{"id":10461,"date":"2025-03-19T10:27:22","date_gmt":"2025-03-19T09:27:22","guid":{"rendered":"https:\/\/s8.tgin.eu\/?p=10461"},"modified":"2025-03-19T13:26:42","modified_gmt":"2025-03-19T12:26:42","slug":"data-protection-digest-19032025-combining-fria-with-dpia-is-possible-but-not-once-the-development-of-an-ai-system-has-begun","status":"publish","type":"post","link":"https:\/\/techgdpr.com\/blog\/data-protection-digest-19032025-combining-fria-with-dpia-is-possible-but-not-once-the-development-of-an-ai-system-has-begun\/","title":{"rendered":"Data protection digest 3-17 Mar 2025: Combining FRIA with DPIA is possible, but not once the development of an AI system has begun"},"content":{"rendered":"\n<p><strong>FRIA and DPIA: <\/strong>Before deploying a <a href=\"https:\/\/artificialintelligenceact.eu\/article\/6\/\">high-risk AI system<\/a>, the organisations shall assess the impact that the use of such a system may have on fundamental rights, explains the Croatian data protection regulator AZOP. 
For this purpose, private and public entities shall carry out an assessment containing:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>a description of the implementing entity&#8217;s processes in which the high-risk AI system will be used for its intended purpose;<\/li>\n\n\n\n<li>a description of the period and frequency of intended use;<\/li>\n\n\n\n<li>the categories of natural persons and groups likely to be affected in the specific context;<\/li>\n\n\n\n<li>the specific risks of harm likely to affect the categories of natural persons or groups of persons identified;<\/li>\n\n\n\n<li>a description of the implementation of human control measures;<\/li>\n\n\n\n<li>measures to be taken in the event of the materialisation of those risks, including internal governance arrangements and complaints mechanisms.<\/li>\n<\/ul>\n\n\n\n<p>If both a <a href=\"https:\/\/techgdpr.com\/blog\/difference-fundamental-rights-impact-assessment-dpia\/\">FRIA and a DPIA<\/a> need to be conducted, the regulator recommends combining these two analyses to complement each other. At the same time, FRIA is mandatory for introducing a high-risk AI system, while a <a href=\"https:\/\/azop.hr\/metodologija-za-provedbu-procjene-ucinka-na-ljudska-prava-fria\/\">DPIA must be carried out at the very beginning, before the development of an AI system.<\/a> A DPIA should also be carried out if it is not a high-risk AI system, but the processing of personal data within the AI system is considered to be high-risk.<\/p>\n\n\n\n<p>The regulator provides an example: A chatbot will in most cases be considered a medium-risk AI system. However, if the chatbot is used in a sensitive context, it may result in processing activities that would be classified as high-risk, even if the system itself would not be high-risk. Therefore, a FRIA may not be required, but a DPIA is required.<\/p>\n\n\n\n
<h4 class=\"wp-block-heading\"><strong>EHDS<\/strong><\/h4>\n\n\n\n<div class=\"wp-block-media-text has-media-on-the-right is-stacked-on-mobile\" style=\"grid-template-columns:auto 26%\"><div class=\"wp-block-media-text__content\">\n<p><\/p>\n\n\n\n<p>On 5 March, the <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=OJ:L_202500327\">European Health Data Space Regulation<\/a> was officially published in the EU Official Journal. It enters into force on 26 March, marking the beginning of the transition phase towards its application in the next decade. The law is designed to benefit all EU residents, including patients, healthcare professionals, researchers, policymakers, and industry players.<\/p>\n<\/div><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXfBuhLF5ACDOsai9bsAGBtkbfjJ0lm31KbS0uvtVptoOXOZUsereYlrv7UYien_6ifREexd2UjbCuUBeEBAB_pN24IyJbARFutSZbPnLh_GiwAopDLDiiNfm_Yvk2BeuWnLWago?key=yjBKmxzdY_6XcHO8RQDBrTOe\" alt=\"FRIA\" \/><\/figure><\/div>\n\n\n\n<p>EHDS aims to establish <a href=\"https:\/\/health.ec.europa.eu\/ehealth-digital-health-and-care\/european-health-data-space-regulation-ehds_en\">fast and free access to electronic health data across systems and countries<\/a>, security and privacy protections by default, opt-out rights from secondary use, and more cost-efficient access to high-quality health data for research, innovation and public health monitoring.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Parental control in app stores<\/strong><\/h4>\n\n\n\n<p>According to CNN, Utah approved a first-of-its-kind law in the US mandating that <a href=\"https:\/\/edition.cnn.com\/2025\/03\/13\/tech\/app-store-age-verification-meta-tension\/index.html?Date=20250313&amp;Profile=CNN&amp;utm_content=1741866109&amp;utm_medium=social&amp;utm_source=facebook\">app stores confirm 
users&#8217; ages and get parental approval before allowing children to download<\/a> programs to their devices. The legislation, which is pending the Utah Governor&#8217;s signature, is a victory for Meta and other platforms that have been under pressure to do more to protect minors online. It may significantly change how all users\u2014not just the young\u2014use app stores. Similar legislation has been introduced in at least eight other states. However, Apple and Google have put forward other ideas, including app stores and app developers sharing accountability for age verification.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>AI Code of Practice<\/strong><\/h4>\n\n\n\n<p>The third draft of the General-Purpose AI Code of Practice was published by the European Commission. It is only relevant for a small number of providers of the most advanced general-purpose AI models that could pose systemic risks, under the classification criteria in Art. 51 of the AI Act. The first two sections of the draft Code detail transparency and copyright obligations for all providers of general-purpose AI models, with notable exemptions from the transparency obligations for providers of certain open-source models. 
