Until now, Danish practice has been that claims for compensation without financial loss must be assessed according to the provisions of the Danish Civil Liability Act. The court has generally required a qualified damage effect. The decision from August could, if upheld by the Supreme Court, be a new breakthrough in Danish law and possibly the European law. The compensation of 335 is a small amount, but if thousands of citizens choose to file a lawsuit in connection with the same breach \u2013 for example via a class action \u2013 the consequences for companies and authorities could be extensive. <\/p>\n\n\n\n
Stay up to date! Sign up to receive our fortnightly digest via email.<\/a><\/mark><\/h4>\n\n\n\nEU-US data transfers and immigration control<\/strong><\/h4>\n\n\n\n![\"\"](\"https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/10\/image-3-1024x682.png\")
<\/figure>\n<\/p>\n\n\n\n
On 17 September, the European Data Protection Supervisor (EDPS) issued an Opinion on a framework agreement between the EU and the US on the exchange of information for security screenings<\/a> and identity verifications. Individual Member States would be empowered to sign bilateral agreements for the exchange of data from their national systems. It would be the first agreement concluded by the EU to entail the large-scale sharing of personal data, including biometric data (fingerprints), for border and immigration control purposes with a third country. <\/p>\n<\/div><\/div>\n\n\n\nMore legal updates<\/h4>\n\n\n\n
Data transfers for medical research: <\/strong>The German Data Protection Conference (DSK) adopted a paper on data transfers to third countries for scientific research in the medical sector. The admissibility of transferring personal data to third countries under data protection law cannot be assessed in general terms, but only on a case-by-case basis, as numerous circumstances play a role in the assessment. This also applies to scientific research for medical purposes. It must always be examined whether the data subjects have been adequately informed about the (intended) transfer in accordance with the GDPR. In scientific research for medical purposes, broad consent is an established legal basis for data processing. Since there may be special interactions between Broad Consent and the basis for transfer under the GDPR<\/a>, these are explained in detail in the DSK paper (in German). <\/p>\n\n\n\nThe European Innovation Act:<\/strong> The European Commission concluded its consultation and evidence-gathering for an impact assessment to assist in the creation of the European Innovation Act. The Commission seeks information on ways to overcome obstacles that innovative entities encounter, including fragmented regulations, restricted access to infrastructure and funding<\/a>, underutilised innovation procurement, and inadequate commercialisation of findings from publicly funded research and innovation. The Act aims to create sector-wide horizontal conditions as opposed to sector-specific programs. <\/p>\n\n\n\nPolitical online targeting ban in the EU: <\/strong>Political parties will soon be prohibited from targeting voters online<\/a> with political advertisements. A new European regulation on the Transparency and Targeting of Political Advertising (TTPA) will take effect on 10 October. It aims to prevent voters from being secretly influenced during election campaigns and to undermine trust in fair elections, which can involve the processing of personal data. <\/p>\n\n\n\nLinkedIn AI training<\/strong><\/h4>\n\n\n\n![\"\"](\"https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/10\/image-1024x731.png\")
<\/figure>\n<\/p>\n\n\n\n
Users who do not want LinkedIn to use their data to train AI models must disable this before 3 November. The European data protection authorities are urging people to do so. This data includes profile information and public content shared in the past. Once this data is in LinkedIn’s AI systems, it will be impossible to retrieve, and users will lose control over their data. All LinkedIn users’ data will automatically be used for AI training unless the setting is actively disabled. <\/p>\n<\/div><\/div>\n\n\n\n
Anyone who does not want personal data used for LinkedIn AI training must opt \u200b\u200bout before 3 November via this link<\/a> or in the app under “Settings & Privacy > Data Privacy >Data for Generative AI Improvement” and disable the switch.<\/a><\/p>\n\n\n\nVehicle data in the era of the Data Act<\/strong><\/h4>\n\n\n\nOn 12 September, the European Commission published the \u201cGuidance on Vehicle Data, accompanying the Data Act.\u201d<\/a> The document defines the categories of data falling within the scope of he regulation and outlines the access rights granted to users and to third parties designated by them. It clarifies, first of all, that a vehicle qualifies as a \u201cconnected product\u201d when it meets two cumulative requirements: it must generate or collect data concerning its use or its surrounding environment, and it must have the ability to communicate such data via an electronic communications service<\/a>. <\/p>\n\n\n\nMore from supervisory authorities<\/h4>\n\n\n\n
