consumer data protection Archives - TechGDPR
https://techgdpr.com/blog/tag/consumer-data-protection/

Data protection digest 4-18 April 2026: questions rising over new EU age verification app & unjust automated parking fines
https://techgdpr.com/blog/data-protection-digest-21042026-questions-rising-over-new-eu-age-verification-app-unjust-automated-parking-fines/ (TechGDPR, Tue, 21 Apr 2026)
EU age verification app

The European Commission has announced that a new age verification app designed to protect children online is ‘technically ready’ and will soon be available for citizens to use. The app will allow users to prove their age when accessing online platforms, helping protect children from harmful or inappropriate content. It can be set up with a passport or ID card, enabling users to prove their age when accessing online services.


Reportedly, the app is ‘completely anonymous’, works on any device, and is fully open source. Cyber and privacy experts, however, immediately examined the source code on the GitHub software platform and reported several issues with the app’s design, including low cybersecurity standards and the possibility of bypassing the app’s biometric authentication features.

Unjustified parking fines through automated means

The deployment of scanning vehicles to check parked cars has resulted in an estimated 500,000 unjustified fines. This is evident from a new thematic study by the Dutch Data Protection Authority AP. Municipalities carry out an estimated 250 to 375 million scans yearly. This results in 3 to 5 million parking fines per year. According to calculations, more than 10 per cent of these are unjustified. People who object to the fine are successful in 40 to 62 per cent of cases.

A scanning vehicle only takes a snapshot, and the algorithms in the monitoring system do not see the circumstances. As a result, a scanning vehicle cannot, for example, determine that someone is loading or unloading. In such a situation, an exception may apply. The disabled parking permit, which is not registered to the license plate by default and is placed behind the windshield, is also not ‘seen’ by the scanning vehicle. If payment has not been made, the systems are unforgiving, and a fine follows automatically. 

Other legal updates

Alabama comprehensive privacy law: The Alabama Personal Data Protection Act (APDPA) was enacted on April 16. It has one of the lowest applicability thresholds in the US, applying to businesses that:

  • handle personal data of more than 25,000 consumers (excluding data processed solely for completing a payment transaction), or 
  • derive more than 25% of gross revenue from selling personal data. 

From 1 May 2027, it will empower a consumer to confirm whether a controller is processing any of the consumer’s personal data, correct inaccuracies, delete, obtain a copy, and opt out of the processing of their data. Controllers will be required to respond to consumer requests within 45 days, with a possible 45-day extension, and provide a secure and reliable method for consumers to exercise their rights, as the analysis from vitallaw.com summarises.

Scientific research in the EU: The EDPB has, in the meantime, adopted Guidelines on the processing of personal data for scientific research purposes. Many areas of scientific research rely on the processing of individuals’ personal data. In the guidelines, the EU data protection regulator provides clarifications on the:

  • concept of ‘scientific research’  
  • further processing for scientific research purposes  
  • reliance on “broad consent” where the purposes of research are not fully known 
  • rights of individuals to erasure and objection when their personal data are processed for scientific purposes 
  • qualifications of data controller, joint controllers or processors.

The guidelines will be subject to public consultation until 25 June. 

DPIA template

The EDPB has also adopted a template for Data Protection Impact Assessments (DPIA). The template will help organisations structure, harmonise and substantiate their DPIA reporting processes. The template is complemented by an explainer document providing concise explanations for completing this template effectively, by breaking down key concepts in a simple language and addressing possible questions and knowledge gaps controllers might have.

Controllers can conduct their risk analysis and management processes as they prefer, using the DPIA methodology of their choice. A DPIA is a process required in situations where the processing is likely to result in a high risk, to describe how personal data will be processed, assess whether the processing is necessary and appropriate, and identify and reduce risks to individuals’ rights and freedoms.

Frontier AI systems


According to the Guardian, British banks will be given access in the next week to Anthropic’s latest AI tool, which is highly skilled at cyber-security and hacking tasks and was deemed too dangerous to be released to the public. Advances in the Claude Mythos model capabilities have come with concerns about hackers using such tools to figure out passwords or crack encryption meant to keep data safe.

Anthropic, which has so far limited the release of the new model to a small clutch of primarily US businesses, including Amazon, Apple and Microsoft, said it would expand that to UK financial institutions. UK regulators are due to raise the issue of Mythos’s risks with bank bosses and government officials in the coming weeks. 

According to the presented results, Mythos can detect vulnerabilities faster and link them into complete exploits and attack chains. This can strengthen defences, but can also accelerate digital attacks. Defenders can deploy AI to detect vulnerabilities earlier and remedy them faster. But attackers with access to similar models will scale up investigation, identification, and exploitation as well. To that end, the Dutch National Cyber Security Centre suggests practical steps to adopt:

  • Explicitly incorporate AI developments into your security measures, particularly patch management; delaying action by days or weeks no longer fits the current threat landscape.
  • Anticipate attacks that occur faster, more automatically, and in larger numbers, for example, in the detection of anomalous behaviour in networks.
  • Maintain solid basic security and supplement it with appropriate additional measures, as attackers already use AI to improve and automate existing techniques.

More official guidance

Secure database configurations: The German Federal Office for Information Security (BSI) has published a collection of secure configurations for database systems. It provides recommendations for optimally configuring encryption, authentication, authorisation, and other security-relevant aspects. It serves as a template for securely operating the database management systems MariaDB, MongoDB, and Weaviate. The repository is continuously being developed and will be expanded to include support for other database management systems.

Healthcare institutions’ data security audit: The Lithuanian State Data Protection Inspectorate VDAI carried out 10 scheduled audits of the security measures of healthcare institutions. Security checks related to access control, backup management, and event log management were assessed. As a result, several areas for improvement were identified:

  • Only 11% of institutions use multi-factor authentication (MFA).
  • Only 56% of institutions centrally store and encrypt log entries.
  • 67% of institutions have implemented automated alerts for suspicious events.
  • 78% of institutions have a log entry management policy and review it regularly.
  • 78% of institutions document backup and recovery procedures.

Pixel tracking: The French data protection authority CNIL has published the final version of its recommendations on tracking pixels in emails (in French). The tracking pixel is an alternative tracking method to cookies, usually implemented in the form of a tiny image (1 pixel by 1 pixel). Loading this image, whose URL contains a user ID, tracks a user when they visit a page or read an email. This technique is used for personalising communication according to the interests of users, measuring the audience, improving the proper reception of emails, etc.
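The mechanism described above can be checked for in a mail client or gateway. The following Python script is an added example, not code from TechGDPR or CNIL: it scans an e-mail body for hidden or 1x1 remote images whose URL carries a query string or an opaque token (the identifier that makes the pixel a tracker), and shows the usual client-side mitigation of neutralising every remote image until the reader opts in. The sample e-mail body and the detection heuristics are constructed assumptions, not taken from the page.

```python
"""Detect likely tracking pixels in an HTML e-mail body and neutralise remote images.

Added example (not code from TechGDPR or CNIL). Heuristics are assumptions: an
<img> is flagged when it is 1x1 or hidden AND its URL is remote AND the URL
carries a query string or a long opaque token that can identify the recipient.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample e-mail body (not a real newsletter).
SAMPLE_EMAIL = """
<html><body>
<p>Hello Alice, here is our April newsletter.</p>
<img src="https://cdn.example.net/logo.png" width="200" height="60" alt="logo">
<img src="https://track.example.net/o.gif?uid=7f3a9c2e1b&amp;campaign=apr" width="1" height="1" style="display:none">
<img src="https://track.example.net/p/1f0e3dab2c4f5a6b7c8d9e0f1a2b3c4d" width="1" height="1" alt="">
<img src="cid:inline-chart" width="1" height="1">
</body></html>
"""

# 16+ hex characters in the path is treated as an opaque per-recipient token.
TOKEN_RE = re.compile(r"[0-9a-f]{16,}", re.I)


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))


def is_hidden(attrs):
    """True for 1x1 (or 0x0) images and for images hidden via inline CSS."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    w, h = attrs.get("width"), attrs.get("height")
    tiny = w in ("0", "1") and h in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


def carries_identifier(src):
    """True when the image is fetched remotely and the URL can identify the reader."""
    u = urlparse(src)
    if u.scheme not in ("http", "https"):
        return False  # cid: / data: images are embedded and do not call home
    if parse_qs(u.query):
        return True  # any query parameter (uid=..., campaign=...) can be a tracker id
    return bool(TOKEN_RE.search(u.path))


def find_tracking_pixels(html):
    """Return the src of every image that is both hidden and identifier-bearing."""
    parser = ImgCollector()
    parser.feed(html)
    return [
        attrs.get("src", "")
        for attrs in parser.images
        if is_hidden(attrs) and carries_identifier(attrs.get("src", ""))
    ]


def strip_remote_images(html):
    """Client-side mitigation: rename src of every remote <img> to data-blocked-src so
    nothing is fetched (and no open event is recorded) until the reader opts in."""
    return re.sub(
        r'<img\b([^>]*?)\bsrc="(https?://[^"]*)"',
        r'<img\g<1>data-blocked-src="\g<2>"',
        html,
        flags=re.I,
    )


if __name__ == "__main__":
    for src in find_tracking_pixels(SAMPLE_EMAIL):
        print("tracking pixel:", src)
    print(strip_remote_images(SAMPLE_EMAIL))
```

The logo is not flagged because it is visible, and the `cid:` image is not flagged because it is embedded rather than fetched, so only the two 1x1 remote images with an identifier are reported. Blocking remote images by default is the client-side counterpart of the consent requirement the CNIL describes: when nothing is loaded, no open event can be tied to a user ID.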

The recommendation specifies the cases in which consent will be required for the use of tracking pixels in emails and those which are exempt. It also specifies the procedures for withdrawing consent.  

In other news

Data breaches on the rise: The Estonian data protection agency provides an analysis of the data breach notifications received in Q1 2026. One of the most insidious threats in today’s cyber landscape is data-stealing malware (e.g., RedLine, Vidar). It is often downloaded onto personal devices unintentionally – through illegal software, malicious ads, or fraudulent links generated using artificial intelligence. Data thieves don’t just limit themselves to passwords: they also steal session cookies, which allow attackers to bypass even multi-factor authentication by “hijacking” the active logged-in session.

If employees use personal devices to check work emails or access SaaS platforms like Slack or Salesforce, a single infected home computer can compromise the entire corporate network.
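Because a stolen session cookie is presented by a different machine than the one that logged in, one practical detection is to bind each session identifier to the client address and user agent that first used it and alert when the same identifier turns up from another pair while the session is still alive. The script below is an added example, not from TechGDPR or the Estonian DPA; the access-log format and the log lines are constructed for illustration.

```python
"""Flag a session cookie that is reused from a different device after login.

Added example (not from TechGDPR or the Estonian DPA). Assumes constructed
web-server access log lines of the form:
  <ISO timestamp> <client ip> sid=<session id> ua="<user agent>" <path>
"""
import re
from datetime import datetime

# Constructed sample lines: a legitimate login from the user's home PC, then the
# same session id appearing from another address with a different user agent a
# few minutes later (the infostealer operator replaying the cookie), while the
# user's own session is still in use. The second user has no anomaly.
SAMPLE_LOG = """\
2026-04-14T08:02:11Z 203.0.113.10 sid=a1b2c3d4e5f6 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/124" /login
2026-04-14T08:02:40Z 203.0.113.10 sid=a1b2c3d4e5f6 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/124" /mail/inbox
2026-04-14T08:09:05Z 198.51.100.77 sid=a1b2c3d4e5f6 ua="curl/8.5.0" /mail/inbox
2026-04-14T08:09:06Z 198.51.100.77 sid=a1b2c3d4e5f6 ua="curl/8.5.0" /mail/export
2026-04-14T08:15:00Z 203.0.113.10 sid=a1b2c3d4e5f6 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/124" /mail/inbox
2026-04-14T09:00:00Z 192.0.2.5 sid=f6e5d4c3b2a1 ua="Mozilla/5.0 (Macintosh) Safari/17" /login
2026-04-14T09:01:00Z 192.0.2.5 sid=f6e5d4c3b2a1 ua="Mozilla/5.0 (Macintosh) Safari/17" /mail/inbox
"""

LINE_RE = re.compile(r'^(\S+) (\S+) sid=(\S+) ua="([^"]*)" (\S+)$')


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, sid, ua, path = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "sid": sid,
        "ua": ua,
        "path": path,
    }


def find_session_reuse(log_text):
    """Return one alert per request that presents a known session id from a
    different (ip, user agent) pair than the one that first used it.

    Each alert is (sid, first_ip, first_ua, new_ip, new_ua, timestamp).
    """
    bound = {}   # sid -> (ip, ua) of the first request seen for that session
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        key = (ev["ip"], ev["ua"])
        if ev["sid"] not in bound:
            bound[ev["sid"]] = key
        elif bound[ev["sid"]] != key:
            first_ip, first_ua = bound[ev["sid"]]
            alerts.append((ev["sid"], first_ip, first_ua, ev["ip"], ev["ua"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for sid, ip0, ua0, ip1, ua1, ts in find_session_reuse(SAMPLE_LOG):
        print(f"{ts:%H:%M:%S} session {sid} bound to {ip0} ({ua0}) reused from {ip1} ({ua1})")
```

The rule is deliberately strict and will produce noise for users whose address changes mid-session (mobile networks, VPN reconnects), so in practice the user-agent mismatch is weighted more heavily than the address change, and the alert is paired with the mitigations that limit the value of a stolen cookie in the first place: short session lifetimes, re-authentication for sensitive actions, and invalidating all sessions when a device is found to be infected.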

Illegal GPS tracking: The Slovenian Information Commissioner found that one of the providers of public utilities was continuously and indiscriminately collecting location data of employees, obtained through GPS transmitters installed in company vehicles, without clearly defining the purpose of the data processing. Employees were not properly informed about the scope and purpose of such tracking. Besides, the objectives could be achieved with less intrusive measures (e.g., manual entries, use of vehicle odometer data).

Employee computer monitoring: In a similar inspection procedure, a Slovenian regulator found that another employer’s covert surveillance (via Spyrix Employee Monitoring software) was carried out without a legal basis, without informing employees and to an extent that exceeded the permissible limits of interference with privacy in the workplace, as it targeted the content of employees’ communication via private e-mail and completely private conversations. The regulator imposed a fine of 71,474 euros due to the violations found.


Amazon multimillion fine annulled

The Administrative Court of Luxembourg has annulled a 746 million euro GDPR fine imposed on Amazon, citing procedural failings by the national regulator. Judges ruled that authorities did not properly assess the company’s level of fault before setting the penalty, the DigWatch News platform reports. The sanction was issued in 2021 by the national data protection commission over Amazon’s targeted ad system and appealed in March 2025. While the violations were upheld, the court found the regulator failed to determine whether the conduct was intentional or negligent.

Other enforcement decisions

Access to an employee’s email after the end of employment: An employee can access messages on their company email account and documents stored on their computer after the end of their employment. Any restrictions must be justified by specific and proven reasons, such as protecting company secrets. This is what Italy’s ‘Garante’ established in accepting the complaint of a former employee of an insurance company who had requested a copy of his company email messages and documents saved on his computer.

The company had accessed the former employee’s email and, after examining the contents, provided only the messages deemed “strictly personal,” excluding those related to work. According to the regulator, the right of access applies to all personal data, including communications exchanged through an individualised company account. Therefore, it is unlawful to pre-select the content to be provided, or to limit or obscure it based on the distinction between personal and professional contexts. For the violations identified, a fine of 50,000 euros was imposed.

Face recognition in the airport: Garante also declared the processing of biometric data of passengers at Milan Linate Airport using the facial recognition system “FaceBoarding” to be unlawful. The system was used to allow passengers to access the security-restricted area and board at the gate after registering at special kiosks or via an app and subsequently associating their face with their identification document and boarding pass. The system requires that the acquired biometric data be stored entirely centrally on the servers, preventing passengers from exercising exclusive control over their data. 

And Finally


AI awareness: While almost half of internet users in Germany feel capable of recognising AI-generated content, in reality, hardly anyone looks closely: only a minority have ever searched for inconsistencies in the image or checked the source (28% and 19%, respectively). Knowledge about potential fraud scenarios is also limited. Only 38 per cent believe it’s possible that cybercriminals could, for example, manipulate an AI program to transmit sensitive data. Similarly, only 40 per cent consider it conceivable that criminals could insert invisible instructions for AI systems into documents.

In fact, both scenarios are technically possible.

Police data reach: US police have access to a wide range of databases that they can use to look up and misuse information about people. This can result in humiliating and bad decisions, sometimes causing long-term damage to people’s lives. In-depth research by Rights & Security International and Privacy International reveals the impact of this and argues for more effective limits on what kinds of personal information police can view, when, and why. The US is not alone in this trend. The UK and the EU are also expanding law enforcement’s data-access powers, introducing facial-recognition surveillance and proposing scanning of private messages, as PI summarises.

Data protection digest 3 April 2026: abusive access request, human resources management & patient data in the cloud
https://techgdpr.com/blog/data-protection-digest-06042026-abusive-access-request-human-resources-management-patient-data-in-the-cloud/ (TechGDPR, Tue, 07 Apr 2026)
Abusive data access request

The EU Court of Justice ruled that even a first personal data access request may be deemed abusive under the GDPR if it is made solely to generate compensation claims, allowing controllers to refuse such requests. An individual residing in Austria subscribed to the newsletter of a family-run optician company in Germany by entering his personal data in the registration form available on the company’s website. 

Thirteen days later, he sent a request for access under Article 15 of the GDPR. The company refused the request, considering it to be abusive. According to various reports and blog articles, the individual systematically subscribes to newsletters of various companies before submitting an access request and then a compensation claim. The individual maintained that his access request was legitimate and claimed compensation of at least 1,000 euros.


Main developments

Protecting children online: On 3 April, the Regulation on the Extension of Derogation from the ePrivacy Directive for the purpose of identifying Child Sexual Abuse Material (CSAM) online expired, digitalpolicyalert.org reports. The extension concerns an exemption from data protection regulations, which grants hundreds of providers offering number-independent interpersonal communication services, such as messaging services, the authority to use technologies for processing personal and other data to identify, report, and remove instances of online child sexual abuse on their platforms. In addition, providers must ensure that information regarding reports of detected online child sexual abuse submitted to authorities and the Commission is accessible in a structured format.

‘Legitimate interests’ analysis: The EDPB has published a One-Stop-Shop case digest on the legal basis of “legitimate interest”. It provides useful examples of how regulators analyse controllers’ reliance on this legal basis in specific contexts, providing positive and negative compliance examples. In particular, it explains and summarises how regulators apply the three-step test to assess whether a controller can lawfully rely on legitimate interests. Relevant cases before the CJEU and national courts are also mentioned. 

Back up!


On World Backup Day, 31 March, the German Federal Office for Information Security (BSI) called on consumers to back up important data. Data backup is not a complicated process: most operating systems guide users through the process. Nonetheless, only one-fifth of internet users regularly create backups. Backups can be performed in the cloud or on a physical storage medium, such as an external hard drive.

Those who opt for a physical storage medium should keep it in a different location than, for example, the source computer for the data being backed up.  

Human resources management

The CNIL has published a reference framework (in French) to help data controllers identify retention periods for their personnel management activities. This document is particularly useful for data protection officers and GDPR referents, but also for staff working in human resources departments or in the information systems department. The framework is organised by processing activity and covers:

  • recruitment;
  • administrative management of personnel;
  • compensation management;
  • the security of goods and people;
  • the management of professional vehicles;
  • listening to and recording telephone conversations in the workplace;
  • the management of collective labour relations;
  • the management of occupational accidents;
  • the management of litigation and pre-litigation;
  • the management of whistleblowing.

More official guidance

Cookies user guide: The Swiss regulator, FDPIC, has published a factsheet on the use of cookies (in English) that explains how users can retain control over their own data and minimise the digital footprint they leave behind while browsing. Although cookies and similar technologies can enhance the online browsing experience, for example, by saving the contents of a shopping basket or certain preferences, they can also enable third parties to track users’ online activities. 

AI red lines: The Future of Privacy Forum continues its series of publications on Red Lines under the EU AI Act. This time, it pays attention to the prohibition on biometric categorisation for “certain sensitive characteristics” to deduce or infer race, political opinions, trade union membership, religious or philosophical beliefs, etc. The risks associated with biometric categorisation also reflect broader concerns under EU data protection legislation, as sensitive characteristics may themselves constitute special categories of personal data under the GDPR. 

Previous analysis by FPF also looked at prohibition and emotion recognition in the workplace and educational institutions.

Health data in the cloud: More and more organisations are using cloud solutions for processing health data. The Dutch data protection authority AP has therefore published an updated and broadened version of its practice guide on patient data in the cloud. The practice guide now focuses not only on patient data within the treatment relationship, but on health data in a broader sense.

In other news

Police biometric data: A police authority may, in a criminal investigation, collect biometric data only where the collection is strictly necessary. The Maltese data protection agency looked at a recent ruling by the CJEU, which stated that the gathering of identification data may not be required systematically and clear reasons must be given for it, failing which the criminal penalty laid down for refusing to consent to that gathering will be invalid.

In a related case, a person was detained in Paris for organising a demonstration without prior notice and for disobedience. While he was in police custody, he refused to consent to the gathering of identification data (fingerprints and photo). That refusal resulted in his being charged, even though he was acquitted of the offence forming the basis of the envisaged gathering of identification data. 

Credit information checks should be free of charge: The Finnish data protection ombudsman considers that the regular practice of the credit information company Dun&Bradstreet, in which a person has only been able to check their own credit information once a year, free of charge, is not in accordance with data protection legislation. Customers had been regularly charged a fee if they had requested information more than once within a year. The company also had shortcomings in responding to requests for personal data. 

According to the law, a fee can only be charged in situations where the request is manifestly unfounded or unreasonable, for example, if the same information is requested repeatedly. 


More enforcement decisions

OkCupid data sharing: In the US, the Federal Trade Commission is taking action against OkCupid and its affiliate Match Group Americas over allegations that it deceived users of its dating app by sharing their personal information, including photos and location information, with an unrelated third party, contrary to OkCupid’s privacy promises. OkCupid provided the third party with access to nearly three million OkCupid user photos as well as location and other information without placing any formal or contractual restrictions on how the information could be used.

The FTC also alleged that, since September 2014, Match and OkCupid took extensive steps to conceal their wrongdoing, including by trying to obstruct the FTC’s investigation.

Unauthorised access to banking information: The Italian data protection authority Garante has fined Intesa Sanpaolo 31.8 million euros for serious shortcomings in personal data security. The investigation found that an employee accessed, without justification, the banking information of 3,573 customers, making over 6,600 inquiries between February 21, 2022, and April 24, 2024. These unauthorised accesses were not detected by internal control systems, highlighting significant weaknesses in the monitoring and prevention mechanisms. 

And Finally


Wearables: The Swiss FDPIC has published practical advice on smartwatches and fitness trackers, which monitor your physical activity and bodily functions and are now widely used. Smart glasses, which make it easy to take and share photos and videos, are also gaining in popularity. As all these body-worn devices pose a particular threat to privacy, users should exercise particular caution when using them.

Before making their choice, buyers should check how the manufacturer has configured it and whether the product allows for privacy-friendly settings, where collected data is stored, and whether the processing of such data is comprehensible overall.

Fraudulent websites: Reportedly, phishing remains one of the largest forms of online crime. To better protect internet users against this, several Dutch public and private parties have jointly tested a new approach. The so-called Anti Phishing Shield demonstrates that the approach works: since the start of the pilot in July 2025, over two million attempts to visit phishing and fraudulent websites have been blocked among a group of over 200,000 users. Internet providers can easily connect to the tool and use it to protect their customers. Users must give their prior explicit consent via a so-called ‘opt-in’.

Read the original publication to see how the Anti Phishing Shield works.

Data protection digest 3 Jan 2026: Improvements are being made to GDPR enforcement, US consumer privacy, and emerging “Shadow AI” concerns
https://techgdpr.com/blog/data-protection-digest-03012026-improvements-are-being-made-to-gdpr-enforcement-us-consumer-privacy-and-emerging-shadow-ai/ (TechGDPR, Wed, 07 Jan 2026)
GDPR enforcement simplified

A new regulation came into force on 1 January, supplementing the GDPR. It speeds up the work of data protection authorities in enforcement cases that involve multiple countries in the EU/EEA. The regulation provides, among other things, for time limits, stages of investigation, the exchange of information between authorities, and the rights of the parties concerned. In future, data protection authorities will have to issue a resolution proposal on a cross-border case as a rule within 12-15 months. In the most complex cases, the deadline can be extended by 12 months. The regulation will apply from April 2027. 


UK Adequacy decision

The European Commission adopted two new adequacy decisions for the UK – one under the GDPR and the other under the Law Enforcement Directive – valid until 27 December 2031. In accordance with the new decisions, transfers of personal data from the EU to the UK can continue to take place without any specific framework. Following Brexit, the Commission adopted two adequacy decisions vis-à-vis the UK in 2021. Sunset clauses had been introduced in each of the decisions. The decisions expired in mid-2025, but had been extended until the end of the year. The EDPS has since issued an opinion on these decisions.

More legal updates

US consumer privacy updates: In Kentucky, as well as Indiana, Rhode Island and several other states, GDPR-inspired consumer data privacy legislation took effect on January 1. In Kentucky, in particular, the new legislation establishes the rights to confirm whether data is being processed, to correct any inaccuracies, to delete personal data provided by the consumer, to obtain a copy of the consumer’s data, and to opt out of targeted advertising, the sale of data, or profiling of the consumer, along with requirements for entities that control and process their data.

Similarly, in January, new regulations became effective in California regarding a risk-assessment framework for certain high-risk data processing activities, as well as transparency and notice requirements, disclosure of sensitive personal information, data breach reporting, consumer rights requests, and data collection and deletion by data brokers.

AI use by banks

The Hungarian data protection regulator issued a report on the processing of personal data by AI systems used by banks in Hungary (available in English). Some good practices indicated by the report include:

  • AI recognition of images, voices and texts must be reliable, without compromising data security. Principles of data minimisation and storage limitation must be observed.
  • The quality of the data used for AI training is important, as well as identifying whether or not the training data needs to be linked to a specific natural person. In many cases, pseudonymisation or anonymisation can be used to mitigate privacy risks before training.
  • The use of ‘Shadow AI’ is becoming a new phenomenon. It covers all cases where, in an organisation, users use AI systems in an unregulated, non-transparent, uncoordinated manner from the point of view of the organisation, either for work or for some personal use, using the organisation’s IT infrastructure. 
  • In their operations, certain banks under review also use analytical models to analyse and predict creditworthiness and product affinity, the precise classification of which may raise questions. They often operate on a statistical basis, but may also have an AI-based component, and it is necessary to apply the appropriate safeguards. 

More from supervisory authorities

EU Data Act: The French privacy regulator CNIL explained how the EU Data Act is going to reform the EU digital economy, gradually implemented through 2026-2027. The Act sets fair rules on the access and use of personal or non-personal data generated by connected objects. It allows anyone who owns or uses connected products to access the data generated by this object. It also facilitates their sharing with other actors, in particular by prohibiting unfair contractual clauses.

The implementation of this regulation must be done in conjunction with the GDPR. In particular, it provides that in the event of a contradiction between the two texts, it is the GDPR that prevails when personal data is concerned.

Similarly, the Digital Governance Act should be taken into account, which has set up new trusted intermediaries to encourage voluntary data sharing.

Bodycam use: At the end of December, the CJEU ruled in a case regarding a data controller’s obligation to provide information when collecting personal data via a body-worn camera worn by ticket inspectors on public transport. The collection of personal data by means of body-worn cameras constitutes collection directly from the data subject. The information obligation must therefore be respected at the time of collection, Article 13 of the GDPR. The information obligation can operate at several levels, where the most important information is, for example, stated in a warning sign, while the remaining information can be provided in another appropriate (and easily accessible) way.


Disney US settlement

On 31 December, a federal judge required Disney to pay 10 million dollars to settle FTC allegations that the company allowed personal data to be collected from children who viewed child-directed videos on YouTube without notifying parents or obtaining their consent as required by the Children’s Online Privacy Protection Rule (COPPA Rule). A complaint alleged that Disney violated the COPPA Rule by failing to properly label some videos that it uploaded to YouTube as “Made for Kids”.

The complaint alleged that by mislabeling these videos, Disney allowed for the collection, through YouTube, of personal data from children under 13 who viewed child-directed videos and used that data for targeted advertising to children.

More enforcement decisions

TikTok investigations: According to vitallaw.com, the Spanish and Norwegian data protection authorities have issued warnings to TikTok users regarding the company’s transfer of personal data to China, where national laws could require that data be shared with Chinese authorities. TikTok already faces EU fines over violations of the GDPR and has been ordered to stop transferring personal data to China.

So far, TikTok has been granted an interim injunction that allows the company to continue transferring personal data to China until the case is resolved. As a result, regulators are warning users to read the online platform’s notifications and privacy policies, check their privacy settings and think about what they share in the app. It is also recommended that businesses consider whether to continue using TikTok and conduct risk assessments.

PCRM software fine: Finally, the French CNIL has fined Nexpublica 1,700,000 euros for failing to provide sufficient security measures for a tool used to manage relationships with users in the field of social action. Nexpublica (formerly Inetum Software) specialises in the design of computer systems and PCRM software used in particular by homes for disabled people.

At the end of 2022, Nexpublica customers notified data breaches to the CNIL, because users of the portal had been able to access documents concerning third parties. The CNIL then carried out inspections of the company, which revealed that its technical and organisational measures were inadequate. The CNIL considered that the vulnerabilities found:

  • were mostly the result of a lack of knowledge of the state of the art and basic security principles;
  • were known and had already been identified by the company through several audit reports.

Despite this, the flaws were only patched after the data breaches.

The post Data protection digest 3 Jan 2026: Improvements are being made to GDPR enforcement, US consumer privacy, and emerging “Shadow AI” concerns appeared first on TechGDPR.

Data protection digest 3-18 Dec 2025: E-commerce websites should offer a choice between ‘guest’ mode, or voluntary account creation
https://techgdpr.com/blog/data-protection-digest-22122025-e-commerce-websites-should-offer-a-choice-between-guest-mode-or-voluntary-account-creation/ Mon, 22 Dec 2025 09:26:19 +0000

E-commerce user data

As a general rule, users should have the option to engage with e-commerce websites, including the ability to make purchases, without creating an account. In such cases, the EDPB recommends that e-commerce websites offer a choice: either a ‘guest’ mode, allowing users to make purchases without creating an account, or the option to voluntarily create an account. This approach minimises the collection and processing of personal data, and therefore aligns with the GDPR’s principle of data protection by design and by default. However, mandatory account creation can be justified in a limited number of cases, for example when offering a subscription service or providing access to exclusive offers.


Google antitrust investigation

The EU Commission has opened an investigation into possible anticompetitive conduct by Google in the use of online content for AI purposes – using the content of web publishers, as well as content uploaded on the online video-sharing platform YouTube. The investigation will notably examine whether Google is distorting competition by imposing unfair terms and conditions on publishers and content creators, or by granting itself privileged access to such content, thereby placing developers of rival AI models at a disadvantage. It should be noted that there is no legal deadline in the EU for bringing an antitrust investigation to an end. 

More legal updates

US AI national policy: On 11 December, President Trump signed an Executive Order establishing a national policy framework for AI and lifting barriers to innovation. According to digitalpolicyalert.org, the US Administration will work with Congress to establish a single national AI standard that avoids conflicting state legislation. This standard would override any state laws that contradict the policy and would include protections for children, respect for copyrights, prevention of censorship, and measures to keep communities safe.

US immigration data: According to Privacy International, the US Government also intends to force visitors who are not required to get visas, such as British and French citizens, to submit their digital history and even DNA as the price of entry. With this much data, AI tools will likely be deployed to unlock details of a traveller’s life for border and immigration agencies. In particular, it wants to know all about:

  1. ‘telephone numbers used in the last five years’
  2. ‘email addresses used in the last ten years’
  3. ‘family number telephone numbers (sic) used in the last five years’
  4. biometrics – face, fingerprint, DNA, and iris
  5. business telephone numbers used in the last five years
  6. business email addresses used in the last ten years.

If the proposed changes, published on 10 December, are adopted after the 60-day consultation, travellers will have to use dedicated apps for their ESTA application and to provide biometric proof of their departure. The latter will disclose the user’s location once they have left the US and run live detection on the selfie photo.

Password managers


The German Federal Office for Information Security (BSI) examined this product category and investigated the IT security features of ten selected password managers. Three out of ten stored passwords in a way that theoretically allows manufacturers access. This increases the attack surface on the manufacturer’s side, which must be mitigated by additional compensatory measures. Users must trust these additional measures.

If the password manager stores data in the cloud, consumers should be informed about the storage location and data protection measures. This information can be included, for example, on the manufacturer’s website, in the terms and conditions for using the product, or in the privacy policy.

AI Training guidance

The Swedish data protection authority IMY has investigated the possibility of using personal data to create synthetic data for AI training purposes. Such data is created to resemble the original data without being linkable to individuals. This can be very positive from a privacy perspective, even though the synthesis itself means that personal data is processed, so it needs to comply with the GDPR. The particular project IMY investigated concerned custody cases. It therefore involved a large amount of data of a very sensitive nature, which requires special considerations and measures.

More from supervisory authorities

Medical research: The Hessian data protection commissioner has published a guide to data protection in medical research (in German). The guide presents four concrete use cases from the practice of medical research and classifies them from a data protection perspective. In particular, the cases describe the use of AI in cancer screening, pathology, intensive care, and the distinction between quality assurance and scientific research. The guide pays particular attention to the question of under what circumstances data can be considered anonymous. The use of anonymised data is especially relevant for medical research and the training of AI models. For research projects where anonymisation is not practical, the guide presents alternative legal bases under data protection law.

Consent forms: Consent is one of the lawful grounds for processing personal data. It means that a person freely, specifically and unambiguously agrees to the processing of their data for one or more purposes. Consent has to be verifiable so that the controller can demonstrate that it was obtained in accordance with the requirements. Therefore, in situations where consent is requested in person, a written form is useful, as it provides clarity for both the organisation and the customer. It can be limited to the minimum information that matters most at the time of consent, so as not to overload the person with information and not to delay the service or process itself. The consent form must state:

  • Who will process the data (company, individual entrepreneur), with their name
  • Why the data is needed
  • What data is needed
  • How to withdraw consent
  • Customer ID (data subject’s first name, last name)
  • Date, signature
  • Where to find more information about the data processing, including the duration of data storage and how to contact the controller

Cambridge Analytica compensations

Eligible Australian Facebook users impacted by the Cambridge Analytica affair have until 31 December to register under a payment program established in a landmark settlement. The 50 million dollar payment program was established by Meta Platforms as part of an enforceable undertaking the Australian Information Commissioner accepted from Meta in December 2024. This brings to an end 7 years of investigation and litigation related to the Cambridge Analytica matter in Australia.

Meta data access

The Austrian Supreme Court ordered that Meta must provide full access to all of a user’s personal data within 14 days of a request, including the sources, recipients and purposes for which each piece of information was used, privacy advocacy group NOYB reports. Meta’s claims of trade secrets or other limitations were rejected. The company had argued that this would lead to unprecedented access to the inner systems of the platform.

Meta must also ensure that sensitive information (political views, sexual orientation, or health) is not processed together with other data unless a valid legal basis under Art. 9 GDPR applies, even if it was collected unintentionally or if technically distinguishing it would be impossible. The case was brought by the NOYB activist Max Schrems in 2014 and spent 11 years in the Austrian courts and the CJEU. The plaintiff was awarded 500 euros in damages.

American Express cookie fine

The French privacy regulator CNIL fined American Express Carte France, the French subsidiary of the American Express group, 1.5 million euros for non-compliance with the rules applicable to cookies: a) by depositing trackers without having obtained user consent, b) by depositing trackers despite users’ refusal to consent, and c) by continuing to read previously deposited trackers despite a subsequent withdrawal of consent.

In other news

Germany telecommunications fine: Due to massive violations of data protection rights, the North Rhine-Westphalia data protection commissioner has imposed a fine of 300,000 euros on a local telecommunications company. Since 2022, consumers have repeatedly contacted the regulator for the same reason: they received personalised ad letters promoting a contract for an internet and telephone connection. The recipients consistently stated that they had never had any prior contact with this company. However, the advertising letters were remarkably detailed. The recipients were only required to add their IBAN and sign the form.

Due to the design of the letters and the similarity of the company’s name to that of a very well-known telecommunications provider, many consumers were unaware that it wasn’t an offer for a different tariff with their existing provider, but rather an offer to switch providers. As a result, those affected often signed the contract documents. Only when they later realised they had switched providers did they cancel or revoke the contracts – and were then hit with a demand for a flat-rate compensation fee by the company.

Direct marketing fine: The Italian data protection authority has fined Verisure Italia for unlawful processing of personal data for marketing purposes. The measure stems from a complaint from a former customer who continued to receive unwanted promotional text messages even after objecting to the processing of his data, and from a report from a potential customer who, after requesting a quote, began receiving promotional phone calls, emails, and text messages. The communications continued despite the exercise of the right to object provided for by the GDPR. Furthermore, the regulator deemed the retention period for potential customer data envisaged for telemarketing (12 months) to be excessive. 


More enforcement actions

Data processor breach: The French CNIL imposed a fine on Mobius Solutions, the processor behind a data breach affecting users of Deezer. The company was fined 1 million euros for failing to comply with the applicable rules regarding subcontracting. In 2022, Deezer reported that its users’ data had been posted on the dark web and that its former processor, Mobius Solutions, whose services it used to carry out personalised advertising campaigns for its customers, was involved.

The processor retained a copy of the data of more than 46 million Deezer users after the end of their contractual relationship, despite its obligation to delete all such data at the end of the contract.

University data breach: The Dutch AP imposed a 175,000-euro fine on HAN University of Applied Sciences for breaching the GDPR data security rules. A hacker used SQL injection through a web form to access HAN’s database. The individual threatened to make personal data, including addresses, names, passwords, and citizen service numbers, public and unsuccessfully demanded a ransom from the university.

Password manager data breach: The UK Information Commissioner fined password manager provider LastPass 1.2 million pounds following a 2022 data breach that compromised the personal information of up to 1.6 million of its UK users. LastPass failed to implement sufficiently robust technical and security measures, which ultimately enabled a hacker to gain unauthorised access to its backup database. The incidents occurred when a hacker gained access first to a corporate laptop of an employee based in Europe and then to a US-based employee’s personal laptop on which the hacker implanted malware and was then able to capture the employee’s master password.

In case you missed it


Meta personalised ads: On 8 December, the European Commission acknowledged Meta’s undertaking to offer users in the EU an alternative choice of Facebook and Instagram services that would show them fewer personalised ads, to comply with the Digital Markets Act. This is the first time that such a choice is offered on Meta’s social networks. Meta will give users the effective choice between: 

Meta will present these new options to users in the EU in January 2026. This follows a close dialogue between the Commission and Meta after the Commission found Meta in breach of the Digital Markets Act and issued Meta a non-compliance decision related to Meta’s “consent or pay” model in April 2025.

TikTok usage risks in the EU: The Dutch AP urges users and organisations to carefully consider whether they wish to continue using TikTok and other services that transfer personal data to countries outside the EU, including China. The Irish data protection authority DPC has previously ruled that this transfer is in breach of the GDPR. In addition, the Irish court required TikTok to better inform users on data processing activities. Users can still decide whether they want to continue using TikTok under these circumstances. If not, they can (temporarily) delete the app or deactivate an account.

The post Data protection digest 3-18 Dec 2025: E-commerce websites should offer a choice between ‘guest’ mode, or voluntary account creation appeared first on TechGDPR.

Data protection digest 18 Nov-2 Dec 2025: “Digital omnibus” package latest & market price of personal data already estimated
https://techgdpr.com/blog/data-protection-digest-4122025-digital-omnibus-latest-and-market-price-of-personal-data/ Thu, 04 Dec 2025 10:02:26 +0000

“Digital omnibus” package latest

On 19 November, the European Commission presented proposals for amendments in the digital area legislation, including the GDPR, the Data Act, the EU AI Act, and the NIS 2 Directive. According to digitalpolicyalert.org analysis, the Digital Omnibus would amend the GDPR by:

  • changing the definition of personal data to specify any entity that is reasonably likely to have the means to identify a person,
  • exempting certain biometric data and data used by AI from the restrictions on processing special categories of personal data,
  • clarifying on further processing of personal data in the public interest or for scientific research purposes, and
  • specifying that processing of personal data that is necessary for the interests of a controller in the development or operation of an AI system can be pursued under “legitimate interests”.

The Digital Omnibus would also exempt personal data processing from the cookie requirements under the ePrivacy Directive. Instead, it would amend the GDPR to maintain the consent requirement, while specifying that certain processing activities, such as electronic communications transmissions, service provision, audience measurement solely for an online service provider, and maintaining or restoring security, would be considered lawful. Websites and apps would have to allow data subjects to consent through automated, machine-readable mechanisms; browser manufacturers must likewise enable users to grant or refuse consent.

Finally, personal data breaches that are likely to result in a high risk to the rights and freedoms of natural persons would need to be reported to a single entry point within 96 hours of becoming aware of them. Similarly, there would be unified lists of processing activities that do or do not require a Data Protection Impact Assessment, and a standard DPIA template and methodology would be created.


GDPR enforcement

On 17 November, the Council of the EU adopted new rules to improve cooperation between national data protection bodies when they enforce the GDPR to speed up the process of handling cross-border data protection complaints. Main elements of the new EU regulation include:

  • Admissibility: Regardless of where in the EU a complaint is filed, admissibility will be judged based on the same information/conditions. 
  • Rights of complainants and parties under investigation: Common rules will apply for the involvement of the complainant in the procedure, and the right to be heard for the company or organisation that is being investigated.
  • Simple cooperation procedure: For straightforward cases, data protection authorities can decide, to avoid administrative burden, to settle actions without resorting to the full set of cooperation rules.
  • Deadlines: In the future, an investigation should not take more than 15 months. For the most complex cases, this deadline can be extended by 12 months. In the case of a simple cooperation procedure between national data protection bodies, the investigation should be wrapped up within 12 months.

The regulation will enter into force 20 days after its publication in the Official Journal of the EU. It will become applicable 15 months after it enters into force.

More legal updates

The European Commission has launched a whistleblower tool for the AI Act. Whistleblowers can provide relevant information in any of the EU official languages and in any relevant format. The tool provides a secure means to report potential law violations that could compromise fundamental rights, health, or public trust. The highest level of confidentiality and data protection is guaranteed through certified encryption mechanisms. Anyone can access the AI Act Whistleblower Tool and find more information about it in its frequently asked questions.

California privacy updates: California has enacted a bill which amends the state’s data breach notification law to establish strict new reporting timelines. Beginning January 1, 2026, businesses must notify affected California residents within 30 calendar days of discovering a security incident involving personal information. For incidents affecting more than 500 residents, notice to the California Attorney General must be provided within 15 calendar days of the consumer notice. The amendment allows limited exceptions for law enforcement needs or when necessary to determine the scope of the incident and restore system integrity, JD Supra lawblog reports. 

In parallel, starting Jan. 1st, 2027, California will prohibit a business from developing or maintaining a browser, as defined, that does not include functionality configurable by a consumer that enables the browser to send an opt-out preference signal to businesses with which the consumer interacts through the browser. The bill would require a business that develops or maintains a browser to make clear to a consumer in its public disclosures how the opt-out preference signal works and the intended effect. The bill would grant a business that develops or maintains a browser that includes this functionality immunity from liability for a violation of those provisions by a business that receives the opt-out preference signal. 

Child data protection in the EU

On 26 November, the European Parliament adopted a resolution on the protection of minors online as part of an own-initiative procedure on the topic. The resolution calls, among other things, for the implementation of an EU-wide harmonised digital minimum age of 16 for accessing social media, video-sharing platforms and AI companions without parental consent, with 13 as the minimum age for any social media use by children, even with parental consent. 

In parallel, the German Data Protection Conference, DSK, adopted a resolution calling for amendments to the GDPR to strengthen protections for children. It proposes a ban on children’s consent for profiling and advertising, limits on children’s ability to consent to special-category data processing, and clearer rights for children to access counselling and medical services privately. It also focuses on a prohibition on children consenting to automated decisions, attention to children in breach notifications, data protection by design and default, and consideration of children’s risks in data protection impact assessments, digitalpolicyalert.org sums up. 

Cloud computing

The European Commission has published non-binding Model Contractual Terms for data access and use and Standard Contractual Clauses for cloud computing contracts. They have been developed to help parties, especially SMEs, implement the provisions of the Data Act. Their use is voluntary and open to users’ possible amendments. Although they were mainly drafted for business-to-business contracts, they can also be used in relations between businesses and consumers, if relevant consumer protection rules are added. 

Three sets of Model Contractual Terms (MCTs) were drafted to cover the relationships where data sharing is mandatory, between data holders, users and data recipients of data generated when using connected products. Plus, proposed Standard Contractual Clauses (SCCs) translate the provisions of ‘cloud switching’ into ready-to-use contractual terms that can be inserted in data processing contracts:

  • SCC Switching & Exit
  • SCC Termination 
  • SCC Security & Business continuity (including provider notification of significant incidents).

Email security

The German Federal Office for Information Security, BSI, has published a white paper on requirements for the protection, transparency, and user-friendliness of webmail services that systematically and sustainably increase consumer security. The paper considers not only technical security functions, but also usability, transparency and trust as essential components of digital sovereignty. A fundamental part of e-mail security currently still rests on the shoulders of users, who are expected to be familiar with two-factor authentication, passkeys and encryption. The BSI sees responsibility primarily with the providers: they must provide effective procedures for authentication, encryption, spam protection and account recovery that work without major user intervention.

Data Act implementation


The Data Act has been in effect since September 2025. This new European regulation is intended to give consumers within the EU more control over the use of their data. For instance, a car owner will have the right to access the data their car collects. If repairs are needed, they can share the data with a garage of their choice, explains the Dutch data protection agency AP, which will jointly oversee the implementation process at a national level, starting from 21 November.

The Data Act and the implementing laws do not override the rules of the GDPR. In the event of conflicting rules, the GDPR takes precedence. This means that any data sharing involving personal data must comply with the GDPR, stresses the regulator. 

More from supervisory authorities

Market research data processing: In Poland, the data protection regulator UODO approved the “Code of Conduct on the Processing of Personal Data by Private Research Agencies”. The reason for the development of the code was numerous discrepancies in the processing of the personal data of research participants. As a result, in the case of identical surveys, their participants, depending on the entity conducting the study, could receive divergent information, for instance, on the legal basis for the processing of personal data. Information obligations were also fulfilled differently. The Code also provides guidance to help carry out a risk assessment or, where justified, a data protection impact assessment.

It is worth noting that the code obliges all entities that join it to appoint a Data Protection Officer (DPO).

Sound recording and CCTV: Organisations often choose to conduct video surveillance with sound recording. Sometimes, they simply do not disable the camera manufacturer’s default audio function. As a result, the additional risks posed not only by image capture but also by sound recording are not sufficiently assessed. In addition, the related processing of personal data is not always carried out lawfully: recording sound and recording images are two different data processing operations, so audio and video each require their own legal basis.

The processing of personal data by performing video surveillance with audio recording is not justified in most cases. There are rare situations where it is legal and permissible, mainly when it is associated with an increased risk to the essential interests of the organisation or society. Often, the legal basis for such processing can be found in the special regulatory framework applicable to a particular industry in which the organisation operates.


Employment clauses and personal data processing

Labour clauses are widely used by both public and private contracting authorities to ensure fair wages and working conditions at suppliers. Contracting entities often require the supplier to provide documentation of its compliance with the labour clauses, typically in the form of employees’ salaries, timesheets and employment contracts. This gives rise to questions about the supplier’s legal basis for disclosing such personal data to the contracting authority, notes Denmark’s data protection agency. Its conclusion is that there will generally be an overriding legitimate interest that can form the basis for the disclosure of the information in question.

TechSonar 2025-2026

The EDPS’s latest guidance on new technology, the TechSonar report 2025-2026, explores six trends: agentic AI, AI companions, automated proctoring, AI-driven personalised learning, coding assistants and confidential computing. While each of these technologies serves a distinct purpose, they are deeply interconnected. Together, they illustrate how AI is progressively reshaping not only business processes or common daily tasks, but also the human experience of technology.

In other news


Data security in cloud-based EdTech: The US Federal Trade Commission will require education technology provider Illuminate Education, Inc. (Illuminate) to implement a data security program and delete unnecessary data to settle allegations that the company’s data security failures led to a major data breach, which allowed hackers to access the personal data of more than 10 million students.

Illuminate sells cloud-based technology products and collects and maintains personal information about students on behalf of schools and school districts. In its complaint, the FTC alleged that in 2021, a hacker used the credentials of a former employee, who had departed Illuminate three and a half years prior, to breach Illuminate’s databases stored on a third-party cloud provider. 

Medical data breach: The Norwegian data protection regulator upheld its fine on Argon Medical Devices. In 2023, it had issued the American company Argon Medical Devices an infringement fee of approximately 127,000 euros for violating the GDPR. In 2021, Argon discovered a security breach that affected the personal data of all of its European employees, including those in Norway. Argon sent the Norwegian regulator a notification of the breach long after the 72-hour deadline for reporting such breaches.

Argon believed that it did not need to report the breach until it had a complete overview of the incident and all its consequences. This view was enshrined in its procedures, and this was the basis for the delay. The case is an important reminder that controllers must have appropriate measures in place to determine whether a breach has occurred and to promptly notify the supervisory authority and the data subjects.

Mobile app gaming company fine

California’s Attorney General settled with Jam City, Inc., resolving allegations that the mobile app gaming company violated the state’s Consumer Privacy Act (CCPA) by failing to offer consumers methods to opt out of the sale or sharing of their personal information across its popular gaming apps. Jam City creates games for mobile platforms, including games based on popular franchises such as Frozen, Harry Potter, and Family Guy. In addition to 1.4 million dollars in civil penalties, Jam City must provide in-app methods for consumers to opt out of the sale or sharing of their data and must not sell or share the personal information of consumers under 16 years old without their affirmative “opt-in” consent.

Data brokers fine

The Belgian data protection authority GBA, meanwhile, has imposed a 40,000 euro fine on the data broker Infobel for illegally reselling data for marketing purposes, cybernews.com reports. A consumer complained to the GBA after receiving a marketing brochure in the mail from a firm of which he was not a customer. The complainant asked how the corporation had obtained his information and was told that it had been supplied by a media agency. The agency had obtained his information via Infobel, a data broker that in turn received it from a telecom operator. 

Infobel said it had permission to sell the complainant’s information to the media agency, since it had secured approval from the data subjects. However, the data protection authority found that there had been no explicit, informed, or unambiguous consent. 

Cookie consent fine

On November 20, the French regulator CNIL fined the French company Conde Nast Publications 750,000 euros for non-compliance with the rules applicable to cookies deposited on the terminals of users visiting the “vanityfair.fr” site. In particular, cookies subject to consent were placed on the terminals of users visiting the “vanityfair.fr” site as soon as they arrived on the site, even before they interacted with the cookie banner to express a choice. Also, when a user clicked on the “Refuse all” button in the banner, or when they decided to withdraw their consent to the registration of trackers on their terminal, new cookies subject to consent were nevertheless deposited, and other cookies, already present, continued to be read. 

And finally…

Meta multi-million ruling: A Spanish court has ordered Meta to pay 479 million euros to Spanish digital media outlets for unfair competition practices and infringing the GDPR, a ruling the company will appeal, Reuters reports. The award, which will be paid to 87 digital press publishers and news organisations, relates to Meta’s use of personal data for behavioural advertising.

The complaint filed by the Spanish outlets centred on Meta’s shift in the legal basis for processing personal data after the GDPR went into effect in May 2018. Meta changed “user consent” to “performance of a contract” to support behavioural advertising. Later, regulators judged that it was insufficient. Meta returned to consent as its legal foundation in 2023. The judge assessed that Meta generated at least 5.3 billion euros in advertising income during those five years.

Personal data monetisation: The French CNIL commissioned a survey on the perception of the French people regarding the use of their personal data. From a representative sample of 2,082 people aged 15 and over, 65% of them say they are willing to sell their data. Of these, only 6% would be willing to sell it for less than 1 euro per month, while 14% preferred a fee of more than 200 euros per month. 

The most common valuation was between 10 and 30 euros per month, preferred by 28% of respondents. This is consistent with recent market research based on an estimate for Meta’s services, where, at a price of 5 euros, 20% of people would be willing to sell their data and 90% of companies would be willing to buy it. Taken together, these results make it possible to approximate a market price for data of around 40 euros per month (and per subscribed service). 

The post Data protection digest 18 Nov-2 Dec 2025:  “Digital omnibus” package latest & market price of personal data already estimated appeared first on TechGDPR.

Data protection digest 3-17 Nov 2025: Consumer loan checks can reveal people’s lifestyle data
https://techgdpr.com/blog/data-protection-digest-19112025-consumer-loan-checks-can-reveal-peoples-lifestyle-data/ (Wed, 19 Nov 2025 09:42:20 +0000)

The post Data protection digest 3-17 Nov 2025: Consumer loan checks can reveal people’s lifestyle data appeared first on TechGDPR.
Consumer loan checks

Consumer loan checks can reveal people’s lifestyles. The Dutch Data Protection Authority AP concluded this after reviewing a bill concerning consumer loans. It believes that lenders can assess a person’s ability to meet payment obligations with less information about them. It is unlikely that all the information in a bank statement, including sender, recipient, or description, is always necessary.

The bill introduces stricter rules for consumer loans under 200 euros (services like “buy now, pay later”, credit cards, and bank overdrafts). For these relatively small loans, the borrower’s ability to pay on time and the risk of default will also be checked. People who use such loans will also be registered with the Credit Registration Office. The AP emphasises that the new rules need to be further developed for better data control and minimisation. 


EU Digital Omnibus package latest

The privacy advocacy group NOYB warns that the so-called Digital Omnibus, which is being prepared by the European Commission, brings fast-track deregulation, including a ‘massive’ reform of the GDPR and ePrivacy legislation. According to the draft proposal, the Commission envisages changes to core elements such as the definition of personal data, consent requirements, and data subjects’ rights, as well as weaker protections for special categories of data under the GDPR. In parallel, AI companies could also benefit from easier access to European personal data through the use of the ‘legitimate interests’ legal basis for processing.  

ETIAS and data protection

As the clock ticks down to the launch of a new EU large-scale border management system, the European Travel Information and Authorisation System (ETIAS) in autumn 2026, momentum is building to prepare it for entry into operation and ensure its compliance with data protection laws. The EDPS follows the implementation of ETIAS at close quarters. To help mitigate the risks, legislators have established an ETIAS Fundamental Rights Guidance Board. 

Composed of representatives of the EDPS, EDPB, EU Fundamental Rights Agency, Frontex Fundamental Rights Office and Frontex Consultative Forum, the EFRGB is mandated to issue guidance on the fundamental rights impacts of processing ETIAS applications. A critical concern for individuals required to apply for an ETIAS is ensuring access to an effective judicial remedy. For instance, refusal of a travel authorisation could result from a data processing error.

Brazil draft adequacy decision

The EDPB also adopted an opinion regarding the European Commission draft implementing decision on Brazil’s adequacy. The General Data Protection Law in Brazil, LGPD, together with Presidential decrees and binding regulations issued by Brazil’s Data Protection Authority, ANPD, establish requirements, including in relation to the principles, data subject rights, transfers, oversight and redress, closely aligned with the GDPR and case law of the CJEU. At the same time, the EDPB invites the Commission to clarify further how certain exemptions and specific limitations of data subject rights in the LGPD correspond to the adequate level of data protection regarding:

  • national security purposes relating to the collection and sharing of data between the public entities within the Brazilian intelligence systems
  • personal data processing for criminal law enforcement purposes
  • rights of information and access to the data 
  • accountability principle and the requirements for the data protection impact assessment

More legal updates

NIS2 implementation in Germany: On 13 November, the law implementing the European Network and Information Systems (NIS) 2 Directive passed the German Bundestag. The directive increases the cybersecurity requirements for certain companies and for the federal administration. The Federal Office for Information Security (BSI) occupies a key position in both areas. It will become the supervisory authority for the companies affected by the directive; in addition, in the role of Chief Information Security Officer (CISO), it will be the central body for the cybersecurity of the federal administration. 

Affected companies must register with the BSI, report significant security incidents, and implement technical and organisational risk management measures. The law includes an amendment to the BSI Act, which previously covered approximately 4,500 entities in the economic sector: operators of critical infrastructure, providers of digital services, and companies of particular public interest. With the entry into force of NIS2, this scope is expanded to include the categories of “important institutions” and “particularly important institutions”, meaning that the BSI will supervise approximately 29,500 institutions in the future. 

NIS upgrade in the UK: In parallel, on 12 November, the Cyber Security and Resilience Bill was introduced to the UK Parliament. The Bill will update the NIS Regulations of 2018 by expanding the regulatory scope to include a broader range of essential and digital service providers, including online marketplaces, cloud computing services, and search engines, as well as managed service providers (e.g., data centres will be designated as essential services). It also places the Secretary of State in charge of maintaining consistency in implementation across sectors.

AI solutions legal basis

At the request of the Danish Agency for Higher Education and Science, the Danish Data Protection Agency has assessed whether the agency has the authority to develop and operate an AI solution that will function as support in the assessment of applications for disability allowance. The Danish Data Protection Authority assessed that the processing of personal data that takes place during the development and operation of an AI solution can, as a rule, be carried out based on what is necessary for reasons of substantial public interest – GDPR Art. 9(2)(g).

However, it requires a so-called supplementary national legal basis. In relation to the duty of information towards citizens whose historical cases are included in the training dataset, the Danish Agency for Higher Education and Science has, among other things, pointed out: 

  • There is a large number of citizens (approx. 3,000).
  • It would be resource-intensive to inform citizens individually.
  • The processing of personal data is limited.
  • The purpose of the processing is to improve case processing time.
  • The processing is not assessed to have direct consequences for citizens.

GDPR ready-to-use templates

The EDPB invites experts to participate in a public consultation aimed at proposing practical templates to help organisations comply with their obligations under the GDPR. The EDPB identified the need to develop standardised tools that could serve as guidance for both controllers and processors. The public consultation aims to find out which types of templates would be most beneficial in practice, for instance:  

  • privacy notice,
  • records of processing activities,
  • data protection impact assessment,
  • notification of a personal data breach.

It is possible to participate in the public consultation from November 5 to December 3, 2025. Experts, organisations, and individuals can submit their suggestions through this page.

More from supervisory authorities

Australia child privacy updates: From 10 December, platforms like Facebook, Instagram, Snapchat, TikTok, YouTube, X, Threads, Reddit and Kick must take reasonable steps to prevent under-16s from holding accounts on their services. Failure to do so will expose these platforms to fines of up to 49.5 million dollars. These services currently meet the criteria for under-16 restrictions as specified in the Social Media Minimum Age legislation, in particular the key requirement that their “sole or significant purpose is to enable online social interaction”.

Health data warehouses (EDS): The CNIL’s Digital Innovation Laboratory (LINC) has published a map of health data warehouses in France. An EDS, explains the CNIL, is a database built up over a long period of time and intended to be reused mainly for steering (management, control and administration of the activity) and research, studies and evaluations in the field of health. They can be set up by both public (such as a public healthcare institution) and private entities (such as a data broker or a startup), provided that they comply with the applicable legal framework.

AI risk assessment: The EDPS has published a new guidance document to help data controllers carry out data protection risk assessments when developing, acquiring and deploying AI systems. Although the new guidelines are aimed at EU institutions, organisations in both the public and private sectors that use or plan to adopt AI systems can use them as a valuable starting point. The guidance focuses on the risk of non-compliance regarding fairness, accuracy, data minimisation, security and certain data subjects’ rights. The list of risks and countermeasures is not exhaustive, but reflects some of the most pressing issues that controllers must address when procuring, developing and deploying AI systems. 

In other news

Cyber attack mitigation tools: The Dutch AP has issued recommendations for a strong data processing agreement in the event of a cyber attack. Organisations that collaborate with service providers must enter into a data processing agreement regarding the sharing and use of personal data. This agreement sets out arrangements, for example, regarding security and the roles and responsibilities in the event of incidents such as data breaches. To limit the damage from cyber attacks, the AP recommends that organisations:

  • Make agreements as concrete as possible
  • Maintain control over the entire supply chain
  • Give more priority to drafting and maintaining data processing agreements

In short, the regulator sums up, negotiate agreements carefully and promptly, and review agreements and their appendices regularly to ensure they remain relevant in practice. Employee awareness and knowledge of the GDPR play a crucial role in this.

Misleading cookie banners: The AP also reports that three-quarters of websites modified misleading cookie banners after an investigation was launched in April covering more than 200 websites in the Netherlands. The AP is now taking enforcement action against organisations that have not updated their cookie banners. The easiest way to comply is not to use tracking software at all; in that case, a cookie banner is not necessary. Where organisations do use tracking software, they must adhere strictly to the rules and inform visitors honestly and clearly.

Biometric processing

In New Zealand, the Privacy Commissioner has issued a Biometric Processing Privacy Code that creates specific privacy rules for agencies (businesses and organisations) using biometric technologies to collect and process biometric information. The Code, which is now law made under the Privacy Act, will help make sure that agencies implementing biometric technologies do so safely and in a way that is proportionate. Guidance has also been developed to support the Code.


Direct marketing and free-of-charge services

On 13 November, the CJEU released its ruling in Inteligo Media SA v ANSPDCP (the Romanian data protection regulator) (C-654/23), in which a media website provided information about new legislation in Romania, the Bird&Bird law blog reports. Six articles per month could be viewed completely free of charge. Users could also subscribe for free to an additional two articles and a daily newsletter, or pay for unlimited access and a fuller newsletter. ANSPDCP claimed that Inteligo could only process subscriber registration details and deliver the free newsletter if it had consent, which it did not. 

Inteligo argued it was covered by the soft opt-in exception. The ePrivacy Directive does require organisations to obtain consent before sending direct marketing emails, but there is an exception: where the organisation obtained the subscriber’s details in the context of the sale of a product or service, and the direct marketing is for that organisation’s own similar products or services. The top EU court concluded that the free subscription did constitute a sale: a sale requires goods or services to be provided in exchange for remuneration, but that remuneration may be indirect, where the particular customer does not pay and the cost is instead covered by the premium version of the subscription. 

Continue reading the original analysis here

Telecommunications multimillion fine

Following ex officio proceedings, the Croatian data protection agency imposed an administrative fine on a telecommunications operator, in its capacity as controller, for the total amount of 4.5 million euros for violations of the GDPR. The infringements concerned the transfer of personal data to third countries without a valid transfer instrument and without transparent information to data subjects, the processing of copies of employees’ identity cards and certificates of no criminal proceedings without a legal basis, as well as the failure to carry out appropriate prior checks of a processor.

Customer service fine

The EDPB sums up a recent enforcement case in Italy, in which a customer who was the victim of fraud contacted their bank to obtain recordings of calls made to customer service, which would be useful in contesting a transfer of approximately 10,000 euros and reconstructing what had happened. Having received no satisfactory response, they complained to the privacy regulator Garante. Only after the authority had opened proceedings did the bank provide the recordings, but by then the 30-day deadline set by the GDPR had already passed. Garante imposed an administrative fine of 100,000 euros, taking into account the bank’s turnover, its cooperation during the investigation and the absence of previous infringements.

In case you missed it

Children’s data lifecycle: Privacy International states that in England’s schools, children are tracked from birth through a vast, opaque network of digital systems that turn education into a lifelong exercise in data collection and surveillance. Children’s data in education starts from the day they are born until they are 25 years old:

  • during pre-school, with personal data submitted by legal guardians during the school admissions process 
  • every child is assigned a unique pupil record and a unique pupil number that stays with them forever
  • the student’s educational setting gets added to the record, which includes its religious character and location, etc.

The next layer of data added to those records is created by school staff – absence and attendance records, assessments, etc. Separately, children’s data can be generated and collected by the EdTech tools used by staff. Some schools use a broad range of tools, such as behaviour tracking apps, which can take the form of scores but also of more complex profiles and predictions in relation to a child. Further personal data is collected and added to the National Pupil Database (NPD), and is kept indefinitely. 

Keep reading the original analysis here.

Agentic AI explained: The JD Supra law blog outlines the rise of “agentic AI”. Unlike traditional AI systems, which are designed to perform specific, narrowly defined tasks (generating text or images or analysing inputs) and rely on human input and oversight, agentic AI systems can complete far more complex, multi-step tasks autonomously and make context-dependent decisions. The emergence of these systems could transform a wide range of industries and business functions, including: a) consumer-facing systems, b) customer support, c) internal operations, and d) sales and marketing.

Data protection digest 17 Sep – 3 Oct 2025: New Danish court ruling may change practice for GDPR compensations
https://techgdpr.com/blog/data-protection-digest-05102025-new-danish-court-ruling-may-change-practice-for-gdpr-compensations/ (Sun, 05 Oct 2025 12:36:21 +0000)

The post Data protection digest 17 Sep – 3 Oct 2025: New Danish court ruling may change practice for GDPR compensations appeared first on TechGDPR.
GDPR compensations

In Denmark, an individual has been awarded financial compensation for non-material damage resulting from a data breach (Art. 82 of the GDPR). A High Court ruled on 20 August that a woman should receive approx. 335 euros in compensation after a municipality mistakenly shared her health information with a third party. The decision has been appealed to the Supreme Court, where the woman and her lawyer will, among other things, try to have the GDPR compensation increased and awarded to her spouse as well. 

Until now, Danish practice has been that claims for compensation without financial loss must be assessed according to the provisions of the Danish Civil Liability Act, and the courts have generally required a qualified damage effect. The August decision could, if upheld by the Supreme Court, be a breakthrough in Danish law and possibly in European law. The compensation of 335 euros is a small amount, but if thousands of citizens choose to file a lawsuit in connection with the same breach – for example via a class action – the consequences for companies and authorities could be extensive. 


EU-US data transfers and immigration control

On 17 September, the European Data Protection Supervisor (EDPS) issued an Opinion on a framework agreement between the EU and the US on the exchange of information for security screenings and identity verifications. Individual Member States would be empowered to sign bilateral agreements for the exchange of data from their national systems. It would be the first agreement concluded by the EU to entail the large-scale sharing of personal data, including biometric data (fingerprints), for border and immigration control purposes with a third country.

More legal updates

Data transfers for medical research: The German Data Protection Conference (DSK) adopted a paper on data transfers to third countries for scientific research in the medical sector. The admissibility of transferring personal data to third countries under data protection law cannot be assessed in general terms, but only on a case-by-case basis, as numerous circumstances play a role in the assessment. This also applies to scientific research for medical purposes. It must always be examined whether the data subjects have been adequately informed about the (intended) transfer in accordance with the GDPR. In scientific research for medical purposes, broad consent is an established legal basis for data processing. Since there may be special interactions between Broad Consent and the basis for transfer under the GDPR, these are explained in detail in the DSK paper (in German). 

The European Innovation Act: The European Commission concluded its consultation and evidence-gathering for an impact assessment to assist in the creation of the European Innovation Act. The Commission seeks information on ways to overcome obstacles that innovative entities encounter, including fragmented regulations, restricted access to infrastructure and funding, underutilised innovation procurement, and inadequate commercialisation of findings from publicly funded research and innovation. The Act aims to create sector-wide horizontal conditions as opposed to sector-specific programs. 

Political online targeting ban in the EU: Political parties will soon be prohibited from targeting voters online with political advertisements. A new European regulation on the Transparency and Targeting of Political Advertising (TTPA) will take effect on 10 October. It aims to prevent voters from being secretly influenced during election campaigns, a practice that can undermine trust in fair elections and that typically involves the processing of personal data. 

LinkedIn AI training

Users who do not want LinkedIn to use their data to train AI models must disable this before 3 November. The European data protection authorities are urging people to do so. This data includes profile information and public content shared in the past. Once this data is in LinkedIn’s AI systems, it will be impossible to retrieve, and users will lose control over their data. All LinkedIn users’ data will automatically be used for AI training unless the setting is actively disabled.

Anyone who does not want their personal data used for LinkedIn AI training must opt out before 3 November via this link or in the app under “Settings & Privacy > Data Privacy > Data for Generative AI Improvement” and disable the switch.

Vehicle data in the era of the Data Act

On 12 September, the European Commission published the “Guidance on Vehicle Data, accompanying the Data Act.” The document defines the categories of data falling within the scope of the regulation and outlines the access rights granted to users and to third parties designated by them. It clarifies, first of all, that a vehicle qualifies as a “connected product” when it meets two cumulative requirements: it must generate or collect data concerning its use or its surrounding environment, and it must be able to communicate such data via an electronic communications service.

More from supervisory authorities

‘Neighbour’s camera’ a major annoyance: The Dutch data protection authority (DPA) is receiving a growing number of complaints from people concerned about their privacy due to their neighbours’ doorbells or security cameras. The regulator wants to prevent the improper use of doorbell cameras as much as possible. Therefore, the DPA is urging manufacturers to configure doorbell cameras to be privacy-friendly by default. It also wants to raise consumer awareness, for example, by providing information about what is and isn’t permitted. 

AI risks in the health profession: A bill sponsored by the California Medical Association (CMA) that addresses dangers associated with the use of AI in health care has passed the Legislature and is headed for the Governor’s signature. It prohibits AI systems from being misrepresented as licensed medical professionals and gives California’s state health profession boards the authority to enforce title protections for health care workers and to ensure that new technologies in health care are deployed in ways that protect patient safety, preserve trust, and support the physician-patient relationship.

Medical records: The Swiss FDPIC has published a factsheet on the forms that are given to patients to sign when they go to the doctor. It takes account of the various opinions expressed on the subject and aims to clarify a number of issues raised by these forms: a) the distinction between the duty to provide information on data collection and the issue of patient consent to data processing; b) secure data communication; c) the question of proportionality, regarding what data a patient can legitimately be asked to provide. The document is available in English.

Digital communication and minors

In France, the regulatory authority for audiovisual and digital communication (Arcom) released the results of its study on online risks for minors, digitalpolicyalert.org reports. According to the study, more than four out of five children use at least one very large online platform on a daily basis. 42 per cent of minors use social networks before the age of 13 by lying about their age, and the average age of initial use is 12 years old.

According to the study, 83 per cent of children are regularly exposed to at least one of six risks, including harmful or shocking content, cyberbullying, dangerous challenges, malicious adult contact, and online scams. 

E-health data security

The European Union Agency for Cybersecurity (ENISA) has published a good practice guide to support entities in the health sector in strengthening their digital security. The health sector is classified among those in the risk zone, highlighting a significant gap between its cybersecurity maturity and its critical importance: medical systems and data have become growing targets of cybercrime, with ransomware and phishing campaigns on the rise. These actionable practices are designed to be simple to implement and to enhance the preparedness and security of all types of health entities, from hospitals and service providers to individual medical specialists. The recommendations cover areas such as systems and network protection, safeguarding devices and patient data, and addressing challenges in the ICT supply chain. 

Reporting AI incidents

The European Commission has issued draft guidance and a reporting template on serious AI incidents. Under the EU AI Act, providers of high-risk AI systems will be required to report serious incidents to national authorities. This new obligation, set out in Art. 73, aims to detect risks early, ensure accountability, enable quick action, and build public trust in AI technologies. While the rules will only become applicable from August 2026, you can already download the draft guidance and reporting template below. Both these documents will help providers to prepare. The draft guidance clarifies definitions, offers practical examples, and explains how the new rules relate to other legal obligations. 


Drone use and personal data

The Latvian data protection authority elaborated on this topic, which is becoming increasingly popular today as drones are used in defence, business, and people’s private lives. Personal data processing occurs when materials are obtained with the help of a drone that can identify a specific person. Therefore, it is not possible to say with certainty that personal data processing is performed in all cases when a drone comes into view of a person. If the materials are intended to be distributed publicly, this processing may be justified based on legitimate interests. This may be done after a balancing of interests, in which the proportionality of the processing in relation to the interests of the people depicted is assessed. Similarly, the use of drones may, in some cases, be linked to the public interest, as well as processing for journalistic purposes.

Video games and personal accounts

In the audiovisual and video game sectors, the purchase of digital content can justify a long retention of data. The French CNIL reminds professionals of the rules to follow to manage inactive accounts while respecting the rights of users. Professionals must guarantee uninterrupted access to purchased digital content, as provided for in consumer law. In the audiovisual and video game sector, this access often goes through a personal account that acts as a video library, allowing the user to find their movies, series or games at any time. The deletion of accounts for which no action has been taken by users for two years is considered proportionate. It is recommended that affected users be notified before this deadline to allow them to keep their accounts active. 

‘Facial boarding’ at airport

In a provision adopted against Società per Azioni Esercizi Aeroportuali, the Italian data protection regulator Garante has blocked the use of facial recognition at Italian airports (so-called face boarding), suspending the specific technological solution adopted because it is incompatible with the GDPR. Garante specifies that the use of facial recognition technologies at airports is permitted in principle, but requires technological solutions that balance the need for simplified boarding procedures with the need to protect personal data in compliance with current European regulations, particularly regarding the processing of biometric data.

In other news

Automated-decision fine: The Hamburg Data Protection Commissioner HmbBfDI has imposed a fine of almost 500,000 euros on a financial company for violations of the rights of affected customers in automated decisions in individual cases. Despite good credit ratings, several customers’ credit card applications were rejected based on automated decisions, decisions made by machines based on algorithms and without human intervention. When the affected customers subsequently demanded a reason for the rejected applications, the company failed to adequately fulfill its statutory information and disclosure obligations. 

Hospital data fine: The Italian regulator Garante has fined a university hospital 80,000 euros for failing to properly configure its health records systems. The hospital used two applications, for patient and hospitalisation records, through which all healthcare personnel could search patients’ medical histories, even if they were not involved in their treatment. The applications lacked adequate access profiling measures and security measures such as alerts or the tracking of operations performed on the applications in dedicated log files. Furthermore, patients were unaware of the processing carried out through the records and were therefore unable to give or refuse consent to it, or to decide whether to obscure certain information, such as data subject to greater protection.

HIPAA violation: A 182,000 dollar settlement has been agreed between the HHS’ Office for Civil Rights and five Delaware healthcare providers to resolve alleged violations of the HIPAA Privacy and HIPAA Breach Notification Rules. The settlement concerns the posting of patients’ protected health information (PHI) on social media without first obtaining HIPAA-compliant authorizations to use PHI for a purpose not expressly permitted by the HIPAA Privacy Rule, then failing to notify individuals about the impermissible use and disclosure.

Candid cameras against theft

The French CNIL fined SAMARITAINE, which operates the store of the same name, 100,000 euros for concealing cameras in the store’s stockrooms. In 2023, after an increase in thefts of goods from its stockrooms, SAMARITAINE installed new cameras in two of them. These cameras were disguised as smoke detectors and could also record sound. Discovered by employees, the cameras were removed shortly afterwards. In principle, in order to meet the requirement of fairness, video surveillance filming employees must be visible and not concealed. However, in exceptional circumstances and under certain conditions, the data controller can temporarily install cameras that are not visible to employees. The company did report the existence of thefts committed in the stockrooms and explained that the device was temporary (which the technical characteristics of the device seem to confirm).

It nevertheless did not carry out any prior analysis of compliance with the GDPR, nor did it document the temporary nature of the installation.

In case you missed it

Human oversight in AI: EDPS’s latest TechDispatch episode explores the human oversight of Automated Decision-Making. While human oversight can occur at different stages of an AI system’s lifecycle, including before deployment (ex-ante), real-time oversight on system operations is considered the one that can be most consequential, when an operator can still review the system’s behaviour and intervene before its output takes effect, helping to prevent potential harm to human lives or infringements on individuals’ fundamental rights.

Dark Net: Sweden’s privacy protection authority IMY answers questions about how data controllers should handle developments following an IT attack in which personal data was published on the Darknet. It is NOT recommended to search for or download the information published on the Darknet: the files found may contain, for example, additional malware. IMY also recommends that organisations first and foremost contact their data processor, in accordance with their data processing agreement. Organisations also have a duty to notify the impacted data subjects of the personal data breach as soon as possible, as there is a high risk to the rights and freedoms of natural persons.

Patients’ data and AI boom: Privacy International reports a boom for the UK’s technology sector, with American tech firms collectively investing billions of pounds into the UK’s AI and tech infrastructure. The UK government hailed these investments as an element of a new ‘Tech Prosperity Deal’. A key area mentioned as part of it is healthcare. Last summer, the UK released its 10-year health plan, which emphasised the centrality of technology, innovation and AI for the National Health Service. The plan states that to move the NHS into the 21st century, its unique advantages will be used, including the NHS’s ‘world-leading data’.

The post Data protection digest 17 Sep – 3 Oct 2025: New Danish court ruling may change practice for GDPR compensations appeared first on TechGDPR.

Data protection digest 1-15 Sep 2025: The Data Act is fully applicable, “bossware” takes over workspaces
https://techgdpr.com/blog/data-protection-digest-17092025-the-eu-data-act-is-fully-applicable-bossware-takes-over-workspaces/
Wed, 17 Sep 2025 09:45:57 +0000

The Data Act

As of 12 September, the Data Act has become directly applicable in the EU. It offers harmonised rules on fair access to and use of data. The new rules cover manufacturers, users, data holders, data recipients, public sector bodies, and data processing services. It is designed to empower users, both consumers and businesses, by giving them greater control over the data generated by their connected devices (and related services), such as cars, smart TVs, industrial machinery and much more:

  • It ensures that connected devices on the EU market are designed to allow data sharing
  • Gives consumers the possibility to choose more services, without having to rely on the manufacturer of the device 
  • Provides business users in industries like manufacturing or agriculture access to data about the performance of industrial equipment, opening up opportunities to enhance efficiency and optimise operations
  • Allows consumers to easily transfer data and switch between cloud providers
  • Prohibits unfair contracts that could prevent data-sharing

The Data Act does not exclude or replace the GDPR

On the contrary, it is fully compliant with data protection rules. In one example, where the user is not the data subject whose data is being requested, personal data can only be made available if there is a valid legal basis (eg, consent). This is an important consideration as the co-generated data often contains both personal and non-personal data, which may be difficult to separate. Additionally, the Data Act includes a non-exhaustive list of measures to remedy situations where a third party or user has unlawfully accessed or used data. The infringing party will be obliged to cease production of the product in question, destroy the data it has unlawfully obtained, or pay compensation.


The Act also includes requirements for international transfers of non-personal data. The data processing service providers are required to adopt technical, legal, and organisational measures to prevent international transfer or governmental access to non-personal data that would breach national or EU law. Furthermore, the Act includes protections for trade secrets and trade secret holders, aiming at preventing data breaches or data transfers to jurisdictions that don’t provide sufficient data protection and preventing other entities from accessing the data to reverse-engineer the services of their competitors.

Data subject rights under the Data Act

The Hamburg data protection authority explains that, from electronic toothbrushes to wind turbines, many consumer goods and machines send sensor data to their manufacturers via the internet. Starting September 12, consumers will benefit from new access rights to the data of such connected devices, as the Data Act allows both users of these devices and third parties to request it. This is provided that the eligibility requirements under the Data Act are met, data protection law does not conflict, and trade secrets are protected.

If the data to be transmitted is personal, European law appoints data protection authorities to supervise compliance with the provisions of the Data Act. This task follows directly from Art. 37(3) of the Data Act and covers: a) accessing personal data from the manufacturer; b) changing the provider of data processing services (so-called cloud switching); c) protection of confidentiality through technical and organisational measures at the receiving body; d) transparency obligations. The data protection authorities can now enforce these rights by issuing orders. Violations can sometimes be punished with fines. Alternatively, claims can be pursued independently through civil law. Any natural or legal person can file a complaint.

EU-US Data Privacy Framework maintained

On 3 September, the CJEU ruled on a case in which a French politician had brought an action against the Commission regarding the adequacy decision for the EU-US Data Privacy Framework. The case was brought with a claim that the adequacy decision should be annulled. According to the complainant, the newly established appeal body in the US, the Data Protection Review Court (DPRC), was not independent, and American legislation did not ensure adequate guarantees for the data subjects in connection with the mass collection of personal data by the intelligence services. 

The Court found no basis for concluding that the DPRC was not independent at the time of the decision. In this context, the Court recalled the Commission’s obligation to continuously monitor developments in the US and to act if changes in the legal framework might lead to a lower level of protection. With regard to the activities of the intelligence services, the Court also found that US legislation at the time of its adoption ensured a level of protection of personal data that was essentially equivalent to that existing within the EU.

On that basis, the court dismissed the lawsuit in its entirety.

Digital Services Act

The EU General Court, meanwhile, has ruled that the Commission failed to properly adopt the method it used to assess very large online platforms’ user bases under the Digital Services Act (DSA). As a result, the supervisory fees the Commission imposed on the largest platforms (Facebook, Instagram, TikTok and others), as calculated by reference to their user bases, were invalid (however, the effects of the annulled decisions are provisionally maintained). The Commission now has 12 months to rectify the situation. 

The EDPB has recently adopted guidance on the interaction between the Digital Services Act and the GDPR. The DSA aims to complement the rules of the GDPR to ensure the highest level of protection of fundamental rights in the digital space. It applies to online intermediary services, such as search engines and platforms. There are several provisions in the DSA which relate to the GDPR:

  • Notice-and-action systems that help individuals or entities report illegal content
  • Recommender systems used by online platforms to automatically present specific content to the users of the platform, with a certain relative order or prominence
  • The provisions to ensure a high level of privacy, safety, and security of minors and to prohibit profile-based advertising using their data 
  • Transparency of advertising by online platforms
  • Prohibition of profiling-based advertising using special categories of data 

Pseudonymisation

In another ruling of September 4, the CJEU addressed various issues relating to personal data and pseudonymisation in connection with the transfer of this data to third parties: 

The case concerned the obligation incumbent on controllers to inform data subjects, at the time of data collection, of the recipients or categories of recipients to whom their personal data are to be disclosed. The Court held that the identifiability of the data subject in such a case must be assessed from the perspective of the controller and not from that of the recipient.

More from supervisory authorities

Brazil draft adequacy decision: On 4 September, the European Commission launched the process towards the adoption of a data protection adequacy decision with Brazil. The Commission has determined that Brazil ensures an adequate level of data protection, comparable to that of the EU. Once adopted, the decision would allow for free data flows for businesses, public authorities, and research projects between the EU and Brazil, one of the widest scopes possible for a data adequacy decision under the GDPR. The Brazilian authorities have also initiated a process to adopt an equivalent decision to allow for Brazilian data to flow freely to the EU.

Windows IT security guide for organisations: The German Federal Office for Information Security (BSI) provided recommendations for the secure configuration of Microsoft Office products for the Microsoft Windows operating system (in German). These recommendations were developed specifically for medium-sized to large organisations that manage their endpoints using Group Policies in an Active Directory environment. However, other experienced IT users can also apply the Group Policies locally. Implementing these policies offers the advantage of a wider range of configuration options compared to configuring them via the user interface. These recommendations are available for the Office applications Microsoft Access, Microsoft Excel, Microsoft Outlook, Microsoft PowerPoint, Microsoft Visio, and Microsoft Word.

Cybersecurity for teenagers: The BSI also published a comprehensive package to teach basic cybersecurity skills. It aims to support teachers and other educational professionals in raising young people’s awareness of digital risks at an early stage and teaching them how to use digital media safely. The media package includes educationally prepared worksheets, interactive activities, and background information for teachers and parents. It covers the three topics of smartphone and app security, cybercrime methods, and account protection.


Personal recordings

Can recordings obtained for personal use be used for other purposes? The Latvian data protection regulator explains that such a recording is usually made without informing other people about it. In cases where the recording is planned to be used only for one’s own needs, without passing it on to others, the GDPR does not apply. However, before making a recording, you should consider whether it is not restricted by any other rules. For example, if the recording is made at a school event, you should make sure that the institution’s internal rules of procedure do not set any restrictions on the use of technical devices and the making of recordings. 

Over time, a person who has made a recording for personal purposes may want to use it for other purposes, for example as evidence in resolving a dispute or in detecting an offence. In that case, the GDPR applies: the person must, in particular, choose a legal basis for the processing, comply with the fundamental principles of processing, and ensure that the rights of the people heard and seen in the recording are respected.

Right to erasure

The EDPB launched a coordinated action earlier this year to examine how organisations handle the right to erasure (requests from individuals to have their personal data erased by the organisation). The Swedish Data Protection Authority IMY is now reporting its findings. Despite handling large amounts of personal data, the 20 Swedish businesses surveyed have received few requests from individuals who want their data deleted. Among the problems and challenges that IMY has identified are: a) lack of or inadequate internal routines and processes, b) uncertainty about deletion in backups, and c) difficulty verifying the identity of the person who wants their data deleted. IMY has identified examples of best practice for data deletion requests, such as:

  • Create clear and updated procedures, control documents and checklists that specify who does what, how the assessment is carried out and what criteria apply for deletion
  • Offer multiple channels to submit a deletion request, such as email, phone, web form, or physical visits
  • Verify the individual’s identity only in cases of reasonable uncertainty
  • Always provide a clear justification with reference to relevant provisions when rejecting a request

Google and Shein cookie fines

The French regulator CNIL fined Google 325 million euros and Shein 150 million euros, in particular for non-compliance with the rules on online trackers. The checks revealed that Google displayed advertisements in the form of emails between the emails in the ‘Promotions’ and ‘Social networks’ tabs of Gmail. In the case of Shein, the CNIL noted that several trackers, particularly for advertising purposes, were deposited as soon as users arrived on the site, even before they had interacted with the information banner to express a choice.

Also, when a user visiting the “shein.com” site clicked on the “Refuse all” button in the banner, or when they decided to withdraw consent to the registration of trackers on their terminal, new trackers were nevertheless deposited. 

Toymaker fine

America’s FTC just settled with Apitor Technology, a Chinese toymaker, over allegations that the company violated the Children’s Online Privacy Protection Rule (COPPA). Apitor develops, markets, and distributes robot toys for kids aged 6-14. To program the robots, users need to download Apitor’s free companion app, which incorporated a third party’s software development kit (SDK) enabling app functionalities such as push notifications and usage tracking. The SDK allowed the third party to collect geolocation data from children playing with the robot toys on an Android device. Under COPPA, companies providing online services directed at children must notify parents if they are collecting, using, or disclosing personal information from minors. They also have to obtain parents’ verified consent to do so, even if a third party is the one collecting the data on a company’s behalf.

Online banking authentication

In Finland, the data protection agency has imposed a penalty of 1.8 million euros on S-Bank for neglecting information security in online banking authentication. Due to a software error in the authentication service in 2022, it was possible to log in to online banking and online services using strong authentication with another customer’s credentials. The agency investigated the data breach based on a notification made by S-Bank in 2022. The bank had implemented a new login functionality in S-mobile. 

The bank had not tested the new software sufficiently before implementing it, and it had not identified vulnerabilities before the functionality was implemented. It also did not respond adequately to customer complaints about irregularities in online banking logins. A security vulnerability had been exploitable for more than three months. It affected a significant portion of the bank’s customers. Misuse of bank codes caused financial damage to customers. S-Bank has announced that it has compensated customers for direct losses.

In other news

Disney: Another settlement by the FTC with Disney alleges that it failed to properly designate their YouTube videos as directed to children. When Disney uploaded videos to YouTube, its policy was to set the audience at the channel level, rather than checking the audience for each video. As a result, some child-directed videos were incorrectly designated as “not made for kids.” Personal information of children viewing these videos was collected and used for targeted advertising without parental notice or consent as required under COPPA. Kids were also exposed to YouTube features not meant for kids: autoplay to other “not made for kids” videos and access to unrestricted public comments.

Recruitment agency: North Rhine-Westphalia data protection commissioner imposed a fine of over 35,000 euros on a Düsseldorf-based recruitment agency which had not only consistently ignored the data protection rights of job seekers, but also requests from the regulator. The focus was on requests from employees asking whether and which data the company had processed about them. Some of the individuals also demanded that their data be deleted.  

Health data: In Estonia, Allium UPI, the company that manages the Apotheka loyalty program, received a fine of 3 million euros for failing to protect customer data and using insufficient security measures. The company’s reckless attitude towards its customers’ data put the privacy of more than 750,000 people, including children and other vulnerable groups, at risk. A security incident occurred in the information system of the Apotheka loyalty program in early 2024.

The leaked files contained personal data and purchase history of those who joined the Apotheka customer program between 2014 and 2020: purchased medicines, health measurement services, and other sensitive pharmacy products, such as pregnancy and ovulation tests, hearing aid accessories, blood pressure supplements, intimate hygiene products, and medications for skin problems. 

In case you missed it

Football fans face recognition in Denmark: The Danish Data Protection Authority has granted permission for the clubs in the Super League (season 2025/2026) to use automatic facial recognition during football matches, in order to support the enforcement of the rules on club quarantines. The permits for the Super League clubs state, among other things, that the processing must comply with the rules on the preparation of an impact assessment: it must be carried out before the processing begins.

Bossware in the UK: A third of UK companies use “bossware” to track employees’ activities, according to an article in the Guardian. One in seven employers are monitoring or evaluating screen activity, and private organisations are the most likely to implement in-work surveillance, according to a UK-wide poll. The fact that about one-third of managers said their companies watch employees’ internet activity on company-owned devices, however, is likely an underestimation because the same percentage stated they had no idea what tracking their companies do. Preventing insider threats, protecting sensitive data, and identifying productivity declines are the goals of many monitoring systems.

Data protection digest 18-31 Aug 2025: Greater simplification of GDPR, ‘personalisation’ in AI systems
https://techgdpr.com/blog/data-protection-digest-02092025-greater-simplification-of-gdpr-personalisation-in-ai-systems/
Tue, 02 Sep 2025 14:45:06 +0000

An informal discussion is underway for the greater simplification of the GDPR

The Danish EU Presidency is promoting GDPR reform to increase competitiveness by introducing SME-friendly amendments, such as restricting data rights in low-risk situations, rationalising DPIAs, and requiring prior mediation procedures before lodging complaints, the eutechloop.com article states. These are in line with the precedent established by the Commission’s simplification plan in May this year, which gives small and mid-cap companies, those with fewer than 750 employees, targeted relief from GDPR reporting requirements on keeping records of processing activities (GDPR Art. 30).

In addition, the proposal introduces a definition of SME and SMC in Art. 4 of the GDPR and extends the scope of the GDPR’s Art. 40 and 42 to the SMCs, which refer to codes of conduct and certification. 

According to an insideprivacy.com article, the following Danish proposals may make it easier for European organisations to process personal data as they:

  • Define a minimum threshold for when data subject rights apply (Art. 12-20 GDPR). 
  • Clarify when DPIAs are required and consider exemptions or simplifications for SMEs (Art. 35 GDPR). 
  • Make the data subject’s right to complain to the supervisory authority conditional upon certain criteria (eg, prior engagement with the data controller) (Art. 77 GDPR).  
  • Exempt data controllers from having to notify certain data breaches to the supervisory authority, such as “uncomplicated and clearly defined” breaches (Art. 33 GDPR), etc.

At the moment, the EU is reevaluating its digital policies. This is partly motivated by Mario Draghi’s report on the bloc’s lagging productivity and technology use, but is also fuelled by the ongoing political pressure from Washington to ease digital regulations to unlock trade.

Provisions of data reform in the UK are already in place

On the 20th of August, a set of provisions of the new Data Use and Access Act 2025 entered into force, establishing provisions on ‘overriding’ and data breach notification, plus reporting and progress requirements in relation to the use of copyright works in the development of AI systems. The Bill applies to all data controllers, processors, and electronic communications service providers handling personal data.

It introduces new sections to the UK Data Protection Act 2018 to prevent relevant enactments passed after the Bill’s commencement from overriding main data protection legislation requirements (eg, it establishes that data subject rights cannot be overridden unless an express contrary provision is made). The Bill also mandates personal data breach notifications to the Information Commissioner within 72 hours of becoming aware of the breach, digitalpolicyalert.org sums up.

In parallel, the Information Commissioner’s Office is consulting on draft changes to how it handles data protection complaints. The Data Use and Access Act places new requirements on organisations to have a complaints process specifically for data protection-related issues, such as providing an electronic complaints form. Organisations must also acknowledge a complaint within 30 days and respond to it ‘without undue delay’.


Another consultation aims to address the new lawful basis of “recognised legitimate interests”. It will provide a presumption of legitimacy to processing activities for certain pre-approved public interest purposes, including activities such as crime prevention, public security, safeguarding, emergency response, and sharing personal data to help other organisations perform their public tasks.

Cybersecurity of digital products in Switzerland


The Swiss Federal Council, meanwhile, decided to strengthen the cyber resilience of digital products. Despite the importance of preventing or quickly addressing vulnerabilities in such products, Switzerland currently lacks clear cyber resilience requirements. This new legislation will set out cybersecurity requirements for the development and commercialisation of products with digital components, establish rules for market surveillance of these products, and lay the groundwork for banning the import and sale of insecure devices.

The new legislation will take into account the international context, including the EU’s Cyber Resilience Act, which came into force on 11 December 2024, with a draft corresponding bill to be submitted for consultation by Autumn 2026. 

Documentation requirements under DORA

What documentation requirements do companies have to fulfil under DORA? The German Federal Financial Supervisory Authority (BaFin) has published an overview with graphic attachments to help companies navigate these requirements. Companies have had to apply the EU Digital Operational Resilience Act (DORA) since 17 January 2025. DORA aims to make the European financial market more secure against cyber risks and incidents affecting information and communication technology (ICT).

More guidance on the DORA application can be found here

Software updates and patch releases

Most software needs updating after its initial release to address bugs, newly identified vulnerabilities, and revisions to features and functionality. But software patches and other changes can introduce new cybersecurity and privacy risks and can impair operations if not managed effectively. To support successful, secure software updates and patches, the US National Institute of Standards and Technology (NIST) has finalised modifications to its catalogue of security and privacy safeguards to assist both the developers who create patches and the organisations that receive and implement them in their own systems.

More from supervisory authorities

Public cloud and data protection: ISO/IEC 27018 has provided guidance for protecting personally identifiable information (PII) in public cloud services, specifically when the cloud service provider acts as a PII processor. As cloud computing becomes the default mode of service delivery, organisations must ensure that personal data stored and processed in the cloud is properly safeguarded. ISO/IEC 27018 helps cloud providers meet legal, contractual, and ethical obligations regarding PII. It supports compliance across jurisdictions, enhances customer trust, and provides a clear structure for data protection in the cloud.

IT security label: Manufacturers of smart security solutions can now apply for the IT security label from the German Federal Office for Information Security (BSI). The connected home is part of everyday life for many people. This includes smart security technology, such as app-controlled alarm systems, smart motion sensors, mechatronic security devices (smart locks), and networked smoke detectors. In addition to the physical protection of their own four walls, consumers should also consider the cybersecurity of their digital security solutions. With the IT security label, the IT security features of smart security technology are transparent for buyers, and help manufacturers highlight their products on the market. 

Protecting child data online

To improve children’s online safety, the European Commission has adopted guidelines for the protection of minors under Art. 28 of the Digital Services Act (DSA). This requires platforms accessible to minors to implement appropriate and proportionate measures to ensure a high level of privacy, security and protection of minors, including: 

  • Age verification and default settings.
  • Interface design that does not encourage prolonged use of the platform by adolescents. 
  • Limits on the processing of behavioural data and prioritising explicit signals from minors regarding desired content.
  • Clear rules regarding harmful content and behaviour, the establishment of coordinated moderation policies, and allowing for the possibility of human review in cases of harmful content.

At the same time, parental controls are best used as a complement to other measures, as they are often not equally effective due to different family situations.

Is it permissible to offer a discount for consenting to receive commercial communications?

The Latvian data protection authority states that a small additional benefit (for example, a symbolic discount that the customer can choose to use or not) may be permissible if it does not affect access to the service itself. That is to say, consent must not be a non-negotiable condition for using the core service, for example making a purchase in an online store.

It is important to ensure that the benefits offered, which are associated with consent to the processing of personal data, do not create a feeling of pressure on customers. Namely, the intended amount of benefits should be small enough not to create the feeling in the customer that, by not providing consent to the processing of their data, they will receive a significantly less advantageous offer, thus affecting the person’s right to freely decide on the processing of their data.

The section intended for entering contact information for receiving news must clearly state the purpose of data processing (sending commercial communications) and must also contain a function (most often a tickable box) in which the person clearly expresses his or her wish to receive such communications. Information on the withdrawal of consent and its consequences must also be made easily accessible. In this section, any advantage that the vendor gives to customers who have shown interest in receiving news should be indicated only as additional information.

GDPR (non) compliance trends

Some advancements in GDPR compliance are detailed in the Icelandic data protection authority’s 2024 report. It is good to note that the biggest Icelandic insurance firms, which make automated decisions on applications and requests for offers for health and life insurance, largely comply with the data privacy laws. The agency has placed a greater emphasis on protecting children’s privacy. Businesses started to monitor closely how kids behave when playing computer games online. Additionally, a business that handles Icelandic genetic analysis is facing legal challenges, and the public sector was sanctioned for improper handling of minors’ data in education.

In parallel, the Maltese data protection regulator, in its annual report, revealed that the majority of complaints received were about CCTV-related cases, while other major areas of compliance included data subject access requests and their shortcomings (increasingly in cross-border situations), unsolicited direct marketing and disclosure to third parties, data security and information obligation by data controllers, cookie banners and, finally, AI use. 

Cancelling membership “not easy”

According to the US FTC’s recent case against the operators of LA Fitness, “not easy” is an understatement for consumers seeking to cancel their LA Fitness memberships or related services. For in-person cancellations, LA Fitness designated only one employee (even though multiple employees can initiate memberships). This has effectively restricted cancellations to whenever that person is available at the gym, often during hours when consumers are typically at work. 

The FTC alleges that consumers who tried to cancel by mail faced similar challenges. LA Fitness instructed consumers to print and mail a hard-to-find cancellation form. Although consumers have been able to cancel by mail without the form, LA Fitness does not disclose which details must be included in the cancellation notice. The company also instructs consumers to send cancellation requests via registered or certified mail. Finally, LA Fitness reinforced these unlawful practices by training staff to reject cancellation requests made by email or phone.

In other news

YouTube settlement: Google and YouTube have agreed to pay $30 million to settle a long-running class action alleging they unlawfully collected data from children under 13 to serve targeted ads without parental consent. The Google class action settlement, filed in a California federal court, proposes a fund to compensate an estimated 35-45 million children who watched YouTube videos between July 2013 and April 2020. 

“Pay or Ok” illegal: According to the Noyb privacy advocacy organisation, the Austrian Federal Administrative Court upheld a previous ruling by the country’s data protection authorities that the Austrian daily DerStandard had breached the GDPR by launching “Pay or Okay.” Users must be allowed to object to or give selected permission for each processing purpose, according to rulings from the court. DerStandard was the first news website in Austria to implement a “pay or okay” policy. Customers were forced to consent or pay for a monthly subscription, rather than having a free choice to accept or reject the online tracking of hundreds of third parties.

Non-cooperation with the authority: The Swiss FDPIC has filed a criminal complaint against Add Conti GmbH for failure to cooperate in an investigation. Following several complaints from affected individuals, the FDPIC opened an investigation on 4 June. The FDPIC requested the company answer a list of questions within 30 days. The FDPIC expressly reminded Add Conti GmbH of its obligation to cooperate in the proceedings and of the fact that deliberate refusal to cooperate is punishable by a fine of up to CHF 250,000. Although the letter was delivered, the FDPIC received no response. 

Add Conti was collecting personal data of persons residing in Germany without their knowledge and making it available to German companies for advertising purposes. In addition, the company was not responding to requests for information and deletion.

Major cyberattack on Swedish municipalities

On 23 August, a cyberattack on Miljödata disrupted services in around 200 municipalities, several major private businesses and universities and colleges, with concerns over stolen sensitive data, news outlets report. The Swedish data protection regulator confirmed that it has already received around 200 reports of cyber incidents. Managers and HR use the affected systems to handle medical certificates, rehabilitation matters, and the reporting and management of work-related injuries. The attacker has encrypted personal data, preventing businesses from accessing it, but the reporting parties are unaware of how the data has been otherwise affected. In many cases, this concerns information about employees, such as health and union membership.

‘Personalisation’ in AI systems

The Future of Privacy Forum explains the subject of ‘Personalisation’, which refers to features of AI systems that adapt to an individual user’s preferences, behaviour, history, or context. Personalisation techniques can include long-term memory knowledge bases, short-term conversation history, user and system prompts, settings, and fine-tuning the model after training.

For example, an AI instructor may be able to track a student’s progress on certain subjects, recall their learning interests and level, and modify explanations as necessary. According to some scholars, an AI system must have a complete understanding of its user, including their present emotional state, to be useful in even more sensitive or private situations, such as mental health.

A user’s personal information, including prejudices and stereotypes, may be reflected in some of the data they provide to the chatbot or in what the algorithm deduces from their interactions. Last but not least, an AI system (such as the newest AI agents by Google, Meta, Anthropic, Microsoft and OpenAI) that has received or observed user data may be more likely to share that information with third parties, without the user’s consent, in an effort to complete a task.

In case you missed it

Face photo morphs: America’s NIST has issued guidelines to help organisations detect face photo morphs and deter identity fraud. Face morphing software, which combines photos of different people into a single image, is being used to commit identity fraud. Morph detection software, which has grown more effective in recent years, can help flag questionable photos. However, the most effective defence against the use of morphs in identity fraud is to prevent morphs from getting into operational systems and workflows in the first place.

Single-image detection, in the best cases, can detect morphs as often as 100% of the time (at a false detection rate of 1%) if the detector has been trained on examples from the software that generated the morph. However, accuracy can degrade to well below 40% on morphs generated with software unfamiliar to the detector. Differential detectors are more consistent in their abilities, in the best cases, with accuracy ranging from 72% to 90% across morphs created using both open-source and closed-source morphing software, but they require an additional genuine photo for comparison.

The post Data protection digest 18-31 Aug 2025: Greater simplification of GDPR, ‘personalisation’ in AI systems appeared first on TechGDPR.

Data protection digest 2-17 Aug 2025: “Data protection says what should be done, information security says how we do it” – Estonian regulator
https://techgdpr.com/blog/data-protection-digest-18082025-data-protection-says-what-should-be-done-information-security-says-how-we-do-it/ (published Mon, 18 Aug 2025 14:35:54 +0000)

How is data protection related to information security? 

The goal of information security is to protect an organisation’s business processes. This means responsibility for the security of the entire operating system and the ability to resist any activities that threaten the availability, authenticity, integrity, and confidentiality of data processed in the system or the services provided and accessed through the system, according to the Estonian data protection regulator.

The information assets include all IT resources (hardware, software, various data communication devices, etc.). However, the people working in an organisation, and its customers, can also be considered information assets. Therefore, it can be said that data protection and information security are two sides of the same coin: data protection determines the basic principles of personal data processing, while information security helps to implement these principles.

Beyond the simple fact that it makes good business sense to ensure information security and protect assets, the obligation to implement information security comes among other things from data protection laws, which state that personal data security must be ensured by appropriate and secure measures. This means that each situation must be assessed individually. To start with: 

  • Map out what your organisation does and what business processes it involves. 
  • Identify the assets you have in place—whether they’re customer data, documents, employees, information systems, or security equipment. 
  • Don’t forget your “global defense zone”: your physical office, home office, coworking spaces, and other locations where your organisation’s assets and information might be located.
  • If something major happens in any of these components, you need to know immediately if and how it will impact your organisation.

As a general approach, process only as much personal data as is necessary, and only when needed, stresses the Estonian regulator.

List of AI companies signed up to the EU Code of Practice

The Commission has published the full list of signatories so far to the EU’s generative AI Code of Practice, also known as the Code of Practice for General Purpose AIs (GPAIs), published on July 10, 2025. Signing up will reduce signatories’ administrative burden and give them more legal certainty than if they proved compliance through other methods.

The signatories include Amazon, Anthropic, Google, IBM, OpenAI, Microsoft, Mistral AI and a dozen other companies (some signatories may not appear immediately on the list). In addition, xAI has signed up to the Safety and Security Chapter, which means that it will have to demonstrate compliance with the AI Act’s obligations concerning transparency and copyright via alternative adequate means.

The code has also been complemented by Commission guidelines and the Q&A on key concepts related to general-purpose AI models. 

More legal updates

European Biotech Act: The Commission opened a consultation, until 10 November, as part of the development of the European Biotech Act. It will propose a series of measures to create an enabling environment to accelerate the transition of biotech products from laboratory to factory and to the market, while maintaining the highest safety standards for the protection of the population and the environment. The act will address growing dependencies in biotech on data, storage, computing power, and AI.

In the EU, biotechnology reached a gross value added in 2022 of 38.1 billion euros: the highest contribution came from medical and pharmaceutical biotechnologies, and the fastest-growing area was industrial biotechnology. At the same time, European biotech companies face an opportunity gap, with the US having twice as many early-stage venture capital deals and three times as many late-stage deals. Over the last six years, 66 of the 67 biotech companies going public have targeted the US NASDAQ rather than European stock markets. 

California privacy updates: The California Privacy Protection Agency (CPPA) has filed a judicial action seeking to enforce an investigative subpoena against Tractor Supply Company, a Fortune 500 company that bills itself as the nation’s largest rural lifestyle retailer. The CPPA’s petition alleges that Tractor Supply failed to comply with a subpoena seeking information about the company’s compliance with the California Consumer Privacy Act of 2018. The petition marks the CPPA’s first public disclosure of an ongoing investigation into a company and its first judicial action to enforce an investigative request. The agency has been investigating whether Tractor Supply failed to honour Californians’ right to opt out of the sale and sharing of their personal information online. 

More from supervisory authorities

GDPR from A to Z: The German Federal Data Protection Commissioner (BfDI) has updated a catalogue that provides a compact compilation of the most important legal texts: the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). In addition to the legal texts and the references to the GDPR, it contains explanations of specific topics and vague legal terms.

Data memorisation in LLMs: Additionally, the BfDI has finished its consultation on processing personal data in large language models in a way that complies with data protection laws. Civil society, industry, and scientific groups were all included in the consultation. It looked for information about the limits of anonymisation, the memorisation of personal information, the dangers of data extraction, and the protection of the rights of data subjects under the GDPR in AI systems.

AI in healthcare: The EU Publications Office offers a study on the deployment of AI in healthcare. Present-day healthcare systems face several complex challenges, including rising demand due to an ageing population, increasing prevalence of chronic and complex conditions, rising costs, and shortages in the healthcare workforce. AI has the potential to address some of these by improving operational efficiency, reducing administrative burdens, and enhancing diagnosis and treatment pathways.

E-store data minimisation

The Latvian DVI explains the minimum amount of data needed to place an order in an e-store. In order to fulfil an order, certain personal data must be collected and processed; this process can be conditionally called a mutual agreement. The following data is required to place an order:

  • customer’s name and surname (for indication in a supporting document, for example, an invoice);
  • email address (for sending invoices and order status messages);
  • phone number (to ensure delivery, the courier also receives this information);
  • delivery address or parcel machine address (depending on the selected delivery method).

The merchant must be able to clearly indicate why each type of data is necessary. For example, the first and last name are necessary to fulfil a legal obligation. Other data, on the other hand, is necessary to fulfil the requirements of the contract. For example, if the service is “intangible” (online courses), the first name, last name and email address are sufficient, as they are needed for sending the invoice and access data. A merchant may also need additional information if the product or service is individually tailored to the customer (eg, tailored clothing, selection of skin care products, manufacture of spectacles).

Customer data may only be used for the purposes originally specified. It may not be transferred to other parties unless there is a legal basis for this, such as the customer’s consent, a legal obligation or a legitimate interest. It may also be justified to use the data for related purposes such as archiving, if this does not conflict with the original purpose of obtaining the data.

Data deletion request

The DVI has also tried to answer the question: Should the deletion request itself be erased if someone has asked for data processed with their consent to be deleted? If a person withdraws consent to the processing of their data and requests the deletion of all data related to this consent, the organisation is obliged to stop processing this data as soon as possible and delete it, unless there is another legal basis for continuing to store or use it. This means that all data that was collected on the basis of consent must be deleted (eg, the person being removed from the list of recipients of commercial communications).

However, the request document itself, by which the person withdraws consent, as well as the organisation’s response to it, cannot be deleted at the same time as the aforementioned data, since the basis for processing such information is not the person’s consent within the meaning of the GDPR. They may be stored to fulfill the institution’s interests in managing its documentation and ensuring the protection of its rights (so that, if necessary, it can be confirmed that the request has been received, fulfilled and when it occurred).

More official guidance

Biometrics: Canada’s Privacy Commissioner has published guidance on biometrics for the public and private sectors. While biometrics can enhance security and help in service delivery, they can also raise privacy issues. Biometric information is intimately linked to an individual’s body and is often unique, and unlikely to vary significantly over time. It can reveal sensitive information such as health information or information about race and gender characteristics. The guidance addresses, among other things, key considerations for organisations when planning and implementing initiatives involving biometric technology: transparency, safeguarding data, and accuracy, including testing for biometric systems.

IoT data security: America’s NIST has finalised its ‘Lightweight Cryptography’ standard to protect small devices. Four relevant algorithms are now ready for use to protect data created and transmitted by the Internet of Things and other electronics. The standard is built around a group of cryptographic algorithms in the Ascon family, which NIST selected in 2023 as the planned basis for its lightweight cryptography standard. They require less computing power and time than more conventional cryptographic methods do, making them useful for securing data from resource-constrained devices. For more technical information on the standard, visit the NIST Lightweight Cryptography Project page.

Optus data breach in Australia

The Australian Information Commissioner has filed civil penalty proceedings against Optus (telecommunications), following an investigation in relation to the data breach made public by Optus on 22 September 2022. The data breach involved unauthorised access to the personal information of millions of current, former and prospective customers of Optus, and the subsequent release of some of this information on the dark web. This included names, dates of birth, home addresses, phone numbers and email addresses, passport numbers, driver’s licence numbers, Medicare card numbers, birth certificate information, marriage certificate information, and armed forces, defence force and police identification information.

Based on this case, the Australian regulator asks all organisations to:

  • implement procedures that ensure clear ownership and responsibility over internet-facing domains
  • ensure that those requesting customers’ personal information are authorised to access that information
  • layer security controls to avoid a single point of failure
  • implement robust security monitoring procedures to ensure any vulnerabilities are detected and that any incidents are responded to in a timely manner
  • appropriately resource privacy and cyber security, including when outsourced to third party providers
  • regularly review practices and systems, including actively assessing critical and sensitive infrastructure, and act on areas for improvement in a timely manner.

Voiceprint for authentication purposes

The Swiss Federal Data Protection Commissioner has examined whether PostFinance (a bank serving retail and business clients) is violating data protection regulations when using voice recognition as a means of authentication. It concluded the investigation on 16 May with a ruling instructing PostFinance to obtain the express consent of the person concerned when creating voiceprints for voice recognition and to delete voiceprints for which no consent has been explicitly given.

Voiceprints are a type of biometric data. Under data protection law, they are considered sensitive personal data if they enable the identification of an individual. Unlike a password, a voiceprint cannot be replaced if it is misused.

In other news

Meta AI: According to the privacy advocacy group Noyb, just 7% of consumers want Meta to utilise their personal information for AI, despite the fact that over 75% of users were aware of Meta’s ambitions. Noyb has commissioned the Gallup Institute to survey 1,000 Meta users in Germany in order to learn more.

In May this year, Meta decided to begin using EU personal data to train its AI systems by simply asserting that it had a “legitimate interest” under Article 6 of the GDPR. Although nearly two-thirds of the participants claim to have heard about Meta’s announcement, just 40% of Instagram or Facebook users can recall seeing the in-app message that was concealed under a notification menu (or can recall the email notice that was sent with a subject line designed to make people ignore it).

But as people age, knowledge about this issue increases significantly, while women are less inclined to give AI their data.

IBAN: The IBAN can in some cases allow a hacker to issue illegitimate direct debit orders. The hacker can also, more directly, usurp another person’s IBAN by communicating it when creating a direct debit mandate as part of a subscription to a service. In order to reduce the risk of fraudulent use of your IBAN and minimise its consequences, the French regulator CNIL recommends:

  • Monitor your bank account transactions regularly and block your bank account if necessary.
  • Contact your usual bank advisor if you have any doubts.
  • Check the list of authorised creditors (eg, the beneficiaries of direct debits) in your online banking space.
  • When receiving a pre-filled direct debit mandate, or an alleged update of it, be vigilant about the information describing the creditor.

One click was nothing. But you gave away a lot

As digital technology allows for limitless information sharing with just a single click, the Latvian DVI is launching an educational public awareness campaign to encourage every digital user, but especially young people, to realise that personal data is a value, not an accidental footprint left on the internet. The campaign emphasises that seemingly harmless digital actions, such as posting your photos on social networks, participating in a free game, or clicking the “I agree” button without reading the contents of a document, can lead to widespread and sometimes irreversible data transfers whose consequences are not always easy to predict or reverse.

Similarly, Privacy International publishes a series of educational case studies to answer the question “Why privacy matters” for schoolchildren, workers, people with disabilities, protestors and even sports fans, among many others. Some key points from the analyses:

  • When surveillance creeps into classrooms and digital learning platforms, it threatens the freedom of pupils to feel safe to explore ideas, make mistakes and develop into their own unique selves.
  • Employers are using surveillance to monitor, control, and exploit workers in ways that many may not even be aware of.
  • The growing threat of intrusive surveillance such as AI-powered facial recognition in stadiums risks turning a vibrant cultural space into one of control and suspicion.
  • Privacy is a universal right, but for people with disabilities, it’s often compromised in the very systems designed to support them.
  • In society, dissent – especially through protest – is vital for progress, change, and holding power accountable. Without privacy, protestors risk losing their voices, and their own safety.
  • Migrants have the same right to a private life and to be free from intrusive surveillance as anyone else. Yet, for people on the move, this right to privacy is under constant threat.

In case you missed it

Meta’s “story” photos: The Icelandic data protection regulator explains that Meta launched a feature that goes through photos on your phone and suggests what to post on Facebook. The social media app automatically selects photos or videos from your phone and sends them to Meta’s servers. The photos are then processed using artificial intelligence to display post suggestions in “Story”.

This is done without the user having specifically uploaded the photos or videos to the social media platform for publication there. Since this may be a significant intrusion into people’s privacy, and since the regulator has received reports that people have not realised that this feature has been enabled, the regulator provided the instructions on how to disable the feature:

  • Open the app on your phone.
  • Press + at the top of the screen.
  • Tap “Story”.
  • In the top right corner: Press the “Settings” gear.
  • At the bottom is “Camera roll settings”.
  • Turn off “Get camera roll suggestions when you’re browsing Facebook”.

Political advertising in the EU: Google and Meta have announced that they will suspend all political advertising services in the EU due to the application of the Political Advertising Transparency and Targeting Regulation in October 2025, the Estonian regulator reports. The implementation of the new regulation will bring a number of operational and legal requirements that are difficult to implement. As a result, Google has decided to suspend all political advertising services, including on YouTube, until there is greater clarity on the implementation of the regulation. Meta, for its part, believes that the implementation of the new regulation will make the current transparency and targeting systems too complex and ineffective, significantly reducing the ability of advertisers to reach the electorate.
