International transfers Archives - TechGDPR
https://techgdpr.com/blog/tag/international-transfers/

Data protection digest 19 Jan – 2 Feb 2026: New PETs guide, Digital identities ecosystem & employees’ surveillance fine
https://techgdpr.com/blog/data-protection-digest-04022026-new-pets-guide-digital-identities-ecosystem-employees-surveillance-fine/
Wed, 04 Feb 2026 10:59:44 +0000

Privacy Enhancing Technologies (PETs)

The Israeli data protection authority published a technical guide to Privacy Enhancing Technologies, available in English. PETs are a diverse family of methods, processes, and digital tools that are appropriate for different stages in the information life cycle:

  • Data collection and preparation for use: Obfuscating personal data and reducing its level of detail by removing identifiers, altering data values, or masking exact figures.
  • Data use and processing: Reducing exposure of personal data during processing, and in some cases, enabling data use without the need for viewing it during processing.
  • Control over data use: Defining rules and permissions for access to personal data and displaying data relating to the identity of the person accessing the data, the type of data, and the time of access. 

Main developments 

Brazil adequacy decision: On 28 January, the European Commission recognised that Brazil ensures an adequate level of protection for personal data under the EU GDPR. The enforced decision confirms that Brazil provides comparable levels of data protection, allowing the free transfer of personal data between the two jurisdictions without additional authorisations or safeguards. The Commission also recognises the independence of the Brazilian Data Protection Authority (ANPD), and the safeguards governing public authorities’ access to personal data for law enforcement and national security purposes. 

Data Privacy Framework: The EDPB has published a new version of the EU-US Data Privacy Framework FAQ for European individuals. “European individuals” means any natural person, regardless of their nationality, whose personal data has been transferred to a US company under this framework. It applies to any type of personal data processed for commercial or health purposes, and to human resources data collected in the context of employment, as long as the recipient company in the US is self-certified under the DPF.

If you believe that a company in the US has violated its obligations or your rights under the EU-U.S. Data Privacy Framework, several redress avenues are available.

Digital omnibus: The EDPB and EDPS also adopted a joint opinion on simplification of the implementation of harmonised rules on AI. Among other things, the EDPB and the EDPS recommend maintaining the standard of strict necessity currently applying to the processing of special categories of personal data for bias detection and correction in relation to high-risk AI systems. They also support the creation of EU-level AI regulatory sandboxes to promote innovation and help SMEs, as well as AI literacy obligations for system providers and deployers. The full opinion can be read here.

HIPAA Notice

In the US, if your company provides health benefits or qualifies as a covered entity under the Health Insurance Portability and Accountability Act (HIPAA), it is important to update your Notice of Privacy Practices (NPP) by 16 February to remain compliant. The notice must reflect new and more restrictive requirements related to protected health information (PHI), in particular on the disclosure of patients’ substance use disorder records. Follow-up steps may include assessing related policies, training, materials, and business associate agreements (BAAs) for consistency.

You can also read the latest epic.org report on the health data privacy crisis in the US here.

More from supervisory authorities

M&A: Before a planned company sale, large amounts of data are often processed as part of a due diligence review. This can include personal data, particularly of employees, customers, and suppliers. The Liechtenstein Data Protection Authority has compiled information (in German) regarding which data protection regulations must be observed. This information does not replace an individual assessment and is not exhaustive. 

Camera surveillance in public transport: The Dutch data protection authority states that permanent camera surveillance at employees’ designated workstations is not permitted. Cameras may only be used when strictly necessary, for example, for safety during incidents, and not for systematic monitoring or evaluation of employees. For the data controller, this includes technical adjustments to cameras, adapting internal protocols, and providing clear instructions to employees.

AI tools safe usage: The Spanish AEPD has published the main principles of safe, responsible, and conscious use of AI. Among the recommendations, the privacy regulator advises against sharing personal data with AI – full name, address, telephone number, ID/NIE, images of people, or sensitive or delicate information – medical, financial or contractual details, geolocation. In the workplace, the agency emphasises the importance of following the information and security policies of each organisation and, in particular, of not including information that reveals confidential data of the entity, its staff or clients.

Digital identities ecosystem

Verifiable Digital Credentials (VDCs) can represent a wide range of data, from a driver’s license to a diploma to proof of age, explains America’s NIST. However, their interoperability requires a common set of standards and protocols for issuing, using, and verifying VDCs. As VDCs gain traction for both in-person and online identity verification, two key standards are helping to define this space:

See their comparison in the original publication

In parallel, the German Federal Office for Information Security (BSI) has issued the updated Technical Guideline for Biometric Authentication Systems (in German), which can be used for significantly more use cases of facial and fingerprint recognition through smartphones or access control systems. 

Cookie policy

The Latvian data protection authority reminds us of the essentials of a cookie policy, which provides the user with clear information about how their data is processed when using cookies. A document published on any website must explain in a user-friendly way: a) what cookies the website uses; b) for what purpose they are used; c) who their recipients are.