The final Code should be ready in May, as a tool for general-purpose AI model providers to <a href=\"https:\/\/digital-strategy.ec.europa.eu\/en\/library\/third-draft-general-purpose-ai-code-practice-published-written-independent-experts\">demonstrate compliance with the AI Act<\/a>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">More legal updates<\/h4>\n\n\n\n<div class=\"wp-block-media-text is-stacked-on-mobile\" style=\"grid-template-columns:26% auto\"><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXel2koaZRWNLzhZjCcmY7smMjdvcvuoXsB0nX726zMfb3qXMdk6zRs2zqkAfDQaRBc_Z0gdQRiKBECKfdHmbggu4BxQws4vA_gcTqSft1GU76DrDieo1PEo7OBZ95Dcyj4v6gqQJQ?key=yjBKmxzdY_6XcHO8RQDBrTOe\" alt=\"\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<p><\/p>\n\n\n\n<p><strong>Whistleblowing rules in the EU: <\/strong>&nbsp;Five EU Member States, Germany, Luxembourg, the Czech Republic, Estonia and Hungary, have been ordered to pay <a href=\"https:\/\/curia.europa.eu\/jcms\/upload\/docs\/application\/pdf\/2025-03\/cp250029en.pdf\">financial penalties<\/a> for failing to transpose the <a href=\"https:\/\/eur-lex.europa.eu\/eli\/dir\/2019\/1937\/oj\">Whistleblowers directive<\/a>. Persons who work for a public or private organisation or are in contact with such an organisation in the context of their work-related activities are often the first to know about threats or harm to the public interest.<\/p>\n<\/div><\/div>\n\n\n\n<p>By reporting breaches of Union law that are harmful to the public interest, such persons act as \u2018whistleblowers\u2019 and thereby play a key role in exposing and preventing such breaches and safeguarding society&#8217;s welfare. However, potential whistleblowers are often discouraged from reporting their concerns or suspicions for fear of retaliation. 
Among many other things, <a href=\"https:\/\/eur-lex.europa.eu\/eli\/dir\/2019\/1937\/oj\">respect for privacy and protection of personal data<\/a> are areas in which whistleblowers can help to disclose violations of law.<\/p>\n\n\n\n<p><strong>The Data Act implementation:<\/strong> In Germany, with few exceptions, supervision of the processing of personal data by controllers in the non-public sector is the responsibility of the respective state data protection authorities. In contrast, responsibility for monitoring the application of the GDPR within the framework of the <a href=\"https:\/\/digital-strategy.ec.europa.eu\/en\/library\/commission-publishes-frequently-asked-questions-about-data-act\">Data Act<\/a> is to be transferred to the Federal Commissioner for Data Protection (BfDI). This results in the opposite of the intended simplification of responsibilities for companies, authorities, and data subjects. There is also a risk of <a href=\"https:\/\/www.datenschutz.sachsen.de\/folgeseite-news-und-veranstaltungen-7364-7364.html\">dual supervision<\/a> by a federal and a state authority for the same matter.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Union digital access rights<\/strong><\/h4>\n\n\n\n<p>The Ius Laboris law blog examines the limits of unions\u2019 freedom of association in Germany via the digital communication tools of the employer. In a groundbreaking 2009 decision, the Federal Labour Court granted unions a digital right of access to the employer for the first time. Unions may use company email addresses as a means of communication for information and advertising purposes, and the employer must tolerate this as long as it does not lead to an impairment of the operational process or a disruption of industrial peace. 
<\/p>\n\n\n\n<p>Later on, for data privacy and security purposes following GDPR implementation, <a href=\"https:\/\/iuslaboris.com\/insights\/ruling-by-german-labour-court-limits-unions-digital-access-rights\/\">important prohibitions were set<\/a>, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>receiving all company email addresses of employees;<\/li>\n\n\n\n<li>accessing the group-wide communication platform; and<\/li>\n\n\n\n<li>receiving a link on the homepage of the company\u2019s intranet.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Video surveillance in Sweden<\/strong><\/h4>\n\n\n\n<div class=\"wp-block-media-text has-media-on-the-right is-stacked-on-mobile\" style=\"grid-template-columns:auto 26%\"><div class=\"wp-block-media-text__content\">\n<p><\/p>\n\n\n\n<p>Since 2018, certain businesses have had to apply for a permit from data protection regulator IMY for camera surveillance. The Riksdag has now decided that the <a href=\"https:\/\/www.imy.se\/nyheter\/fran-1-april-galler-nya-regler-for-verksamheter-som-kamerabevakar\/\">permit requirement will cease<\/a>. This can make it easier for those who want to use camera surveillance to prevent, deter or investigate crimes. 
