Stay up to date! Sign up to receive our fortnightly digest via email.<\/mark><\/a><\/h4>\n\n\n\nReportedly, the app is ‘completely anonymous’, works on any device, and is fully open source. Cyber and privacy experts, however, immediately examined the source code<\/a> on the GitHub software platform and reported several issues with the app’s design, including low cybersecurity standards and the possibility of bypassing the app\u2019s biometric authentication<\/a> features.<\/p>\n\n\n\nUnjustified parking fines through automated means<\/h4>\n\n\n\n![\"\"](\"https:\/\/techgdpr.com\/wp-content\/uploads\/2026\/04\/hans-park-6092-1024x768.jpg\")
<\/figure>\n<\/p>\n\n\n\n
The deployment of scanning vehicles to check parked cars has resulted in an estimated 500,000 unjustified fines<\/a>. This is evident from a new thematic study by the Dutch Data Protection Authority AP. Municipalities carry out an estimated 250 to 375 million scans yearly. This results in 3 to 5 million parking fines per year.\u00a0 According to calculations, more than 10 per cent of these are unjustified. People who object to the fine are successful in 40 to 62 per cent of cases.\u00a0<\/p>\n<\/div><\/div>\n\n\n\nA scanning vehicle only takes a snapshot, and the algorithms in the monitoring system do not see the circumstances.<\/strong> As a result, a scanning vehicle cannot, for example, determine that someone is loading or unloading. In such a situation, an exception may apply. The disabled parking permit, which is not registered to the license plate by default and is placed behind the windshield, is also not ‘seen’ by the scanning vehicle. If payment has not been made, the systems are unforgiving, and a fine follows automatically. <\/p>\n\n\n\nOther legal updates<\/h4>\n\n\n\n
Alabama comprehensive privacy law: <\/strong>The Alabama Personal Data Protection Act (APDPA) was enacted on April 16<\/a>. It includes one of the lowest applicability thresholds for businesses in the US that: <\/p>\n\n\n\n\n- handle personal data of more than 25,000 consumers (excluding data processed solely for completing a payment transaction), or\u00a0<\/li>\n\n\n\n
- derive more than 25% of gross revenue from selling personal data.\u00a0<\/li>\n<\/ul>\n\n\n\n
From 1 May 2027, it will empower a consumer to confirm whether a controller is processing any of the consumer\u2019s personal data, correct inaccuracies, delete, obtain a copy, and opt out of the processing of their data. Controllers will be required to respond to consumer requests within 45 days, with a possible 45-day extension, and provide a secure and reliable method for consumers to exercise their rights; the analysis from vitallaw.com<\/a> sums up. <\/p>\n\n\n\nScientific research in the EU: <\/strong> The EDPB has, in the meantime, adopted Guidelines on processing of personal data for scientific research purposes<\/a>. Many areas of scientific research rely on the processing of individuals\u2019 personal data. In the guidelines, the EU data protection regulator provides clarifications on the:<\/p>\n\n\n\n\n- concept of \u2018scientific research\u2019\u00a0\u00a0<\/li>\n\n\n\n
- further processing for scientific research purposes\u00a0\u00a0<\/li>\n\n\n\n
- reliance on \u201cbroad consent\u201d where the purposes of research are not fully known\u00a0<\/li>\n\n\n\n
- rights of individuals to erasure and objection when their personal data are processed for scientific purposes\u00a0<\/li>\n\n\n\n
- qualifications of data controller, joint controllers or processors.<\/li>\n<\/ul>\n\n\n\n
The guidelines will be subject to public consultation<\/a> until 25 June. <\/p>\n\n\n\nDPIA template<\/h4>\n\n\n\n
The EDPB has also adopted a template for Data Protection Impact Assessments (DPIA)<\/a>. The template will help organisations structure, harmonise and substantiate their DPIA reporting processes. The template is complemented by an explainer document<\/a> providing concise explanations for completing this template effectively, by breaking down key concepts in a simple language and addressing possible questions and knowledge gaps controllers might have.<\/p>\n\n\n\nControllers can conduct their risk analysis and management processes as they prefer, using the DPIA methodology of their choice. A DPIA<\/a> is a process required in situations where the processing is likely to result in a high risk, to describe how personal data will be processed, assess whether the processing is necessary and appropriate, and identify and reduce risks to individuals\u2019 rights and freedoms<\/strong>.\u00a0<\/p>\n\n\n\nFrontier AI systems<\/h4>\n\n\n\n![\"age](\"https:\/\/techgdpr.com\/wp-content\/uploads\/2026\/04\/image-2-1024x702.png\")