The multi-layered approach ensures that the most important information about the use of cookies on the website is provided in a concentrated manner (in the cookie pop-up notification or banner), including an indication of where more detailed information can be found (cookie policy). Cookie policies are often confused with privacy policies (by briefly including information about cookies among what is described in the privacy policy). However, to ensure transparency, information should be provided to users separately – in two documents or at least in clearly separated “blocks” of information. 

Shopping cart reminder e-mail

According to the Saxony data protection commissioner, retailers often send a reminder email pointing out an incomplete purchase process. Despite regular complaints received about such communication, there are no data protection concerns regarding a one-time shopping cart status update via email. The automatically generated messages must be distinguished from unsolicited advertising and are considered technical support.

Given the customer’s expectations and the recipient’s perspective, it is at least realistic to expect a technically triggered status update during the contract negotiation phase, in accordance with Art. 6 of the GDPR. At the same time, the data processing known as reminder emails is subject to information requirements and must be appropriately indicated in the notices pursuant to Art. 13 of the GDPR.

In other news

Excel file disclosure: The Romanian regulator ANSPDCP imposed fines totalling 15,000 euros against Continental Automotive Products SRL for breaches of the GDPR principles of data minimisation, accountability, and the security of processing. The investigation followed the controller submitting a personal data breach notification concerning the repeated internal distribution of an Excel file containing a consolidated list of employees, including medical data from medical certificates relating to numerous employees and former employees over a period of time. 

GM driver data ban: America’s Federal Trade Commission finalised an order against General Motors and its OnStar subsidiary after the automaker secretly collected and sold detailed driving data from millions of vehicles without consumer consent. The final order approved by the Commission imposes a five-year ban on GM disclosing consumers’ geolocation and driver behaviour data to consumer reporting agencies. And for the entire 20-year life of the order, GM will be required to:

  • obtain affirmative express consent from consumers before collecting, using, or sharing connected vehicle data, with some exceptions, such as for providing location data to emergency first responders;
  • create a way for all US consumers to request a copy of their data and seek its deletion;
  • give consumers the ability to disable the collection of precise geolocation data from their vehicles if their vehicle has the necessary technology; and
  • provide a way for consumers to opt out of the collection of geolocation and driver behaviour data, with some limited exceptions.

Chromebook case

The Danish data protection authority decided in the Chromebook case regarding 51 municipalities’ use of Google’s products for teaching in primary schools. The regulator issues serious criticism and warns the municipalities about their setup of the programs in question and about the use of sub-processors outside the EU. In addition, it states that as a data controller, municipalities cannot legally use products that contain unclear processing constructs. Finally, they must have access to the necessary resources to ensure lawful processing of personal data, including in situations where the contractual basis for the product changes.

Microsoft 365 Education

The Austrian data protection authority upheld a complaint filed by a pupil, represented by the European Centre for Digital Rights (NOYB), against Microsoft regarding the use of tracking cookies in Microsoft 365 Education. The decision relates to the installation and use of non-essential cookies on the device of a minor using Microsoft 365 Education at an Austrian school. The authority also found that no valid consent had been obtained, digitalpolicyalert.org reports.

More enforcement decisions

Employees’ geolocation: The Italian regulator Garante fined a company in the agricultural seed selection and production sector 120,000 euros for unlawfully processing the personal data of five employees. As part of a multinational group, at the direction of its Swiss parent company, it installed a device on its company vehicles that unlawfully collected data on employees’ business and private travel (time, mileage, fuel consumption, and driving style) for the purpose of assigning a monthly score. The collected data was retained for 13 months and used to evaluate employee driving behaviour and to implement any corrective measures. 

Access to a fired worker’s email: Garante also ruled that the content of emails, contact information, and any attachments fall within the definition of correspondence and are therefore protected by the right to confidentiality. In the related case, the regulator fined a company 40,000 euros for violating the confidentiality of a CEO’s email account after his employment ended. After receiving a disciplinary letter that resulted in dismissal, he asked the company to disable the email account, forward any messages received in the meantime to his personal email address, and activate an automatic reply. However, this request remained unanswered.

France Travail: The French CNIL, meanwhile, fined France Travail 5 million euros for failing to ensure the security of the data of job seekers. In 2024, attackers managed to break into the agency’s information system. They used social engineering techniques to usurp the accounts of CAP EMPLOI advisors, responsible for people with disabilities. The attackers accessed the data of all registered people, or those who have been registered over the past 20 years. However, the attackers did not gain access to the complete files of job seekers, which may include health data. 

And finally

Change your password: According to the German BSI, a blanket password change is no longer an effective security measure. Frequent password changes often lead consumers to use weak, easily predictable passwords. Password managers help to keep track of passwords. However, even a complex password does not offer 100% protection. Instead, BSI recommends activating two-factor authentication (2FA).

Australia child accounts ban: According to the Guardian, Snapchat banned or disabled the accounts of around 415,000 Australian users who were detected as being under the age of 16. This was done to comply with the new under-16s social media prohibition. In December, Snapchat was one of ten platforms that needed to restrict people under the age of 16 (4.7 million accounts) from using its services. However, other allegations have surfaced since the prohibition took effect, with some claiming that Snapchat’s facial age verification was easily overcome by teens.

