data subject access requests Archives - TechGDPR (https://techgdpr.com/blog/tag/data-subject-access-requests/)

Data protection digest 3 April 2026: abusive access request, human resources management & patient data in the cloud
https://techgdpr.com/blog/data-protection-digest-06042026-abusive-access-request-human-resources-management-patient-data-in-the-cloud/
Tue, 07 Apr 2026 06:22:50 +0000

Abusive data access request

The EU Court of Justice ruled that even a first personal data access request may be deemed abusive under the GDPR if it is made solely to generate compensation claims, allowing controllers to refuse such requests. An individual residing in Austria subscribed to the newsletter of a family-run optician company in Germany by entering his personal data in the registration form available on the company’s website. 

Thirteen days later, he sent a request for access under Article 15 of the GDPR. The company refused the request, considering it to be abusive. According to various reports and blog articles, the individual systematically subscribes to newsletters of various companies before submitting an access request and then a compensation claim. The individual maintained that his access request was legitimate and claimed compensation of at least 1,000 euros.


Main developments

Protecting children online: On 3 April, the Regulation on the Extension of Derogation from the ePrivacy Directive for the purpose of identifying Child Sexual Abuse Material (CSAM) online expired, digitalpolicyalert.org reports. The extension concerns an exemption from data protection regulations, which grants hundreds of providers offering number-independent interpersonal communication services, such as messaging services, the authority to use technologies for processing personal and other data to identify, report, and remove instances of online child sexual abuse on their platforms. In addition, providers must ensure that information regarding reports of detected online child sexual abuse submitted to authorities and the Commission is accessible in a structured format.

‘Legitimate interests’ analysis: The EDPB has published a One-Stop-Shop case digest on the legal basis of “legitimate interest”. It provides useful examples of how regulators analyse controllers’ reliance on this legal basis in specific contexts, providing positive and negative compliance examples. In particular, it explains and summarises how regulators apply the three-step test to assess whether a controller can lawfully rely on legitimate interests. Relevant cases before the CJEU and national courts are also mentioned. 

Back up!


On World Backup Day, 31 March, the German Federal Office for Information Security (BSI) called on consumers to back up important data. Data backup is not a complicated process: most operating systems guide users through the process. Nonetheless, only one-fifth of internet users regularly create backups. Backups can be performed in the cloud or on a physical storage medium, such as an external hard drive.

Those who opt for a physical storage medium should keep it in a different location than, for example, the source computer for the data being backed up.  

Human resources management

The CNIL has published a reference framework (in French) to help data controllers identify retention periods for their personnel management activities. This document is particularly useful for data protection officers and GDPR referents, but also for staff in human resources departments or in the information systems department. The framework is organised by processing activity and covers:

  • recruitment;
  • administrative management of personnel;
  • compensation management;
  • the security of goods and people;
  • the management of professional vehicles;
  • listening to and recording telephone conversations in the workplace;
  • the management of collective labour relations;
  • the management of occupational accidents;
  • the management of litigation and pre-litigation;
  • the management of whistleblowing.

More official guidance

Cookies user guide: The Swiss regulator, FDPIC, has published a factsheet on the use of cookies (in English) that explains how users can retain control over their own data and minimise the digital footprint they leave behind while browsing. Although cookies and similar technologies can enhance the online browsing experience, for example, by saving the contents of a shopping basket or certain preferences, they can also enable third parties to track users’ online activities. 

AI red lines: The Future of Privacy Forum continues its series of publications on Red Lines under the EU AI Act. This time, it pays attention to the prohibition on biometric categorisation for “certain sensitive characteristics” to deduce or infer race, political opinions, trade union membership, religious or philosophical beliefs, etc. The risks associated with biometric categorisation also reflect broader concerns under EU data protection legislation, as sensitive characteristics may themselves constitute special categories of personal data under the GDPR. 

Previous analysis by FPF also looked at prohibition and emotion recognition in the workplace and educational institutions.

Health data in the cloud: More and more organisations are using cloud solutions for processing health data. The Dutch data protection authority AP has therefore published an updated and broadened version of its practice guide on patient data in the cloud. The practice guide now focuses not only on patient data within the treatment relationship, but on health data in a broader sense.

In other news

Police biometric data: A police authority may, in a criminal investigation, collect biometric data only where the collection is strictly necessary. The Maltese data protection agency looked at a recent ruling by the CJEU, which stated that the gathering of identification data may not be required systematically and that clear reasons must be given for it, failing which the criminal penalty laid down for refusing to consent to that gathering will be invalid.

In a related case, a person was detained in Paris for organising a demonstration without prior notice and for disobedience. While he was in police custody, he refused to consent to the gathering of identification data (fingerprints and photo). That refusal resulted in his being charged, even though he was acquitted of the offence forming the basis of the envisaged gathering of identification data. 

Credit information checks should be free of charge: The Finnish data protection ombudsman considers that the regular practice of the credit information company Dun&Bradstreet, in which a person has only been able to check their own credit information once a year, free of charge, is not in accordance with data protection legislation. Customers had been regularly charged a fee if they had requested information more than once within a year. The company also had shortcomings in responding to requests for personal data. 

According to the law, a fee can only be charged in situations where the request is manifestly unfounded or unreasonable, for example, if the same information is requested repeatedly. 


More enforcement decisions

OKCupid data sharing: In the US, the Federal Trade Commission is taking action against OkCupid and its affiliate Match Group Americas over allegations that it deceived users of its dating app by sharing their personal information, including photos and location information, with an unrelated third party, contrary to OkCupid’s privacy promises. OkCupid provided the third party with access to nearly three million OkCupid user photos as well as location and other information without placing any formal or contractual restrictions on how the information could be used. 

The FTC also alleged that, since September 2014, Match and OkCupid took extensive steps to conceal their wrongdoing, including by trying to obstruct the FTC’s investigation.

Unauthorised access to banking information: The Italian data protection authority Garante has fined Intesa Sanpaolo 31.8 million euros for serious shortcomings in personal data security. The investigation found that an employee accessed, without justification, the banking information of 3,573 customers, making over 6,600 inquiries between February 21, 2022, and April 24, 2024. These unauthorised accesses were not detected by internal control systems, highlighting significant weaknesses in the monitoring and prevention mechanisms. 

And Finally


Wearables: The Swiss FDPIC has published practical advice on smartwatches and fitness trackers, which monitor your physical activity and bodily functions and are now widely used. Smart glasses, which make it easy to take and share photos and videos, are also gaining in popularity. As all these body-worn devices pose a particular threat to privacy, users should exercise particular caution when using them.

Before making their choice, buyers should check how the manufacturer has configured it and whether the product allows for privacy-friendly settings, where collected data is stored, and whether the processing of such data is comprehensible overall.

Fraudulent websites: Reportedly, phishing remains one of the largest forms of online crime. To better protect internet users against this, several Dutch public and private parties have jointly tested a new approach. The so-called Anti Phishing Shield demonstrates that the approach works: since the start of the pilot in July 2025, over two million attempts to visit phishing and fraudulent websites have been blocked among a group of over 200,000 users. Internet providers can easily connect to the tool and use it to protect their customers. Users must give their prior explicit consent via a so-called ‘opt-in’.

Read the original publication to see how the Anti Phishing Shield works.

Data protection digest 18 Feb – 2 Mar 2026: ‘Conditional Consent’ for meaningful user control over cookie preferences
https://techgdpr.com/blog/data-protection-digest-04032026-conditional-consent-for-meaningful-user-control-over-cookie-preferences/
Wed, 04 Mar 2026 10:03:33 +0000

Conditional consent vs cookie fatigue

On 10 February, the EDPB and EDPS, in a joint opinion, strongly welcomed the regulatory solution to address cookie fatigue and the proliferation of consent banners. This follows the European Commission’s proposal to switch to automated, machine-readable indications of data subjects’ choices under the Digital Omnibus package. The EU regulators welcome that, pursuant to the proposed Article 88b of the GDPR, harmonisation standards will be developed.

Such standards should cover the communication of data subjects’ choices, from browsers to websites, from mobile phone applications to web services, and ensure that all involved actors use the same automated machine-readable indications and are not simply repackaging consent in a new technical format. 


Anticipating the need of data controllers and browser providers in the near future to be able to accept and enable automated signals, TechGDPR publishes Conditional Consent, an open concept paper proposing what automated signalling should look like for meaningful user control, based on three dimensions:

  • Cookie purpose
  • Website category
  • Third-party processing

The concept paper contains the main principles, legal basis and exceptions, technical specifications, along with a comparison with existing tools, and a proposed implementation solution, all available at conditionalconsent.com.

Main developments 

Prohibited AI practices: A Future of Privacy Forum analysis draws “red lines” under prohibited practices in the new EU AI Act. They concern harmful manipulation and deception, social scoring, individual risk assessment, untargeted scraping of facial images, emotion recognition, biometric categorisation, and real-time remote biometric identification for law enforcement. Prohibited AI practices are regulated by Article 5 of the AI Act, which became applicable in February 2025; since 2 August 2025, this provision has also been enforceable.

AI-generated images: The EDPB has signed a Joint Statement on AI-Generated Imagery and the Protection of Privacy. The statement, coordinated by the Global Privacy Assembly, represents the united position of 61 authorities across the world. The statement addresses serious concerns about AI systems that generate realistic images and videos depicting identifiable individuals without their knowledge or consent. The co-signatories are especially concerned about potential harm to children and other vulnerable groups, such as cyber-bullying and/or exploitation. Fundamental principles should guide all organisations developing and using AI content generation systems, including:

  • Implement robust safeguards to prevent the misuse of personal information.
  • Ensure meaningful transparency about AI system capabilities, safeguards, acceptable uses and the consequences of misuse. 
  • Provide effective and accessible mechanisms for individuals to request the removal of harmful content involving personal information and respond rapidly to such requests. 
  • Address specific risks to children by implementing enhanced safeguards and providing clear, age-appropriate information to children, parents, guardians and educators.

Digital Omnibus legal study

The European Parliament published a study identifying interlinks and possible overlaps between different legal acts in the field of digital legislation. It analyses the European Commission’s Digital Omnibus package proposals published on 19 November 2025, distinguishing administrative simplification from more substantive recalibration of safeguards across data, privacy, cybersecurity and AI areas. The study highlights key areas of controversy (legal certainty, enforcement capacity, and impacts on rights) and sets out areas for consideration for parliamentary scrutiny, including:

  • Debate over the definition of personal data in the GDPR
  • Integrating ePrivacy into GDPR (cookie fatigue)
  • Concerns about restricting data access rights
  • Data Act consolidation
  • Centralised incident notification submission SEP
  • AI timelines, burden reduction and centralisation.

Ransomware statistics

In 2025, 65 ransomware incidents were reported to the police in the Netherlands. Incident response companies responded to 40 incidents. Access is usually gained by exploiting vulnerabilities and through account takeovers. In a ransomware attack, computer systems and data are locked (encrypted) by malicious software; hard drives, databases, backups, USB drives, and cloud data can also be affected. The victim is blackmailed: the attacker offers the unlocking code in return for payment.

Reporting the incident is crucial if you, as a business or individual, have been a victim of ransomware. Even if the criminals have already been paid, filing a report provides the police with vital information. A report can contain missing information that police can use to unlock the system. It also helps them identify suspects. 

More from supervisory authorities

GDPR survey in Germany: The North Rhine-Westphalia data protection commissioner has used a recent survey by the business association Bitkom as an opportunity to reject discussions about the complete or partial centralisation of data protection supervision.

The survey of 603 companies clearly shows that businesses in the state primarily view data protection laws as too complicated. 85 % of the companies surveyed in Germany want more understandable data protection regulations. 79 % are calling for a reform of the GDPR, and 69 % demand better coordination with other regulations. 

Just 33 % believe that decision-making processes would be faster within a federal agency, while 44 % are concerned about losing proximity to their local supervisory authority and thus a direct contact person (which implies the need for additional staff to handle a sharply increasing number of complaints and consultation services). 

Session replay tools: The French data protection regulator CNIL is launching a public consultation on its draft recommendation concerning session replay tools that allow the monitoring and analysis of users’ online behaviour. The objective is to support the actors who design these tools and those who use them in their compliance. Session replay tools are used to reconstruct the complete browsing path of an Internet user on a website or a mobile app. They can, for example, be used to detect and fix bugs or optimise the structure or ergonomics of a website or mobile application. 


More official guidance

GDPR certification criteria: The North Rhine-Westphalia data protection commissioner also approved a nationwide catalogue (available in English and German) of criteria for IT solutions. Companies that meet these criteria will receive a certificate confirming their compliance with European data protection law, which they can then use for advertising purposes. The catalogue was developed by TÜV Nord Group. This is the third such approval issued by the NRW regulator.

Specifically, it addresses so-called information processing services – online banking, accounting, and AI systems, as well as search engines. The certification process, conducted by a specialised certification body, typically involves a detailed audit of the processing operations within the respective company. This audit verifies the technical and organisational measures in place, as well as compliance with the principles of the GDPR. 

Health screening campaigns via phone are possible: In Italy, the data protection authority Garante has approved the use of telephone numbers for screening, provided that adequate safeguards are respected. Healthcare companies may use adult patients’ telephone numbers, provided during previous healthcare services, to promote participation in screening campaigns required by national or regional regulations, even if the information request did not expressly state this purpose at the time the data was collected.

Specifically, healthcare companies will be required to update their privacy information, specifying that the most recent contact details collected for treatment purposes, subject to verification of their accuracy, may be used exclusively for the promotion of public prevention programmes and not for other purposes (for example, scientific research or administrative activities).

In other news

Employee data access rights: The LewisSilkin legal blog analyses a recent decision from the French Court of Appeal, which confirmed that employees cannot rely on their right of access to obtain copies of entire work email correspondence or business files, merely because their name or email address appears in them. Where the material contains no substantive personal data beyond identifying information, the right of access does not extend to wholesale document disclosure.

Furthermore, the right of access cannot be seen as a litigation discovery mechanism (e.g., employee dismissal as it appears in the above case). The court decision also reflects the ICO guidance on the Right of Access.  

Reddit fine: In the UK, Reddit was fined 14.47 million pounds for children’s privacy failures. The Information Commissioner’s investigation found that Reddit did not apply any robust age assurance mechanism. The company did not have a lawful basis for processing the personal information of children under the age of 13. It also failed to carry out a data protection impact assessment to assess and mitigate risks to children before 2025. In the past year, Reddit introduced age assurance measures that include age verification to access mature content and asked users to declare their age when opening an account. The commissioner once again informed Reddit that relying on self-declaration presents risks to children, as it is easy to bypass. 

Samsung consent case: The Texas Attorney General reached an agreement with Samsung Electronics America, concerning the collection of Automated Content Recognition (ACR) viewing data from Texas consumers through Samsung smart televisions. Under the agreement, Samsung must cease collecting or processing ACR viewing data without obtaining Texas consumers’ express consent and must update its smart televisions to implement clear and conspicuous disclosures and consent screens, digitalpolicyalert.org reports.

More enforcement decisions

Ransomware attack followed by privacy fine: In Spain, the data protection agency AEPD fined Sprinter Megacentros del Deporte (a sporting goods retailer) 2.6 million euros for a data breach, DataGuidance reports. A ransomware attack encrypted systems and exfiltrated data, affecting 6.3 million individuals. Notification of the data breach to data subjects was also not delivered ‘without undue delay’ and lacked specific mitigation information.


Biometric data fine: The Italian Garante has fined eCampus University 50,000 euros for unlawfully processing the biometric data of numerous participants in its online courses. The investigations revealed the lack of a suitable legal basis to justify the use of biometric systems, especially given the availability of less invasive tools.

It also emerged that the University had not conducted a data protection impact assessment before implementing the system. The violations affected a very high number of participants, over 450 students for each lesson.

Data processing agreement fine: The Polish data protection authority UODO has fined DPD Polska more than 2.75 million euros after finding serious failures in how the courier company structured its relationships with external carriers, according to an analysis by grcreport.com. These carriers participated in loading and unloading parcels and had access to address labels containing personal data. In some cases, shipments were transported in vehicles not owned by DPD Polska and for which it had no other legal basis. Despite this third-party access, the company did not conclude personal data processing agreements with the carriers.

GDPR does not prevent authorities from being notified of social fraud

The Danish data protection regulator, Datatilsynet, explains that the GDPR does not contain a general prohibition on disclosing information to public authorities. On the contrary, the rules allow data to be disclosed when there is a lawful basis for processing. This may be if the disclosure is necessary to comply with a legal obligation. The question of whether, for example, an insurance company may or must disclose information on possible fraud to a public authority, therefore, depends on the specific legal basis in national legislation, including rules on confidentiality and sector-specific regulations. 

And Finally


AI models and GDPR audit tool: The French CNIL, together with other actors in the digital data domain (the ANSSI, the PEReN and Inria), is launching a call for expressions of interest to test an audit tool called PANAME that makes it possible to assess the confidentiality of AI models and their compliance with the GDPR. The project aims to develop a tool to audit the privacy of AI models. It will take the form of a library for performing data extraction and/or re-identification tests on AI models.

For more than a decade, research has shown that it is possible to extract data, including personal data, from an AI model that was included in the training dataset. This extraction can be carried out via:

  • statistical techniques at the model level, requiring full or partial access to the model, or
  • in the case of generative AI, directly querying the model by instruction (prompt).

AI geolocation: Privacy International explains that one of the most concerning capabilities of the newest AI systems is inferring geographic location from images. Vision‑Language Models (VLMs) can now determine where in the world a given photo was taken with striking speed and accuracy. Most people are unaware that widely accessible AI tools can identify the location of their personal photos, even when Global Positioning System (GPS) metadata has been removed. Inferring location from images without GPS data may support beneficial activities, such as robotics development or investigative journalism, but such capabilities are not free of privacy risk.

Data protection digest 3-17 Feb 2026: When using anonymisation for deletion, controllers have differing degrees of success – EDPB
https://techgdpr.com/blog/data-protection-digest-19022026-when-using-anonymisation-for-deletion-controllers-have-differing-degrees-of-success/
Thu, 19 Feb 2026 09:54:35 +0000

Data deletion requests

Throughout 2025, 32 supervisory authorities across the EU/EEA launched coordinated investigations into controllers’ compliance with the right to erasure under the GDPR. Now, the EDPB has published a report of the findings. As the right to deletion is not absolute, some controllers face difficulties in assessing and applying the conditions for exercising this right, including in conducting the balancing tests between the right to erasure and other rights and freedoms. Many regulators raised concerns regarding controllers not having:

  • internal procedure or practice in place to handle erasure requests, or having an incomplete or irregularly reviewed procedure,
  • specific procedures and measures to handle erasure requests in the context of back-ups,
  • staff training,  
  • information provided to data subjects,
  • legal certainty on the exceptions to deny erasure requests, and 
  • data retention periods, etc.

Multiple regulators found that controllers relying on anonymisation for deletion have varying degrees of success in correctly implementing it. In some cases, they only apply basic pseudonymisation or partial masking, although such a process would not fulfil the requirements of the GDPR regarding deletion.


Interestingly, the majority of the polled controllers (out of 764) had not received a single request for erasure in the last two years. While controllers were often chosen due to being in certain particular situations (processing sensitive data, processing a very large amount of data, etc.), about 70% of controllers still received fewer than 10 requests per year. Also, it appears that certain profiles are less likely to exercise their rights (eg, applicants in public services, citizens toward public services, contractors, or job applicants/employees) while others seem less hesitant to do so (eg, potential customers).

Main developments 

Digital omnibus and GDPR simplification: The EDPB and EDPS issued a long-awaited statement on simplification of the digital legislative framework in the EU. Among many things, they advised against the proposed changes to the definition of personal data. The changes go far beyond a targeted modification of the GDPR, a ‘technical amendment’ or a mere codification of CJEU jurisprudence.

Defining what is no longer personal data directly affects and narrows the scope of application of EU data protection legislation and should not be addressed in an implementing act, say the regulators. The full opinion in the context of GDPR, AI Act, and ePrivacy Directive can be read here.

UK data reform: Meanwhile, in the UK, on 5 February, the main provisions of the Data Use and Access Act 2025  came into force, amending the UK GDPR and Data Protection Act 2018. These include: new ‘recognised legitimate interests’ legal basis for data controllers, cookie consent exemptions, data reuse permissions, the use of automated decision making, more relaxed transfers of personal data internationally, and sometimes limiting data subject access requests, etc. 

Age-appropriate code design


On February 5, South Carolina signed Age-Appropriate Code Design into law, after it was previously adopted by California, Maryland, Nebraska, and Vermont. According to JD Supra analysis, covered online services must exercise “reasonable care” in the use of a minor’s personal data and the design and operation of the covered online service. This includes features that:

  • Decrease minors’ time and activity on the service to prevent compulsive usage, severe psychological harm, and privacy intrusions.
  • Opt minors out of “personalisation recommendation systems” by default, and 
  • Set personal data settings to the highest level of protection by default.
  • Collect, use, share, or retain the minimum amount of a minor’s personal data “necessary” to provide the specific elements of the covered online service, etc.

More from supervisory authorities

DPO role: Under EU law, all EU institutions, bodies, offices and agencies (EUIs) are required to appoint a data protection officer (DPO). To strengthen the effectiveness and independence of this function, the EDPS has adopted two key documents clarifying the role and protection of DPOs within EUIs: 

They provide practical and up-to-date guidance on the designation of DPOs, their institutional positioning, the guarantees of independence attached to the function, and the responsibilities entrusted to them. 

Cybersecurity exercise: ENISA offers a methodology providing an end-to-end theoretical framework for planning, running and evaluating cybersecurity exercises. It ensures the right profiles and stakeholders are involved at the right time, and provides material based on lessons identified, industry best practices and cybersecurity expertise. The guide and the supporting toolkit templates are available for download.

Games age limitation: The French government, on 4 February, adopted a decree on the experimentation of games with monetisable digital objects. It requires, among other controls, that the opening of a player account be refused to any minor, or until the identity and age of the applicant have been verified. It requires the enterprise offering a game to document the arrangements used for verification, to carry out regular checks, and to be able to demonstrate the effectiveness and compliance of those arrangements to the National Gaming Authority.

How to deal with data protection complaints

The updated UK ICO guidance reminds organisations what they need to do to meet the new requirement to give people a data protection complaints process, as set out in the new Data Use and Access Act, although these requirements are not in force until 19 June 2026. At a glance, the law says organisations must:

  • Give people a way of making data protection complaints;
  • Acknowledge receipt of complaints within 30 days of receiving them;
  • Without undue delay, take appropriate steps to respond to complaints, including making appropriate enquiries, and keep people informed;
  • Without undue delay, tell people the outcome of their complaints.

Read practical advice on each of these points in the original publication.

In other news

CNIL sanctions statistics: Cookies, employee surveillance and data security were the main subjects of the penalties imposed by the French data protection authority CNIL in 2025, the cumulative amount of which totalled 486,839,500 euros. Also, insufficient security of personal data, lack of cooperation with the CNIL and non-respect for the rights of individuals were the three main reasons for sanctions under the recently introduced simplified procedures. Numerous formal notices have targeted websites that allowed the deposit of cookies and other trackers without respecting the consent of individuals, either by not allowing them to refuse the deposit in a simple way, or by not taking into account the withdrawal of users’ consent.

In addition, the regulator often sanctioned the non-compliance with the obligations of the subcontractors concerning the data entrusted to them, in particular: 

  • implementing appropriate technical and organisational measures to ensure an adequate level of security;
  • only processing data on the instructions of the data controller;
  • deleting the data at the end of their contractual relationship with the data controller.

OpenClaw AI: The Dutch data protection authority AP warns against the use of OpenClaw, an AI agent tool that has become popular since last year. The platform provides users with an AI assistant to install, which can perform tasks autonomously. For that, the user has to give full access to their computer and programs, including email, files and online services. The platform can also be vulnerable to hidden commands in websites, emails and chat messages. That can lead to taking over accounts, reading personal data and stealing access codes.

More enforcement decisions

Amazon Italy investigation: On 9 February, the Italian data protection authority Garante and the National Labour Inspectorate announced an investigation into Amazon regarding the processing of workers’ personal data and the use of video surveillance systems. The investigation will examine the company’s logistics hubs, with a particular focus on the distribution centres in Passo Corese and Castel San Giovanni, to determine the extent to which monitoring practices comply with the legal requirements stipulated within the Workers’ Statute, digitalpolicyalert.org reports. 

Dutch municipalities fined: The Dutch data protection authority AP fined 10 municipalities 250,000 euros for processing sensitive information without consent, according to DataGuidance. Violations included processing data on religious beliefs, family relationships, political views, and criminal or terrorism-related information. The municipalities processed this sensitive information (from an external research bureau, amid national counter-radicalisation efforts) without valid consent.

Swiss cookie redress case: Digitec Galaxus informed the Swiss privacy regulator FDPIC that it had implemented its formal recommendation that customers be given the option to object to the processing of their personal data for marketing purposes. Following criticism over excessive data processing, users can now disable personalisation with one click (one-click opt-out), whereby the corresponding cookies are automatically disabled. To that end, the registration form now explicitly mentions personalisation and the right to object, and the privacy policy has been updated accordingly.

And Finally

Data brokers warning in the US: The Federal Trade Commission sent letters to 13 data brokers warning them of their responsibility to comply with the Protecting Americans’ Data from Foreign Adversaries Act of 2024. It prohibits data brokers from selling, releasing, disclosing, or providing access to personally identifiable sensitive data about Americans to any foreign adversary, which includes North Korea, China, Russia, and Iran, or any entity controlled by those countries.

The law defines personally identifiable sensitive data to include health, financial, genetic, biometric, geolocation, and sexual behaviour information, etc.

The post Data protection digest 3-17 Feb 2026: When using anonymisation for deletion, controllers have differing degrees of success – EDPB appeared first on TechGDPR.

Data protection digest 4-18 Jan 2026: Legitimate Interests Assessment, AWS Europe Sovereign Cloud, Google settlement over child data
https://techgdpr.com/blog/data-protection-digest-22012026-legitimate-interests-aws-europe-sovereign-cloud-google-settlement-over-child-data/
Thu, 22 Jan 2026 09:32:31 +0000

Legitimate Interests Assessment (LIA)

The Hamburg Data Protection Commissioner provided a comprehensive questionnaire for determining the legitimate interests legal basis for processing. It helps those responsible to examine and document precisely what their interest in data processing is and whether the rights and interests of the data subject are adequately considered. It guides users step-by-step through the most important checkpoints:

  • Determination: What objectives are pursued with the data processing, and are these legally permissible?
  • Necessity: Is the processing necessary, and is only the required personal data collected?
  • Balancing: Are the rights and interests of the individuals concerned sufficiently considered and protected?
  • Documentation and compliance: Are the audit procedures recorded and regularly updated?

You can download the LIA questionnaire in German or the LIA questionnaire in English.

EDPB updates

The European Data Protection Board welcomes comments on the recommendations on the elements and principles to be found in Processor Binding Corporate Rules (BCR-P). Such comments should be sent by 2 March. BCRs are a tool for providing appropriate safeguards for transfers of personal data by a group of undertakings engaged in a joint economic activity to third countries that do not provide an adequate level of protection pursuant to the GDPR. The recommendations clarify when BCR-P can be used, namely, only for intra-group transfers between processors, when the controller is not part of the group. Read more about the scope of BCR-P and its interplay with data processing agreements in the original publication.

Other developments

AWS Europe Sovereign Cloud: The German Federal Office for Information Security BSI has announced its support for the US cloud provider Amazon Web Services in the design of security and sovereignty features for its new European Sovereign Cloud (ESC): an independent cloud infrastructure located entirely within the EU, whose operation will be technically and organisationally independent from the global AWS instance.

Later this year, the BSI will publish general sovereignty criteria for cloud computing solutions based on the new framework. It will serve as a basis for assessing the degree of autonomy of cloud solutions and can also be used in procurement processes. 

HIPAA Security Rule: In the US, for HIPAA-covered entities and business associates, the HIPAA Security Rule requires ensuring the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the regulated entity creates, receives, maintains, or transmits. To that end, the US Department of Health and Human Services has published the latest recommendations on System Hardening and Protecting ePHI. The measures include: 

  • patching known vulnerabilities
  • removing or disabling unneeded software and services
  • enabling and configuring security measures that sometimes intersect with some of the technical safeguard standards and implementation specifications of the HIPAA Security Rule, such as access controls, encryption, audit controls, and authentication.

GDPR certifications and codes of conduct

France’s CNIL maps the deployment of GDPR compliance tools across Europe. Two maps list the certifications and codes of conduct approved by national supervisory authorities or by the European Data Protection Board since the entry into force of the GDPR. These instruments may operate at either the national or European level. Certification (Art. 42 of the GDPR) makes it possible to demonstrate that a product, service, or data processing activity meets data protection criteria set out in an approved referential. And a code of conduct (Art. 40 of the GDPR) translates the Regulation’s obligations into concrete, sector-specific rules, and becomes binding on its members. 

UK international transfers

The UK Information Commissioner published an updated guidance on international transfers of personal data, making it quicker for businesses to understand and comply with the transfer rules under the UK GDPR. It sets out a clear ‘three-step test’ for organisations to use to identify if they’re making restricted transfers. New content also provides clarity on areas where organisations have questions, such as roles and responsibilities, which reflects the complexity of multi-layered transfer scenarios.

Multi-device consent

The French regulator also published its recommendations (in French) on the collection of cross-device consent. For instance, when a user accesses a website or a mobile app, they express their choices about the use of cookies or other trackers on a device connected to their account. These choices are then automatically applied to all devices connected to that account. This includes, but is not limited to, their phone, tablet, computer or connected TV, as well as the browser or app they are using. Thus, users must be well-informed of this login system.

More from supervisory authorities

Remote job interviews: According to the Latvian regulator DVI, an employer may collect the content of a remote job interview using AI tools if an appropriate legal basis can be applied. Such data processing may be carried out based on the candidate’s consent or the legitimate interests of the company. Consent must be freely given, specific, unambiguous and informed. If the processing is carried out based on legitimate interests, a balancing test of the interests of both parties must be carried out before such processing is initiated.

Regardless of the chosen legal basis, the data controller is obliged to inform the candidate before the interview about the planned data processing during the interview, including the use of AI tools, the purposes of processing, the data retention period and the candidate’s rights. The candidate has the right to object, and such objections must be taken into account; in the event of potential harm, the processing must be stopped.

Cybersecurity guide: The Australian Cyber Security Centre published guidance with a checklist on managing cybersecurity risks of artificial intelligence for small businesses when adopting cloud-based AI technologies. Reportedly, more small businesses are using AI through applications, websites and enterprise systems hosted in the public cloud like OpenAI’s ChatGPT, Google Gemini, Anthropic’s Claude, and Microsoft Copilot. Before adopting AI tools, small businesses should understand the related risks and ways to mitigate them, including: 

  • data leaks and privacy breaches
  • reliability and manipulation of AI outputs
  • supply chain vulnerabilities.

Data subject rights in the event of a bankruptcy

The Norwegian data protection authority has imposed a fine on Timegrip AS. The case concerns a retail chain that went bankrupt, and the employees needed to document the hours they had worked. The company Timegrip had been the data processor for the retail chain until the bankruptcy, and stored this data. However, they would not provide the data to either the bankruptcy estate or the employees themselves. 

Timegrip argued that the company did not have the right to provide the complainant with a copy because a data processor can only process personal data on the basis of an instruction from the controller. Since the controller retail chain had gone bankrupt, Timegrip claimed that no one could give them such an instruction. At the same time, Timegrip refused access requests from 80 different individuals, despite the company being aware that they were in a vulnerable situation and dependent on the timesheets to document their salary claims. 

In addition, it was Timegrip that made decisions about essential aspects of the processing, such as what the data could be used for, the storage period and who could have access to the personal data. In other words, it was clear that it was Timegrip that exercised the real control over the personal data.

Google multimillion-dollar settlement over child data

In the US, a federal judge granted final approval for a 30 million dollar class action settlement against Google, after six years of litigation with parents claiming the tech giant violated children’s privacy by collecting data while they watched YouTube videos. Although Google doesn’t charge for access to YouTube, the company does use it as a revenue source. It collaborates with advertisers and the owners of popular YouTube channels to advertise on specific videos, with Google and the channel owners splitting the payments received from advertisers.

In other news 

Free mobile fine: The French CNIL issued two sanctions against the companies FREE MOBILE and FREE, imposing fines of 27 and 15 million euros, respectively, over the inadequacy of the measures taken to ensure the security of their subscribers’ data. In October 2024, an attacker managed to infiltrate the companies’ information systems and access personal data concerning 24 million subscriber contracts, including IBANs, when the people were customers of both companies. 

The investigation has shown that the authentication procedure for connecting to the VPN of both companies, used in particular for the remote work of the company’s employees, was not sufficiently robust. In addition, the measures deployed by the companies in order to detect abnormal behaviour on their information system were ineffective.

Major university data breach: In Australia, a cyberattack compromised the personal information of students from all Victorian government schools. An unauthorised external third party accessed a database containing information about current and past school student accounts, including student names, school-issued email addresses, and encrypted passwords. In the opinion of the Australian legal expert from Moores, who analysed the breach, certain factors tend to correlate with such incidents. These include:

  • Adoption of new CRMs and platforms (including leaving administrator access open, and having incorrect privacy settings, which make online forms publicly searchable);
  • Keeping old information which is no longer required;
  • A spike in emails sent to incorrect recipients on Fridays and in the lead-up to school holidays;
  • Spreadsheets sent via email (instead of SharePoint, for example).

Business email compromise

Business Email Compromise (BEC) is currently one of the fastest-growing forms of digital fraud, according to the Dutch National Cybersecurity Centre. In BEC, criminals pose as trusted individuals within an organisation, often a director or manager, but also a colleague, supplier, or customer.

The criminals’ goals can vary, such as changing account numbers, obtaining login credentials, stealing sensitive information, or using compromised accounts for new phishing campaigns. The power of BEC lies not in its technical complexity but in exploiting the principles of social influence. BEC fraudsters cleverly utilise subtle social pressure, for example, by capitalising on scarcity by creating a sense of urgency, exploiting reciprocity by first building trust or asking for small favours, or relying on an authority figure. 

And finally 

AI prompting guide: IAB Europe has published its AI Prompting Guide. It provides practical, reusable techniques you can apply immediately, including, among others, managing risks such as hallucinations, sensitive data exposure, bias, and prompt injection. Some of these risks can be addressed through careful prompting, review, and user judgment, while others require more structural safeguards such as validation, monitoring, and clear boundaries around how models are used.

For instance, sensitive data exposure occurs when confidential, personal, or proprietary information is included in prompts or generated in outputs inappropriately. This can involve personal data, commercial secrets, or information subject to legal or contractual restrictions. The mitigation strategy would include: 

  • removing or anonymising sensitive information before including it in prompts 
  • limiting the amount of context shared to what is strictly necessary for the task 
  • following organisational guidance on approved tools and data handling, and 
  • applying access controls where models are integrated into workflows. 

For sensitive use cases, ensure outputs are reviewed before being stored, shared, or acted upon.
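The first two mitigation bullets (strip or anonymise sensitive data before it enters a prompt, and share only what the task needs) are easy to state and easy to get wrong. The following Python sketch is an added example, not code from the IAB Europe guide or from this digest: a pre-prompt redactor that replaces e-mail addresses, phone numbers, IBANs and a caller-supplied list of data-subject names with consistent placeholders, a check that nothing recognisable remains, and a local step that maps the placeholders back only after the model's answer has returned. The regular expressions, function names and the sample ticket are constructed for illustration; a production deployment would use a dedicated PII detector rather than three regexes.

```python
import re

# Illustrative patterns for personal data commonly found in support tickets.
# Constructed for this example and deliberately simple; they are not exhaustive.
PATTERNS = {
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "IBAN": re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b"),
    "PHONE": re.compile(r"\+?\d[\d\s().-]{7,}\d"),
}

# IBANs are consumed first so the looser PHONE pattern cannot grab their digit groups.
REDACTION_ORDER = ("IBAN", "EMAIL", "PHONE")


def redact(text, known_names=()):
    """Replace personal data with placeholders before the text goes into a prompt.

    Returns (redacted_text, mapping); mapping is placeholder -> original value and
    stays on the caller's side. Only redacted_text is ever sent to the model.
    """
    mapping = {}
    counters = {}

    def placeholder(kind, value):
        # Reuse the placeholder for a repeated value so the model sees one
        # consistent token for, e.g., the same customer mentioned twice.
        for ph, original in mapping.items():
            if original == value and ph.startswith("[" + kind + "_"):
                return ph
        counters[kind] = counters.get(kind, 0) + 1
        ph = "[%s_%d]" % (kind, counters[kind])
        mapping[ph] = value
        return ph

    out = text
    # Longest names first so "Anna Mustermann" is matched before a bare "Anna".
    for name in sorted(known_names, key=len, reverse=True):
        out = re.sub(re.escape(name), lambda m: placeholder("NAME", m.group(0)), out)
    for kind in REDACTION_ORDER:
        out = PATTERNS[kind].sub(lambda m, k=kind: placeholder(k, m.group(0)), out)
    return out, mapping


def find_residual(text, known_names=()):
    """List the kinds of personal data still detectable in text (empty list = clean)."""
    hits = [kind for kind, pattern in PATTERNS.items() if pattern.search(text)]
    hits += ["NAME" for name in known_names if name in text]
    return hits


def restore(model_output, mapping):
    """Re-insert the original values into the model's answer, locally."""
    for ph, original in mapping.items():
        model_output = model_output.replace(ph, original)
    return model_output


# Constructed sample ticket; the person, address and IBAN are fictional.
SAMPLE_TICKET = (
    "Customer Anna Mustermann (anna.mustermann@example.com, +49 30 1234567) "
    "asks why the direct debit from DE89 3704 0044 0532 0130 00 failed. "
    "Please draft a reply to anna.mustermann@example.com."
)


if __name__ == "__main__":
    redacted, mapping = redact(SAMPLE_TICKET, known_names=("Anna Mustermann",))
    # Refuse to send anything that still looks like personal data.
    assert find_residual(redacted, ("Anna Mustermann",)) == []
    print("prompt sent to model:", redacted)
    # Stand-in for the model's reply, which still uses the placeholders.
    reply = "Dear [NAME_1], we will contact you at [EMAIL_1] about [IBAN_1]."
    print("reply shown to the agent:", restore(reply, mapping))
```

The design point is that the mapping never leaves the organisation: the model only sees `[EMAIL_1]`-style tokens, the residual check blocks the request if a pattern slipped through, and re-identification happens after the output has been reviewed, which is the last bullet of the guide in code form.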

The post Data protection digest 4-18 Jan 2026: Legitimate Interests Assessment, AWS Europe Sovereign Cloud, Google settlement over child data appeared first on TechGDPR.

Data protection digest 3-18 Dec 2025: E-commerce websites should offer a choice between ‘guest’ mode, or voluntary account creation
https://techgdpr.com/blog/data-protection-digest-22122025-e-commerce-websites-should-offer-a-choice-between-guest-mode-or-voluntary-account-creation/
Mon, 22 Dec 2025 09:26:19 +0000

E-commerce user data

As a general rule, users should have the option to engage with e-commerce websites, including the ability to make purchases, without creating an account. In such cases, the EDPB recommends that e-commerce websites offer a choice: either a ‘guest’ mode, allowing users to make purchases without creating an account, or the option to voluntarily create an account. This approach minimises the collection and processing of personal data, and therefore aligns with the GDPR’s principle of data protection by design and by default. However, mandatory account creation can be justified in a limited number of cases, including, for example, offering a subscription service or providing access to exclusive offers.

Google antitrust investigation

The EU Commission has opened an investigation into possible anticompetitive conduct by Google in the use of online content for AI purposes – using the content of web publishers, as well as content uploaded on the online video-sharing platform YouTube. The investigation will notably examine whether Google is distorting competition by imposing unfair terms and conditions on publishers and content creators, or by granting itself privileged access to such content, thereby placing developers of rival AI models at a disadvantage. It should be noted that there is no legal deadline in the EU for bringing an antitrust investigation to an end. 

More legal updates

US AI national policy: On 11 December, President Trump signed an Executive Order on establishing a national policy framework for AI and lifting barriers to innovation. According to digitalpolicyalert.org, the US Administration will work with Congress to establish a single national AI standard that avoids conflicting state legislation. This standard would override any state laws that contradict the policy and would include protections for children, respect for copyrights, prevention of censorship, and measures to keep communities safe.

US immigration data: According to Privacy International, the US Government also intends to force visitors who are not required to get visas, such as British and French citizens, to submit their digital history and even DNA as the price of entry. With this much data, AI tools will likely be deployed to unlock details of your life for border and immigration agencies. In particular, it wants to know all about:

  1. ‘telephone numbers used in the last five years’
  2. ‘email addresses used in the last ten years’
  3. ‘family number telephone numbers (sic) used in the last five years’
  4. biometrics – face, fingerprint, DNA, and iris
  5. business telephone numbers used in the last five years
  6. business email addresses used in the last ten years.

If the proposed changes, published on 10 December, are adopted after the 60-day consultation, travellers will have to use dedicated apps for their ESTA application, and to provide biometric proof of their departure. The latter will disclose the user’s location once they have left the US and run live detection on the selfie photo.

Password managers

The German Federal Office for Information Security (BSI) examined this product category and investigated the IT security features of ten selected password managers. Three out of ten stored passwords in a way that theoretically allows manufacturers access. This increases the attack surface on the manufacturer’s side, which must be mitigated by additional compensatory measures. Users must trust these additional measures.

If the password manager stores data in the cloud, consumers should be informed about the storage location and data protection measures. This information can be included, for example, on the manufacturer’s website, in the terms and conditions for using the product, or in the privacy policy.

AI Training guidance

The Swedish data protection authority IMY has investigated the possibility of using personal data to create synthetic data for AI training purposes. Such data is created to resemble the original data without being able to be linked to individuals. It can be very positive from a privacy perspective, even though the synthesis itself means that personal data is processed, so it needs to comply with the GDPR. The particular project IMY investigated was about custody cases. It therefore involved a large amount of data of a very sensitive nature, which requires special considerations and measures. 

More from supervisory authorities

Medical research: The Hessian data protection commissioner has published a guide to data protection in medical research (in German). The guide presents four concrete use cases from the practice of medical research and classifies them from a data protection perspective. In particular, the cases describe the use of AI in cancer screening, pathology, intensive care, and the distinction between quality assurance and scientific research. The guide pays particular attention to the question of under what circumstances data can be considered anonymous. The use of anonymised data is especially relevant for medical research and the training of AI models. For research projects where anonymisation is not practical, the guide presents alternative legal bases under data protection law.

Consent forms: Consent is one of the lawful grounds for processing personal data. It means that a person freely, specifically and unambiguously agrees to the processing of their data for one or more purposes. Consent has to be verifiable so that the controller can demonstrate that it was received in accordance with the requirements. Therefore, in situations where consent is requested in person, a written form is useful, which provides clarity for both the organisation and the customer. It can include the minimum information that is most important at the time of consent, so as not to overload the information to be received, as well as not to delay the duration of the service or process itself. The consent form must state: 

  • Who will process the data (company, individual entrepreneur), with their name
  • Why the data is needed
  • What data is needed
  • How to withdraw consent
  • Customer ID (data subject’s first name, last name)
  • Date, signature
  • Information on where to find more information about data processing, including the duration of data storage and how to contact the controller

Cambridge Analytica compensations

Eligible Australian Facebook users impacted by the Cambridge Analytica affair have until 31 December to register under a payment program established in a landmark settlement. The 50 million dollar payment program was established by Meta Platforms as part of an enforceable undertaking the Australian Information Commissioner accepted from Meta in December 2024. This brings to an end 7 years of investigation and litigation related to the Cambridge Analytica matter in Australia.

Meta data access

The Austrian Supreme Court ordered that Meta must provide full access to all of a user’s personal data in response to an access request within 14 days, including the sources, recipients and purposes for which each piece of information was used, privacy advocacy group NOYB reports. Meta’s claims of trade secrets or other limitations were rejected. The company had claimed that this would lead to unprecedented access to the inner systems of the platform.

Meta must also ensure that sensitive information (political views, sexual orientation, or health) is not processed together with other data unless a valid legal basis according to Art. 9 GDPR applies, even if it was collected unintentionally or it would be technically impossible to separate it. The case was brought by the NOYB activist Max Schrems in 2014 and spent 11 years in the Austrian courts and the CJEU. The plaintiff was awarded 500 euros in damages.

American Express cookie fine

The French privacy regulator CNIL fined American Express Carte France, the French subsidiary of the American Express group, 1.5 million euros for non-compliance with the rules applicable to cookies: a) by depositing trackers without having user consent, or b) despite their refusal to consent, or c) by continuing to read the trackers previously deposited despite subsequent consent withdrawal. 

In other news

Germany telecommunications fine: Due to massive violations of data protection rights, the North Rhine-Westphalia data protection commissioner has imposed a fine of 300,000 euros on a local telecommunications company. Since 2022, consumers have repeatedly contacted the regulator for the same reason: they received personalised ad letters promoting a contract for an internet and telephone connection. The recipients consistently stated that they had never had any prior contact with this company. However, the advertising letters were remarkably detailed. The recipients were only required to add their IBAN and sign the form.

Due to the design of the letters and the similarity of the name to a very well-known telecommunications provider, many consumers were unaware that it wasn’t an offer for a different tariff with their existing provider, but rather an offer to switch providers. As a result, those affected often signed the contract documents. Only when they later realised they had switched providers did they cancel or revoke the contracts, and they were then hit with a demand for a flat-rate compensation fee by the company.

Direct marketing fine: The Italian data protection authority has fined Verisure Italia for unlawful processing of personal data for marketing purposes. The measure stems from a complaint from a former customer who continued to receive unwanted promotional text messages even after objecting to the processing of his data, and from a report from a potential customer who, after requesting a quote, began receiving promotional phone calls, emails, and text messages. The communications continued despite the exercise of the right to object provided for by the GDPR. Furthermore, the regulator deemed the retention period for potential customer data envisaged for telemarketing (12 months) to be excessive. 

More enforcement actions

Data processor breach: The French CNIL imposed a fine on Mobius Solutions, the processor behind a data breach affecting users of Deezer. The company was fined 1 million euros for failing to comply with the applicable rules regarding subcontracting. In 2022, Deezer reported that its users’ data had been posted on the dark web and that its former processor, Mobius Solutions, whose services it used to carry out personalised advertising campaigns for its customers, was involved.

The processor retained a copy of the data of more than 46 million DEEZER users after the end of their contractual relationship, despite its obligation to delete all such data at the end of the contract.

University data breach: The Dutch AP imposed a 175,000-euro fine on HAN University of Applied Sciences for breaching the GDPR data security rules. A hacker used SQL injection through a web form to access HAN’s database. The individual threatened to make personal data, including addresses, names, passwords, and citizen service numbers, public and unsuccessfully demanded a ransom from the university.

Password manager data breach: The UK Information Commissioner fined password manager provider LastPass 1.2 million pounds following a 2022 data breach that compromised the personal information of up to 1.6 million of its UK users. LastPass failed to implement sufficiently robust technical and security measures, which ultimately enabled a hacker to gain unauthorised access to its backup database. The incidents occurred when a hacker gained access first to a corporate laptop of an employee based in Europe and then to a US-based employee’s personal laptop on which the hacker implanted malware and was then able to capture the employee’s master password.

In case you missed it


Meta personalised ads: On 8 December, the European Commission acknowledged Meta’s undertaking to offer users in the EU an alternative choice of Facebook and Instagram services that would show them fewer personalised ads, to comply with the Digital Markets Act. This is the first time that such a choice is offered on Meta’s social networks. Meta will give users the effective choice between: 

Meta will present these new options to users in the EU in January 2026. This follows a close dialogue between the Commission and Meta after the Commission found Meta in breach of the Digital Markets Act and issued Meta a non-compliance decision related to Meta’s “consent or pay” model in April 2025.

TikTok usage risks in the EU: The Dutch AP urges users and organisations to carefully consider whether they wish to continue using TikTok and other services that transfer personal data to countries outside the EU, including China. The Irish data protection authority DPC has previously ruled that this transfer is in breach of the GDPR. In addition, the Irish court required TikTok to better inform users on data processing activities. Users can still decide whether they want to continue using TikTok under these circumstances. If not, they can (temporarily) delete the app or deactivate an account.

The post Data protection digest 3-18 Dec 2025: E-commerce websites should offer a choice between ‘guest’ mode, or voluntary account creation appeared first on TechGDPR.

Data protection digest 1-15 Sep 2025: The Data Act is fully applicable, “bossware” takes over workspaces https://techgdpr.com/blog/data-protection-digest-17092025-the-eu-data-act-is-fully-applicable-bossware-takes-over-workspaces/ Wed, 17 Sep 2025 09:45:57 +0000

The post Data protection digest 1-15 Sep 2025: The Data Act is fully applicable, “bossware” takes over workspaces appeared first on TechGDPR.

The Data Act

As of 12 September, the Data Act has become directly applicable in the EU. It offers harmonised rules on fair access to and use of data. The new rules cover manufacturers, users, data holders, data recipients, public sector bodies, and data processing services. It is designed to empower users, both consumers and businesses, by giving them greater control over the data generated by their connected devices (and related services), such as cars, smart TVs, industrial machinery and much more:

  • It ensures that connected devices on the EU market are designed to allow data sharing
  • Gives consumers the possibility to choose more services, without having to rely on the manufacturer of the device 
  • Provides business users in industries like manufacturing or agriculture access to data about the performance of industrial equipment, opening up opportunities to enhance efficiency and optimise operations
  • Allows consumers to easily transfer data and switch between cloud providers
  • Prohibits unfair contracts that could prevent data-sharing

The Data Act does not exclude or replace the GDPR

On the contrary, it is fully compliant with data protection rules. In one example, where the user is not the data subject whose data is being requested, personal data can only be made available if there is a valid legal basis (eg, consent). This is an important consideration as the co-generated data often contains both personal and non-personal data, which may be difficult to separate. Additionally, the Data Act includes a non-exhaustive list of measures to remedy situations where a third party or user has unlawfully accessed or used data. The infringing party will be obliged to cease production of the product in question, destroy the data it has unlawfully obtained, or pay compensation.


The Act also includes requirements for international transfers of non-personal data. The data processing service providers are required to adopt technical, legal, and organisational measures to prevent international transfer or governmental access to non-personal data that would breach national or EU law. Furthermore, the Act includes protections for trade secrets and trade secret holders, aiming at preventing data breaches or data transfers to jurisdictions that don’t provide sufficient data protection and preventing other entities from accessing the data to reverse-engineer the services of their competitors.

Data subject rights under the Data Act

The Hamburg data protection authority explains that, from electronic toothbrushes to wind turbines, many consumer goods and machines send sensor data to their manufacturers via the internet. Starting September 12, consumers will benefit from new access rights to the data of such connected devices, as the Data Act allows both users of these devices and third parties to request it. This is provided that the eligibility requirements under the Data Act are met, data protection law does not conflict, and trade secrets are protected.

If the data to be transmitted is personal, European law appoints data protection authorities to supervise compliance with the provisions of the Data Act. This task follows directly from Art. 37(3) of the Data Act: a) Accessing personal data from the manufacturer; b) Changing the provider of data processing services (so-called cloud switching); c) Protection of confidentiality through technical and organisational measures at the receiving body; d) Transparency obligations. The data protection authorities can now enforce these rights by issuing orders. Violations can sometimes be punished with fines. Alternatively, claims can be pursued independently through civil law. Any natural or legal person can file a complaint. 

EU-US Data Privacy Framework maintained

On 3 September, the CJEU ruled on a case in which a French politician had brought an action against the Commission regarding the adequacy decision for the EU-US Data Privacy Framework. The case was brought with a claim that the adequacy decision should be annulled. According to the complainant, the newly established appeal body in the US, the Data Protection Review Court (DPRC), was not independent, and American legislation did not ensure adequate guarantees for the data subjects in connection with the mass collection of personal data by the intelligence services. 

The Court found no basis for concluding that the DPRC was not independent at the time of the decision. In this context, the Court recalled the Commission’s obligation to continuously monitor developments in the US and to act if changes in the legal framework might lead to a lower level of protection. With regard to the activities of the intelligence services, the Court also found that US legislation at the time of its adoption ensured a level of protection of personal data that was essentially equivalent to that existing within the EU.

On that basis, the Court dismissed the lawsuit in its entirety.

Digital Services Act

The EU General Court, meanwhile, has ruled that the Commission failed to properly adopt the method it used to assess very large online platforms’ user bases under the Digital Services Act (DSA). As a result, the supervisory fees the Commission imposed on the largest platforms (Facebook, Instagram, TikTok and others), as calculated by reference to their user bases, were invalid (however, the effects of the annulled decisions are provisionally maintained). The Commission now has 12 months to rectify the situation. 

The EDPB has recently adopted guidance on the interaction between the Digital Services Act and the GDPR. The DSA aims to complement the rules of the GDPR to ensure the highest level of protection of fundamental rights in the digital space. It applies to online intermediary services, such as search engines and platforms. There are several provisions in the DSA which relate to the GDPR:

  • Notice-and-action systems that help individuals or entities report illegal content
  • Recommender systems used by online platforms to automatically present specific content to the users of the platform, with a certain relative order or prominence
  • The provisions to ensure a high level of privacy, safety, and security of minors and to prohibit profile-based advertising using their data 
  • Transparency of advertising by online platforms
  • Prohibition of profiling-based advertising using special categories of data 

Pseudonymisation

In another ruling of September 4, the CJEU addressed various issues relating to personal data and pseudonymisation in connection with the transfer of this data to third parties: 

The case concerned the obligation incumbent on controllers to inform data subjects, at the time of data collection, of the recipients or categories of recipients to whom their personal data are to be disclosed. Consequently, the identifiability of the data subject in such a case must be assessed from the perspective of the controller and not from that of the recipient. 

More from supervisory authorities

Brazil draft adequacy decision: On 4 September, the European Commission launched the process towards the adoption of a data protection adequacy decision with Brazil. The Commission has determined that Brazil ensures an adequate level of data protection, comparable to that of the EU. Once adopted, the decision would allow for free data flows for businesses, public authorities, and research projects between the EU and Brazil, one of the widest scopes possible for a data adequacy decision under the GDPR. The Brazilian authorities have also initiated a process to adopt an equivalent decision to allow for Brazilian data to flow freely to the EU.

Windows IT security guide for organisations: The German Federal Office for Information Security (BSI) provided recommendations for the secure configuration of Microsoft Office products for the Microsoft Windows operating system (in German). These recommendations were developed specifically for medium-sized to large organisations that manage their endpoints using Group Policies in an Active Directory environment. However, other experienced IT users can also apply the Group Policies locally. Implementing these policies offers the advantage of a wider range of configuration options compared to configuring them via the user interface. These recommendations are available for the Office applications Microsoft Access, Microsoft Excel, Microsoft Outlook, Microsoft PowerPoint, Microsoft Visio, and Microsoft Word.

Cybersecurity for teenagers: The BSI also published a comprehensive package to teach basic cybersecurity skills. It aims to support teachers and other educational professionals in raising young people’s awareness of digital risks at an early stage and teaching them how to use digital media safely. The media package includes educationally prepared worksheets, interactive activities, and background information for teachers and parents. It covers the three topics of smartphone and app security, cybercrime methods, and account protection.


Personal recordings

Can recordings obtained for personal use be used for other purposes? The Latvian data protection regulator explains that such a recording is usually made without informing other people about it. In cases where the recording is planned to be used only for one’s own needs, without passing it on to others, the GDPR does not apply. However, before making a recording, you should consider whether it is restricted by any other rules. For example, if the recording is made at a school event, you should make sure that the institution’s internal rules of procedure do not set any restrictions on the use of technical devices and the making of recordings.

Over time, a person who has a recording made for personal purposes may want to use this information for other purposes. For example, it can serve as evidence in resolving a dispute or in detecting an offence. In this case, GDPR provisions must apply, in particular, when choosing the legal basis for processing, complying with fundamental principles in processing, including ensuring that the rights of the people heard and seen in the recordings are respected. 

Right to erasure

The EDPB launched a coordinated action earlier this year to examine how organisations handle the right to erasure (requests from individuals to have their personal data erased by the organisation). The Swedish Data Protection Authority IMY is now reporting its findings. The 20 Swedish businesses surveyed, despite handling large amounts of personal data, had received few requests from individuals who want their data deleted. Among the problems and challenges that IMY has identified are: a) a lack of or inadequate internal routines and processes, b) uncertainty about deletion in backups, and c) difficulty verifying the identity of the person who wants their data deleted. IMY has also identified examples of best practice for handling data deletion requests, such as:

  • Create clear and updated procedures, control documents and checklists that specify who does what, how the assessment is carried out and what criteria apply for deletion
  • Offer multiple channels to submit a deletion request, such as email, phone, web form, or physical visits
  • Verify the individual’s identity only in cases of reasonable uncertainty
  • Always provide a clear justification with reference to relevant provisions when rejecting a request

Google and Shein cookie fines

The French regulator CNIL fined Google 325 million and Shein 150 million euros, in particular for non-compliance with the rules on online trackers. The checks revealed that Google displayed, between the emails present in the ‘Promotions’ and ‘Social networks’ tabs of Gmail, advertisements in the form of emails. In the case of Shein, the CNIL noted that several trackers, particularly for advertising purposes, were deposited as soon as users arrived on the site, even before they had interacted with the information banner to express a choice.

Also, when a user visiting the “shein.com” site clicked on the “Refuse all” button in the banner, or when they decided to withdraw consent to the registration of trackers on their terminal, new trackers were nevertheless deposited. 

Toymaker fine

America’s FTC recently settled with Apitor Technology, a Chinese toymaker, over allegations that the company violated the Children’s Online Privacy Protection Rule (COPPA). Apitor develops, markets, and distributes robot toys for kids ages 6-14. To program the robots, users need to download Apitor’s free companion app, which incorporated a third party’s software development kit (SDK) enabling app functionalities like push notifications and usage tracking. The SDK allowed the third party to collect geolocation data from children playing with the robot toys using an Android device. Under COPPA, companies providing online services directed at children must notify parents if they are collecting, using, or disclosing personal information from juveniles. They also have to get parents’ verified consent to do so, even if a third party is the one collecting the data on the company’s behalf.

Online banking authentication

In Finland, the data protection agency has imposed a penalty of 1.8 million euros on S-Bank for neglecting information security in online banking authentication. Due to a software error in the authentication service in 2022, it was possible to log in to online banking and online services using strong authentication with another customer’s credentials. The agency investigated the data breach based on a notification made by S-Bank in 2022. The bank had implemented a new login functionality in S-mobile. 

The bank had not tested the new software sufficiently before implementing it, and it had not identified vulnerabilities before the functionality was implemented. It also did not respond adequately to customer complaints about irregularities in online banking logins. A security vulnerability had been exploitable for more than three months. It affected a significant portion of the bank’s customers. Misuse of bank codes caused financial damage to customers. S-Bank has announced that it has compensated customers for direct losses.

In other news

Disney: Another FTC settlement, with Disney, alleges that it failed to properly designate its YouTube videos as directed to children. When Disney uploaded videos to YouTube, its policy was to set the audience at the channel level, rather than checking the audience for each video. As a result, some child-directed videos were incorrectly designated as “not made for kids.” Personal information of children viewing these videos was collected and used for targeted advertising without parental notice or consent as required under COPPA. Kids were also exposed to YouTube features not meant for kids: autoplay to other “not made for kids” videos and access to unrestricted public comments.

Recruitment agency: The North Rhine-Westphalia data protection commissioner imposed a fine of over 35,000 euros on a Düsseldorf-based recruitment agency which had consistently ignored not only the data protection rights of job seekers, but also requests from the regulator. The focus was on requests from employees asking whether and which data the company had processed about them. Some of the individuals also demanded that their data be deleted.

Health data: In Estonia, Allium UPI, the company that manages the Apotheka loyalty program, received a fine of 3 million euros for failing to protect customer data and using insufficient security measures. The company’s reckless attitude towards its customers’ data put the privacy of more than 750,000 people, including children and other vulnerable groups, at risk. A security incident occurred in the information system of the Apotheka loyalty program in early 2024.

The leaked files contained personal data and purchase history of those who joined the Apotheka customer program between 2014 and 2020: purchased medicines, health measurement services, and other sensitive pharmacy products, such as pregnancy and ovulation tests, hearing aid accessories, blood pressure supplements, intimate hygiene products, and medications for skin problems. 

In case you missed it

Facial recognition of football fans in Denmark: The Danish Data Protection Authority has granted permission for the clubs in the Super League (season 2025/2026) to use automatic facial recognition during football matches, in order to support the enforcement of the rules on club quarantines. The permits for the Super League clubs state, among other things, that the processing must comply with the rules on the preparation of an impact assessment: it must be carried out before the processing begins.

Bossware in the UK: A third of UK companies use “bossware” to track employees’ activities, according to an article in the Guardian. One in seven employers are monitoring or evaluating screen activity, and private organisations are the most likely to implement in-work surveillance, according to a UK-wide poll. The fact that about one-third of managers said their companies watch employees’ internet activity on company-owned devices, however, is likely an underestimation because the same percentage stated they had no idea what tracking their companies do. Preventing insider threats, protecting sensitive data, and identifying productivity declines are the goals of many monitoring systems.

Data protection digest 18-31 Aug 2025: Greater simplification of GDPR, ‘personalisation’ in AI systems https://techgdpr.com/blog/data-protection-digest-02092025-greater-simplification-of-gdpr-personalisation-in-ai-systems/ Tue, 02 Sep 2025 14:45:06 +0000

The post Data protection digest 18-31 Aug 2025: Greater simplification of GDPR, ‘personalisation’ in AI systems appeared first on TechGDPR.

An informal discussion is underway for the greater simplification of the GDPR

The Danish EU Presidency is promoting GDPR reform to increase competitiveness by introducing SME-friendly amendments, such as restricting data rights in low-risk situations, rationalising DPIAs, and requiring prior mediation procedures before lodging complaints, the eutechloop.com article states. These are in line with the precedent established by the Commission’s simplification plan in May this year, which gives small and mid-cap companies, those with fewer than 750 employees, targeted relief from GDPR reporting requirements on keeping records of processing activities (GDPR Art. 30).

In addition, the proposal introduces a definition of SME and SMC in Art. 4 of the GDPR and extends the scope of the GDPR’s Art. 40 and 42 to the SMCs, which refer to codes of conduct and certification. 

According to an insideprivacy.com article, the following Danish proposals may make it easier for European organisations to process personal data as they:  

  • Define a minimum threshold for when data subject rights apply (Art. 12-20 GDPR). 
  • Clarify when DPIAs are required and consider exemptions or simplifications for SMEs (Art. 35 GDPR). 
  • Make the data subject’s right to complain to the supervisory authority conditional upon certain criteria (eg, prior engagement with the data controller) (Art. 77 GDPR).  
  • Exempt data controllers from having to notify certain data breaches to the supervisory authority, such as “uncomplicated and clearly defined” breaches (Art. 33 GDPR), etc.

At the moment, the EU is re-evaluating its digital policies. This is partly motivated by Mario Draghi’s report on the bloc’s lagging productivity and technology use, but is also fuelled by ongoing political pressure from Washington to ease digital regulations in order to unlock trade.

Provisions of data reform in the UK are already in place

On the 20th of August, a set of provisions of the new Data Use and Access Act 2025 entered into force, establishing provisions on ‘overriding’ and data breach notification, plus reporting and progress requirements in relation to the use of copyright works in the development of AI systems. The Bill applies to all data controllers, processors, and electronic communications service providers handling personal data.

It introduces new sections to the UK Data Protection Act 2018 to prevent relevant enactments passed after the Bill’s commencement from overriding main data protection legislation requirements (eg, it establishes that data subject rights cannot be overridden unless an express contrary provision is made). The Bill also mandates personal data breach notifications to the Information Commissioner within 72 hours of becoming aware of the breach, digitalpolicyalert.org sums up.

In parallel, the Information Commissioner’s Office is consulting on draft changes to how it handles data protection complaints. The Data Use and Access Act places new requirements on organisations to have a complaints process specifically for data protection-related issues, such as providing an electronic complaints form. Organisations must also acknowledge a complaint within 30 days and respond to it ‘without undue delay’.


Another consultation aims to address the new lawful basis of “recognised legitimate interests”. It will provide a presumption of legitimacy to processing activities for certain pre-approved public interest purposes, including activities such as crime prevention, public security, safeguarding, emergency response, and sharing personal data to help other organisations perform their public tasks.

Cybersecurity of digital products in Switzerland


The Swiss Federal Council, meanwhile, has decided to strengthen the cyber resilience of digital products. Despite the importance of preventing, or quickly addressing, vulnerabilities in such products, Switzerland currently lacks clear cyber resilience requirements. The new legislation will set out cybersecurity requirements for the development and commercialisation of products with digital components, establish rules for market surveillance of these products, and lay the groundwork for banning the import and sale of insecure devices.

The new legislation will take into account the international context, including the EU’s Cyber Resilience Act, which came into force on 11 December 2024, with a draft corresponding bill to be submitted for consultation by Autumn 2026. 

Documentation requirements under DORA

What documentation requirements do companies have to fulfil under DORA? The German Federal Financial Supervisory Authority (BaFin) has published an overview with graphic attachments to help companies navigate these requirements. Companies have had to apply the European Digital Operational Resilience Act’s regulation since 17 January 2025. DORA aims to make the European financial market more secure against cyber risks and incidents affecting information and communication technology (ICT). 

More guidance on the DORA application can be found here

Software updates and patch releases

Most software needs updating after its initial release to address bugs, newly identified vulnerabilities, and revisions to features and functionality. But software patches and other changes can introduce new cybersecurity and privacy risks and can impair operations if not managed effectively. To support successful, secure software updates and patches, the US National Institute of Standards and Technology (NIST) has finalised modifications to its catalogue of security and privacy safeguards to assist both the developers who create patches and the organisations that receive and implement them in their own systems.

More from supervisory authorities

Public cloud and data protection: ISO/IEC 27018 provides guidance for protecting personally identifiable information (PII) in public cloud services, specifically when the cloud service provider acts as a PII processor. As cloud computing becomes the default mode of service delivery, organisations must ensure that personal data stored and processed in the cloud is properly safeguarded. ISO/IEC 27018 helps cloud providers meet legal, contractual, and ethical obligations regarding PII. It supports compliance across jurisdictions, enhances customer trust, and provides a clear structure for data protection in the cloud.

IT security label: Manufacturers of smart security solutions can now apply for the IT security label from the German Federal Office for Information Security (BSI). The connected home is part of everyday life for many people. This includes smart security technology, such as app-controlled alarm systems, smart motion sensors, mechatronic security devices (smart locks), and networked smoke detectors. In addition to the physical protection of their own four walls, consumers should also consider the cybersecurity of their digital security solutions. The IT security label makes the IT security features of smart security technology transparent for buyers and helps manufacturers highlight their products on the market.

Protecting child data online

To improve children’s online safety, the European Commission has adopted guidelines for the protection of minors under Art. 28 of the Digital Services Act (DSA). This requires platforms accessible to minors to implement appropriate and proportionate measures to ensure a high level of privacy, security and protection of minors, including: 

  • Age verification and default settings.
  • Interface design that does not encourage prolonged use of the platform by adolescents. 
  • Limits on the processing of behavioural data and prioritising explicit signals from minors regarding desired content.
  • Clear rules regarding harmful content and behaviour, the establishment of coordinated moderation policies, and allowing for the possibility of human review in cases of harmful content.

At the same time, parental controls are best used as a complement to other measures, as they are often not equally effective due to different family situations.

Is it permissible to offer a discount for consenting to receive commercial communications?

The Latvian data protection authority states that a small additional benefit (for example, a symbolic discount that the customer may choose to use or not) may be permissible if it does not affect access to the service itself. That is, consent must not be made a non-negotiable part of the conditions for using the core service, for example making a purchase in an online store.

It is important to ensure that the benefits offered, which are associated with consent to the processing of personal data, do not create a feeling of pressure on customers. Namely, the intended amount of benefits should be small enough not to create the feeling in the customer that, by not providing consent to the processing of their data, they will receive a significantly less advantageous offer, thus affecting the person’s right to freely decide on the processing of their data.

The section intended for entering contact information for receiving news must clearly state the purpose of data processing – sending commercial communications, and must also contain a function (most often a tickable box) in which the person clearly expresses his/her wish to receive such communications. Information on the withdrawal of consent and its consequences must also be made easily accessible. In this section, the advantage that the vendor, for example, gives to customers who have shown interest in receiving news should be indicated only as additional information. 


GDPR (non) compliance trends

Some advancements in GDPR compliance are detailed in the Icelandic data protection authority’s 2024 report. It is good to note that the biggest Icelandic insurance firms, which make automated decisions on applications and requests for offers for health and life insurance, largely comply with the data privacy laws. The agency has placed a greater emphasis on protecting children’s privacy. Businesses started to monitor closely how kids behave when playing computer games online. Additionally, a business that handles Icelandic genetic analysis is facing legal challenges, and the public sector was sanctioned for improper handling of minors’ data in education.

In parallel, the Maltese data protection regulator, in its annual report, revealed that the majority of complaints received were about CCTV-related cases, while other major areas of compliance included data subject access requests and their shortcomings (increasingly in cross-border situations), unsolicited direct marketing and disclosure to third parties, data security and information obligation by data controllers, cookie banners and, finally, AI use. 

Cancelling membership “not easy”

According to the US FTC’s recent case against the operators of LA Fitness, “not easy” is an understatement for consumers seeking to cancel their LA Fitness memberships or related services. For in-person cancellations, LA Fitness designated only one employee (even though multiple employees can initiate memberships). This has effectively restricted cancellations to whenever that person is available at the gym, often during hours when consumers are typically at work. 

The FTC alleges that consumers who tried to cancel by mail faced similar obstacles. LA Fitness instructed consumers to print and mail a hard-to-find cancellation form. Although consumers have been able to cancel by mail without the form, LA Fitness does not disclose which details must be included in the cancellation notice. The company also instructs consumers to send cancellation requests via registered or certified mail. Finally, LA Fitness reinforced these unlawful practices by training staff to reject cancellation requests made by email or phone. 

In other news

YouTube settlement: Google and YouTube have agreed to pay $30 million to settle a long-running class action alleging they unlawfully collected data from children under 13 to serve targeted ads without parental consent. The Google class action settlement, filed in a California federal court, proposes a fund to compensate an estimated 35-45 million children who watched YouTube videos between July 2013 and April 2020. 

“Pay or Ok” illegal: According to the Noyb privacy advocacy organisation, the Austrian Federal Administrative Court upheld a previous ruling by the country’s data protection authorities that the Austrian daily DerStandard had breached the GDPR by launching “Pay or Okay.” Users must be allowed to object to or give selected permission for each processing purpose, according to rulings from the court. DerStandard was the first news website in Austria to implement a “pay or okay” policy. Customers were forced to consent or pay for a monthly subscription, rather than having a free choice to accept or reject the online tracking of hundreds of third parties.

Non-cooperation with the authority: The Swiss FDPIC has filed a criminal complaint against Add Conti GmbH for failure to cooperate in an investigation. Following several complaints from affected individuals, the FDPIC opened an investigation on 4 June. The FDPIC requested the company answer a list of questions within 30 days. The FDPIC expressly reminded Add Conti GmbH of its obligation to cooperate in the proceedings and of the fact that deliberate refusal to cooperate is punishable by a fine of up to CHF 250,000. Although the letter was delivered, the FDPIC received no response. 

Add Conti was collecting personal data of persons residing in Germany without their knowledge and making it available to German companies for advertising purposes. In addition, the company was not responding to requests for information and deletion.

Major cyberattack on Swedish municipalities

On 23 August, a cyberattack on Miljödata disrupted services in around 200 municipalities, several major private businesses and universities and colleges, with concerns over stolen sensitive data, news outlets report. The Swedish data protection regulator confirmed that it has already received around 200 reports of cyber incidents. Managers and HR use the affected systems to handle medical certificates, rehabilitation matters, and the reporting and management of work-related injuries. The attacker has encrypted personal data, preventing businesses from accessing it, but the reporting parties are unaware of how the data has been otherwise affected. In many cases, this concerns information about employees, such as health and union membership.

‘Personalisation’ in AI systems

The Future of Privacy Forum explains the subject of ‘Personalisation’, which refers to features of AI systems that adapt to an individual user’s preferences, behaviour, history, or context. Personalisation techniques can include long-term memory knowledge bases, short-term conversation history, user and system prompts, settings, and fine-tuning the model after training.

For example, an AI instructor may be able to track a student’s progress on certain subjects, recall their learning interests and level, and modify explanations as necessary. According to some scholars, an AI system must have a complete understanding of its user, including their present emotional state, to be useful in even more sensitive or private situations, such as mental health.

A user’s personal information, including prejudices and stereotypes, may be reflected in some of the data they provide to the chatbot or in what the algorithm deduces from their interactions. Last but not least, an AI system (such as the newest AI agents by Google, Meta, Anthropic, Microsoft and OpenAI) that has received or observed user data may be more likely to share that information with third parties, without the user’s consent, in an effort to complete a task.

In case you missed it

Face photo morphs: America’s NIST issues guidelines to help organisations detect face photo morphs and deter identity fraud. Face morphing software, which combines photos of different people into a single image, is being used to commit identity fraud. Thus, morph detection software, which has grown more effective in recent years, can help flag questionable photos.  However, the most effective defence against the use of morphs in identity fraud is to prevent morphs from getting into operational systems and workflows in the first place.  

Single-image detection, in the best cases, can detect morphs as often as 100% of the time (at a false detection rate of 1%) if the detector has been trained on examples from the software that generated the morph.  However, accuracy can degrade to well below 40% on morphs generated with software unfamiliar to the detector. Differential detectors are more consistent in their abilities, in the best cases, with accuracy ranging from 72% to 90%, across morphs created using both open-source and closed-source morphing software, but they require an additional genuine photo for comparison.

The post Data protection digest 18-31 Aug 2025: Greater simplification of GDPR, ‘personalisation’ in AI systems appeared first on TechGDPR.

Data protection digest 2-17 Aug 2025: “Data protection says what should be done, information security says how we do it” – Estonian regulator
https://techgdpr.com/blog/data-protection-digest-18082025-data-protection-says-what-should-be-done-information-security-says-how-we-do-it/ (published Mon, 18 Aug 2025 14:35:54 +0000)

How is data protection related to information security? 

The goal of information security is to protect an organisation’s business processes. This means responsibility for the security of the entire operating system and the ability to resist any activities that threaten the availability, authenticity, integrity, and confidentiality of data processed in the system or the services provided and accessed through the system, according to the Estonian data protection regulator.

The information assets include all IT resources – hardware, software, various data communication devices, etc. However, the people working in an organisation and its customers can also be considered information assets. It can therefore be said that data protection and information security are two sides of the same coin: data protection determines the basic principles of personal data processing, while information security helps to implement these principles.


Beyond the simple fact that it makes good business sense to ensure information security and protect assets, the obligation to implement information security comes among other things from data protection laws, which state that personal data security must be ensured by appropriate and secure measures. This means that each situation must be assessed individually. To start with: 

  • Map out what your organisation does and what business processes it involves. 
  • Identify the assets you have in place—whether they’re customer data, documents, employees, information systems, or security equipment. 
  • Don’t forget your “global defense zone”: your physical office, home office, coworking spaces, and other locations where your organisation’s assets and information might be located.
  • If something major happens in any of these components, you need to know immediately if and how it will impact your organisation.

As a general approach, try to process as little personal data as necessary and only when needed, stresses the Estonian regulator.

List of AI companies signed up to the EU Code of Practice

The Commission has published the full list of signatories so far to the EU’s generative AI Code of Practice, also known as the Code of Practice for General-Purpose AI (GPAI) models, which was published on July 10, 2025. Signing the code reduces the signatories’ administrative burden and gives them more legal certainty than demonstrating compliance through other methods.

Among the signatories are Amazon, Anthropic, Google, IBM, OpenAI, Microsoft, Mistral AI and a dozen other companies (some signatories may not appear immediately on the list). In addition, xAI signed up only to the Safety and Security Chapter; this means that it will have to demonstrate compliance with the AI Act’s obligations concerning transparency and copyright via alternative adequate means.

The code has also been complemented by Commission guidelines and the Q&A on key concepts related to general-purpose AI models. 

More legal updates

European Biotech Act: The Commission opened a consultation, until 10 November, as part of the development of the European Biotech Act. It will propose a series of measures to create an enabling environment to accelerate the transition of biotech products from laboratory to factory and to the market, while maintaining the highest safety standards for the protection of the population and the environment. The act will address growing dependencies in biotech on data, storage, computing power, and AI.

In the EU, biotechnology reached a gross value added in 2022 of 38.1 billion euros: the highest contribution came from medical and pharmaceutical biotechnologies, and the fastest-growing area was industrial biotechnology. At the same time, European biotech companies face an opportunity gap, with the US having twice as many early-stage venture capital deals and three times as many late-stage deals. Over the last six years, 66 of the 67 biotech companies going public have targeted the US NASDAQ rather than European stock markets. 

California privacy updates: The California Privacy Protection Agency (CPPA) has filed a judicial action seeking to enforce an investigative subpoena against Tractor Supply Company, a Fortune 500 company that bills itself as the nation’s largest rural lifestyle retailer. The CPPA’s petition alleges that Tractor Supply failed to comply with a subpoena seeking information about the company’s compliance with the California Consumer Privacy Act of 2018. The petition marks the CPPA’s first public disclosure of an ongoing investigation into a company and its first judicial action to enforce an investigative request. The agency has been investigating whether Tractor Supply failed to honour Californians’ right to opt out of the sale and sharing of their personal information online. 

More from supervisory authorities


GDPR from A to Z:  The German Federal Data Protection Commissioner (BfDI) has updated a catalogue that provides a compact compilation of the most important legal texts: the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). In addition to the legal texts and the references to the GDPR, it contains explanations of specific topics and vague legal terms.

Data memorisation in LLMs: Additionally, the BfDI has finished its consultation on processing personal data in large language models in a way that complies with data protection laws. Civil society, industry, and scientific groups were all included in the consultation. It looked for information about the limits of anonymisation, the memorisation of personal information, the dangers of data extraction, and the protection of the rights of data subjects under the GDPR in AI systems.

AI in healthcare: The EU Publication Office offers a study on the deployment of AI in healthcare. Present-day healthcare systems face several complex challenges, including rising demand due to an ageing population, increasing prevalence of chronic and complex conditions, rising costs, and shortages in the healthcare workforce. AI has the potential to address some of these by improving operational efficiency, reducing administrative burdens, and enhancing diagnosis and treatment pathways. 

E-store data minimisation

The Latvian DVI explains the minimum amount of data needed to place an order in an e-store. In order to fulfil an order, certain personal data must be collected and processed; this process can be thought of as a mutual agreement. The following data is required to place an order:

  • customer’s name and surname (for indication in a supporting document, for example, an invoice);
  • email address (for sending invoices and order status messages);
  • phone number (to ensure delivery, the courier also receives this information);
  • delivery address or parcel machine address (depending on the selected delivery method).

The merchant must be able to clearly indicate why each type of data is necessary. For example, the first and last name are necessary to fulfil a legal obligation, whereas other data is necessary to fulfil the requirements of the contract. If the service is “intangible” (online courses, for example), the first name, last name and email address are sufficient, since they are all that is needed to send the invoice and the access data. A merchant may also need additional information if the product or service is individually tailored to the customer (eg, tailored clothing, selection of skin care products, manufacturing of spectacles).


Customer data may only be used for the purposes originally specified. It may not be transferred to other parties unless there is a legal basis for this, such as the customer’s consent, a legal obligation or a legitimate interest. It may also be justified to use the data for related purposes such as archiving, if this does not conflict with the original purpose of obtaining the data.

Data deletion request

The DVI has also tried to answer the question: Should the deletion request itself be erased if someone has asked for data processed with their consent to be deleted? If a person withdraws consent to the processing of their data and requests the deletion of all data related to this consent, the organisation is obliged to stop processing this data as soon as possible and delete it, unless there is another legal basis for continuing to store or use it. This means that all data that was collected on the basis of consent must be deleted (eg, the person being removed from the list of recipients of commercial communications).

However, the request document itself, by which the person withdraws consent, as well as the organisation’s response to it, cannot be deleted at the same time as the aforementioned data, since the basis for processing such information is not the person’s consent within the meaning of the GDPR. They may be stored to fulfill the institution’s interests in managing its documentation and ensuring the protection of its rights (so that, if necessary, it can be confirmed that the request has been received, fulfilled and when it occurred).

More official guidance

Biometrics: Canada’s Privacy Commissioner has published guidance on biometrics for the public and private sectors. While biometrics can enhance security and help in service delivery, they can also raise privacy issues. Biometric information is intimately linked to an individual’s body and is often unique, and unlikely to vary significantly over time. It can reveal sensitive information such as health information or information about race and gender characteristics. The guidance among other things addresses key considerations for organisations when planning and implementing initiatives involving biometric technology – transparency, safeguarding data, and accuracy, including testing for biometric systems.

IoT data security: America’s NIST has finalised its Lightweight Cryptography standard to protect small devices. Four relevant algorithms are now ready for use to protect data created and transmitted by the Internet of Things and other electronics. The standard is built around a group of cryptographic algorithms in the Ascon family, which NIST selected in 2023 as the planned basis for its lightweight cryptography standard. They require less computing power and time than more conventional cryptographic methods do, making them useful for securing data from resource-constrained devices. For more technical information on the standard, visit the NIST Lightweight Cryptography Project page.


Optus data breach in Australia

The Australian Information Commissioner has filed civil penalty proceedings against Optus (telecommunications), following an investigation in relation to the data breach made public by Optus on 22 September 2022. The data breach involved unauthorised access to the personal information of millions of current, former and prospective customers of Optus, and the subsequent release of some of this information on the dark web. This included names, dates of birth, home addresses, phone numbers and email addresses, passport numbers, driver’s licence numbers, Medicare card numbers, birth certificate information, marriage certificate information, and armed forces, defence force and police identification information.

Based on this case the Australian regulator asks all organisations to: 

  • implement procedures that ensure clear ownership and responsibility over internet-facing domains
  • ensure that requests for customers’ personal information are authorised to access that information
  • layer security controls to avoid a single point of failure
  • implement robust security monitoring procedures to ensure any vulnerabilities are detected and that any incidents are responded to in a timely manner
  • appropriately resource privacy and cyber security, including when outsourced to third party providers
  • regularly review practices and systems, including actively assessing critical and sensitive infrastructure, and act on areas for improvement in a timely manner.

Voiceprint for authentication purposes

The Swiss Federal Data Protection Commissioner has examined whether PostFinance (a provider of retail and business banking) is violating data protection regulations when using voice recognition as a means of authentication. It concluded the investigation on 16 May with a ruling instructing PostFinance to obtain the express consent of the person concerned when creating voiceprints for voice recognition and to delete voiceprints for which no consent has been explicitly given.

Voiceprints are a type of biometric data. Under data protection law, they are considered sensitive personal data if they enable the identification of an individual. Unlike a password, a voiceprint cannot be replaced if it is misused. 

In other news

Meta AI: According to the privacy advocacy group Noyb, just 7% of consumers want Meta to utilise their personal information for AI, despite the fact that over 75% of users were aware of Meta’s ambitions. Noyb has commissioned the Gallup Institute to survey 1,000 Meta users in Germany in order to learn more.

In May this year, Meta decided to begin using EU personal data to train its AI systems by simply asserting that it had a “legitimate interest” under Article 6 of the GDPR. Although nearly two-thirds of the participants claim to have heard about Meta’s announcement, just 40% of Instagram or Facebook users can recall seeing the in-app message that was concealed under a notification menu (or can recall the email notice that was sent with a subject line designed to make people ignore it).

But as people age, knowledge about this issue increases significantly, while women are less inclined to give AI their data.

IBAN: The IBAN can in some cases allow a hacker to issue illegitimate direct debit orders. The hacker can also, more directly, usurp another person’s IBAN by communicating it when creating a direct debit mandate as part of a subscription to a service. In order to reduce the risk of fraudulent use of your IBAN and minimise its consequences, the French regulator CNIL recommends:

  • Monitor your bank account transactions regularly and block your bank account if necessary.
  • Contact your usual bank advisor if you have any doubts.
  • Check the list of authorised creditors (eg, the beneficiaries of direct debits) in your online banking space.
  • When receiving a pre-filled direct debit mandate, or an alleged update of it, be vigilant about the information describing the creditor.

One click was nothing. But you gave away a lot


As digital technology allows for limitless information sharing with just a single click, the Latvian DVI is launching an educational public awareness campaign to encourage every digital user, but especially young people, to realise that personal data is a value, not an accidental footprint left on the internet. The campaign emphasizes that seemingly harmless digital actions, such as posting your photos on social networks, participating in a free game, or clicking the “I agree” button without reading the contents of a document, can mean widespread and irreversible data transfer consequences that are not always easy to predict or reverse.

Similarly, Privacy International publishes a series of educational case studies to answer the question of “Why privacy matters” for schoolchildren, workers, people with disabilities, protestors and even sports fans and many others. Here are some outstanding points of the analyses:

  • When surveillance creeps into classrooms and digital learning platforms, it threatens the freedom of pupils to feel safe to explore ideas, make mistakes and develop into their own unique selves.
  • Employers are using surveillance to monitor, control, and exploit workers in ways that many may not even be aware of.
  • The growing threat of intrusive surveillance such as AI-powered facial recognition in stadiums risks turning a vibrant cultural space into one of control and suspicion.
  • Privacy is a universal right, but for people with disabilities, it’s often compromised in the very systems designed to support them.
  • In society, dissent – especially through protest – is vital for progress, change, and holding power accountable. Without privacy, protestors risk losing their voices, and their own safety.
  • Migrants have the same right to a private life and to be free from intrusive surveillance as anyone else. Yet, for people on the move, this right to privacy is under constant threat.

In case you missed it

Meta’s “story” photos: The Icelandic data protection regulator explains that Meta launched a feature that goes through photos on your phone and suggests what to post on Facebook. The social media app automatically selects photos or videos from your phone and sends them to Meta’s servers. The photos are then processed using artificial intelligence to display post suggestions in “Story”.

This is done without the user having specifically uploaded the photos or videos to the social media platform for publication there. Since this may be a significant intrusion into people’s privacy, and since the regulator has received reports that people have not realised that this feature has been enabled, the regulator provided the instructions on how to disable the feature:

  • Open the app on your phone.
  • Press + at the top of the screen.
  • Tap “Story”.
  • In the top right corner: Press the “Settings” gear.
  • At the bottom is “Camera roll settings”.
  • Turn off “Get camera roll suggestions when you’re browsing Facebook”.

Political advertising in the EU: Google and Meta announced that they will suspend all political advertising services in the EU due to the application of the Political Advertising Transparency and Targeting Regulation in October 2025, the Estonian regulator reports. The implementation of the new regulation will bring a number of operational and legal requirements that are difficult to implement. As a result, Google has decided to suspend all political advertising services, including on YouTube, until there is greater clarity on the implementation of the regulation. However, Meta believes that the implementation of the new regulation will make the current transparency and targeting systems too complex and ineffective, significantly reducing the ability of advertisers to reach the electorate.

Data protection digest 18 Jul – 1 Aug 2025: DPO as a value creator and return on investment for companies
https://techgdpr.com/blog/data-protection-digest-4082025-dpo-as-a-value-creator-and-return-on-investment-for-companies/ (published Mon, 04 Aug 2025 07:56:36 +0000)

The DPO as a value for a company

The French data protection regulator CNIL has studied the economic benefits of the presence of a Data Protection Officer within companies. Statistical analysis shows that it is often profitable, especially for companies taking a positive approach to GDPR compliance. The two most represented sectors were research, IT and consulting, and banking, insurance and mutual insurance companies. There are different types of benefits related to the DPO function – leverage to win calls for tenders, avoidance of sanctions, avoidance of data leaks and rationalisation of data management. Here are some examples:

  • The DPO is the point of contact for the supervisory authority and the persons whose data is processed. As such, they can take charge of organising the processing of people’s requests to exercise their rights so that a complete response is provided within the set deadlines.
  • The DPO contributes to a better knowledge of the company’s information assets. In doing so, their action helps to facilitate the use of data by centralising information and avoiding duplicates or data silos. This makes it easier for teams to access relevant data, which improves the efficiency of internal processes and decision-making.
  • A DPO ensures the main GDPR principles of purpose limitation, data minimisation, and limitation of retention, which leads to operational savings in terms of storage space (as well as fewer entry points for cybercriminals).
  • Finally, DPOs advise companies on the security measures to be put in place and participate in privacy impact assessments. They can carry out checks and audits and alert managers when security flaws are found.

There is also a return on investment in the sense that DPOs who have more time to dedicate to their function have better conditions to ensure the company’s compliance, which reduces the likelihood of being sanctioned. However, these benefits are not received by all companies with DPOs. They are better realised by large companies and by those that are most invested in GDPR compliance and consider compliance as a lever and less as a constraint. The adoption of certain good practices can make it possible to generate economic gains for the DPO function: 

  • Involve DPOs in certain executive committee meetings so that they can align compliance with the company’s overall strategy. 
  • Integrate GDPR compliance with the CSR strategy and the ISS strategy to promote consistent planning and operations. 
  • Try to quantify the economic benefits linked to the role of the DPO in the company, informally or through internal consultations.
  • Increase other business lines’ understanding of the importance of compliance concerns in the organisation’s strategy, acknowledge a DPO as a value creator, and coordinate their efforts with those of other departments.

EU-UK data transfers

According to a draft document released by the European Commission on 22 July, the UK maintains an adequate level of protection for EU-UK data transfers under the new Data Use and Access Act 2025 (DUAA), aligning with the EU GDPR and the Law Enforcement Directive. While the scope of the DUAA, which amends the UK GDPR and the DPA 2018, goes well beyond the protection of personal data, it provides for limited changes to several aspects of the data protection regime:

a) the rules on data processing for purposes of scientific research, b) the legal bases for data processing, c) the rules relating to the purpose limitation principle, and d) the conditions for automated decision-making.  In addition, the DUAA makes amendments to the governance structure of the ICO. Once implemented, these measures will replace the ICO with a new entity, the Information Commission. The role and functions of the regulator will remain unchanged in the UK. The Act also introduces new enforcement powers for the regulator. 

More legal updates

UK children’s data: On 25 July, the Protection of Children Code of Practice for regulated search services came into force, as required under the Online Safety Act 2023. The code imposes specific duties on search service providers to implement measures addressing content that is harmful to children, including requirements for governance and accountability arrangements, search moderation systems, content reporting mechanisms, complaints procedures, user support functionalities, and publicly available safety statements, digitalpolicyalert.org reports. 

EU AI Act provisions: Provisions of the EU AI Act on general-purpose AI models entered into force on 2 August. These mean clearer information about how AI models are trained, better enforcement of copyright protections and more responsible AI development. The Commission has also confirmed that the GPAI Code of Practice, developed by independent experts, is an adequate voluntary tool for providers of GPAI models. Providers who sign and adhere to the Code will benefit from a reduced regulatory burden and increased legal certainty. Providers must comply with transparency and copyright obligations when placing GPAI models on the EU market. Models already on the market must ensure compliance by 2 August 2027.

AI Act implementation in Germany: EU member states were required to designate competent market surveillance authorities to oversee the AI Act by 2 August. This deadline has been missed by Germany, according to the Hamburg Data Protection Commissioner HmbBfDI. The regulator is therefore appealing to the federal government to promptly designate the AI market surveillance authorities stipulated by the AI Regulation, which, at least in some areas, also include the data protection supervisory authorities. Due to the delay, companies and authorities now lack a reliable contact person for questions about the AI regulation. This is also a disadvantage for Germany as a centre of AI innovation.

Web filtering

A web filtering gateway, often referred to as a web proxy, is a device or service used to control and monitor internet access by filtering web content according to predefined policies. Its main role is to block access to certain websites or categories of content for security and compliance reasons.

Web filtering gateways can help organisations meet their data security obligations (Art. 32 of the GDPR). However, they rely on data processing that must itself comply with the GDPR. To that end, the French data protection regulator CNIL opened a public consultation on a draft guideline (in French) to promote cybersecurity solutions of this kind that comply with the GDPR, both in their use and in their design. The draft document targets data controllers who, as employers, deploy a web filtering gateway (URL filtering and detection and blocking of malicious payloads) to secure internet browsing on their information system. This applies to the browsing of employees, agents, service providers or external visitors. It does not deal with the use of web filtering gateways by data controllers providing internet access via a public Wi-Fi, as is the case with retailers, media libraries or other public or private organisations.

More from supervisory authorities

Human intervention in automated decisions: The Dutch data protection authority AP has developed guidelines for organisations on meaningful human intervention in algorithmic decision-making (in Dutch only). Art. 22 of the GDPR prohibits a decision based solely on automated processing that produces legal effects for data subjects or similarly significantly affects them. For example, if the employee reviewing a decision is hindered, or assesses a credit application under time pressure or with an unclear automated system, the outcome of the decision can be affected. The recommendations have been written as practically as possible to best address the questions organisations have.

Profiling online: The UK ICO prepared draft guidelines on Profiling Tools for Online Safety. This guidance applies to any organisation that carries out profiling, as defined in the UK GDPR, as part of its trust and safety processes. It is aimed at user-to-user services that are using, or considering using, profiling to meet their obligations under the Online Safety Act 2023. But it also applies to any organisation using, or considering using, these tools for broader trust and safety reasons.

However, due to the Data Use and Access Act (DUAA) coming into law on 19 June 2025, this guidance is under review and may be subject to change. 

Data to train AI models

The European Commission presents a template for General-Purpose AI model providers to summarise the data used to train their model (under Art. 53 of the EU AI Act). General-purpose AI models are trained with large quantities of data, but there is only limited information available regarding the origin of this data. The public summary will provide a comprehensive overview of the data used to train a model, list the main data collections and explain other sources used. The template will also help parties with legitimate interests, such as copyright holders, to exercise their rights under Union law, to test particularly powerful models with systemic risk for vulnerabilities and risks, to report serious security incidents, etc.

The template is part of a broader initiative linked to the EU-wide rules for general-purpose AI models kicking in on 2 August 2025. It complements the guidelines on the scope of the rules for general-purpose AI models, published on 18 July, and the General-Purpose AI Code of Practice released on 10 July. Also, France’s CNIL offers a guide on how model makers can best ensure their systems comply (in French). It also suggests solutions for companies to avoid using personal data when training their models.

Public disclosure of personal data

The UK ICO released guidelines for public bodies managing Freedom of Information requests and organisations answering Subject Access Requests, both of which can involve a lot of personal data. The guidance includes simple checklists and how-to videos, covering topics such as:

  • Deciding on an appropriate format for disclosure to the public 
  • Finding various types of hidden personal information, including hidden rows, columns and worksheets, metadata and active filters 
  • Converting documents to simpler formats to reveal hidden data  
  • Avoiding using ineffective techniques to keep information secure 
  • Using software tools designed to help identify hidden personal information (such as Microsoft Document Inspector)  
  • Reviewing the circumstances of a breach to prevent a recurrence 
  • Removing and redacting personal information effectively 

Data protection complaints increase

In the first half of 2025, significantly more people complained to the Lower Saxony State Commissioner for Data Protection about possible data protection violations than in the same period of the previous year. The authority recorded 1,689 data protection complaints from January to June 2025, compared to 1,186 in the same period of the previous year. This represents a sharp increase of approximately 42 per cent. The authority also noted significant increases in complaints from the health, social services, and municipal sectors, as well as from the real estate industry, credit reporting agencies, and the financial sector. One reason for the high number of data breaches and complaints is the increasing digitalisation of business and administration – as more personal data flows, the risk of data protection violations also increases.

Similarly, the Lithuanian regulator VDAI reported that in the first half of 2025 most data breaches were caused by human error, by events that the usually applied technical and organisational measures cannot protect against, and by other causes (IT system errors, improperly performed programming work, etc.). It also found that a third of data security breaches occurred due to cyber incidents (data encryption and ransomware attacks, unauthorised access to IT systems, social engineering attacks, brute-force attacks on login credentials, SQL injection and system disruption).

In other news

Temporary password fine: In Croatia, the personal data protection agency imposed an administrative fine of 320,000 euros on HEP-Toplinarstvo (an electric utility company). The agency received a report from a user that, when requesting a change of a forgotten password on the HEP District Heating “My Account” portal, the user was sent a temporary password by e-mail which was in fact the last password set by the user. Moreover, all the passwords of users of the “My Account” portal (almost 16,000 of them) were stored in the controller’s database in readable form. This meant that the controller knowingly chose a solution that did not include basic data security measures, such as generating a genuine temporary password or using data encryption methods, did not take into account the risks to the security of personal data, and did not conduct an assessment of the risks of processing users’ data.

McDonald’s fine: The Polish UODO has fined McDonald’s Polska approximately 3.9 million euros after a personal data breach. A file shared in a public directory contained data on McDonald’s employees and those of its franchisees: first and last names, passport numbers, McDonald’s restaurant number, work start date and time, work end date and time, number of hours worked, position, days off, type of day, and type of work.

McDonald’s entrusted the processing of personal data of its restaurant chain’s employees to an external company to manage work schedules. The controller did not have the authority to manage the resources and configuration of the IT system containing the employee schedule module. Only the processor had such authority. At the same time, the provisions of the personal data processing agreement, particularly those related to audits and inspections, were not implemented. The controller failed to exercise proper oversight over the entrusted personal data.

In case you missed it 

Agentic AI: The move to AI assistants and agents risks a sea change in privacy and security, states Privacy International. These services’ usefulness increases with the quantity and quality of the data they have access to, and the temptation will be to lower the friction of data controls to allow the processing of personal data. In one example, ChatGPT’s agent uses ‘connectors’ to interface with third-party applications, such as cloud data stores, calendars, email accounts, etc.

This allows ChatGPT’s agent to search data on those services, conduct deeper analysis, and sync data. This seems analogous to Anthropic’s ‘Model Context Protocol’, which provides context data from applications to LLMs. Consequently, Privacy International is worried that:

  • the AI tools would generate new datasets on you that create new risks,
  • could access and share your data at unprecedented levels, and
  • will store this data beyond your reach, across their services and in the cloud.

Bias in AI systems: The Federal Office for Information Security in Germany issued a white paper on Bias in Artificial Intelligence (in German). The term “bias” describes the resulting unequal treatment of individuals or organisations, which can have various causes. The document outlines bias identification and mitigation as a continuous process. It describes 11 different forms of bias, such as historical bias and automation bias, along with 13 mitigation strategies ranging from pre-processing to post-processing methods, and it highlights bias as a cybersecurity issue that compromises availability, confidentiality, and integrity.

The post Data protection digest 18 Jul – 1 Aug 2025: DPO as a value creator and return on investment for companies appeared first on TechGDPR.

Data protection digest 17 Jun – 1 Jul 2025: protecting individuals, not organisations, should be the focus of risk assessment
https://techgdpr.com/blog/data-protection-digest-02072025-protecting-individuals-not-organisations-should-be-the-focus-of-risk-assessment/
Wed, 02 Jul 2025 12:48:51 +0000
Risk Assessment

Personal data protection should be the cornerstone of risk assessments for organisations. The Polish regulator UODO came to this conclusion after investigating a ransomware attack on a children’s clinical hospital in Białystok. Access to IT systems was blocked, which resulted in a breach of the confidentiality and availability of the personal data of approximately 2,000 employees, including the possibility of unauthorised access to them. In the circumstances of this case, the risk assessment was conducted on the basis of a flawed procedure – from the perspective of the hospital as an organisation, and not from the perspective of protecting data subjects.

The documents, which were supposed to prove that the risk analysis had been conducted, were inconsistent and full of ambiguities. The hospital did not indicate which processes it was analysing, nor did it link these processes to identified threats, vulnerabilities and the final risk assessment. When explaining what technical measures it used to secure its IT systems, the hospital, as controller, referred to an audit conducted for compliance with the national cybersecurity act. However, that act focuses primarily on ensuring a safe and uninterrupted system for providing services, and not – as is the case with the GDPR – on protecting the rights and freedoms of natural persons.

The hospital did not implement an appropriate procedure for performing and documenting recovery tests, and did not apply appropriate security measures for the backup copies created, which could have contributed to the fact that the hospital was unable to fully restore the data lost as a result of the attack.

Other legal developments

From 19 June, the Data Use and Access Act 2025 (DUAA) amends, but does not replace, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR), to promote innovation (eg, commercial scientific research, automated decision-making) and economic growth. Whilst it still protects people and their rights, the DUAA simplifies personal data usage in the following ways: 

  • New ‘recognised legitimate interests’ lawful basis of data processing (from public safety to direct marketing)
  • Assumption of compatibility for some data reuses
  • ‘Soft opt-in’ (eg, for charities)
  • More flexible requirements on cookies
  • Reasonable and proportionate subject access requests, etc.

At the same time, if you provide an online service that is likely to be used by children, the DUAA explicitly requires you to take their needs into account. Data subject complaints must also be facilitated by offering electronic complaint forms and respecting the 30-day legal time frame for acknowledgement and response. The changes will be phased in between June 2025 and June 2026. More summaries of changes can be found here and here.

GDPR enforcement ease: The Council of the European Union and the Parliament have reached a deal to make cross-border GDPR enforcement work better for citizens. Once adopted, the regulation will speed up the process of handling cross-border GDPR complaints, and any follow-up investigations. The co-legislators agreed on an overall investigation deadline of 15 months, which can be extended by 12 months for the most complex cases. The early resolution mechanism will allow data protection authorities to resolve a case before triggering the standard procedures for handling a cross-border complaint. This may be the case where the company or organisation in question has addressed the infringement and where the complainant has not objected to the early resolution of the complaint.

AI and web scraping

The GDPR, in many cases, applies to AI models trained on personal data, due to their memorisation capabilities. To that end, a French CNIL guide specifies the conditions for using legitimate interest in the development of AI in the case of web scraping. In line with the opinion adopted by the EDPB in December 2024, the CNIL considers that the development of AI systems does not systematically require the consent of individuals. Legitimate interest is a possible legal basis for the development of AI systems, subject to strong safeguards.

The guide offers examples of concrete safeguards adapted to the different types of AI systems: exclusion of certain data from collection, increased transparency, facilitation of the exercise of data subject rights, etc. For example, the reuse of future conversations of users with a chatbot for the improvement of the AI model can be based on legitimate interest provided that certain strong guarantees are put in place: information for individuals, right to object, restriction of processing towards pseudonymised/anonymised data, etc. 

More from supervisory authorities worldwide

COPPA update: In the US, the amended Children’s Online Privacy Protection Rule took effect on 23 June. It includes a new definition for a mixed audience website or online service that is intended to provide greater clarity regarding an existing sub-category of child-directed services. The amendments also modify operators’ obligations concerning direct and online notices; information security, deletion, and retention protocols; annual assessment, disclosure, and reporting requirements. It also adopts rules related to parental consent requirements, methods of obtaining verifiable parental consent, and exceptions. 

Biometric identifiers vs biometric data: The JDSupra legal blog explains the differences between the two categories, specified in the Colorado Privacy Act, which went into effect on July 1. Biometric identifiers are data generated by the technological processing, measurement, or analysis of a consumer’s biological, physical, or behavioral characteristics which can be processed for identification. Biometric data is the subset of biometric identifiers which are used or intended to be used for identification purposes. It does not include digital or physical photographs, audio or voice recordings, or any data generated from a digital or physical photograph or an audio or video recording, unless any of these are used for identification purposes. Both categories can be considered sensitive data and can require a privacy notice and consent.

Child data: Also in the US, New York’s Child Data Protection Act (NYCDPA) went into effect on June 20. The Office of the Attorney General issued practical guidance in advance concerning the application of the NYCDPA to minors’ data and the federal COPPA Rules; operator responsibilities concerning user-provided age flags; requirements for schools, school districts, and their third-party contractors; parental requests for products and services, etc. The guidance refers to a website, online service, online application, mobile application, or connected devices directed at minors.

DeepSeek AI

Germany’s data protection commissioner has asked Apple and Google to remove Chinese AI startup DeepSeek from their app stores in the country due to concerns about data protection, Reuters reports. According to its privacy policy, DeepSeek stores numerous pieces of personal data, such as requests to its AI or uploaded files, on computers in China. The commissioner took the decision after asking DeepSeek in May to meet the requirements for non-EU data transfers or else voluntarily withdraw its app. DeepSeek did not comply with this request. Across Europe the authorities have also been evaluating the app, but while Italy has completely blocked it on app stores, the UK government said that the use of DeepSeek remains a personal choice for members of the public. 

In other news

Data access requests: The Swiss FDPIC concluded its investigation into Cembra Money Bank AG. After receiving complaints, the privacy regulator contacted Cembra with a view to a low-threshold intervention. Cembra replied that due to staff shortages, responses to requests for information were delayed. The company was reminded of the legal deadline for responding to requests for information within 30 days. The regulator also ordered the bank to provide all persons who had previously received only a standardised response to their requests with the actual information on their personal processed data. 

Telemarketing and data subject rights: An organisation must provide the most important information about the processing of personal data immediately during the first direct marketing call if it obtained the person’s contact information from a source other than the person concerned, states the Finnish data protection authority. If a person submits a request to delete their data to customer service, the request cannot be left unprocessed on the grounds that it was not submitted to the data protection officer.

The organisation must ensure that the request is transferred to the party that processes it. The same applies to the prohibition of direct marketing: If a person wants to prohibit direct marketing during a call, the request cannot be bypassed by giving instructions for prohibiting it. 

Unjust dismissal

The Italian regulator Garante fined Autostrade per l’Italia Spa 420,000 euros for having unlawfully processed the personal data of an employee, which was then used to justify her dismissal. The authority’s intervention followed the complaint of the worker, who had reported the use, by the company, of content extracted from her Facebook profile and private chats on Messenger and WhatsApp to justify the disciplinary proceedings against her. The content used also included excerpts of comments and photo descriptions in quotation marks.

The investigations revealed that the content had been used by the employer without a valid legal basis, through screenshots provided by some colleagues and a third party, present among the employee’s “friends” on Facebook and active in her private conversations on Messenger and WhatsApp. Furthermore, the communications concerned opinions and exchanges that took place in contexts outside the employment relationship, not relevant for the purposes of assessing professional suitability. 

AI prohibited practices in the gaming sector

The Maltese data protection authority IDPC warns that AI systems used for player profiling, personalised gaming experiences and monetisation are not only subject to Art. 22 of the GDPR, which restricts automated decisions that carry legal or similarly significant implications for individuals, but may also fall under the AI Act, which treats such systems as high-risk and, in some cases, as prohibited practices. Manipulative AI deploys subliminal or deceptive techniques with the aim of distorting player behaviour by impairing their ability to make an informed decision, causing them to take a decision they would otherwise not have taken (for example, AI-powered algorithms that regulate emotion-triggered loot boxes so as to distort player behaviour).

Other prohibited techniques in the gaming sector are the exploitation of vulnerabilities and social scoring.

In case you missed it 

Video integration into websites: Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI) has carried out an automated website check for the first time and identified violations in the integration of YouTube videos on federal websites. YouTube videos can be used by public authorities and others on their websites in compliance with data protection regulations. However, this becomes problematic when videos are embedded directly. 

When the website is accessed, the user’s browser automatically connects to YouTube servers and transmits, among other things, IP addresses. This data transfer takes place without the user’s prior consent and thus violates the Telecommunications Digital Services Data Protection Act (TDDDG). For implementing video integration in compliance with data protection regulations, the BfDI offers two other options: 

  • Self-hosting is the gold standard: Videos are hosted on your own servers and embedded on the website. This ensures complete control over data processing and user interactions.
  • Two-click solutions: Users must actively click on a preview image before the connection to YouTube is established. (With this option, an equivalent alternative without a third-party provider should always be offered).
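As an added example, not code from the BfDI or the digest, the two-click option is modelled below as DOM-free Node.js: before the user opts in, only a self-hosted preview is rendered, so no request reaches the video platform; the player markup is produced only after activation. The preview path, the list of platform hosts, the video id format and the use of youtube-nocookie.com are assumptions; the few lines of browser glue that insert the returned markup are not shown.

```javascript
// Added example: a two-click video embed that renders nothing pointing at YouTube
// until the user actively clicks. Assumptions: preview images are served from the
// site's own origin, and the platform hosts below are the ones to keep off the page
// before consent. The render() output would be injected into the DOM by the caller.

const PLATFORM_HOSTS = ['youtube.com', 'youtube-nocookie.com', 'ytimg.com', 'googlevideo.com'];

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Lists the platform hosts referenced by src/href attributes in a markup fragment;
// a privacy check for the pre-consent state is simply "this returns an empty list".
function externalHosts(html) {
  const hosts = new Set();
  for (const m of html.matchAll(/\b(?:src|href)="(https?:\/\/[^/"]+)/g)) {
    const host = new URL(m[1]).hostname;
    if (PLATFORM_HOSTS.some(h => host === h || host.endsWith('.' + h))) hosts.add(host);
  }
  return [...hosts];
}

class TwoClickEmbed {
  constructor(videoId, { previewPath, title }) {
    // Assumed id format; validation keeps the id safe to place inside the iframe URL.
    if (!/^[A-Za-z0-9_-]{11}$/.test(videoId)) throw new Error('unexpected video id format');
    this.videoId = videoId;
    this.previewPath = previewPath; // self-hosted image, no third-party request
    this.title = title;
    this.consented = false;
  }
  // First click: the user agrees that a connection to YouTube may now be made.
  activate() { this.consented = true; }
  render() {
    if (!this.consented) {
      return `<div class="video-consent" data-video="${escapeHtml(this.videoId)}">` +
        `<img src="${escapeHtml(this.previewPath)}" alt="${escapeHtml(this.title)}">` +
        `<button type="button">Load video from YouTube (this transmits your IP address to Google)</button>` +
        `</div>`;
    }
    // Second step: only now does the browser contact the platform.
    return `<iframe src="https://www.youtube-nocookie.com/embed/${this.videoId}" ` +
      `title="${escapeHtml(this.title)}" allowfullscreen ` +
      `referrerpolicy="strict-origin-when-cross-origin"></iframe>`;
  }
}
```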

The post Data protection digest  17 Jun – 1 Jul 2025: protecting individuals, not organisations, should be the focus of risk assessment appeared first on TechGDPR.