<\/figure>\n<\/p>\n\n\n\n
According to the Guardian, British banks will be given access in the next week to Antropic\u2019s latest AI tool, highly skilled at cyber-security and hacking tasks<\/a>, that was deemed too dangerous to be released to the public. Advances in the Claude Mythos model capabilities have come with concerns about hackers using such tools to figure out passwords or crack encryption meant to keep data safe<\/strong>. <\/p>\n<\/div><\/div>\n\n\n\n<\/p>\n\n\n\n
Anthropic, which has so far limited the release<\/a> of the new model to a small clutch of primarily US businesses, including Amazon, Apple and Microsoft, said it would expand that to UK financial institutions. UK regulators are due to raise the issue of Mythos\u2019s risks with bank bosses and government officials in the coming weeks.\u00a0<\/p>\n\n\n\nAccording to the presented results, Mythos can detect vulnerabilities faster and link them into complete exploits and attack chains<\/a>. This can strengthen defences, but can also accelerate digital attacks. Defenders can deploy AI to detect vulnerabilities earlier and remedy them faster. But attackers with access to similar models will scale up investigation, identification, and exploitation as well. To that end, the Dutch National Cyber \u200b\u200bSecurity Centre suggests practical steps to adopt: <\/p>\n\n\n\n\n- Explicitly incorporate AI developments into your security measures, particularly patch management; <\/strong>delaying action by days or weeks no longer fits the current threat landscape.<\/li>\n\n\n\n
- Anticipate attacks that occur faster, more automatically, and in larger numbers, for example, in the detection of anomalous behaviour in networks<\/strong>.<\/li>\n\n\n\n
- Maintain solid basic security <\/strong>and supplement it with appropriate additional measures, as attackers already use AI to improve and automate existing techniques.\u00a0\u00a0<\/li>\n<\/ul>\n\n\n\n
More official guidance<\/h4>\n\n\n\n
Secure database configurations: <\/strong>The German Federal Office for Information Security (BSI) has published a collection of secure configurations for database systems<\/a>. It provides recommendations for optimally configuring encryption, authentication, authorisation, and other security-relevant aspects<\/strong>. It serves as a template for securely operating the database management systems MariaDB, MongoDB, and Weaviate. The repository is continuously being developed and will be expanded to include support for other database management systems.<\/p>\n\n\n\n![\"\"](\"https:\/\/techgdpr.com\/wp-content\/uploads\/2026\/04\/image-2-1024x654.jpeg\")
<\/figure>\n<\/p>\n\n\n\n
Healthcare institutions’ data security audit:<\/strong> The Lithuanian State Data Protection Inspectorate VDAI carried out 10 scheduled audits of the security measures of healthcare institutions. Security checks related to access control, backup management, and event log management were assessed<\/a>. As a result, several areas for improvement were identified:<\/p>\n<\/div><\/div>\n\n\n\n\n- Only 11% of institutions use multi-factor authentication (MFA).<\/li>\n\n\n\n
- Only 56 % of institutions centrally store and encrypt log entries.<\/li>\n\n\n\n
- 67% of institutions have implemented automated alerts for suspicious events.<\/li>\n\n\n\n
- 78 % of institutions have a log entry management policy and review it regularly.<\/li>\n\n\n\n
- 78% of institutions document backup and recovery procedures.<\/li>\n<\/ul>\n\n\n\n
