- \n
- changing the definition of personal data<\/strong> to specify any entity that is reasonably likely to have the means to identify a person,<\/li>\n\n\n\n
- exempting certain biometric data and data used by AI<\/strong> from the restrictions on processing special categories of personal data,<\/li>\n\n\n\n
- clarifying on further processing of personal data in the public interest or for scientific research purposes<\/strong>, and<\/li>\n\n\n\n
- specifying that processing of personal data that is necessary for the interests of a controller in the development or operation of an AI system can be pursued for \u201dlegitimate interests\u201d<\/strong>.<\/li>\n<\/ul>\n\n\n\n
The Digital Omnibus would also exempt personal data processing from the cookie requirements under the ePrivacy Directive. Instead, it would amend the GDPR to maintain the consent requirement, while specifying that certain processing activities<\/a>, such as electronic communications transmissions, service provision, audience measurement solely for an online service provider, and maintaining or restoring security, would be considered lawful. Websites and apps would have to allow data subjects to consent through automated, machine-readable mechanisms<\/strong>; browser manufacturers must likewise enable users to grant or refuse consent.<\/p>\n\n\n\n
Finally, personal data breaches that are likely to result in a high risk to the rights and freedoms of natural persons would need to be reported to the single-entry point within 96 hours of becoming aware of them<\/a>. Similarly, there would be unified lists of processing activities that do or do not require a Data Protection Impact Assessment, and create a standard DPIA template and methodology.<\/strong><\/p>\n\n\n\n
Stay up to date! Sign up to receive our fortnightly digest via email. <\/mark><\/a>
<\/h4>\n\n\n\nGDPR enforcement<\/h4>\n\n\n\n
On 17 November, the Council of the EU adopted new rules to improve cooperation between national data protection bodies when they enforce the GDPR to speed up the process of handling cross-border data protection complaints<\/a>. Main elements of the new EU regulation include:<\/p>\n\n\n\n
- \n
- Admissibility: <\/strong>Regardless of where in the EU a complaint is filed, admissibility will be judged based on the same information\/conditions. <\/li>\n\n\n\n
- Rights of complainants and parties under investigation: <\/strong>Common rules will apply for the involvement of the complainant in the procedure, and the right to be heard for the company or organisation that is being investigated.<\/li>\n\n\n\n
- Simple cooperation procedure:<\/strong> For straightforward cases, data protection authorities can decide, to avoid administrative burden, to settle actions without resorting to the full set of cooperation rules.<\/li>\n\n\n\n
- Deadlines:<\/strong> In the future, an investigation should not take more than 15 months. For the most complex cases, this deadline can be extended by 12 months.<\/strong> In the case of a simple cooperation procedure between national data protection bodies, the investigation should be wrapped up within 12 months.<\/li>\n<\/ul>\n\n\n\n
The regulation will enter into force 20 days after its publication in the Official Journal of the EU. It will become applicable 15 months after it enters into force.<\/p>\n\n\n\n
More legal updates<\/h4>\n\n\n\n
![\"\"](\"https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/12\/image-3-1024x721.jpeg\")
<\/figure>\n<\/p>\n\n\n\n
The European Commission has launched a whistleblower tool for the AI Act<\/a><\/strong>. Whistleblowers can provide relevant information in any of the EU official languages and in any relevant format. The tool provides a secure means to report potential law violations that could compromise fundamental rights, health, or public trust. The highest level of confidentiality and data protection is guaranteed through certified encryption mechanisms. Anyone can access the AI Act Whistleblower Tool<\/a> and read more information about the tool<\/a> and the frequently asked questions<\/a>. <\/p>\n<\/div><\/div>\n\n\n\n
California privacy updates:<\/strong> California has enacted<\/a> a bill which amends the state\u2019s data breach notification law to establish strict new reporting timelines. Beginning January 1, 2026, businesses must notify affected California residents within 30 calendar days of discovering a security incident involving personal information<\/a>. For incidents affecting more than 500 residents, notice to the California Attorney General must be provided within 15 calendar days of the consumer notice. The amendment allows limited exceptions for law enforcement needs or when necessary to determine the scope of the incident and restore system integrity, JD Supra lawblog reports. <\/p>\n\n\n\n
In parallel, starting Jan. 1st, 2027, California will prohibit a business from developing or maintaining a browser, as defined, that does not include functionality configurable by a consumer that enables the browser to send an opt-out preference signal<\/a> to businesses with which the consumer interacts through the browser. The bill would require a business that develops or maintains a browser to make clear to a consumer in its public disclosures how the opt-out preference signal works and the intended effect. The bill would grant a business that develops or maintains a browser that includes this functionality immunity from liability for a violation of those provisions by a business that receives the opt-out preference signal. <\/p>\n\n\n\n
Child data protection in the EU<\/strong><\/h4>\n\n\n\n
<\/strong>On 26 November, the European Parliament adopted a resolution on the protection of minors online<\/a> as part of an own-initiative procedure on the topic. The resolution calls, among other things, for the implementation of an EU-wide harmonised digital minimum age of 16 for accessing social media, video-sharing platforms and AI companions without parental consent<\/a>, with 13 as the minimum age for any social media use by children, even with parental consent. <\/p>\n\n\n\n