At the same time, a great responsibility is placed on those who want to monitor to ensure that the surveillance is permitted under the GDPR &#8211; identify the legal basis and properly document the activity, and investigate whether other measures may be sufficient to create safety and security.&nbsp;<\/p>\n<\/div><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXdzUMCkTLCenovCAcSwJAvRAibikqZJ1vLh-qcO0rxa2hzujTK5qiHGPKpDVgg-0rwU4Tsk27UYY6tvPVEoo4607Nkd0GD55ygUj1FwbxQa27bERS_n-k2GpsarToKNkLOfwDkR0A?key=yjBKmxzdY_6XcHO8RQDBrTOe\" alt=\"\" \/><\/figure><\/div>\n\n\n\n<h4 class=\"wp-block-heading\">More from supervisory authorities<\/h4>\n\n\n\n<p><strong>What are the data processing operations that <\/strong><a href=\"https:\/\/www.dvi.gov.lv\/lv\/jaunums\/izstradats-saraksts-ar-apstrades-darbibam-kuram-nida-nav-javeic\"><strong>do not require a DPIA<\/strong><\/a><strong>?<\/strong> The Latvian data protection authority offers some suggestions:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Processing of employees&#8217; data only within the country, if no processing, profiling or systematic monitoring of biometric or genetic data is carried out.<\/li>\n\n\n\n<li>Processing of personal data of customers by companies for the provision of services and advertising within the country, if the company&#8217;s core business is not related to large-scale processing or special categories of data.<\/li>\n\n\n\n<li>Processing of member and donor data by associations and foundations.<\/li>\n\n\n\n<li>Processing carried out by apartment owners&#8217; associations and cooperatives related to the management of residential buildings, if it is not carried out on a large scale.<\/li>\n\n\n\n<li>Processing of collective applications by local governments, for example, when residents submit a collective application to the local government, etc.<\/li>\n<\/ul>\n\n\n\n<p><strong>Differential privacy guide: 
<\/strong>America\u2019s NIST meanwhile finalized guidelines for evaluating <a href=\"https:\/\/www.nist.gov\/news-events\/news\/2025\/03\/nist-finalizes-guidelines-evaluating-differential-privacy-guarantees-de\">differential privacy guarantees to de-identify data<\/a>. Differential privacy works by adding random \u201cnoise\u201d to the data in a way that obscures the identity of the individuals but keeps the database useful overall as a source of statistical information. However, noise applied in the wrong way can jeopardize privacy or render the data less useful. To help users avoid these pitfalls, <a href=\"https:\/\/csrc.nist.gov\/pubs\/sp\/800\/226\/final\">the document includes interactive tools, flow charts, and even sample computer code<\/a> that can aid in decision-making and show how varying noise levels can affect privacy and data usability.&nbsp;<\/p>\n\n\n\n<p><strong>AI human oversight:<\/strong> The Dutch AP initiated a public consultation on tools for meaningful human intervention in algorithmic decision-making, which will be open until 6 April. The document focuses on meaningful human intervention in automated decision-making, distinguishing between substantive and symbolic human oversight under the GDPR and the Law Enforcement Directive. 
The consultation process is <a href=\"https:\/\/digitalpolicyalert.org\/event\/28026-data-protection-authority-opened-consultation-on-tools-for-meaningful-human-intervention-in-algorithmic-decision-making\">open to contributions from data protection officers, data controllers, and other relevant stakeholders<\/a>.<\/p>\n\n\n<div id=\"newslettersignup\"><\/div>\n
\n\n\n<h4 class=\"wp-block-heading\"><strong>Weather camera<\/strong><\/h4>\n\n\n\n<div class=\"wp-block-media-text is-stacked-on-mobile\" style=\"grid-template-columns:26% auto\"><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXcUy5de2NHUO7-Nsn5WPCxYEXx4FxutBtSStFlv2oaSW8thYiwMY0f1-NgNF1gMYx6X-LzV-d1zhVVnuo8ID5y5pVeu2wAvwNWSD5Hh-2s9ryg6BkxJN_iQj9cp9yjS8G1qldaHNg?key=yjBKmxzdY_6XcHO8RQDBrTOe\" alt=\"FRIA\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<p><\/p>\n\n\n\n<p>The Austrian data protection authority in a recent case observed that the operation of a weather camera violated a homeowner&#8217;s fundamental right to data protection. The recordings could be viewed by anyone online. The camera was mounted on a roof and offered an overview of the town. The owner of a house, which is visible in the images, complained. 