Pixel tracking: <\/strong>The French data protection authority CNIL publishes the final version of its recommendations on tracking pixels in emails (in French). The tracking pixel is an alternative tracking method to cookies, usually implemented in the form of a reduced image (1 pixel by 1 pixel). Loading this image, which contains a user ID, tracks a user when they visit a page or read an email. This technique is used for personalising communication according to the interests of users, measuring the audience, improving the proper reception of emails<\/a>, etc. <\/p>\n\n\n\nThe recommendation specifies the cases in which consent will be required for the use of tracking pixels in emails and those which are exempt. <\/strong>It also specifies the procedures for withdrawing consent. <\/p>\n\n\n\nIn other news<\/h4>\n\n\n\n![\"\"](\"https:\/\/techgdpr.com\/wp-content\/uploads\/2026\/04\/image-1-1024x661.jpeg\")
<\/figure>\n<\/p>\n\n\n\n
Data breaches on the rise: <\/strong>The Estonian data protection agency provides an analysis of the received data breach notifications in Q1 2026. One of the most insidious threats in today\u2019s cyber landscape is data-stealing malware<\/a>. (eg, RedLine, Vidar). It is often downloaded onto personal devices unintentionally \u2013 through illegal software, malicious ads, or fraudulent links generated using artificial intelligence. Data thieves don’t just limit themselves to passwords: they also steal session cookies, which allow attackers to bypass even multi-factor authentication by “hijacking” the active logged-in session.<\/p>\n<\/div><\/div>\n\n\n\nIf employees use personal devices to check work emails or access SaaS platforms like Slack or Salesforce, a single infected home computer can compromise the entire corporate network<\/strong>.<\/p>\n\n\n\nIllegal GPS tracking:<\/strong> The Slovenian Information Commissioner found that one of the providers of public utilities was continuously and indiscriminately collecting location data of employees, obtained through GPS transmitters installed in company vehicles, without clearly defining the purpose of the data processing<\/a>. Employees were not properly informed about the scope and purpose of such tracking. Besides, the objectives could be achieved with less stringent measures (eg, manual entries, use of vehicle odometer data).<\/p>\n\n\n\nEmployee computer monitoring:<\/strong> In a similar inspection procedure, a Slovenian regulator found another employer’s covert surveillance (via Spyrix Employee Monitoring software), was carried out without a legal basis, without informing employees and to an extent that exceeded the permissible limits of interference with privacy in the workplace, as it targeted the content of employees’ communication via private e-mail and completely private conversations<\/a>. The regulator imposed a fine of 71,474 euros due to the violations found. <\/p>\n\n\n
Unjustified parking fines through automated means<\/h4>\n\n\n\n<\/figure>\n<\/p>\n\n\n\n
The deployment of scanning vehicles to check parked cars has resulted in an estimated 500,000 unjustified fines<\/a>. This is evident from a new thematic study by the Dutch Data Protection Authority AP. Municipalities carry out an estimated 250 to 375 million scans yearly. This results in 3 to 5 million parking fines per year.\u00a0 According to calculations, more than 10 per cent of these are unjustified. People who object to the fine are successful in 40 to 62 per cent of cases.\u00a0<\/p>\n<\/div><\/div>\n\n\n\nA scanning vehicle only takes a snapshot, and the algorithms in the monitoring system do not see the circumstances.<\/strong> As a result, a scanning vehicle cannot, for example, determine that someone is loading or unloading. In such a situation, an exception may apply. The disabled parking permit, which is not registered to the license plate by default and is placed behind the windshield, is also not ‘seen’ by the scanning vehicle. If payment has not been made, the systems are unforgiving, and a fine follows automatically. <\/p>\n\n\n\nOther legal updates<\/h4>\n\n\n\n
Alabama comprehensive privacy law: <\/strong>The Alabama Personal Data Protection Act (APDPA) was enacted on April 16<\/a>. It includes one of the lowest applicability thresholds for businesses in the US that: <\/p>\n\n\n\n\n- handle personal data of more than 25,000 consumers (excluding data processed solely for completing a payment transaction), or\u00a0<\/li>\n\n\n\n
- derive more than 25% of gross revenue from selling personal data.\u00a0<\/li>\n<\/ul>\n\n\n\n