Data protection digest 4-18 Jan 2026: Legitimate Interests Assessment, AWS Europe Sovereign Cloud, Google settlement over child data
https://techgdpr.com/blog/data-protection-digest-22012026-legitimate-interests-aws-europe-sovereign-cloud-google-settlement-over-child-data/
Thu, 22 Jan 2026 09:32:31 +0000

Legitimate Interests Assessment (LIA)

The Hamburg Data Protection Commissioner provided a comprehensive questionnaire for determining the legitimate interests legal basis for processing. It helps those responsible to examine and document precisely what their interest in data processing is and whether the rights and interests of the data subject are adequately considered. It guides users step-by-step through the most important checkpoints:

  • Determination: What objectives are pursued with the data processing, and are these legally permissible?
  • Necessity: Is the processing necessary, and is only the required personal data collected?
  • Balancing: Are the rights and interests of the individuals concerned sufficiently considered and protected?
  • Documentation and compliance: Are the audit procedures recorded and regularly updated?

You can download the LIA questionnaire in German or the LIA questionnaire in English.

EDPB updates

The European Data Protection Board welcomes comments on the recommendations on the elements and principles to be found in Processor Binding Corporate Rules – BCR-P. Such comments should be sent by 2 March. BCRs are a tool for providing appropriate safeguards for transfers of personal data, by a group of undertakings engaged in a joint economic activity, to third countries that do not ensure an adequate level of protection pursuant to the GDPR. The recommendations clarify when BCR-P can be used, namely only for intra-group transfers between processors, where the controller is not part of the group. Read more about the scope of BCR-P and its interplay with data processing agreements here.

Other developments

AWS Europe Sovereign Cloud: The German Federal Office for Information Security BSI has announced its support for the US cloud provider Amazon Web Services in the design of security and sovereignty features for its new European Sovereign Cloud (ESC): an independent cloud infrastructure located entirely within the EU, whose operation will be technically and organisationally independent from the global AWS instance.

Later this year, the BSI will publish general sovereignty criteria for cloud computing solutions based on the new framework. It will serve as a basis for assessing the degree of autonomy of cloud solutions and can also be used in procurement processes. 

HIPAA Security Rule: In the US, for HIPAA-covered entities and business associates, the HIPAA Security Rule requires ensuring the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the regulated entity creates, receives, maintains, or transmits. To that end, the US Department of Health and Human Services has published the latest recommendations on System Hardening and Protecting ePHI. The measures include: 

  • patching known vulnerabilities
  • removing or disabling unneeded software and services
  • enabling and configuring security measures that sometimes intersect with some of the technical safeguard standards and implementation specifications of the HIPAA Security Rule, such as access controls, encryption, audit controls, and authentication.

GDPR certifications and codes of conduct

France’s CNIL maps the deployment of GDPR compliance tools across Europe. Two maps list the certifications and codes of conduct approved by national supervisory authorities or by the European Data Protection Board since the entry into force of the GDPR. These instruments may operate at either the national or European level. Certification (Art. 42 of the GDPR) makes it possible to demonstrate that a product, service, or data processing activity meets data protection criteria set out in an approved referential. And a code of conduct (Art. 40 of the GDPR) translates the Regulation’s obligations into concrete, sector-specific rules, and becomes binding on its members. 

UK international transfers

The UK Information Commissioner published updated guidance on international transfers of personal data, making it quicker for businesses to understand and comply with the transfer rules under the UK GDPR. It sets out a clear ‘three-step test’ for organisations to use to identify whether they are making restricted transfers. New content also provides clarity on areas where organisations have questions, such as roles and responsibilities, reflecting the complexity of multi-layered transfer scenarios.

Multi-device consent

The French regulator also published its recommendations (in French) on the collection of cross-device consent. For instance, when a user accesses a website or a mobile app, they express their choices about the use of cookies or other trackers on a device connected to their account. These choices are then automatically applied to all devices connected to that account. This includes, but is not limited to, their phone, tablet, computer or connected TV, as well as the browser or app they are using. Thus, users must be well-informed of this login system.

More from supervisory authorities

Remote job interviews: According to the Latvian regulator DVI, an employer may collect the content of a remote job interview using AI tools if an appropriate legal basis can be applied. Such data processing may be carried out based on the candidate’s consent or the legitimate interests of the company. Consent must be freely given, specific, unambiguous and informed. If the processing is carried out based on legitimate interests, a balancing test of the interests of both parties must be carried out before such processing is initiated.

Regardless of the chosen legal basis, the data controller is obliged to inform the candidate before the interview about the planned data processing during the interview, including the use of AI tools, the purposes of processing, the data retention period and the candidate’s rights. The candidate has the right to object, and such objections must be taken into account; in the event of potential harm, the processing must be stopped.

Cybersecurity guide: The Australian Cyber Security Centre published guidance with a checklist on managing cybersecurity risks of artificial intelligence for small businesses when adopting cloud-based AI technologies. Reportedly, more small businesses are using AI through applications, websites and enterprise systems hosted in the public cloud like OpenAI’s ChatGPT, Google Gemini, Anthropic’s Claude, and Microsoft Copilot. Before adopting AI tools, small businesses should understand the related risks and ways to mitigate them, including: 

  • data leaks and privacy breaches
  • reliability and manipulation of AI outputs
  • supply chain vulnerabilities.

