The European Data Protection Board (EDPB) announced the topic for Coordinated Enforcement Action 2026 on transparency and information obligations. Articles 12, 13, and 14 of the GDPR require that individuals be informed when their personal data is processed, ensuring transparency and enabling greater control over personal information. Participating data protection authorities will join this action voluntarily in the coming weeks, with enforcement activities scheduled to launch during 2026. 

Experian credit checks fine

As the background example of the above transparency obligations, the Dutch data protection authority AP last week imposed a 2.7 million euro fine on Experian Nederland. Experian provided credit ratings on individuals to its customers until 2025. The company collected data on factors such as negative payment behavior, outstanding debts, and bankruptcies. The AP found that Experian violated the GDPR by improperly using personal data, and failed to adequately inform individuals about this.

Experian created credit reports on individuals at the request of clients such as telecom companies, online retailers, and landlords. People started contacting the AP after they could no longer pay installments or because they suddenly had to pay a high deposit when switching energy suppliers. Only afterward did it become clear that this could be due to Experian’s credit scores. Because people weren’t aware of the credit check, they couldn’t check in time whether the information was accurate. Experian collected data about people from various sources, both public and private, and failed to adequately explain why this data collection was necessary.

Experian acknowledged violating the law and will not appeal the fine. It has ceased operations in the Netherlands and will delete the database containing all personal data.

Stay up to date! Sign up to receive our fortnightly digest via email.

More legal updates

DMA and GDPR: The EDPB and the European Commission endorsed joint guidelines on the interplay between the Digital Markets Act (DMA) and the GDPR. The DMA and the GDPR both protect individuals in the digital landscape, but their goals are complementary as they address interconnected challenges: individual rights and privacy in the case of the GDPR and fairness and contestability of digital markets under the DMA. However, several activities regulated by the DMA entail the processing of personal data by gatekeepers and refer to definitions and concepts included in the GDPR (eg, on how to lawfully combine or cross-use personal data in core platform services). 

Italy’s new AI law: On 10 October, the Italian law on Provisions and Delegation to Government on Artificial Intelligence, including an age verification requirement, entered into force. It is the first comprehensive legislation adopted by an individual EU member state on research, testing, development, adoption, and application of AI systems and models, with a human-centric approach. The government has appointed the Agency for Digital Italy and the National Cybersecurity Agency to enforce the legislation, which received its final approval in the parliament after a year of debate. The enforcement measure imposes even prison terms on those who manipulate technology to cause harm, such as generating deepfakes. 

US Bulk Data: The US Department of Justice’s Sensitive Data Bulk Transfer Rule is in effect as of October 6, JD Supra law blog reports. This means if your organisation transfers US sensitive data (from demographic data to cookie data) that hits the bulk thresholds, you need to develop and implement a compliance program, either a stand-alone program or as part of the compliance program (through due diligence and audit procedures). 

Electronic patient files

In Germany, the electronic patient record (ePA) for everyone has been tested in model regions since January 2025. Since 29 April, it has been available for use nationwide by practices, hospitals, and pharmacies, among others. As of 1 October, it is generally mandatory for practices and other medical facilities to fill out the records. At the same time, the information (eg, on ongoing or further treatment) can only be included in the ePA for everyone if the insured person has not fundamentally objected to this with their health insurance provider.

Finally, special consent requirements apply to information from genetic testing for diagnostic purposes, as well as on children and adolescent records.

California privacy updates

At the end of September, California finalised regulations to strengthen consumer privacy that go into effect on 1 January, 2026. However, there is additional time for businesses to comply with some of the new requirements, namely cybersecurity audits, risk assessments, and requirements for automated decision-making technologies, as well as updates to existing CCPA regulations. The final regulations and supporting materials will be posted on the regulator’s website as soon as they are processed.

ISO/IEC 27701

On 14 October, ISO released ISO/IEC 27701:2025, the latest version of the global Privacy Information Management System (PIMS) standard. For the first time, ISO/IEC 27701 is now a standalone standard, no longer just an extension of ISO/IEC 27001. The standard is designed for personally identifiable information (PII) controllers and processors, who hold responsibility and accountability for processing PII to:

•  Strengthen data privacy and protection capabilities
•  Help demonstrate compliance with global privacy regulations such as the GDPR
•  Support trust-building with partners, clients and regulators
•  Align with existing ISO/IEC 27001 systems to streamline implementation
•  Facilitate accountability and evidence-based privacy management

Cookie updated guidance

The Swiss FDPIC published an updated version of its cookie guidelines, which contains specific clarifications and additions intended to improve the comprehensibility of the text and clarify practical issues. In particular, the FDPIC found it useful to clarify why the use of cookies for the purpose of delivering personalised advertising may require the consent of the data subjects. This is the case when the website operator provides third parties with access to visitors’ personal information in return for payment by integrating third-party cookies or similar technologies, and these third parties are embedded in several websites. As the latter are enabled to carry out high-risk profiling, this constitutes a particularly intensive intrusion into the privacy of the data subjects.