From 1 May 2027, it will empower a consumer to confirm whether a controller is processing any of the consumer\u2019s personal data, correct inaccuracies, delete, obtain a copy, and opt out of the processing of their data. Controllers will be required to respond to consumer requests within 45 days, with a possible 45-day extension, and provide a secure and reliable method for consumers to exercise their rights; the analysis from vitallaw.com<\/a> sums up. <\/p>\n\n\n\nScientific research in the EU: <\/strong> The EDPB has, in the meantime, adopted Guidelines on processing of personal data for scientific research purposes<\/a>. Many areas of scientific research rely on the processing of individuals\u2019 personal data. In the guidelines, the EU data protection regulator provides clarifications on the:<\/p>\n\n\n\n\n- concept of \u2018scientific research\u2019\u00a0\u00a0<\/li>\n\n\n\n
- further processing for scientific research purposes\u00a0\u00a0<\/li>\n\n\n\n
- reliance on \u201cbroad consent\u201d where the purposes of research are not fully known\u00a0<\/li>\n\n\n\n
- rights of individuals to erasure and objection when their personal data are processed for scientific purposes\u00a0<\/li>\n\n\n\n
- qualifications of data controller, joint controllers or processors.<\/li>\n<\/ul>\n\n\n\n
The guidelines will be subject to public consultation<\/a> until 25 June. <\/p>\n\n\n\nDPIA template<\/h4>\n\n\n\n
The EDPB has also adopted a template for Data Protection Impact Assessments (DPIA)<\/a>. The template will help organisations structure, harmonise and substantiate their DPIA reporting processes. The template is complemented by an explainer document<\/a> providing concise explanations for completing this template effectively, by breaking down key concepts in a simple language and addressing possible questions and knowledge gaps controllers might have.<\/p>\n\n\n\nControllers can conduct their risk analysis and management processes as they prefer, using the DPIA methodology of their choice. A DPIA<\/a> is a process required in situations where the processing is likely to result in a high risk, to describe how personal data will be processed, assess whether the processing is necessary and appropriate, and identify and reduce risks to individuals\u2019 rights and freedoms<\/strong>.\u00a0<\/p>\n\n\n\nFrontier AI systems<\/h4>\n\n\n\n<\/figure>\n<\/p>\n\n\n\n
According to the Guardian, British banks will be given access in the next week to Antropic\u2019s latest AI tool, highly skilled at cyber-security and hacking tasks<\/a>, that was deemed too dangerous to be released to the public. Advances in the Claude Mythos model capabilities have come with concerns about hackers using such tools to figure out passwords or crack encryption meant to keep data safe<\/strong>. <\/p>\n<\/div><\/div>\n\n\n\n<\/p>\n\n\n\n
Anthropic, which has so far limited the release<\/a> of the new model to a small clutch of primarily US businesses, including Amazon, Apple and Microsoft, said it would expand that to UK financial institutions. UK regulators are due to raise the issue of Mythos\u2019s risks with bank bosses and government officials in the coming weeks.\u00a0<\/p>\n\n\n\nAccording to the presented results, Mythos can detect vulnerabilities faster and link them into complete exploits and attack chains<\/a>. This can strengthen defences, but can also accelerate digital attacks. Defenders can deploy AI to detect vulnerabilities earlier and remedy them faster. But attackers with access to similar models will scale up investigation, identification, and exploitation as well. To that end, the Dutch National Cyber \u200b\u200bSecurity Centre suggests practical steps to adopt: <\/p>\n\n\n\n\n- Explicitly incorporate AI developments into your security measures, particularly patch management; <\/strong>delaying action by days or weeks no longer fits the current threat landscape.<\/li>\n\n\n\n
- Anticipate attacks that occur faster, more automatically, and in larger numbers, for example, in the detection of anomalous behaviour in networks<\/strong>.<\/li>\n\n\n\n
- Maintain solid basic security <\/strong>and supplement it with appropriate additional measures, as attackers already use AI to improve and automate existing techniques.\u00a0\u00a0<\/li>\n<\/ul>\n\n\n\n