Data subject rights in the event of a bankruptcy

The Norwegian data protection authority has imposed a fine on Timegrip AS. The case concerns a retail chain that went bankrupt, and the employees needed to document the hours they had worked. The company Timegrip had been the data processor for the retail chain until the bankruptcy, and stored this data. However, they would not provide the data to either the bankruptcy estate or the employees themselves. 

Timegrip argued that the company did not have the right to provide the complainant with a copy because a data processor can only process personal data on the basis of an instruction from the controller. Since the controller retail chain had gone bankrupt, Timegrip claimed that no one could give them such an instruction. At the same time, Timegrip refused access requests from 80 different individuals, despite the company being aware that they were in a vulnerable situation and dependent on the timesheets to document their salary claims. 

In addition, it was Timegrip that made decisions about essential aspects of the processing, such as what the data could be used for, the storage period and who could have access to the personal data. In other words, it was clear that it was Timegrip that exercised the real control over the personal data.

Google multimillion-dollar settlement over child data

In the US, a federal judge granted final approval for a 30 million dollar class action settlement against Google, after six years of litigation with parents claiming the tech giant violated children’s privacy by collecting data while they watched YouTube videos. Although Google doesn’t charge for access to YouTube, the company does use it as a revenue source. It collaborates with advertisers and the owners of popular YouTube channels to advertise on specific videos, with Google and the channel owners splitting the payments received from advertisers.

In other news 

Free mobile fine: The French CNIL issued two sanctions against the companies FREE MOBILE and FREE, imposing fines of 27 and 15 million euros, respectively, over the inadequacy of the measures taken to ensure the security of their subscribers’ data. In October 2024, an attacker managed to infiltrate the companies’ information systems and access personal data concerning 24 million subscriber contracts, including IBANs, when the people were customers of both companies. 

The investigation has shown that the authentication procedure for connecting to the VPN of both companies, used in particular for the remote work of the company’s employees, was not sufficiently robust. In addition, the measures deployed by the companies in order to detect abnormal behaviour on their information system were ineffective.

Major university data breach: In Australia, a cyberattack compromised the personal information of students from all Victorian government schools. An unauthorised external third party accessed a database containing information about current and past school student accounts, including student names, school-issued email addresses, and encrypted passwords. In the opinion of the Australian legal expert from Moores, who analysed the breach, certain factors tend to correlate with such incidents. These include:

  • Adoption of new CRMs and platforms (including leaving administrator access open, and having incorrect privacy settings, which make online forms publicly searchable);
  • Keeping old information which is no longer required;
  • A spike in emails sent to incorrect recipients on Fridays and in the lead-up to school holidays.
  • Spreadsheets sent via email (instead of SharePoint, for example).

Business email compromise

Business Email Compromise (BEC) is currently one of the fastest-growing forms of digital fraud, according to the Dutch National Cybersecurity Centre. In BEC, criminals pose as trusted individuals within an organisation, often a director or manager, but also a colleague, supplier, or customer.

The criminals’ goals can vary, such as changing account numbers, obtaining login credentials, stealing sensitive information, or using compromised accounts for new phishing campaigns. The power of BEC lies not in its technical complexity but in exploiting the principles of social influence. BEC fraudsters cleverly utilise subtle social pressure, for example, by capitalising on scarcity by creating a sense of urgency, exploiting reciprocity by first building trust or asking for small favours, or relying on an authority figure. 

And finally 

AI prompting guide: IAB Europe has published its AI Prompting Guide. It provides practical, reusable techniques you can apply immediately, including, among others, techniques for managing risks such as hallucinations, sensitive data exposure, bias, and prompt injection. Some of these risks can be addressed through careful prompting, review, and user judgment, while others require more structural safeguards such as validation, monitoring, and clear boundaries around how models are used.

For instance, sensitive data exposure occurs when confidential, personal, or proprietary information is included in prompts or generated in outputs inappropriately. This can involve personal data, commercial secrets, or information subject to legal or contractual restrictions. The mitigation strategy would include: 

  • removing or anonymising sensitive information before including it in prompts 
  • limiting the amount of context shared to what is strictly necessary for the task 
  • following organisational guidance on approved tools and data handling, and 
  • applying access controls where models are integrated into workflows. 

For sensitive use cases, ensure outputs are reviewed before being stored, shared, or acted upon.

Data protection digest 3 Jan 2026: Improvements are being made to GDPR enforcement, US consumer privacy, and emerging “Shadow AI” concerns
https://techgdpr.com/blog/data-protection-digest-03012026-improvements-are-being-made-to-gdpr-enforcement-us-consumer-privacy-and-emerging-shadow-ai/
Wed, 07 Jan 2026 09:47:06 +0000

GDPR enforcement simplified

A new regulation came into force on 1 January, supplementing the GDPR. It speeds up the work of data protection authorities in enforcement cases that involve multiple countries in the EU/EEA. The regulation provides, among other things, for time limits, stages of investigation, the exchange of information between authorities, and the rights of the parties concerned. In future, data protection authorities will have to issue a resolution proposal on a cross-border case as a rule within 12-15 months. In the most complex cases, the deadline can be extended by 12 months. The regulation will apply from April 2027. 