AI systems development guidance

In Germany, the Data Protection Conference (DSK) publishes guidance on AI systems with Retrieval Augmented Generation (RAG). It provides legal and technical information on how to harness the potential of such AI systems while simultaneously reducing the risks for those affected. RAG is an AI technology that augments large language models with targeted access to company or government agency knowledge sources to deliver context-specific answers. 

Typical application examples include in-house chatbots that access current business data and scientific assistance systems that leverage research databases. 

Thus, RAG use must be designed in compliance with data protection by design and by default. Controllers must ensure transparency, purpose limitation, and the protection of data subjects’ rights at all times. Controllers wishing to implement such RAG systems must conduct data protection assessments of the various processing operations on a case-by-case basis and always keep their technical and organisational measures up to date. 

More from supervisory authorities

Union membership: The Latvian data protection authority DVI explains whether an employer needs to know about a worker’s union membership. The answer is that the employer cannot request such information from the employee at any time. The most appropriate justification for processing such data is when such rights are established for the employer by law; however, there is also the possibility of obtaining the employee’s consent or finding out this information when the employee has disclosed it themself. 

Such a question should not be asked during a job interview, when drawing up an employment contract or during an employment relationship, as long as the employer does not intend to terminate the employment relationship with the employee in question. If an employee is to be dismissed, asking about union membership is important because union members may have special protections, such as the need to obtain the union’s consent to termination. 

Commercial robocalls: The DVI also explains what a company should consider if it wants to use commercial robocalls. The regulatory framework stipulates that the use of automated calling systems, which operate without human intervention for the purpose of sending commercial communications, is permitted only if the recipient of the service has given their prior free and explicit consent. Thus, sending commercial communications in this way is lawful only if the person concerned has previously (before making the call) given their free and explicit consent to be disturbed by automated calling devices. 

Google Analytics fine confirmed by court

In 2023, Sweden’s data protection authority IMY decided after an inspection that Tele2 (mobile network provider) must pay a penalty fee of SEK 12 million because they violated the GDPR. The Court of Appeal has now ruled in favor of IMY. The violation concerned the fact that the company, in connection with the use of Google Analytics, transferred personal data to the US without adequate protection.

IMY assessed that the data transferred to the US via Google’s statistical tool was personal data, since the data transferred could be linked with other data that Google had access to and thus enabled Google to distinguish and identify specific persons. 

Minors’ data in the EU

On 16 October, the European Parliament’s Committee on the Internal Market and Consumer Protection adopted its report on the Protection of minors online. The report calls for an EU-wide digital minimum age of 16 for accessing social media, video-sharing platforms and AI companions without parental consent, and a minimum age of 13 for any social media use. It urges the European Commission to strengthen enforcement of the Digital Services Act and to swiftly adopt guidelines on measures ensuring a high level of privacy, safety, and security for minors. The Parliament is expected to vote on the final recommendations during the November plenary session.

Microsoft use of children data

The Austrian data protection authority ruled on a complaint regarding Microsoft’s handling of children’s data under the GDPR. It found that the Federal High School and the Federal Ministry for Education, acting as joint controllers, violated the complainant’s right of access and right to be informed. They failed to provide complete and timely information on data processed through Microsoft Education 365, including cookies and third-party data transfers, (content, log, and cookie data). Microsoft was also found to have infringed the complainant’s right of access by not providing complete information on cookie data, its own processing purposes, and transfers to third parties such as LinkedIn, OpenAI, and Xandr, digitalpolicyalert.org reports. 

Doping scandals and personal data

A CJEU Advocate General has ruled on the publication of the name of professional athletes who have infringed anti-doping rules. In the related case in Austria, four athletes concerned submit that that publication contravenes the GDPR. Such publication is provided for by law. It aims, first, to deter athletes from committing infringements of the anti-doping rules and thus to prevent doping in sport.