More official guidance<\/h4>\n\n\n\n
Secure database configurations: <\/strong>The German Federal Office for Information Security (BSI) has published a collection of secure configurations for database systems<\/a>. It provides recommendations for optimally configuring encryption, authentication, authorisation, and other security-relevant aspects<\/strong>. It serves as a template for securely operating the database management systems MariaDB, MongoDB, and Weaviate. The repository is continuously being developed and will be expanded to include support for other database management systems.<\/p>\n\n\n\n<\/figure>\n<\/p>\n\n\n\n
Healthcare institutions’ data security audit:<\/strong> The Lithuanian State Data Protection Inspectorate VDAI carried out 10 scheduled audits of the security measures of healthcare institutions. Security checks related to access control, backup management, and event log management were assessed<\/a>. As a result, several areas for improvement were identified:<\/p>\n<\/div><\/div>\n\n\n\n\n- Only 11% of institutions use multi-factor authentication (MFA).<\/li>\n\n\n\n
- Only 56 % of institutions centrally store and encrypt log entries.<\/li>\n\n\n\n
- 67% of institutions have implemented automated alerts for suspicious events.<\/li>\n\n\n\n
- 78 % of institutions have a log entry management policy and review it regularly.<\/li>\n\n\n\n
- 78% of institutions document backup and recovery procedures.<\/li>\n<\/ul>\n\n\n\n
Pixel tracking: <\/strong>The French data protection authority CNIL publishes the final version of its recommendations on tracking pixels in emails (in French). The tracking pixel is an alternative tracking method to cookies, usually implemented in the form of a reduced image (1 pixel by 1 pixel). Loading this image, which contains a user ID, tracks a user when they visit a page or read an email. This technique is used for personalising communication according to the interests of users, measuring the audience, improving the proper reception of emails<\/a>, etc. <\/p>\n\n\n\nThe recommendation specifies the cases in which consent will be required for the use of tracking pixels in emails and those which are exempt. <\/strong>It also specifies the procedures for withdrawing consent. <\/p>\n\n\n\nIn other news<\/h4>\n\n\n\n<\/figure>\n<\/p>\n\n\n\n
Data breaches on the rise: <\/strong>The Estonian data protection agency provides an analysis of the received data breach notifications in Q1 2026. One of the most insidious threats in today\u2019s cyber landscape is data-stealing malware<\/a>. (eg, RedLine, Vidar). It is often downloaded onto personal devices unintentionally \u2013 through illegal software, malicious ads, or fraudulent links generated using artificial intelligence. Data thieves don’t just limit themselves to passwords: they also steal session cookies, which allow attackers to bypass even multi-factor authentication by “hijacking” the active logged-in session.<\/p>\n<\/div><\/div>\n\n\n\nIf employees use personal devices to check work emails or access SaaS platforms like Slack or Salesforce, a single infected home computer can compromise the entire corporate network<\/strong>.<\/p>\n\n\n\nIllegal GPS tracking:<\/strong> The Slovenian Information Commissioner found that one of the providers of public utilities was continuously and indiscriminately collecting location data of employees, obtained through GPS transmitters installed in company vehicles, without clearly defining the purpose of the data processing<\/a>. Employees were not properly informed about the scope and purpose of such tracking. Besides, the objectives could be achieved with less stringent measures (eg, manual entries, use of vehicle odometer data).<\/p>\n\n\n\nEmployee computer monitoring:<\/strong> In a similar inspection procedure, a Slovenian regulator found another employer’s covert surveillance (via Spyrix Employee Monitoring software), was carried out without a legal basis, without informing employees and to an extent that exceeded the permissible limits of interference with privacy in the workplace, as it targeted the content of employees’ communication via private e-mail and completely private conversations<\/a>. The regulator imposed a fine of 71,474 euros due to the violations found. <\/p>\n\n\n