UK Adequacy decision

The European Commission adopted two new adequacy decisions for the UK – one under the GDPR and the other under the Law Enforcement Directive – valid until 27 December 2031. In accordance with the new decisions, transfers of personal data from the EU to the UK can continue to take place without any specific framework. Following Brexit, the Commission adopted two adequacy decisions vis-à-vis the UK in 2021. Sunset clauses had been introduced in each of the decisions. The decisions expired in mid-2025, but were extended until the end of the year. The EDPS has since issued an opinion on these decisions.

More legal updates

US consumer privacy updates: In Kentucky, as well as Indiana, Rhode Island and several other states, GDPR-enhanced legislation related to consumer data privacy took effect on January 1. In Kentucky, in particular, the new legislation establishes the rights to confirm whether data is being processed, to correct any inaccuracies, to delete personal data provided by the consumer, to obtain a copy of the consumer’s data, and to opt out of targeted advertising, the sale of data, or profiling of the consumer, along with requirements for entities that control and process their data.

Similarly, in January, new regulations became effective in California regarding a risk-assessment framework for certain high-risk data processing activities, as well as transparency and notice requirements, disclosure of sensitive personal information, data breach reporting, consumer rights requests, and data collection and deletion by data brokers.

AI use by banks

The Hungarian data protection regulator issued a report on the processing of personal data by AI systems used by banks in Hungary (available in English). Some good practices indicated by the report include:

  • AI recognition of images, voices and texts must be reliable, without compromising data security. Principles of data minimisation and storage limitation must be observed.
  • The quality of the data used for AI training is important, as well as identifying whether or not the training data needs to be linked to a specific natural person. In many cases, pseudonymisation or anonymisation can be used to mitigate privacy risks before training.
  • The use of ‘Shadow AI’ is becoming a new phenomenon. It covers all cases where, in an organisation, users use AI systems in an unregulated, non-transparent, uncoordinated manner from the point of view of the organisation, either for work or for some personal use, using the organisation’s IT infrastructure. 
  • In their operations, certain banks under review also use analytical models to analyse and predict creditworthiness and product affinity, the precise classification of which may raise questions. They often operate on a statistical basis, but may also have an AI-based component, and it is necessary to apply the appropriate safeguards. 

More from supervisory authorities

EU Data Act: The French privacy regulator CNIL explained how the EU Data Act is going to reform the EU digital economy, gradually implemented through 2026-2027. The Act sets fair rules on the access and use of personal or non-personal data generated by connected objects. It allows anyone who owns or uses connected products to access the data generated by this object. It also facilitates their sharing with other actors, in particular by prohibiting unfair contractual clauses.

The implementation of this regulation must be done in conjunction with the GDPR. In particular, it provides that in the event of a contradiction between the two texts, it is the GDPR that prevails when personal data is concerned.

Similarly, the Digital Governance Act should be taken into account, which has set up new trusted intermediaries to encourage voluntary data sharing.

Bodycam use: At the end of December, the CJEU ruled in a case regarding a data controller’s obligation to provide information when collecting personal data via a body-worn camera used by ticket inspectors on public transport. The collection of personal data by means of body-worn cameras constitutes collection directly from the data subject. The information obligation under Article 13 of the GDPR must therefore be fulfilled at the time of collection. The information obligation can operate at several levels, where the most important information is, for example, stated on a warning sign, while the remaining information can be provided in another appropriate (and easily accessible) way.

Disney US settlement

On 31 December, a federal judge required Disney to pay 10 million dollars to settle FTC allegations that the company allowed personal data to be collected from children who viewed child-directed videos on YouTube without notifying parents or obtaining their consent as required by the Children’s Online Privacy Protection Rule (COPPA Rule). The complaint alleged that Disney violated the COPPA Rule by failing to properly label some videos that it uploaded to YouTube as “Made for Kids”.

The complaint alleged that by mislabeling these videos, Disney allowed for the collection, through YouTube, of personal data from children under 13 who viewed child-directed videos and used that data for targeted advertising to children.

More enforcement decisions

TikTok investigations: According to vitallaw.com, the Spanish and Norwegian data protection authorities have issued warnings to TikTok users regarding the company’s transfer of personal data to China, where national laws could require that data be shared with Chinese authorities. TikTok already faces EU fines over violations of the GDPR and was ordered to stop transferring personal data to China. 

So far, TikTok has been granted an interim injunction that allows the company to continue transferring personal data to China until the case is resolved. As a result, regulators are warning users to read the online platform’s notifications and privacy policies, check their privacy settings and think about what they share in the app. It is also recommended that businesses consider whether to continue using TikTok and conduct risk assessments.

PCRM software fine: Finally, the French CNIL has fined Nexpublica 1,700,000 euros for failing to provide sufficient security measures for a tool used to manage the relationship with users in the field of social action. Nexpublica (formerly Inetum Software) specialises in the design of computer systems and PCRM software used in particular by homes for disabled people.

