data to real data. The guide includes practical case studies on best practices for generating synthetic data and reducing residual re-identification risks.

More official guidance

NIST cybersecurity guide: America’s NIST has updated its Privacy Framework, tying it to its recent cybersecurity guidelines. It is intended to help organisations manage the privacy risks that arise from personal data flowing through complex IT systems. Failure to manage these risks effectively can directly affect individuals and society, and can damage organisations’ brands, bottom lines and prospects for growth. Following the comment period (until 13 June), NIST will consider additional changes and release a final version later this year.

Domestic cameras are not excluded from the GDPR: The Liechtenstein data protection agency has supplemented its guide on video surveillance with information on surveillance within one’s own home. Data protection does not stop in your living room, at least not if the purpose of data collection is not exclusively personal or family activities. This is particularly the case if the purpose is to ensure security or perform quality control, for example by observing staff or external third parties (cleaners, gardeners, babysitters, etc.). This applies equally to video surveillance and to pure audio recordings.

Large databases: Art. 5 and 32 of the GDPR require controllers and processors to process personal data in such a way as to ensure an appropriate level of security, in particular regarding the risk of massive data exfiltration, as the French CNIL reminds us. For large databases, these measures can be implemented through the following:

  • Secure external access to the information system via multi-factor authentication
  • Log, analyse and set limits on the data flows that pass through the information system
  • Consider humans as security actors: organise regular awareness-raising sessions adapted to user profiles (employees, developers, managers, subcontractors, etc.)
  • Emphasise the data controller obligation to supervise data security with subcontractors.

More content from the CNIL on cybersecurity can be found on this page.

In other news


Apple and Meta fines: The European Commission imposed the first fines under its Digital Markets Act, punishing tech behemoths Apple and Meta for violating the EU’s new digital regulations. Apple was fined 500 million euros for violating the rules governing app stores (the “anti-steering” obligation). Meta was fined 200 million euros for its “pay or consent” advertising approach, which charges EU users to use Facebook and Instagram without advertisements.

Workado AI detector: America’s FTC requires Workado to stop advertising the accuracy of its AI detection products unless it can show that those products are as accurate as the claimed 98%; independent testing showed an accuracy rate on general-purpose content of just 53%. The company says its AI Content Detector was developed using a wide range of material, including blog posts and Wikipedia entries, to make it more accurate for the average user. The FTC alleges, however, that the AI model powering the AI Content Detector was only trained or fine-tuned to classify academic content effectively.


Facial recognition at football matches

The Danish data protection agency has granted FC Copenhagen and the Danish Football Association permission to use automatic facial recognition during international football matches. The purpose is to support the enforcement of the rules on club quarantines and general quarantines in connection with football matches. The technology can therefore be used for access control at Parken Stadium. A data protection impact assessment must be carried out before the processing begins.

Personal data processed as part of the facial recognition system must be transported to and stored on the server encrypted, using up-to-date and widely recognised encryption algorithms. This also applies to the use of mobile devices at away matches.

More enforcement decisions

Proof of consent for marketing calls: The UK’s ICO fined AFK Letters 90,000 pounds for making more than 95,000 unsolicited marketing calls to people registered with the Telephone Preference Service. Between January and September 2023, AFK used data collected through its website and a third-party telephone survey company to make mass marketing calls without being able to demonstrate valid and specific consent from the people contacted. AFK claimed it could not provide evidence of consent because it deleted all customer data after three months; when challenged, however, it was also unable to provide consent records for several calls made within that three-month timeframe.

User tracking: The Hamburg data protection authority launched a large-scale automated review campaign in mid-April. Most of the 1,000 randomly selected websites comply with data protection regulations; however, deficiencies were identified on 185 local websites. Various third-party web services (Google Analytics, Google Maps, Google Ads, YouTube, Facebook, Vimeo, MS advertising, Pinterest) were activated immediately upon accessing the site, resulting in users being tracked without the legally required consent.

Email security analysis tool errors: In Romania, the data protection agency fined BITDEFENDER (a software company) the equivalent of 10,000 euros. The investigation was initiated after the company submitted a personal data breach notification. Due to a programming or implementation error in an update to the email security analysis service, a significant amount of customers’ personal data was disclosed to third parties. The operator had not implemented appropriate technical and organisational measures and had not carried out periodic testing, evaluation and assessment, including of the continued confidentiality, integrity, availability and resilience of its systems and services.

In case you missed it 

Revolut staff tracking: According to The Guardian, the fintech company Revolut has been monitoring employee behaviour and awarding or deducting points on an internal “Karma” system. Revolut’s annual report described the practice as ‘successful’ while also revealing that last year’s profits had more than quadrupled. The system, launched in 2020, tracks how effectively employees adhere to risk and compliance rules, awarding and deducting points that ultimately affect compensation. Once those points are totalled at team level, each employee’s final bonus is either reduced or multiplied accordingly.

CJEU knowledge base on data protection: The EU’s top court has published a Fact Sheet document on the Protection of personal data, to present a selection of seminal rulings on the subject and rulings that have made a significant contribution to the development of this case-law. The document relates to sector-specific rules, particularly in the electronic communications sector and criminal law, but also aims to present a selection of judgments dealing with rules which are applicable across multiple areas.

The post Data protection digest 18 Apr – 2 May 2025: data controller obligation to monitor deletion or return of personal data held by the processor appeared first on TechGDPR.