<\/p>\n<\/div><\/div>\n\n\n\n<p>The operator of the weather camera argued that the recordings were for tourism purposes so that people could find out about the weather. This was countered by the homeowner&#8217;s interest in not having their presence and absence visible to everyone online. The decisive factor for the regulator was that this <a href=\"https:\/\/dsb.gv.at\/aktuelles\/information-der-datenschutzbehoerde-zu-einer-entscheidung-betreffend-wetterkameras\">purpose could also be achieved without the (worldwide accessible) recording of the house<\/a>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Online retailers and guest access<\/strong><\/h4>\n\n\n\n<p>In a review not prompted by a complaint, the Hamburg data protection regulator HmbBfDI examined relevant online shops in Hamburg and found that a large <a href=\"https:\/\/datenschutz-hamburg.de\/news\/gastzugang-im-onlinehandel\">online clothes retailer did not offer the option to order as a guest<\/a>. Purchases were therefore only possible after creating a permanent customer account. The HmbBfDI requested that the company allow guest orders in the future to comply with data protection requirements.<\/p>\n\n\n\n<p>In principle, it is incompatible with data protection law to create permanent customer profiles if customers may only wish to place a one-time order. The principle of data minimisation stipulates that only as much data as necessary should be processed \u2013 customer accounts, on the other hand, often contain more extensive information. Creating password-protected access via the internet also exposes the entered data to the risk of hacker attacks \u2013 a risk that not all customers are willing to take.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Right to be forgotten<\/strong><\/h4>\n\n\n\n<p>The EDPB has launched another coordinated action for 2025. 
Following the action on the right to information in 2024, this year&#8217;s focus is on implementing another key data protection right, namely the right to erasure (the &#8220;right to be forgotten&#8221;) under Art. 17 of the GDPR. 32 data protection authorities from across Europe will participate in this initiative. The <a href=\"https:\/\/www.datenschutzstelle.li\/aktuelles\/europaeische-initiative-zum-recht-auf-loeschung\">authorities will soon contact several companies and organisations from various sectors<\/a> \u2013 either to initiate formal inspections or to collect information. In the latter case, further follow-up measures could also be taken if necessary.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Swiss cyberattacks<\/strong><\/h4>\n\n\n\n<div class=\"wp-block-media-text has-media-on-the-right is-stacked-on-mobile\" style=\"grid-template-columns:auto 26%\"><div class=\"wp-block-media-text__content\">\n<p><\/p>\n\n\n\n<p>Reporting cyberattacks on critical infrastructure in Switzerland will be mandatory from 1 April. Operators of critical infrastructures will be <a href=\"https:\/\/www.admin.ch\/gov\/en\/start\/documentation\/media-releases\/media-releases-federal-council.msg-id-104400.html\">required to report cyberattacks to the National Cyber Security Centre within 24 hours of discovery<\/a>. This reporting obligation is under certain circumstances also relevant for non-Swiss entities. 
The Federal Council has decided to implement the relevant legislation for fines on 1 October to give those concerned sufficient time to prepare for the new reporting obligation.<\/p>\n<\/div><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXcaw2aQ2hlm5vvIkMKCN4z4aHr6Du_O_pd_P1jhQ5gcA1Nme48IsuR-8mKOsAQY-apbt0wXtLjO-cSK5hiqiRSYs5-noZZZPsK_OVlbBbdWBmvZWb8pzAElfi-isoR1BAuOUe5Lxw?key=yjBKmxzdY_6XcHO8RQDBrTOe\" alt=\"\" \/><\/figure><\/div>\n\n\n\n<p>The regulator recommends entities check if they fall under the rather broad term of \u201ccritical infrastructures\u201d before the deadline.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">More enforcement decisions<\/h4>\n\n\n\n<p><strong>Wrong recipient fine: <\/strong>The Vitallaw.com legal blog reports that the Spanish data protection authority AEPD has <a href=\"https:\/\/www.aepd.es\/documento\/ps-00540-2024.pdf\">fined Ibermutua Mutua Colaboradora 600,000 euros<\/a>. The data of over 3,395 people was affected by the breach, and 354 recipients\u2014including businesses and consultants working with Ibermutua\u2014received the data.<\/p>\n\n\n\n<p>The fine came after people complained that they had received <a href=\"https:\/\/www.vitallaw.com\/news\/spain-fines-insurance-firm-over-gdpr-violations\/cspd017357253dd90a47e5b56e67b81d1f6a61\">a notification from Ibermutua&#8217;s data protection officer<\/a> stating that their data, including health data, had been transferred to other organisations because of a computer fault. 