<\/figure><\/p>\n\n\n\n
The deployment of scanning vehicles to check parked cars has resulted in an estimated 500,000 unjustified fines<\/a>. This is evident from a new thematic study by the Dutch Data Protection Authority AP. Municipalities carry out an estimated 250 to 375 million scans yearly. This results in 3 to 5 million parking fines per year.\u00a0 According to calculations, more than 10 per cent of these are unjustified. People who object to the fine are successful in 40 to 62 per cent of cases.\u00a0<\/p>\n<\/div><\/div>\n\n\n\n A scanning vehicle only takes a snapshot, and the algorithms in the monitoring system do not see the circumstances.<\/strong> As a result, a scanning vehicle cannot, for example, determine that someone is loading or unloading. In such a situation, an exception may apply. The disabled parking permit, which is not registered to the license plate by default and is placed behind the windshield, is also not ‘seen’ by the scanning vehicle. If payment has not been made, the systems are unforgiving, and a fine follows automatically. <\/p>\n\n\n\n Alabama comprehensive privacy law: <\/strong>The Alabama Personal Data Protection Act (APDPA) was enacted on April 16<\/a>. It includes one of the lowest applicability thresholds for businesses in the US that: <\/p>\n\n\n\n From 1 May 2027, it will empower a consumer to confirm whether a controller is processing any of the consumer\u2019s personal data, correct inaccuracies, delete, obtain a copy, and opt out of the processing of their data. Controllers will be required to respond to consumer requests within 45 days, with a possible 45-day extension, and provide a secure and reliable method for consumers to exercise their rights; the analysis from vitallaw.com<\/a> sums up. <\/p>\n\n\n\n Scientific research in the EU: <\/strong> The EDPB has, in the meantime, adopted Guidelines on processing of personal data for scientific research purposes<\/a>. Many areas of scientific research rely on the processing of individuals\u2019 personal data. In the guidelines, the EU data protection regulator provides clarifications on the:<\/p>\n\n\n\n The guidelines will be subject to public consultation<\/a> until 25 June. <\/p>\n\n\n\n The EDPB has also adopted a template for Data Protection Impact Assessments (DPIA)<\/a>. The template will help organisations structure, harmonise and substantiate their DPIA reporting processes. The template is complemented by an explainer document<\/a> providing concise explanations for completing this template effectively, by breaking down key concepts in a simple language and addressing possible questions and knowledge gaps controllers might have.<\/p>\n\n\n\n Controllers can conduct their risk analysis and management processes as they prefer, using the DPIA methodology of their choice. A DPIA<\/a> is a process required in situations where the processing is likely to result in a high risk, to describe how personal data will be processed, assess whether the processing is necessary and appropriate, and identify and reduce risks to individuals\u2019 rights and freedoms<\/strong>.\u00a0<\/p>\n\n\n\n <\/p>\n\n\n\n According to the Guardian, British banks will be given access in the next week to Antropic\u2019s latest AI tool, highly skilled at cyber-security and hacking tasks<\/a>, that was deemed too dangerous to be released to the public. Advances in the Claude Mythos model capabilities have come with concerns about hackers using such tools to figure out passwords or crack encryption meant to keep data safe<\/strong>. <\/p>\n<\/div><\/div>\n\n\n\n <\/p>\n\n\n\n Anthropic, which has so far limited the release<\/a> of the new model to a small clutch of primarily US businesses, including Amazon, Apple and Microsoft, said it would expand that to UK financial institutions. UK regulators are due to raise the issue of Mythos\u2019s risks with bank bosses and government officials in the coming weeks.