At the end of 2022, Nexpublica customers submitted data breach notifications to the CNIL, because users of the portal had access to documents concerning third parties. The CNIL then carried out inspections of the company, which revealed the inadequacy of its technical and organisational measures. The CNIL considered that the vulnerabilities found:

  • were mostly the result of a lack of knowledge of the state of the art and basic security principles;
  • were already known and identified by the company through several audit reports.

Despite this, the flaws were only patched after the data breaches.

The post Data protection digest 3 Jan 2026: Improvements are being made to GDPR enforcement, US consumer privacy, and emerging “Shadow AI” concerns appeared first on TechGDPR.

Data protection digest 3-18 Dec 2025: E-commerce websites should offer a choice between ‘guest’ mode, or voluntary account creation https://techgdpr.com/blog/data-protection-digest-22122025-e-commerce-websites-should-offer-a-choice-between-guest-mode-or-voluntary-account-creation/ Mon, 22 Dec 2025 09:26:19 +0000
E-commerce user data

As a general rule, users should have the option to engage with e-commerce websites, including the ability to make purchases, without creating an account. In such cases, the EDPB recommends that e-commerce websites offer a choice: either a ‘guest’ mode, allowing users to make purchases without creating an account, or the option to voluntarily create an account. This approach minimises the collection and processing of personal data, and therefore aligns with the GDPR’s principle of data protection by design and by default. However, mandatory account creation can be justified in a limited number of cases, including, for example, offering a subscription service or providing access to exclusive offers.

Google antitrust investigation

The EU Commission has opened an investigation into possible anticompetitive conduct by Google in the use of online content for AI purposes – using the content of web publishers, as well as content uploaded on the online video-sharing platform YouTube. The investigation will notably examine whether Google is distorting competition by imposing unfair terms and conditions on publishers and content creators, or by granting itself privileged access to such content, thereby placing developers of rival AI models at a disadvantage. It should be noted that there is no legal deadline in the EU for bringing an antitrust investigation to an end. 

More legal updates

US AI national policy: On 11 December, President Trump signed an Executive Order on establishing a national policy framework for AI and lifting barriers to innovation. According to digitalpolicyalert.org, the US Administration will work with Congress to establish a single national AI standard that avoids conflicting state legislation. This standard would override any state laws that contradict the policy and would include protections for children, respect for copyrights, prevention of censorship, and measures to keep communities safe.

US immigration data: According to Privacy International, the US Government also intends to force visitors who are not required to obtain visas, such as British and French citizens, to submit their digital history and even DNA as the price of entry. With this much data, AI tools will likely be deployed to unlock details of a traveller’s life for border and immigration agencies. In particular, it wants to know all about:

  1. ‘telephone numbers used in the last five years’
  2. ‘email addresses used in the last ten years’
  3. ‘family number telephone numbers (sic) used in the last five years’
  4. biometrics – face, fingerprint, DNA, and iris
  5. business telephone numbers used in the last five years
  6. business email addresses used in the last ten years.

If the proposed changes, published on 10 December, are adopted after the 60-day consultation, travellers will have to use dedicated apps for their ESTA application and to provide biometric proof of their departure. The latter will disclose the user’s location once they have left the US and run live detection on the selfie photo.

Password managers

The German Federal Office for Information Security (BSI) examined this product category and investigated the IT security features of ten selected password managers. Three out of ten stored passwords in a way that theoretically allows manufacturers access. This increases the attack surface on the manufacturer’s side, which must be mitigated by additional compensatory measures. Users must trust these additional measures.

If the password manager stores data in the cloud, consumers should be informed about the storage location and data protection measures. This information can be included, for example, on the manufacturer’s website, in the terms and conditions for using the product, or in the privacy policy.

AI Training guidance

The Swedish data protection authority IMY has investigated the possibility of using personal data to create synthetic data for AI training purposes. Such data is created to resemble the original data without being able to be linked to individuals. It can be very positive from a privacy perspective, even though the synthesis itself means that personal data is processed, so it needs to comply with the GDPR. The particular project IMY investigated was about custody cases. It therefore involved a large amount of data of a very sensitive nature, which requires special considerations and measures. 

More from supervisory authorities

Medical research: The Hessian data protection commissioner has published a guide to data protection in medical research (in German). The guide presents four concrete use cases from the practice of medical research and classifies them from a data protection perspective. In particular, the cases describe the use of AI in cancer screening, pathology, intensive care, and the distinction between quality assurance and scientific research. The guide pays particular attention to the question of under what circumstances data can be considered anonymous. The use of anonymised data is especially relevant for medical research and the training of AI models. For research projects where anonymisation is not practical, the guide presents alternative legal bases under data protection law.