Ibermutua contacted the companies to request that the personal data be deleted and took technical and organisational measures, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>correcting the programming error and undertaking a series of exhaustive tests to ensure correct functioning;<\/li>\n\n\n\n<li>restricting attachments to prohibit the sending of multiple attachments in a single e-mail;<\/li>\n\n\n\n<li>verifying the identity of the attachment against the corresponding recipient;<\/li>\n\n\n\n<li>testing before sending e-mail remittances;<\/li>\n\n\n\n<li>implementing training for staff; and<\/li>\n\n\n\n<li>launching an external audit.<\/li>\n<\/ul>\n\n\n\n<p>Finally, <strong>Telenor ASA<\/strong>, a telecommunications company in Norway, has been sanctioned with approx. 342,000 euros for <a href=\"https:\/\/www.datatilsynet.no\/aktuelt\/aktuelle-nyheter-2025\/telenor-asa-er-ilagt-sanksjoner-for-mangler-ved-personvernombudsordning-og-internkontroll\/\">deficiencies in its data protection officer scheme and internal controls<\/a>. In particular, the company had not carried out all necessary assessments and documentation of the role of the DPO, including their independence and possible conflicts of interest. 
There was also no established and documented direct reporting line for the DPO to the highest management level.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">In case you missed it<\/h4>\n\n\n\n<div class=\"wp-block-media-text is-stacked-on-mobile\" style=\"grid-template-columns:26% auto\"><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXds4ZU-pp_E5or7hVZoDSBQsb_iV7K95HUlSimpA4DYob99P4xBON3ilaup7jgprRlYlRx3xuL6ycjvYhKzBszPpOTVcIsn7MfKrYw0YceD8sU2O3YKowScsYg1knOOm7xj0og93A?key=yjBKmxzdY_6XcHO8RQDBrTOe\" alt=\"\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<p><\/p>\n\n\n\n<p><strong>Device code phishing: <\/strong>A recent Microsoft security blog post explains the technique behind device code phishing attacks targeting governments, NGOs, and a wide range of industries in multiple regions. In device code phishing, <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/02\/13\/storm-2372-conducts-device-code-phishing-campaign\/\">threat actors exploit the device code authentication flow to capture authentication tokens<\/a>, which they then use to access target accounts and to reach the data and other services that the compromised account has access to.<\/p>\n<\/div><\/div>\n\n\n\n<p>In one example, the phishing attack masquerades as Microsoft Teams meeting invitations delivered through email. When targets click the meeting invitation, they are prompted to authenticate using a threat actor-generated device code. The actor then receives the valid access token from the user interaction, stealing the authenticated session. 
Read more about <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/02\/13\/storm-2372-conducts-device-code-phishing-campaign\/\">queries to detect phishing attempts and email exfiltration attempts in the original article<\/a>.<\/p>\n\n\n\n<p><strong>\u2018Verify you are a human\u2019 malware deployment: <\/strong>The Krebs on Security blog describes another \u2018clever\u2019 malware deployment scheme first spotted in targeted attacks last year that has now gone mainstream. In this scam, dubbed \u201cClickFix,\u201d the <a href=\"https:\/\/krebsonsecurity.com\/\">visitor to a hacked or malicious website is asked to distinguish themselves from bots<\/a> by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware. ClickFix attacks mimic the \u201cVerify You are a Human\u201d pop-up tests that many websites use to separate real visitors from content-scraping bots.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>FRIA and DPIA: Before deploying a high-risk AI system, the organisations shall assess the impact that the use of such a system may have on fundamental rights, explains the Croatian data protection regulator AZOP. 
For this purpose, private and public entities shall carry out an assessment containing: If both a FRIA and a DPIA need [&hellip;]<\/p>\n","protected":false},"author":21,"featured_media":10470,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[94],"tags":[51,126,89,338,337,35],"class_list":["post-10461","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-data-protection-digest","tag-artificial-intelligence","tag-dpia","tag-dpo","tag-ehds","tag-fria","tag-gdpr"],"acf":[],"featured_image_urls":{"full":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/technology-7173625_1280-1.jpg",1280,720,false],"thumbnail":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/technology-7173625_1280-1-150x150.jpg",150,150,true],"medium":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/technology-7173625_1280-1-300x169.jpg",300,169,true],"medium_large":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/technology-7173625_1280-1-768x432.jpg",640,360,true],"large":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/technology-7173625_1280-1-1024x576.jpg",640,360,true],"1536x1536":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/technology-7173625_1280-1.jpg",1280,720,false],"2048x2048":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/technology-7173625_1280-1.jpg",1280,720,false],"image-200-200":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/technology-7173625_1280-1-200x200.jpg",200,200,true]},"post_excerpt_stackable":"<p>FRIA and DPIA: Before deploying a high-risk AI system, the organisations shall assess the impact that the use of such a system may have on fundamental rights, explains the Croatian data protection regulator AZOP. 