\u00a0<\/p>\n\n\n\n According to the presented results, Mythos can detect vulnerabilities faster and link them into complete exploits and attack chains<\/a>. This can strengthen defences, but can also accelerate digital attacks. Defenders can deploy AI to detect vulnerabilities earlier and remedy them faster. But attackers with access to similar models will scale up investigation, identification, and exploitation as well. To that end, the Dutch National Cyber \u200b\u200bSecurity Centre suggests practical steps to adopt: <\/p>\n\n\n\n Secure database configurations: <\/strong>The German Federal Office for Information Security (BSI) has published a collection of secure configurations for database systems<\/a>. It provides recommendations for optimally configuring encryption, authentication, authorisation, and other security-relevant aspects<\/strong>. It serves as a template for securely operating the database management systems MariaDB, MongoDB, and Weaviate. The repository is continuously being developed and will be expanded to include support for other database management systems.<\/p>\n\n\n\n <\/p>\n\n\n\n Healthcare institutions’ data security audit:<\/strong> The Lithuanian State Data Protection Inspectorate VDAI carried out 10 scheduled audits of the security measures of healthcare institutions. Security checks related to access control, backup management, and event log management were assessed<\/a>. As a result, several areas for improvement were identified:<\/p>\n<\/div><\/div>\n\n\n\n Pixel tracking: <\/strong>The French data protection authority CNIL publishes the final version of its recommendations on tracking pixels in emails (in French). The tracking pixel is an alternative tracking method to cookies, usually implemented in the form of a reduced image (1 pixel by 1 pixel). Loading this image, which contains a user ID, tracks a user when they visit a page or read an email. This technique is used for personalising communication according to the interests of users, measuring the audience, improving the proper reception of emails<\/a>, etc. <\/p>\n\n\n\n The recommendation specifies the cases in which consent will be required for the use of tracking pixels in emails and those which are exempt. <\/strong>It also specifies the procedures for withdrawing consent. <\/p>\n\n\n\n <\/p>\n\n\n\n Data breaches on the rise: <\/strong>The Estonian data protection agency provides an analysis of the received data breach notifications in Q1 2026. One of the most insidious threats in today\u2019s cyber landscape is data-stealing malware<\/a>. (eg, RedLine, Vidar). It is often downloaded onto personal devices unintentionally \u2013 through illegal software, malicious ads, or fraudulent links generated using artificial intelligence. Data thieves don’t just limit themselves to passwords: they also steal session cookies, which allow attackers to bypass even multi-factor authentication by “hijacking” the active logged-in session.<\/p>\n<\/div><\/div>\n\n\n\n If employees use personal devices to check work emails or access SaaS platforms like Slack or Salesforce, a single infected home computer can compromise the entire corporate network<\/strong>.<\/p>\n\n\n\n Illegal GPS tracking:<\/strong> The Slovenian Information Commissioner found that one of the providers of public utilities was continuously and indiscriminately collecting location data of employees, obtained through GPS transmitters installed in company vehicles, without clearly defining the purpose of the data processing<\/a>. Employees were not properly informed about the scope and purpose of such tracking. Besides, the objectives could be achieved with less stringent measures (eg, manual entries, use of vehicle odometer data).<\/p>\n\n\n\n Employee computer monitoring:<\/strong> In a similar inspection procedure, a Slovenian regulator found another employer’s covert surveillance (via Spyrix Employee Monitoring software), was carried out without a legal basis, without informing employees and to an extent that exceeded the permissible limits of interference with privacy in the workplace, as it targeted the content of employees’ communication via private e-mail and completely private conversations<\/a>. The regulator imposed a fine of 71,474 euros due to the violations found. <\/p>\n\n\nOther legal updates<\/h4>\n\n\n\n
\n
\n
DPIA template<\/h4>\n\n\n\n
Frontier AI systems<\/h4>\n\n\n\n
<\/figure>\n
More official guidance<\/h4>\n\n\n\n
<\/figure>\n
In other news<\/h4>\n\n\n\n
<\/figure>