Consent forms: Consent is one of the lawful grounds for processing personal data. It means that a person freely, specifically and unambiguously agrees to the processing of their data for one or more purposes. Consent has to be verifiable so that the controller can demonstrate that it was obtained in accordance with the requirements. Therefore, in situations where consent is requested in person, a written form is useful, as it provides clarity for both the organisation and the customer. It can be limited to the minimum information that matters most at the time of consent, so as not to overload the person with information and not to delay the service or process itself. The consent form must state:

  • Who will process the data (company, individual entrepreneur), with their name
  • Why the data is needed
  • What data is needed
  • How to withdraw consent
  • Customer ID (data subject’s first name, last name)
  • Date, signature
  • Information on where to find more information about data processing, including the duration of data storage and how to contact the controller

Cambridge Analytica compensations

Eligible Australian Facebook users impacted by the Cambridge Analytica affair have until 31 December to register under a payment program established in a landmark settlement. The 50 million dollars payment program was established by Meta Platforms as part of an enforceable undertaking the Australian Information Commissioner accepted from Meta in December 2024. This brings to an end 7 years of investigation and litigation related to the Cambridge Analytica matter in Australia.

Meta data access

The Austrian Supreme Court ordered that Meta must provide full access to all of a user’s personal data within 14 days of an access request, including the sources, recipients and purposes for which each piece of information was used, privacy advocacy group NOYB reports. Meta’s claims of trade secrets or other limitations were rejected. The company had claimed that this would lead to unprecedented access to the inner systems of the platform.

Meta must also ensure that sensitive information (political views, sexual orientation, or health) is not processed together with other data unless a valid legal basis under Art. 9 GDPR applies, even if it was collected unintentionally or it would be technically impossible to separate it. The case was brought by the NOYB activist Max Schrems in 2014 and spent 11 years in the Austrian courts and the CJEU. The plaintiff was awarded 500 euros in damages.

American Express cookie fine

The French privacy regulator CNIL fined American Express Carte France, the French subsidiary of the American Express group, 1.5 million euros for non-compliance with the rules applicable to cookies: a) by depositing trackers without having user consent, or b) despite their refusal to consent, or c) by continuing to read the trackers previously deposited despite subsequent consent withdrawal. 

In other news

Germany telecommunications fine: Due to massive violations of data protection rights, the North Rhine-Westphalia data protection commissioner has imposed a fine of 300,000 euros on a local telecommunications company. Since 2022, consumers have repeatedly contacted the regulator for the same reason: they received personalised ad letters promoting a contract for an internet and telephone connection. The recipients consistently stated that they had never had any prior contact with this company. However, the advertising letters were remarkably detailed. The recipients were only required to add their IBAN and sign the form.

Due to the design of the letters and the similarity of the company’s name to a very well-known telecommunications provider, many consumers were unaware that it wasn’t an offer for a different tariff with their existing provider, but rather an offer to switch providers. As a result, those affected often signed the contract documents. Only when they later realised they had switched providers did they cancel or revoke the contracts – and were then hit with a demand for a flat-rate compensation fee by the company.

Direct marketing fine: The Italian data protection authority has fined Verisure Italia for unlawful processing of personal data for marketing purposes. The measure stems from a complaint from a former customer who continued to receive unwanted promotional text messages even after objecting to the processing of his data, and from a report from a potential customer who, after requesting a quote, began receiving promotional phone calls, emails, and text messages. The communications continued despite the exercise of the right to object provided for by the GDPR. Furthermore, the regulator deemed the retention period for potential customer data envisaged for telemarketing (12 months) to be excessive. 

More enforcement actions

Data processor breach: The French CNIL imposed a fine on Mobius Solutions, the processor behind a data breach affecting users of Deezer. The company was fined 1 million euros for failing to comply with the applicable rules regarding subcontracting. In 2022, Deezer reported that its users’ data had been posted on the dark web and that its former processor, Mobius Solutions, whose services it used to carry out personalised advertising campaigns for its customers, was involved.

The processor retained a copy of the data of more than 46 million Deezer users after the end of their contractual relationship, despite its obligation to delete all such data at the end of the contract.

University data breach: The Dutch AP imposed a 175,000-euro fine on HAN University of Applied Sciences for breaching the GDPR data security rules. A hacker used SQL injection through a web form to access HAN’s database. The individual threatened to make personal data, including addresses, names, passwords, and citizen service numbers, public and unsuccessfully demanded a ransom from the university.

Password manager data breach: The UK Information Commissioner fined password manager provider LastPass 1.2 million pounds following a 2022 data breach that compromised the personal information of up to 1.6 million of its UK users. LastPass failed to implement sufficiently robust technical and security measures, which ultimately enabled a hacker to gain unauthorised access to its backup database. The incidents occurred when a hacker gained access first to a corporate laptop of an employee based in Europe and then to a US-based employee’s personal laptop on which the hacker implanted malware and was then able to capture the employee’s master password.

In case you missed it

Meta personalised ads: On 8 December, the European Commission acknowledged Meta’s undertaking to offer users in the EU an alternative choice of Facebook and Instagram services that would show them fewer personalised ads, to comply with the Digital Markets Act. This is the first time that such a choice is offered on Meta’s social networks. Meta will give users the effective choice between: 

Meta will present these new options to users in the EU in January 2026. This follows a close dialogue between the Commission and Meta after the Commission found Meta in breach of the Digital Markets Act and issued Meta a non-compliance decision related to Meta’s “consent or pay” model in April 2025.