For this purpose, private and public entities shall carry out an assessment containing: a description of the implementing entity&#8217;s processes in which the high-risk AI system will be used for its intended purpose; a description of the period and frequency of intended use; the categories of natural persons and groups likely to be affected in the specific context; the specific risks of harm likely to affect&hellip;<\/p>\n","category_list":"<a href=\"https:\/\/techgdpr.com\/blog\/category\/data-protection-digest\/\" rel=\"category tag\">Data Protection Digest<\/a>","author_info":{"name":"Olya Vasylyk","url":"https:\/\/techgdpr.com\/blog\/author\/olyav\/"},"comments_num":"0 comments","featured_image_urls_v2":{"full":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/technology-7173625_1280-1.jpg",1280,720,false],"thumbnail":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/technology-7173625_1280-1-150x150.jpg",150,150,true],"medium":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/technology-7173625_1280-1-300x169.jpg",300,169,true],"medium_large":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/technology-7173625_1280-1-768x432.jpg",640,360,true],"large":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/technology-7173625_1280-1-1024x576.jpg",640,360,true],"1536x1536":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/technology-7173625_1280-1.jpg",1280,720,false],"2048x2048":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/technology-7173625_1280-1.jpg",1280,720,false],"image-200-200":["https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/technology-7173625_1280-1-200x200.jpg",200,200,true]},"post_excerpt_stackable_v2":"<p>FRIA and DPIA: Before deploying a high-risk AI system, the organisations shall assess the impact that the use of such a system may have on fundamental rights, explains the Croatian data protection regulator AZOP. 
For this purpose, private and public entities shall carry out an assessment containing: a description of the implementing entity&#8217;s processes in which the high-risk AI system will be used for its intended purpose; a description of the period and frequency of intended use; the categories of natural persons and groups likely to be affected in the specific context; the specific risks of harm likely to affect&hellip;<\/p>\n","category_list_v2":"<a href=\"https:\/\/techgdpr.com\/blog\/category\/data-protection-digest\/\" rel=\"category tag\">Data Protection Digest<\/a>","author_info_v2":{"name":"Olya Vasylyk","url":"https:\/\/techgdpr.com\/blog\/author\/olyav\/"},"comments_num_v2":"0 comments","yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Data protection digest 3-17 Mar 2025: Combining FRIA with DPIA is possible, but not once the development of an AI system has begun - TechGDPR<\/title>\n<meta name=\"description\" content=\"TechGDPR\u2019s data protection review: Combining FRIA with DPIA is possible, but not once the development of an AI system has begun.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/techgdpr.com\/blog\/data-protection-digest-19032025-combining-fria-with-dpia-is-possible-but-not-once-the-development-of-an-ai-system-has-begun\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Data protection digest 3-17 Mar 2025: Combining FRIA with DPIA is possible, but not once the development of an AI system has begun - TechGDPR\" \/>\n<meta property=\"og:description\" content=\"TechGDPR\u2019s data protection review: Combining FRIA with DPIA is possible, but not once the development of an AI system has begun.\" \/>\n<meta property=\"og:url\" 
content=\"https:\/\/techgdpr.com\/blog\/data-protection-digest-19032025-combining-fria-with-dpia-is-possible-but-not-once-the-development-of-an-ai-system-has-begun\/\" \/>\n<meta property=\"og:site_name\" content=\"TechGDPR\" \/>\n<meta property=\"article:published_time\" content=\"2025-03-19T09:27:22+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-03-19T12:26:42+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/technology-7173625_1280-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1280\" \/>\n\t<meta property=\"og:image:height\" content=\"720\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Olya Vasylyk\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@techgdpr\" \/>\n<meta name=\"twitter:site\" content=\"@techgdpr\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Olya Vasylyk\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-19032025-combining-fria-with-dpia-is-possible-but-not-once-the-development-of-an-ai-system-has-begun\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-19032025-combining-fria-with-dpia-is-possible-but-not-once-the-development-of-an-ai-system-has-begun\\\/\"},\"author\":{\"name\":\"Olya Vasylyk\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#\\\/schema\\\/person\\\/07e9c14fd01b25bd2c1907537e8547e8\"},\"headline\":\"Data protection digest 3-17 Mar 2025: Combining FRIA with DPIA is possible, but not once the development of an AI system has begun\",\"datePublished\":\"2025-03-19T09:27:22+00:00\",\"dateModified\":\"2025-03-19T12:26:42+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-19032025-combining-fria-with-dpia-is-possible-but-not-once-the-development-of-an-ai-system-has-begun\\\/\"},\"wordCount\":2342,\"publisher\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-19032025-combining-fria-with-dpia-is-possible-but-not-once-the-development-of-an-ai-system-has-begun\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/technology-7173625_1280-1.jpg\",\"keywords\":[\"Artificial Intelligence\",\"DPIA\",\"dpo\",\"EHDS\",\"FRIA\",\"GDPR\"],\"articleSection\":[\"Data Protection 
