risk assessment Archives - TechGDPR
https://techgdpr.com/blog/tag/risk-assessment/ (feed generated Thu, 03 Jul 2025 10:51:09 +0000)

Data protection digest 17 Jun – 1 Jul 2025: protecting individuals, not organisations, should be the focus of risk assessment
https://techgdpr.com/blog/data-protection-digest-02072025-protecting-individuals-not-organisations-should-be-the-focus-of-risk-assessment/
Wed, 02 Jul 2025 12:48:51 +0000

The post Data protection digest 17 Jun – 1 Jul 2025: protecting individuals, not organisations, should be the focus of risk assessment appeared first on TechGDPR.

Risk Assessment

Personal data protection should be the cornerstone of an organisation’s risk assessment. The Polish regulator UODO came to this conclusion after investigating a ransomware attack on a children’s clinical hospital in Białystok. Access to IT systems was blocked, which resulted in a breach of the confidentiality and availability of the personal data of approximately 2,000 employees and created the possibility of unauthorised access to that data. In this case, the risk assessment had been conducted on the basis of a flawed procedure – from the perspective of the hospital as an organisation, not from the perspective of protecting the data subjects.

The documents that were supposed to prove that a risk analysis had been conducted were inconsistent and full of ambiguities. The hospital did not indicate which processes it was analysing, nor did it link those processes to the identified threats, vulnerabilities and the final risk assessment. When explaining which technical measures it used to secure its IT systems, the hospital (as data controller) referred to an audit conducted for compliance with the Act on the National Cybersecurity System. However, that act focuses primarily on ensuring the safe and uninterrupted provision of services, not – as the GDPR does – on protecting the rights and freedoms of natural persons.

The hospital also had no appropriate procedure for performing and documenting recovery tests, and did not apply appropriate security measures to the backup copies it created. Both shortcomings may have contributed to the hospital being unable to fully restore the data lost as a result of the attack.


Other legal developments

From 19 June, the Data Use and Access Act 2025 (DUAA) amends, but does not replace, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR), to promote innovation (eg, commercial scientific research, automated decision-making) and economic growth. Whilst it still protects people and their rights, the DUAA simplifies personal data usage in the following ways: 

  • New ‘recognised legitimate interests’ lawful basis of data processing (from public safety to direct marketing)
  • Assumption of compatibility for some data reuses
  • ‘Soft opt-in’ (eg, for charities)
  • More flexible requirements on cookies
  • Reasonable and proportionate subject access requests, etc.

At the same time, if you provide an online service that is likely to be used by children, the DUAA explicitly requires you to take their needs into account. Data subject complaints must also be facilitated by offering an electronic complaint form and respecting the 30-day statutory time frame for acknowledgement and response. The changes will be phased in between June 2025 and June 2026. Further summaries of the changes can be found here and here.

GDPR enforcement ease: The Council of the European Union and the Parliament have reached a deal to make cross-border GDPR enforcement work better for citizens. Once adopted, the regulation will speed up the handling of cross-border GDPR complaints and any follow-up investigations. The co-legislators agreed on an overall investigation deadline of 15 months, which can be extended by 12 months for the most complex cases. An early resolution mechanism will allow data protection authorities to resolve a case before triggering the standard procedure for handling a cross-border complaint. This may be the case where the company or organisation in question has addressed the infringement and the complainant has not objected to the early resolution of the complaint.

AI and web scraping


The GDPR applies in many cases to AI models trained on personal data, because such models can memorise it. In that context, a French CNIL guide specifies the conditions for relying on legitimate interest when developing AI by means of web scraping. In line with the opinion adopted by the EDPB in December 2024, the CNIL considers that developing AI systems does not systematically require the consent of individuals: legitimate interest is a possible legal basis for the development of AI systems, subject to strong safeguards.

The guide offers examples of concrete safeguards adapted to the different types of AI systems: excluding certain data from collection, increased transparency, facilitating the exercise of data subject rights, etc. For example, reusing users’ future conversations with a chatbot to improve the AI model can be based on legitimate interest provided that strong guarantees are in place: informing individuals, a right to object, restricting the processing to pseudonymised or anonymised data, etc.

More from supervisory authorities worldwide

COPPA update: In the US, the amended Children’s Online Privacy Protection Rule took effect on 23 June. It includes a new definition of a ‘mixed audience’ website or online service, intended to provide greater clarity about an existing sub-category of child-directed services. The amendments also modify operators’ obligations concerning direct and online notices; information security, deletion and retention protocols; and annual assessment, disclosure and reporting requirements. They also adopt rules on parental consent requirements, methods of obtaining verifiable parental consent, and exceptions.

Biometric identifiers vs biometric data: The JDSupra legal blog explains the difference between the two categories specified in the Colorado Privacy Act, which went into effect on July 1. Biometric identifiers are data generated by the technological processing, measurement or analysis of a consumer’s biological, physical or behavioral characteristics which can be processed for identification. Biometric data is a subset of biometric identifiers that are used, or intended to be used, for identification purposes. It does not include digital or physical photographs, audio or voice recordings, or any data generated from a digital or physical photograph or an audio or video recording, unless any of these are used for identification purposes. Both categories can be considered sensitive data and may require a privacy notice and consent.

Child data: Also in the US, New York’s Child Data Protection Act (NYCDPA) went into effect on June 20. The Office of the Attorney General issued practical guidance in advance on the application of the NYCDPA to minors’ data alongside the federal COPPA Rule; operator responsibilities concerning user-provided age flags; requirements for schools, school districts and their third-party contractors; parental requests for products and services, etc. The guidance covers any website, online service, online application, mobile application or connected device directed at minors.


DeepSeek AI

Germany’s data protection commissioner has asked Apple and Google to remove Chinese AI startup DeepSeek from their app stores in the country due to concerns about data protection, Reuters reports. According to its privacy policy, DeepSeek stores numerous pieces of personal data, such as requests to its AI or uploaded files, on computers in China. The commissioner took the decision after asking DeepSeek in May to meet the requirements for non-EU data transfers or else voluntarily withdraw its app. DeepSeek did not comply with this request. Authorities across Europe have also been evaluating the app: while Italy has blocked it from app stores entirely, the UK government said that using DeepSeek remains a personal choice for members of the public.

In other news

Data access requests: The Swiss FDPIC concluded its investigation into Cembra Money Bank AG. After receiving complaints, the regulator contacted Cembra with a view to a low-threshold intervention. Cembra replied that, due to staff shortages, responses to access requests had been delayed. The company was reminded of the statutory 30-day deadline for responding to access requests. The regulator also ordered the bank to provide all persons who had previously received only a standardised response with the actual information on the processing of their personal data.


Telemarketing and data subject rights: If an organisation has obtained a person’s contact details from a source other than the person themselves, it must provide the most important information about the processing of their personal data immediately, during the first direct marketing call, states the Finnish data protection authority. If a person submits a request to delete their data to customer service, the request cannot be left unprocessed on the grounds that it was not submitted to the data protection officer.

The organisation must ensure that the request is forwarded to the party that handles it. The same applies to objections to direct marketing: if a person wants to opt out of direct marketing during a call, the request cannot be sidestepped by merely giving them instructions on how to opt out elsewhere.

Unjust dismissal

The Italian regulator Garante fined Autostrade per l’Italia SpA 420,000 euros for unlawfully processing the personal data of an employee, which was then used to justify her dismissal. The authority’s intervention followed a complaint by the worker, who reported that the company had used content extracted from her Facebook profile and her private chats on Messenger and WhatsApp to justify disciplinary proceedings against her. The content used also included verbatim excerpts of comments and photo captions.

The investigation revealed that the employer had used the content without a valid legal basis, relying on screenshots provided by some colleagues and a third party who was among the employee’s Facebook “friends” and active in her private conversations on Messenger and WhatsApp. Furthermore, the communications concerned opinions and exchanges outside the employment relationship, which were irrelevant to assessing her professional suitability.

AI prohibited practices in the gaming sector

The Maltese data protection authority IDPC warns that AI systems used for player profiling, personalised gaming experiences and monetisation are not only subject to Art. 22 of the GDPR, which restricts automated decisions with legal or similarly significant effects on individuals, but are also high-risk under the AI Act, and some of them qualify as prohibited practices. Manipulative AI deploys subliminal or deceptive techniques to distort player behaviour by impairing the player’s ability to make an informed decision, causing them to take a decision they would otherwise not have taken (for example, AI-powered algorithms that regulate emotion-triggered loot boxes).

Other prohibited techniques in the gaming sector are the exploitation of vulnerabilities and social scoring.

In case you missed it 

Video integration into websites: Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI) has carried out an automated website check for the first time and identified violations in the integration of YouTube videos on federal websites. Public authorities and others can use YouTube videos on their websites in compliance with data protection law; it becomes problematic when the videos are embedded directly.

When the page is loaded, the user’s browser automatically connects to YouTube’s servers and transmits, among other things, the user’s IP address. This data transfer takes place without the user’s prior consent and therefore violates the Telecommunications Digital Services Data Protection Act (TDDDG). For data-protection-compliant video integration, the BfDI recommends two alternatives:

  • Self-hosting is the gold standard: Videos are hosted on your own servers and embedded on the website. This ensures complete control over data processing and user interactions.
  • Two-click solutions: Users must actively click on a preview image before the connection to YouTube is established. (With this option, an equivalent alternative without a third-party provider should always be offered).
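As an added illustration of the two-click option described above (example code written for this digest, not code from the BfDI or from TechGDPR), the browser JavaScript below shows a preview image served from the site's own origin and creates the YouTube iframe only after the visitor clicks. The video id "abc123DEF45" and the path "/media/preview.jpg" are constructed placeholders; the id check and the same-site check on the preview path are the author's assumptions about what a careful implementation needs.

```javascript
// Two-click YouTube embed: nothing is requested from YouTube until the visitor
// explicitly clicks. Plain browser JavaScript, no libraries.

const YOUTUBE_ID_RE = /^[A-Za-z0-9_-]{11}$/;   // shape of a YouTube video id

// Build the player URL only from a validated id, so a malformed or
// externally supplied value cannot turn the iframe into an arbitrary src.
function buildEmbedUrl(videoId) {
  if (!YOUTUBE_ID_RE.test(videoId)) {
    throw new Error("invalid YouTube video id");
  }
  return "https://www.youtube.com/embed/" + videoId;
}

// The preview must be a same-site relative path. A thumbnail loaded from a
// YouTube host would already transmit the visitor's IP address before any click.
function isSelfHostedPreview(src) {
  return typeof src === "string" && src.startsWith("/") && !src.startsWith("//");
}

// State holder: "preview" until the visitor clicks, "loaded" afterwards.
function createTwoClickEmbed(videoId, previewSrc) {
  const embedUrl = buildEmbedUrl(videoId);        // validate up front
  if (!isSelfHostedPreview(previewSrc)) {
    throw new Error("preview image must be self-hosted (relative path)");
  }
  const embed = { state: "preview", previewSrc: previewSrc, iframeSrc: null };
  embed.activate = function () {
    // Only here, on an explicit user action, is the YouTube URL handed out.
    embed.state = "loaded";
    embed.iframeSrc = embedUrl;
    return embedUrl;
  };
  return embed;
}

// DOM wiring: render the preview into a container; swap in the iframe on click.
function mountTwoClickEmbed(container, embed, doc) {
  const img = doc.createElement("img");
  img.src = embed.previewSrc;                      // served by this site
  img.alt = "Video preview. Click the button to load the video from YouTube.";
  const button = doc.createElement("button");
  button.type = "button";
  button.textContent = "Load video (connects to YouTube)";
  button.addEventListener("click", function () {
    const iframe = doc.createElement("iframe");
    iframe.src = embed.activate();                 // first contact with YouTube
    iframe.width = "560";
    iframe.height = "315";
    iframe.setAttribute("allowfullscreen", "");
    container.replaceChildren(iframe);
  });
  container.replaceChildren(img, button);
}

if (typeof document !== "undefined") {
  // Page wiring for <div id="video" data-video-id="..."></div> (constructed values).
  const container = document.getElementById("video");
  if (container) {
    const embed = createTwoClickEmbed(container.dataset.videoId || "abc123DEF45",
                                      "/media/preview.jpg");
    mountTwoClickEmbed(container, embed, document);
  }
}
```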


Difference between Fundamental Rights Impact Assessment & Data Protection Impact Assessment
https://techgdpr.com/blog/difference-fundamental-rights-impact-assessment-dpia/
Tue, 30 Jul 2024 07:00:00 +0000

The post Difference between Fundamental Rights Impact Assessment & Data Protection Impact Assessment appeared first on TechGDPR.

Through the AI Act, the EU seeks to ensure that AI systems used within the Union are safe and transparent. The EU AI Act provides a regulatory framework focused on safeguarding fundamental rights in relation to high-risk AI systems. Companies making use of AI, regardless of their size or industry, must now comply with the AI Act’s provisions. This marks a significant step towards responsible and ethical AI development and deployment across the region. Article 113 of the EU AI Act states that the Regulation “[…] shall apply from 2 August 2026”. However, some provisions become applicable sooner or later than this date. Most of the Act’s provisions require full compliance 24 months after entry into force.

Crucial to AI Act is that organisations using high-risk AI systems must conduct a comprehensive Fundamental Rights Impact Assessment (FRIA). This assessment proactively identifies and mitigates potential harms to individuals. Notably, the FRIA shares similarities with the Data Protection Impact Assessment (DPIA) mandated under the GDPR. This underscores the intersection of data protection and fundamental rights in the context of AI systems.

What is a Fundamental Rights Impact Assessment (FRIA)?

While the EU AI Act does not expressly define the FRIA, it explains what the objective of the assessment is and states what the assessment must contain. Recital 96 of the AI Act states that “The aim of the fundamental rights impact assessment is for the deployer to identify the specific risks to the rights of individuals or groups of individuals…”. Moreover, the FRIA helps to “identify measures [to take] in the case of a materialisation of those risks”. Organisations must conduct the FRIA “prior to deploying the high-risk AI system”. They are also required to update it “when ... any of the relevant factors have changed”.

In other words, an FRIA is an evaluation of the risks that high-risk AI systems present to individuals’ rights, together with the determination of remediation strategies to manage and mitigate those risks should they materialise.

What should a Fundamental Rights Impact Assessment contain?

According to Article 27(1) of the EU AI Act, the Fundamental Rights Impact Assessment should contain the following information:

(a) a description of the deployer’s processes in which the high-risk AI system will be used in line with its intended purpose;

(b) a description of the period of time within which, and the frequency with which, each high-risk AI system is intended to be used;

(c) the categories of natural persons and groups likely to be affected by its use in the specific context;

(d) the specific risks of harm likely to have an impact on the categories of natural persons ..., taking into account the information given by the provider pursuant to Article 13 (transparency obligations of AI providers);

(e) a description of the implementation of human oversight measures, according to the instructions for use;

(f) the measures to be taken in the case of the materialisation of those risks.

Interestingly, Article 27(4) of the EU AI Act states that if organisations meet “any of the obligations laid down in this Article […] through the data protection impact assessment conducted pursuant to Article 35 of [the GDPR]…, the fundamental rights impact assessment referred to in paragraph 1 of this Article shall complement that data protection impact assessment”. Essentially, the fundamental rights impact assessment should complement the data protection impact assessment.

Intersection between Fundamental Rights Impact Assessment and Data Protection Impact Assessment

Article 35 of the GDPR states that a DPIA evaluates the impact of processing operations on the protection of personal data, especially where the processing uses new technologies and is likely to result in a high risk to the rights and freedoms of natural persons. On this basis, the FRIA and the DPIA address the impact on individuals’ rights and the protection of personal data for high-risk AI systems and high-risk processing operations respectively.

The table below offers a quick overview of the minimum information requirement for the FRIA and DPIA:

| Topic | FRIA | DPIA | Comments |
| --- | --- | --- | --- |
| Description of processing | ✔️ | ✔️ | FRIA: requires a description of the deployer’s processes. DPIA: requires a description of the controller’s processing operations |
| Purpose of processing | | ✔️ | |
| The legitimate interests pursued | | ✔️ | |
| Risks to the rights and freedoms of individuals | ✔️ | ✔️ | FRIA: requires inclusion of the specific risks to individuals, taking into account the information provided by the provider of the AI system. DPIA: requires inclusion of the risks to individuals, taking into account the nature, scope, context and purposes of the processing operation |
| The necessity / proportionality of the operations in relation to the purposes | | ✔️ | |
| Measures to address the risks | ✔️ | ✔️ | FRIA: requires the measures to be followed in case the risks materialise, internal AI governance and a mechanism for complaints. DPIA: requires safeguards and security measures to ensure the protection of personal data and to demonstrate compliance with the GDPR |
| The time period and frequency of intended use | ✔️ | | |
| Categories of natural persons likely to be affected | ✔️ | | |
| Implementation of human oversight measures | ✔️ | | |

FRIA and DPIA in practice

The minimum requirements for the FRIA and the DPIA differ, although in practice both assessments often include additional information, making them quite similar. For example, Article 35 of the GDPR does not mandate the inclusion of data subject categories in the DPIA, yet organisations logically include such details to identify risks to individuals’ rights and freedoms. Similarly, the EU AI Act does not explicitly require the purpose and proportionality of the processes in the FRIA, yet organisations naturally include them when describing the processes and the necessity of the AI system.

What are the differences?

The major difference between the Fundamental Rights Impact Assessment and the Data Protection Impact Assessment is their focus point. The FRIA focuses on how the AI system directly impacts the rights of individuals. The DPIA focuses on how the processing operation impacts the protection of personal data and the rights of individuals.

The table below provides an overview of the major differences between the FRIA and the DPIA:

| FRIA | DPIA |
| --- | --- |
| Required for high-risk AI systems | Required for processing operations making use of new technologies, when: automated processing is used and profiling is carried out on a large scale; special categories of personal data are processed; systematic monitoring of a publicly accessible area occurs |
| Relates to deployers of high-risk AI systems | Relates to controllers |
| Deals with the impact of high-risk AI systems on the rights of individuals | Deals with the impact of processing operations on the rights of individuals |
| Is focused on mitigating risks to ensure that the rights of individuals are protected | Is focused on mitigating risks to ensure that personal data is protected |
| Considers information provided by the provider of the high-risk AI system | Considers information relating to the nature, scope, context and purposes of the processing operation |

Summary

The major takeaway is that the Fundamental Rights Impact Assessment and the Data Protection Impact Assessment play complementary roles; at least, that is the intent of the EU AI Act according to Article 27(4). Organisations deploying high-risk AI systems that process personal data will therefore have to conduct both assessments. If your organisation is a provider of high-risk AI systems, there is no requirement to conduct the FRIA. However, providers must make the information available that deployers need to conduct it, because a substantial part of the assessment relies on the information presented by AI providers.

Given that the EU AI Act is new, organisations may struggle with identifying their role in the AI value chain. Organisations may also struggle to comply with requirements based on that role. At TechGDPR, we assess your processing operations, the information provided by AI providers as well as the envisaged implementation of the AI system to help determine what requirements apply under the EU AI Act. We can help you correctly classify the AI system(s) your organisation plans to manufacture or deploy, ensuring early detection of any outright prohibitions. This will prevent your organisation from wasting valuable resources on systems not allowed within the EU.