Second, it aims to prevent circumvention of the anti-doping rules by informing all persons likely to sponsor or engage the athlete in question that he or she is suspended. In that context, the Austrian court asked the Court of Justice to interpret the GDPR. The first opinion was that such practice is contrary to EU law. The principle of proportionality requires account to be taken of the specific circumstances of each individual case. In the Advocate General’s view, publishing the relevant name, but limited to the relevant bodies and sports federations, accompanied, for example, by pseudonymised publication on the internet, would make it possible to achieve both those objectives.

In other news

Clearview AI fine confirmed: On 7 October, the UK Upper Tribunal confirmed that Clearview AI’s facial recognition business is subject to the EU and UK GDPRs. Clearview had argued that its scraping of billions of online images to produce facial recognition services for sale to foreign law enforcement agencies placed it outside of GDPR’s material and territorial scope. The tribunal rejected the claim and made it clear that Clearview’s activities involve ‘behavioural monitoring’. Clearview sought a narrow interpretation of the GDPR, but the tribunal rightly adopted a broader one that clearly encompasses automated processing.

This decision follows the Information Commissioner and Privacy International’s appeal against a 2023 First Tier Tribunal ruling that had quashed Clearview’s 7,552,800 pounds fine. Clearview trawls through sites like Instagram, YouTube and Facebook, as well as personal blogs and professional websites. It uses facial recognition technology to extract the unique features of people’s faces, effectively building a gigantic biometrics database. Clearview has previously been found to be in breach of the GDPR in France, Italy, Austria and Greece, resulting in fines totalling 65,200,000 euros.

Meta AI bots: The Guardian reports that parents will be able to block their children’s interactions with Meta’s AI character chatbots. The social media company is adding new safeguards to its “teen accounts”, which are a default setting for under-18 users, by letting parents turn off their children’s chats with AI characters. These chatbots, which are created by users, are available on Facebook, Instagram and the Meta AI app. Parents will also be able to block specific AI characters and get “insights” into the topics their children are chatting about with AI. Meta said the changes would be rolled out early next year, initially to the US, UK, Canada and Australia. 

In case you missed it

AI for everyday tasks: As more and more companies are using their users’ personal data to train AI models, the French data protection regulator CNIL explains how to oppose it for the main platforms. The practical cases include: Google – Gemini, Meta – Meta AI, Open AI – ChatGPT, Microsoft – Copilot, X – Grok, DeepSeek, Mistral – The Cat, Anthropic – Claude, and LinkedIn.

‘Self-aware’ AI: Guernsey’s data protection authority meanwhile publishes its observations on how AI has formed the basis of a number of companion apps and the creation of numerous digital friends and partners. It is important to remember, for all of us, personally and professionally, that such products are not ‘living beings’, while more and more news stories continue to emerge of tragic outcomes in which a digital companion played a part. Individuals have the right not to be subject to automated decision making which is at the core of such products, without appropriate safeguards being in place. And for organisations functioning as data controllers, these are vested with the responsibility on any decisions AI makes or advice it provides to people. 

The post Data protection digest 4-18 Oct 2025: Transparency the GDPR’s 2026 enforcement goal, and the Experian case as a model NOT to follow appeared first on TechGDPR.

Data subject rights (DSRs) are not optional check boxes. They are legally enforceable rights granted to individuals whose personal data is processed. Businesses must respect data subject rights throughout all stages of AI development, deployment, and ongoing system management. The GDPR grants individuals several rights over their personal data. Let us focus on four of these here:

1. Right to be informed: As with other data protection frameworks, transparency is key under the GDPR. This right takes the form of a duty to inform prior to the processing taking place. Businesses must include information on how they collect, use, store, and share data, the purpose of processing, the legal basis, data retention periods, and who may receive the data. Privacy notices are the typical repositories for this information. They must be concise, accessible, and written in plain language.
2. Right of access: Data subjects can request access to the exact personal data a business holds about them. Businesses must provide information about processing activities, data categories, and any third parties with whom they share the data.
3. Right to rectification: Data subjects can request organizations to correct incorrect or incomplete data without delay. Businesses must respond promptly and update the data across systems and third-party processors where necessary.
4. Right to object, right to be forgotten and right to revoke consent: It allows individuals to exercise control. The European Data Protection Board (EDPB)  published a case digest on right to object and erasure. Data subjects must be able to object to the use of their data and request its erasure when it is no longer necessary, when they withdraw consent, or for purposes like direct marketing.

Incorporating data minimization in AI Systems

One of the most effective ways businesses can respect data subject rights is by adhering to the data protection principle of data minimization. This GDPR principle requires businesses to collect and process only the minimum personal data necessary to achieve their specific purpose. Avoid over-collecting data, use anonymized or synthetic data for training, and regularly review AI outputs to remove unnecessary personal information.

