{"id":11232,"date":"2025-10-20T12:12:00","date_gmt":"2025-10-20T10:12:00","guid":{"rendered":"https:\/\/s8.tgin.eu\/?p=11232"},"modified":"2025-10-20T12:12:01","modified_gmt":"2025-10-20T10:12:01","slug":"data-protection-digest-20102025-transparency-the-gdprs-2026-enforcement-goal-and-the-experian-case-as-a-model-not-to-follow","status":"publish","type":"post","link":"https:\/\/techgdpr.com\/blog\/data-protection-digest-20102025-transparency-the-gdprs-2026-enforcement-goal-and-the-experian-case-as-a-model-not-to-follow\/","title":{"rendered":"Data protection digest 4-18 Oct 2025: Transparency the GDPR’s 2026 enforcement goal, and the Experian case as a model NOT to follow"},"content":{"rendered":"\n

Transparency and information obligation<\/strong> under GDPR<\/h4>\n\n\n\n
\"\"<\/figure>
\n

<\/p>\n\n\n\n

The European Data Protection Board (EDPB) announced the topic for Coordinated Enforcement Action 2026 on transparency and information obligations<\/a>. Articles 12, 13, and 14 of the GDPR require that individuals be informed when their personal data is processed, ensuring transparency and enabling greater control over personal information. Participating data protection authorities will join this action voluntarily in the coming weeks, with enforcement activities scheduled to launch during 2026. <\/p>\n<\/div><\/div>\n\n\n\n

Experian credit checks fine<\/strong><\/h4>\n\n\n\n

As the background example of the above transparency obligations, the Dutch data protection authority AP last week imposed a 2.7 million euro fine on Experian Nederland. Experian provided credit ratings on individuals to its customers until 2025. The company collected data on factors such as negative payment behavior, outstanding debts, and bankruptcies. The AP found that Experian violated the GDPR by improperly using personal data, and failed to adequately inform individuals about this.<\/p>\n\n\n\n

Experian created credit reports on individuals at the request of clients such as telecom companies, online retailers, and landlords. People started contacting the AP after they could no longer pay installments or because they suddenly had to pay a high deposit when switching energy suppliers<\/a>. Only afterward did it become clear that this could be due to Experian’s credit scores. Because people weren’t aware of the credit check, they couldn’t check in time whether the information was accurate. Experian collected data about people from various sources, both public and private, and failed to adequately explain why this data collection was necessary.<\/p>\n\n\n\n

Experian acknowledged violating the law and will not appeal the fine. It has ceased operations in the Netherlands and will delete the database containing all personal data.<\/p>\n\n\n\n

Stay up to date! Sign up to receive our fortnightly digest via email.<\/mark><\/a><\/h6>\n\n\n\n

More legal updates<\/h4>\n\n\n\n

DMA and GDPR: <\/strong>The EDPB and the European Commission endorsed <\/a>joint guidelines on the interplay between the Digital Markets Act (DMA) and the GDPR<\/a>. The DMA and the GDPR both protect individuals in the digital landscape, but their goals are complementary as they address interconnected challenges: individual rights and privacy in the case of the GDPR and fairness and contestability of digital markets under the DMA. However, several activities regulated by the DMA entail the processing of personal data by gatekeepers and refer to definitions and concepts included in the GDPR (eg, on how to lawfully combine or cross-use personal data in core platform services). <\/p>\n\n\n\n

Italy’s new AI law: <\/strong>On 10 October, the Italian law on Provisions and Delegation to Government on Artificial Intelligence, including an age verification requirement, entered into force<\/a>. It is the first comprehensive legislation adopted by an individual EU member state on research, testing, development, adoption, and application of AI systems and models, with a human-centric approach. The government has appointed the Agency for Digital Italy and the National Cybersecurity Agency to enforce the legislation, which received its final approval in the parliament after a year of debate. The enforcement measure imposes even prison terms on those who manipulate technology to cause harm<\/a>, such as generating deepfakes. <\/p>\n\n\n\n

US Bulk Data: <\/strong>The US Department of Justice\u2019s Sensitive Data Bulk Transfer Rule<\/a> is in effect as of October 6, JD Supra law blog reports. This means if your organisation transfers US sensitive data (from demographic data to cookie data) that hits the bulk thresholds, you need to develop and implement a compliance program, either a stand-alone program or as part of the compliance program (through due diligence and audit procedures). <\/p>\n\n\n\n

Electronic patient files<\/strong><\/h4>\n\n\n\n
\"\"<\/figure>
\n

<\/p>\n\n\n\n

In Germany, the electronic patient record (ePA) for everyone has been tested in model regions since January 2025. Since 29 April, it has been available for use nationwide by practices, hospitals, and pharmacies, among others. As of 1 October, it is generally mandatory for practices and other medical facilities to fill out the records<\/a>. At the same time, the information (eg, on ongoing or further treatment) can only be included in the ePA for everyone if the insured person has not fundamentally objected to this with their health insurance provider.<\/p>\n<\/div><\/div>\n\n\n\n

Finally, special consent requirements apply to information from genetic testing for diagnostic purposes, as well as on children and adolescent records.<\/p>\n\n\n\n

California privacy updates<\/strong><\/h4>\n\n\n\n

At the end of September, California finalised regulations to strengthen consumer privacy that go into effect on 1 January, 2026. However, there is additional time for businesses to comply with some of the new requirements, namely cybersecurity audits, risk assessments, and requirements for automated decision-making technologies<\/a>, as well as updates to existing CCPA regulations. The final regulations and supporting materials will be posted on the regulator’s website<\/a> as soon as they are processed.<\/p>\n\n\n\n

ISO\/IEC 27701<\/strong><\/h4>\n\n\n\n

On 14 October, ISO released ISO\/IEC 27701:2025, the latest version of the global Privacy Information Management System (PIMS) standard<\/a>. For the first time, ISO\/IEC 27701 is now a standalone standard, no longer just an extension of ISO\/IEC 27001. The standard is designed for personally identifiable information (PII) controllers and processors, who hold responsibility and accountability for processing PII to:<\/p>\n\n\n\n