Digest\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-19032025-combining-fria-with-dpia-is-possible-but-not-once-the-development-of-an-ai-system-has-begun\\\/\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-19032025-combining-fria-with-dpia-is-possible-but-not-once-the-development-of-an-ai-system-has-begun\\\/\",\"name\":\"Data protection digest 3-17 Mar 2025: Combining FRIA with DPIA is possible, but not once the development of an AI system has begun - TechGDPR\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-19032025-combining-fria-with-dpia-is-possible-but-not-once-the-development-of-an-ai-system-has-begun\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-19032025-combining-fria-with-dpia-is-possible-but-not-once-the-development-of-an-ai-system-has-begun\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/technology-7173625_1280-1.jpg\",\"datePublished\":\"2025-03-19T09:27:22+00:00\",\"dateModified\":\"2025-03-19T12:26:42+00:00\",\"description\":\"TechGDPR\u2019s data protection review: Combining FRIA with DPIA is possible, but not once the development of an AI system has 
begun.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-19032025-combining-fria-with-dpia-is-possible-but-not-once-the-development-of-an-ai-system-has-begun\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-19032025-combining-fria-with-dpia-is-possible-but-not-once-the-development-of-an-ai-system-has-begun\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-19032025-combining-fria-with-dpia-is-possible-but-not-once-the-development-of-an-ai-system-has-begun\\\/#primaryimage\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/technology-7173625_1280-1.jpg\",\"contentUrl\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/technology-7173625_1280-1.jpg\",\"width\":1280,\"height\":720,\"caption\":\"FRIA\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/data-protection-digest-19032025-combining-fria-with-dpia-is-possible-but-not-once-the-development-of-an-ai-system-has-begun\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/techgdpr.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Data protection digest 3-17 Mar 2025: Combining FRIA with DPIA is possible, but not once the development of an AI system has 
begun\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#website\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/\",\"name\":\"TechGDPR\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/techgdpr.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#organization\",\"name\":\"TechGDPR\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/staging.techgdpr.com\\\/wp-content\\\/uploads\\\/2018\\\/04\\\/TGDPR_logo_500px.png\",\"contentUrl\":\"https:\\\/\\\/staging.techgdpr.com\\\/wp-content\\\/uploads\\\/2018\\\/04\\\/TGDPR_logo_500px.png\",\"width\":501,\"height\":334,\"caption\":\"TechGDPR\"},\"image\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/techgdpr\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/techgdpr\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#\\\/schema\\\/person\\\/07e9c14fd01b25bd2c1907537e8547e8\",\"name\":\"Olya Vasylyk\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2021\\\/10\\\/readyIMG_3694-1-2-150x150.jpg\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2021\\\/10\\\/readyIMG_3694-1-2-150x150.jpg\",\"contentUrl\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2021\\\/10\\\/readyIMG_3694-1-2-150x150.jpg\",\"caption\":\"Olya Vasylyk\"},\"description\":\"Creator and editor of TechGDPR\u2019s weekly Digest. 
Postgraduate masters Diploma in Data Protection, Digital law and Management. Over a decade Olga previously was a broadcast journalist in Ukraine and France specializing in international affairs.\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/author\\\/olyav\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Data protection digest 3-17 Mar 2025: Combining FRIA with DPIA is possible, but not once the development of an AI system has begun - TechGDPR","description":"TechGDPR\u2019s data protection review: Combining FRIA with DPIA is possible, but not once the development of an AI system has begun.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/techgdpr.com\/blog\/data-protection-digest-19032025-combining-fria-with-dpia-is-possible-but-not-once-the-development-of-an-ai-system-has-begun\/","og_locale":"en_US","og_type":"article","og_title":"Data protection digest 3-17 Mar 2025: Combining FRIA with DPIA is possible, but not once the development of an AI system has begun - TechGDPR","og_description":"TechGDPR\u2019s data protection review: Combining FRIA with DPIA is possible, but not once the development of an AI system has begun.","og_url":"https:\/\/techgdpr.com\/blog\/data-protection-digest-19032025-combining-fria-with-dpia-is-possible-but-not-once-the-development-of-an-ai-system-has-begun\/","og_site_name":"TechGDPR","article_published_time":"2025-03-19T09:27:22+00:00","article_modified_time":"2025-03-19T12:26:42+00:00","og_image":[{"width":1280,"height":720,"url":"https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/technology-7173625_1280-1.jpg","type":"image\/jpeg"}],"author":"Olya Vasylyk","twitter_card":"summary_large_image","twitter_creator":"@techgdpr","twitter_site":"@techgdpr","twitter_misc":{"Written by":"Olya Vasylyk","Est. 
reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-19032025-combining-fria-with-dpia-is-possible-but-not-once-the-development-of-an-ai-system-has-begun\/#article","isPartOf":{"@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-19032025-combining-fria-with-dpia-is-possible-but-not-once-the-development-of-an-ai-system-has-begun\/"},"author":{"name":"Olya Vasylyk","@id":"https:\/\/techgdpr.com\/#\/schema\/person\/07e9c14fd01b25bd2c1907537e8547e8"},"headline":"Data protection digest 3-17 Mar 2025: Combining FRIA with DPIA is possible, but not once the development of an AI system has begun","datePublished":"2025-03-19T09:27:22+00:00","dateModified":"2025-03-19T12:26:42+00:00","mainEntityOfPage":{"@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-19032025-combining-fria-with-dpia-is-possible-but-not-once-the-development-of-an-ai-system-has-begun\/"},"wordCount":2342,"publisher":{"@id":"https:\/\/techgdpr.com\/#organization"},"image":{"@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-19032025-combining-fria-with-dpia-is-possible-but-not-once-the-development-of-an-ai-system-has-begun\/#primaryimage"},"thumbnailUrl":"https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/technology-7173625_1280-1.jpg","keywords":["Artificial Intelligence","DPIA","dpo","EHDS","FRIA","GDPR"],"articleSection":["Data Protection Digest"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-19032025-combining-fria-with-dpia-is-possible-but-not-once-the-development-of-an-ai-system-has-begun\/","url":"https:\/\/techgdpr.com\/blog\/data-protection-digest-19032025-combining-fria-with-dpia-is-possible-but-not-once-the-development-of-an-ai-system-has-begun\/","name":"Data protection digest 3-17 Mar 2025: Combining FRIA with DPIA is possible, but not once the development of an AI system has begun - 
TechGDPR","isPartOf":{"@id":"https:\/\/techgdpr.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-19032025-combining-fria-with-dpia-is-possible-but-not-once-the-development-of-an-ai-system-has-begun\/#primaryimage"},"image":{"@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-19032025-combining-fria-with-dpia-is-possible-but-not-once-the-development-of-an-ai-system-has-begun\/#primaryimage"},"thumbnailUrl":"https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/technology-7173625_1280-1.jpg","datePublished":"2025-03-19T09:27:22+00:00","dateModified":"2025-03-19T12:26:42+00:00","description":"TechGDPR\u2019s data protection review: Combining FRIA with DPIA is possible, but not once the development of an AI system has begun.","breadcrumb":{"@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-19032025-combining-fria-with-dpia-is-possible-but-not-once-the-development-of-an-ai-system-has-begun\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/techgdpr.com\/blog\/data-protection-digest-19032025-combining-fria-with-dpia-is-possible-but-not-once-the-development-of-an-ai-system-has-begun\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-19032025-combining-fria-with-dpia-is-possible-but-not-once-the-development-of-an-ai-system-has-begun\/#primaryimage","url":"https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/technology-7173625_1280-1.jpg","contentUrl":"https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/03\/technology-7173625_1280-1.jpg","width":1280,"height":720,"caption":"FRIA"},{"@type":"BreadcrumbList","@id":"https:\/\/techgdpr.com\/blog\/data-protection-digest-19032025-combining-fria-with-dpia-is-possible-but-not-once-the-development-of-an-ai-system-has-begun\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/techgdpr.com\/"},{"@type":"ListItem","posit
ion":2,"name":"Data protection digest 3-17 Mar 2025: Combining FRIA with DPIA is possible, but not once the development of an AI system has begun"}]},{"@type":"WebSite","@id":"https:\/\/techgdpr.com\/#website","url":"https:\/\/techgdpr.com\/","name":"TechGDPR","description":"","publisher":{"@id":"https:\/\/techgdpr.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/techgdpr.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/techgdpr.com\/#organization","name":"TechGDPR","url":"https:\/\/techgdpr.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/techgdpr.com\/#\/schema\/logo\/image\/","url":"https:\/\/staging.techgdpr.com\/wp-content\/uploads\/2018\/04\/TGDPR_logo_500px.png","contentUrl":"https:\/\/staging.techgdpr.com\/wp-content\/uploads\/2018\/04\/TGDPR_logo_500px.png","width":501,"height":334,"caption":"TechGDPR"},"image":{"@id":"https:\/\/techgdpr.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/techgdpr","https:\/\/www.linkedin.com\/company\/techgdpr"]},{"@type":"Person","@id":"https:\/\/techgdpr.com\/#\/schema\/person\/07e9c14fd01b25bd2c1907537e8547e8","name":"Olya Vasylyk","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/techgdpr.com\/wp-content\/uploads\/2021\/10\/readyIMG_3694-1-2-150x150.jpg","url":"https:\/\/techgdpr.com\/wp-content\/uploads\/2021\/10\/readyIMG_3694-1-2-150x150.jpg","contentUrl":"https:\/\/techgdpr.com\/wp-content\/uploads\/2021\/10\/readyIMG_3694-1-2-150x150.jpg","caption":"Olya Vasylyk"},"description":"Creator and editor of TechGDPR\u2019s weekly Digest. Postgraduate masters Diploma in Data Protection, Digital law and Management. 
Over a decade Olga previously was a broadcast journalist in Ukraine and France specializing in international affairs.","url":"https:\/\/techgdpr.com\/blog\/author\/olyav\/"}]}},"_links":{"self":[{"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/posts\/10461","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/users\/21"}],"replies":[{"embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/comments?post=10461"}],"version-history":[{"count":18,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/posts\/10461\/revisions"}],"predecessor-version":[{"id":10482,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/posts\/10461\/revisions\/10482"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/media\/10470"}],"wp:attachment":[{"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/media?parent=10461"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/categories?post=10461"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/tags?post=10461"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}