Implement transparent data practices

Transparency is central to building trust and achieving legal compliance. Always define the purpose of processing, specifically the training of AI models. If businesses rely on legitimate interest, they must show that they gave data subjects the chance to object; otherwise, they invalidate their legal basis.

Clearly inform existing customers in advance when using their data to train AI models, and provide opt-out options before processing begins. Transparency is key. 

When there’s no direct relationship with the individual (such as when using publicly available data or from data brokers), the GDPR requires information to be provided within one month of its collection GDPR Articles 14.  

In 2023, the Italian DPA temporarily banned OpenAI’s ChatGPT, citing a lack of transparency around how it used personal data for training. The DPA later required the company to implement clear privacy notices and provide users with ways to exercise their rights.

Respect the right to access 

Can data owners request access to training data? 

This becomes complicated with large language models, but under the GDPR, individuals have the right to know if and how their data is being used.

How to exercise that right? 

Under the GDPR, individuals have the right to know if and how their personal data is used, including data processed by AI systems. While this is straightforward for users with an existing relationship (who can submit data subject access requests via account settings or customer support), it’s more complicated when there’s no direct connection.

In such cases, organizations must ensure proactive transparency by clearly informing people through privacy policies and AI transparency reports. Failure to uphold this right contributes to loss of trust and accountability in AI use and development.

Develop clear processes for data deletion and rectification 

Can data be corrected or deleted after it has been used to train an AI model? 

While difficult, companies must explore the use of data architectures that allow tracing of personal data contributions. The GDPR (Recital 26) considers even pseudonymous data, like randomly generated user IDs, as personal data since organizations can technically link it back to a person, directly or indirectly.

To reduce data subject risk while improving compliance, companies could implement the following measures:

• Data encryption: Businesses should ensure proper security implementation, especially when handling sensitive personal information.
• Anonymization and pseudonymization: Where possible, anonymize or pseudonymize data before using it in AI models. Anonymization and pseudonymization protect personal data by reducing breach risks and limiting the impact on individuals in case of a data exposure.
• Access control: Implement strict access controls and monitoring to ensure only authorized personnel can access personal data. This prevents unauthorized exposure of sensitive information.

By embedding these practices into AI development pipelines, organizations can take meaningful steps toward compliance, trust-building, and ethical AI deployment.

Ensure security and privacy by design

Organizations should build user trust and meet regulations by embedding privacy from the start, not treating it as an afterthought. This is the core of the privacy by design principle under the GDPR.

Key steps include:

• Promoting user choice and control: Provide clear opt-out options before processing data—whether in email campaigns, mobile app popups, or web trackers.). Empower users with privacy dashboards that let them view, manage, and delete their personal data at any time.
• Secure data handling: Businesses must encrypt personal data used in AI training while transmitting and at rest. Implement strict access control mechanisms to ensure that only authorized personnel can interact with sensitive data.

Embedding privacy and security into system architecture from the outset not only ensures compliance, trust-building, and ethical AI deployment.

Maintain ongoing communication and feedback loops

Transparency shouldn’t stop at data collection. When introducing AI processing, update your privacy notices to reflect new processing activities, as required by the GDPR. Use layered notices to highlight AI-specific practices like model training, profiling or automated decision-making. Importantly, inform users before processing, not after. True consent means giving people a real choice. Building feedback loops as user input is essential for improving fairness, spotting issues, and building trust in your AI systems.

Conclusion

As AI continues to shape modern business, respecting data subject rights is not just a legal obligation; it’s a foundation for responsible innovation. By embedding privacy by design, adopting transparent data practices, and enabling user control, organizations can align AI development with GDPR principles and foster long-term trust. Data protection isn’t a compliance checkbox, it’s a strategic imperative for ethical and sustainable AI.

Feel free to reach out to us for any clarification of AI compliance needs.

The post Respecting Data Subject Rights in AI: A Practical Guide for Businesses appeared first on TechGDPR.