‘Neighbour’s camera’ a major annoyance: <\/strong>The Dutch data protection uthority (DPA) is receiving a growing number of complaints from people concerned about their privacy due to their neighbours’ doorbells or security cameras. The regulator wants to prevent the improper use of doorbell cameras as much as possible. Therefore, the DPA is urging manufacturers to configure doorbell cameras to be privacy-friendly by default<\/a>. It also wants to raise consumer awareness, for example, by providing information about what is and isn’t permitted. <\/p>\n\n\n\nAI risks in the health profession: <\/strong>A bill sponsored by the California Medical Association (CMA) that addresses dangers associated with the use of AI in health care has passed out of the Legislature and is headed for the Governor\u2019s signature. It prohibits AI systems from being misrepresented as licensed medical professionals and provides California\u2019s state health profession boards with the authority to enforce title protections for health care workers, ensure that new technologies in health care are deployed in ways that protect patient safety, preserve trust, and support the physician-patient relationship<\/a>. <\/p>\n\n\n\nMedical records: <\/strong>The Swiss FDPIC has published a factsheet on the forms that are given to patients to sign when they go to the doctor. It takes account of the various opinions expressed on the subject and aims to clarify a number of issues raised by these forms: a) the distinction between the duty to provide information on data collection and the issue of patient consent to data processing; b) secure data communication; c) the question of proportionality, regarding what data a patient can legitimately be asked to provide. The document is available in English<\/a>.<\/p>\n\n\n\nDigital communication and minors<\/strong><\/h4>\n\n\n\n![\"\"](\"https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/10\/image-1-1024x683.png\")
<\/figure>\n<\/p>\n\n\n\n
In France, the regulatory authority for audiovisual and digital communication (Arcom) released the results of its study on online risks for minors, digitalpolicyalert.org reports. Over four out of five children use at least one extremely major internet platform on a daily basis<\/a>, according to the study. 42 per cent of minors use social networks before the age of 13 by lying about their age, and the average age of initial use is 12 years old. <\/p>\n<\/div><\/div>\n\n\n\nAccording to the study, 83 per cent of children are regularly exposed to at least one of the six risks: harmful or shocking content, cyberbullying, dangerous challenges, malicious adult contact, and online scams. <\/p>\n\n\n\n
E-health data security<\/strong><\/h4>\n\n\n\nThe European Union Agency for Cybersecurity (ENISA) has published a good practice guide to support entities of the health sector<\/a> in strengthening their digital security. The health sector is classified among those in the risk zone, highlighting a significant gap between its cybersecurity maturity and its critical importance: medical systems and data have become growing targets of cybercrime, with ransomware and phishing campaigns on the rise. These actionable practices are designed to be simple to implement and enhance the preparedness and security of all types of health entities, from hospitals and service providers to individual medical specialists. The recommendations cover areas such as systems and network protection, safeguarding devices and patient data, addressing challenges in the ICT supply chain. <\/p>\n\n\n\nReporting AI incidents<\/strong><\/h4>\n\n\n\nThe European <\/strong>Commission <\/strong>has issued draft guidance and a reporting template on serious AI incidents.<\/a> Under the EU AI Act, providers of high-risk AI systems will be required to report serious incidents to national authorities. This new obligation, set out in Art. 73, aims to detect risks early, ensure accountability, enable quick action, and build public trust in AI technologies. While the rules will only become applicable from August 2026, you can already download the draft guidance and reporting template below. Both these documents will help providers to prepare. The draft guidance clarifies definitions, offers practical examples, and explains how the new rules relate to other legal obligations. <\/p>\n\n\n
<\/figure><\/p>\n\n\n\n
On 17 September, the European Data Protection Supervisor (EDPS) issued an Opinion on a framework agreement between the EU and the US on the exchange of information for security screenings<\/a> and identity verifications. Individual Member States would be empowered to sign bilateral agreements for the exchange of data from their national systems. It would be the first agreement concluded by the EU to entail the large-scale sharing of personal data, including biometric data (fingerprints), for border and immigration control purposes with a third country. <\/p>\n<\/div><\/div>\n\n\n\n Data transfers for medical research: <\/strong>The German Data Protection Conference (DSK) adopted a paper on data transfers to third countries for scientific research in the medical sector. The admissibility of transferring personal data to third countries under data protection law cannot be assessed in general terms, but only on a case-by-case basis, as numerous circumstances play a role in the assessment. This also applies to scientific research for medical purposes. It must always be examined whether the data subjects have been adequately informed about the (intended) transfer in accordance with the GDPR. In scientific research for medical purposes, broad consent is an established legal basis for data processing. Since there may be special interactions between Broad Consent and the basis for transfer under the GDPR<\/a>, these are explained in detail in the DSK paper (in German). <\/p>\n\n\n\n The European Innovation Act:<\/strong> The European Commission concluded its consultation and evidence-gathering for an impact assessment to assist in the creation of the European Innovation Act. The Commission seeks information on ways to overcome obstacles that innovative entities encounter, including fragmented regulations, restricted access to infrastructure and funding<\/a>, underutilised innovation procurement, and inadequate commercialisation of findings from publicly funded research and innovation. The Act aims to create sector-wide horizontal conditions as opposed to sector-specific programs. <\/p>\n\n\n\n Political online targeting ban in the EU: <\/strong>Political parties will soon be prohibited from targeting voters online<\/a> with political advertisements. A new European regulation on the Transparency and Targeting of Political Advertising (TTPA) will take effect on 10 October. It aims to prevent voters from being secretly influenced