In parallel, the German Data Protection Conference, DSK, adopted a resolution calling for amendments to the GDPR to strengthen protections for children. It proposes a ban on children\u2019s consent for profiling and advertising, limits on children\u2019s ability to consent<\/a> to special-category data processing, and clearer rights for children to access counselling and medical services privately. It also focuses on a prohibition on children consenting to automated decisions, attention to children in breach notifications, data protection by design and default, and consideration of children\u2019s risks in data protection impact assessments, digitalpolicyalert.org sums up. <\/p>\n\n\n\n
Cloud computing<\/strong><\/h4>\n\n\n\n
The European Commission has published non-binding Model Contractual Terms for data access and use and Standard Contractual Clauses for cloud computing contracts<\/a>. They have been developed to help parties, especially SMEs, implement the provisions of the Data Act<\/a>. Their use is voluntary and open to users\u2019 possible amendments. Although they were mainly drafted for business-to-business contracts, they can also be used in relations between businesses and consumers, if relevant consumer protection rules are added. <\/p>\n\n\n\n
Three sets of Model Contractual Terms (MCTs) were drafted to cover the relationships where data sharing is mandatory, between data holders, users and data recipients of data generated when using connected products. Plus, proposed Standard Contractual Clauses (SCCs) translate the provisions of \u2018cloud switching\u2019 into ready-to-use contractual terms that can be inserted in data processing contracts<\/a>:<\/p>\n\n\n\n
- \n
- SCC Switching & Exit<\/li>\n\n\n\n
- SCC Termination <\/li>\n\n\n\n
- SCC Security & Business continuity (including provider notification of significant incidents).<\/li>\n<\/ul>\n\n\n\n
Email security<\/strong><\/h4>\n\n\n\n
The German Federal Office for Information Security, BSI, has published a White paper on requirements for the protection, transparency, and user-friendliness of webmails that systematically and future-orientedly increase consumer security<\/a>. The paper considers not only technical security functions, but also usability, transparency and trust as essential components of digital sovereignty. A fundamental part of e-mail security currently still rests on the shoulders of users<\/strong>. They should be familiar with two-factor authentication, passkey and encryption. The BSI sees responsibility primarily with the providers: they must provide effective procedures regarding authentication, encryption, spam protection and account recovery that work without major user intervention.<\/p>\n\n\n\n
Data Act implementation<\/strong><\/h4>\n\n\n\n
![\"Digital](\"https:\/\/techgdpr.com\/wp-content\/uploads\/2025\/12\/image-1024x576.png\")
<\/figure>\n<\/p>\n\n\n\n
The Data Act has been in effect since September 2025. This new European regulation is intended to give consumers within the EU more control over the use of their data. For instance, a car owner will have the right to access the data their car collects. If repairs are needed, they can share the data with a garage of their choice, explains the Dutch data protection agency AP, which will jointly oversee the implementation process at a national level, starting from 21 November. <\/p>\n<\/div><\/div>\n\n\n\n
The Data Act and the implementing laws do not override the rules of the GDPR. In the event of conflicting rules, the GDPR takes precedence<\/a>. This means that any data sharing involving personal data must comply with the GDPR, stresses the regulator. <\/p>\n\n\n\n
More from supervisory authorities<\/h4>\n\n\n\n
Market research data processing:<\/strong> In Poland, the data protection regulator UODO approved the “Code of Conduct on the Processing of Personal Data by Private Research Agencies”. The reason for the development of the code was numerous discrepancies in the processing of the personal data of research participants<\/a>. As a result, in the case of identical surveys, their participants, depending on the entity conducting the study, could receive divergent information, for instance, on the legal basis for the processing of personal data. Information obligations were also fulfilled differently. The Code also provides guidance to help carry out a risk assessment or, where justified, a data protection impact assessment.<\/p>\n\n\n\n
It is worth noting that the code obliges all entities that join it to appoint a Data Protection Officer (DPO)<\/strong>. <\/p>\n\n\n\n
Sound recording and CCTV: <\/strong>Organisations often choose to conduct video surveillance with sound recording. Sometimes, they also do not disable the camera manufacturer’s default audio function. As a result, the additional risks posed not only by image capture, but also by sound recording are not sufficiently assessed. In addition, the processing of personal data related to it is not always carried out legally: recording sound and image are two different data processing operations, so both audio and video require different legal bases<\/a>. <\/p>\n\n\n\n
The processing of personal data by performing video surveillance with audio recording is not justified in most cases. There are rare situations where it is legal and permissible, mainly when it is associated with an increased risk to the essential interests of the organisation or society. Often, the legal basis for such processing can be found in the special regulatory framework applicable to a particular industry in which the organisation operates.<\/p>\n\n\n
- Rights of complainants and parties under investigation: <\/strong>Common rules will apply for the involvement of the complainant in the procedure, and the right to be heard for the company or organisation that is being investigated.<\/li>\n\n\n\n
- exempting certain biometric data and data used by AI<\/strong> from the restrictions on processing special categories of personal data,<\/li>\n\n\n\n