The EU AI Act 

The EU AI Act is one of the first laws in the world designed to regulate AI, setting rules to ensure AI systems are safe, ethical, and respect human rights. It classifies AI systems into four risk categories — from minimal risk to high risk. The stricter the category, the more oversight and compliance are required. The AI Act also outlines use of AI that is prohibited within the EU. Chapter 2, Act 5 of the EU AI Act prohibits the following uses of AI: 

• Using manipulative techniques to distort behavior and impair informed decision-making, causing significant harm;
• Exploiting vulnerabilities related to age, disability, or socio-economic status to distort behavior, causing significant harm;
• Inferring sensitive attributes (e.g., race, political opinions, sexual orientation) through biometric categorization, except for lawful purposes;
• Social scoring that leads to detrimental treatment based on social behavior or personal traits;
• Assessing criminal risk solely based on profiling or personality traits, unless supporting human assessments based on objective facts;
• Compiling facial recognition databases by scraping images from the internet or CCTV footage;
• Inferring emotions in workplaces or educational institutions, except for medical or safety reasons; and
• ‘Real-time’ remote biometric identification in public spaces for law enforcement, with exceptions for serious cases like missing persons or imminent threats.

There are also special considerations and requirements for the development or use of high risk AI systems, which are classified as such in Chapter 3 of the EU AI Act which could result in the necessity of a risk management system. Risk management systems are frameworks for identifying, mitigating, and managing AI-related risks, especially regarding discrimination and data breaches.

Lastly, the providers of General Purpose AI systems (GPAI) are subject to special requirements under Chapter 5. 

Important Principles for Ethical AI Policies to Address

When developing ethical AI, it is important to emphasize fairness, accountability and transparency. It is not just important in the development of AI systems but the use of AI systems. In essence, ethical AI is about ensuring that as AI technology advances, it does so in a way that respects human dignity, promotes fairness, and fosters trust, ultimately contributing to the well-being of individuals and society as a whole. 

Fairness

The primary objective of a fairness policy is to eliminate algorithmic bias and ensure that AI decision-making processes treat all individuals equitably. An AI policy should include comprehensive protocols such as fairness assessments, regular bias audits, and data diversity requirements during the training phases of AI systems. By mandating AI fairness testing before deployment and continuously monitoring systems for potential biases, organizations can proactively address and mitigate any unfair treatment. For instance, consider the case of Amazon’s AI recruitment tool, which was found to exhibit bias in hiring practices against women; this highlighted the necessity of implementing bias mitigation policies in AI-driven recruitment processes to ensure equitable outcomes.

Accountability

Establishing clear lines of responsibility for AI decision-making is crucial to ensuring human oversight and accountability. An AI policy should address the issue of accountability by defining specific roles and responsibilities within the organization for the oversight of AI systems. This includes establishing audit trails to track decisions and requiring regular reviews of AI outputs to ensure accountability. As Data Officers, TechGDPR can help in the development of these policies. Since the role of Data Officer involves data governance, we can help ensure oversight for your organization to maintain control over AI systems and understand their impact on decision-making processes.

Transparency

Transparency in AI systems is essential for building trust among users and complying with regulatory demands. The principle of transparency is also mentioned in Art.12 GDPR. An AI policy should be transparent and include protocols that mandate the use of explainable AI models, thorough documentation of decision-making processes, and clear disclosures in privacy notices regarding AI-driven data usage. A good AI policy should require organizations to provide stakeholders with comprehensible explanations for AI-driven decisions, ensuring that the operations of AI systems are understandable to both users and regulators. Organizations that adopt explainable AI frameworks such as the OECD Transparency and Explainability Principle, for example, can better maintain transparency and meet regulatory requirements, fostering trust and accountability in their AI applications.

The Role of Data Officers in Ethical AI Policy Creation

Data Officer is a new service provided by TechGDPR in which we can help with AI compliance as well as serving as a Data Protection officer, a role which can be mandated by the GDPR. Instead of having multiple people filling these roles, a Data Officer can understand how to navigate everything for your peace of mind. It is not a traditional role for privacy or AI compliance but this innovative role can alleviate stress for how to navigate multiple regulations including the AI Act as it is so new. 

Conclusion

In conclusion, as AI continues to permeate various industries, ensuring its ethical use is paramount. The EU AI Act lays out new legal requirements for AI systems and multiple frameworks including the OECD emphasizing the need for fairness, accountability, and transparency which can be done through the creation of AI policies. Organizations must not only comply with these regulations but also proactively adopt ethical AI practices to build trust and mitigate risks.

TechGDPR’s Data Officer service offers a comprehensive solution, integrating AI compliance with data protection and privacy governance. By crafting and implementing tailored AI policies, a Data Officer can ensure that your organization’s AI systems are not only legally compliant but also ethically sound, fostering a responsible approach to AI development and usage. As the landscape of AI regulation evolves, partnering with a Data Officer will be crucial in navigating these complexities and maintaining your organization’s commitment to ethical AI.

The post Ethical AI: How Data Officers Craft Policies for Fairness, Accountability, and Transparency appeared first on TechGDPR.