during election campaigns and to undermine trust in fair elections, which can involve the processing of personal data. <\/p>\n\n\n\n <\/p>\n\n\n\n Users who do not want LinkedIn to use their data to train AI models must disable this before 3 November. The European data protection authorities are urging people to do so. This data includes profile information and public content shared in the past. Once this data is in LinkedIn’s AI systems, it will be impossible to retrieve, and users will lose control over their data. All LinkedIn users’ data will automatically be used for AI training unless the setting is actively disabled. <\/p>\n<\/div><\/div>\n\n\n\n Anyone who does not want personal data used for LinkedIn AI training must opt \u200b\u200bout before 3 November via this link<\/a> or in the app under “Settings & Privacy > Data Privacy >Data for Generative AI Improvement” and disable the switch.<\/a><\/p>\n\n\n\n On 12 September, the European Commission published the \u201cGuidance on Vehicle Data, accompanying the Data Act.\u201d<\/a> The document defines the categories of data falling within the scope of he regulation and outlines the access rights granted to users and to third parties designated by them. It clarifies, first of all, that a vehicle qualifies as a \u201cconnected product\u201d when it meets two cumulative requirements: it must generate or collect data concerning its use or its surrounding environment, and it must have the ability to communicate such data via an electronic communications service<\/a>. <\/p>\n\n\n\n ‘Neighbour’s camera’ a major annoyance: <\/strong>The Dutch data protection uthority (DPA) is receiving a growing number of complaints from people concerned about their privacy due to their neighbours’ doorbells or security cameras. The regulator wants to prevent the improper use of doorbell cameras as much as possible. Therefore, the DPA is urging manufacturers to configure doorbell cameras to be privacy-friendly by default<\/a>. It also wants to raise consumer awareness, for example, by providing information about what is and isn’t permitted. <\/p>\n\n\n\n AI risks in the health profession: <\/strong>A bill sponsored by the California Medical Association (CMA) that addresses dangers associated with the use of AI in health care has passed out of the Legislature and is headed for the Governor\u2019s signature. It prohibits AI systems from being misrepresented as licensed medical professionals and provides California\u2019s state health profession boards with the authority to enforce title protections for health care workers, ensure that new technologies in health care are deployed in ways that protect patient safety, preserve trust, and support the physician-patient relationship<\/a>. <\/p>\n\n\n\n Medical records: <\/strong>The Swiss FDPIC has published a factsheet on the forms that are given to patients to sign when they go to the doctor. It takes account of the various opinions expressed on the subject and aims to clarify a number of issues raised by these forms: a) the distinction between the duty to provide information on data collection and the issue of patient consent to data processing; b) secure data communication; c) the question of proportionality, regarding what data a patient can legitimately be asked to provide. The document is available in English<\/a>.<\/p>\n\n\n\n <\/p>\n\n\n\n In France, the regulatory authority for audiovisual and digital communication (Arcom) released the results of its study on online risks for minors, digitalpolicyalert.org reports. Over four out of five children use at least one extremely major internet platform on a daily basis<\/a>, according to the study. 42 per cent of minors use social networks before the age of 13 by lying about their age, and the average age of initial use is 12 years old. <\/p>\n<\/div><\/div>\n\n\n\n According to the study, 83 per cent of children are regularly exposed to at least one of the six risks: harmful or shocking content, cyberbullying, dangerous challenges, malicious adult contact, and online scams. <\/p>\n\n\n\n The European Union Agency for Cybersecurity (ENISA) has published a good practice guide to support entities of the health sector<\/a> in strengthening their digital security. The health sector is classified among those in the risk zone, highlighting a significant gap between its cybersecurity maturity and its critical importance: medical systems and data have become growing targets of cybercrime, with ransomware and phishing campaigns on the rise. These actionable practices are designed to be simple to implement and enhance the preparedness and security of all types of health entities, from hospitals and service providers to individual medical specialists. The recommendations cover areas such as systems and network protection, safeguarding devices and patient data, addressing challenges in the ICT supply chain. <\/p>\n\n\n\n The European <\/strong>Commission <\/strong>has issued draft guidance and a reporting template on serious AI incidents.<\/a> Under the EU AI Act, providers of high-risk AI systems will be required to report serious incidents to national authorities. This new obligation, set out in Art. 73, aims to detect risks early, ensure accountability, enable quick action, and build public trust in AI technologies. While the rules will only become applicable from August 2026, you can already download the draft guidance and reporting template below. Both these documents will help providers to prepare. The draft guidance clarifies definitions, offers practical examples, and explains how the new rules relate to other legal obligations. <\/p>\n\n\nMore legal updates<\/h4>\n\n\n\n
LinkedIn AI training<\/strong><\/h4>\n\n\n\n
<\/figure>Vehicle data in the era of the Data Act<\/strong><\/h4>\n\n\n\n
More from supervisory authorities<\/h4>\n\n\n\n
Digital communication and minors<\/strong><\/h4>\n\n\n\n
<\/figure>E-health data security<\/strong><\/h4>\n\n\n\n
Reporting AI incidents<\/strong><\/h4>\n\n\n\n