TikTok usage risks in the EU: The Dutch AP urges users and organisations to carefully consider whether they wish to continue using TikTok and other services that transfer personal data to countries outside the EU, including China. The Irish data protection authority DPC has previously ruled that this transfer is in breach of the GDPR. In addition, the Irish court required TikTok to better inform users on data processing activities. Users can still decide whether they want to continue using TikTok under these circumstances. If not, they can (temporarily) delete the app or deactivate an account.

Data protection digest 3-17 Nov 2025: Consumer loan checks can reveal people’s lifestyle data https://techgdpr.com/blog/data-protection-digest-19112025-consumer-loan-checks-can-reveal-peoples-lifestyle-data/ Wed, 19 Nov 2025 09:42:20 +0000
Consumer loan checks

Consumer loan checks can reveal people’s lifestyles. The Dutch Data Protection Authority AP concluded this after reviewing a bill concerning consumer loans. It believes that lenders can assess a person’s ability to meet payment obligations with less information about them. It is unlikely that all the information in a bank statement, including sender, recipient, or description, is always necessary.

The bill introduces stricter rules for consumer loans under 200 euros (services like “buy now, pay later”, credit cards, and bank overdrafts). For these relatively small loans, the ability to pay the bill on time will also be checked, as well as whether there is a risk of default. People who use such loans will also be registered with the Credit Registration Office. The AP emphasises that the new rules need to be further developed for better data control and minimisation.

EU Digital Omnibus package latest

The privacy advocacy group NOYB warns that the so-called Digital Omnibus, which is being prepared by the European Commission, brings fast-track deregulation, including a ‘massive’ reform of the GDPR and ePrivacy legislation. According to the draft proposal, the Commission envisages changes to core elements like the definition of personal data, consent requirements, and data subjects’ rights, as well as weaker protections for special categories of data under the GDPR. In parallel, AI companies could also benefit from easier access to European personal data through the use of the ‘legitimate interests’ legal basis for processing.

ETIAS and data protection

As the clock ticks down to the launch of a new EU large-scale border management system, the European Travel Information and Authorisation System (ETIAS) in autumn 2026, momentum is building to prepare it for entry into operation and ensure its compliance with data protection laws. The EDPS follows the implementation of ETIAS at close quarters. To help mitigate the risks, legislators have established an ETIAS Fundamental Rights Guidance Board. 

Composed of representatives of the EDPS, EDPB, EU Fundamental Rights Agency, Frontex Fundamental Rights Office and Frontex Consultative Forum, the EFRGB is mandated to issue guidance on the fundamental rights impacts of processing ETIAS applications. A critical concern for individuals required to apply for an ETIAS is ensuring access to an effective judicial remedy. For instance, refusal of a travel authorisation could result from a data processing error.

Brazil draft adequacy decision

The EDPB also adopted an opinion regarding the European Commission draft implementing decision on Brazil’s adequacy. The General Data Protection Law in Brazil, LGPD, together with Presidential decrees and binding regulations issued by Brazil’s Data Protection Authority, ANPD, establish requirements, including in relation to the principles, data subject rights, transfers, oversight and redress, closely aligned with the GDPR and case law of the CJEU. At the same time, the EDPB invites the Commission to clarify further how certain exemptions and specific limitations of data subject rights in the LGPD correspond to the adequate level of data protection regarding:

  • national security purposes relating to the collection and sharing of data between the public entities within the Brazilian intelligence systems
  • personal data processing for criminal law enforcement purposes
  • rights of information and access to the data 
  • accountability principle and the requirements for the data protection impact assessment

More legal updates

NIS2 implementation in Germany: On 13 November, the law implementing the European Network and Information Systems (NIS) 2 Directive passed in the German Bundestag. The directive increases the cybersecurity requirements for certain companies and the federal administration. The Federal Office for Information Security (BSI) occupies a key position in both areas. It will become the supervisory authority for the companies affected by the directive; in addition, in the role of Chief Information Security Officer (CISO), it will be the central body for the cybersecurity of the federal administration.

Affected companies must register with the BSI, report significant security incidents, and implement technical and organisational risk management measures. The law includes an amendment to the BSI Act, which previously covered approximately 4,500 entities in the economic area: operators of critical infrastructure, providers of digital services, and companies of particular public interest. With the entry into force of NIS2, this scope is expanded to include the categories of “important institutions” and “particularly important institutions”, meaning that the BSI will supervise approximately 29,500 institutions in the future.

NIS upgrade in the UK: In parallel, on 12 November, the Cyber Security and Resilience Bill was introduced to the UK Parliament. The Bill will update the NIS Regulations from 2018 by expanding the regulatory scope to include a broader range of essential and digital service providers, including online marketplaces, cloud computing services, and search engines, as well as managed service providers (e.g., data centres will be designated as essential services). It also places the Secretary of State in charge of maintaining consistency in implementation across sectors.

AI solutions legal basis

At the request of the Danish Agency for Higher Education and Science, the Danish Data Protection Agency has assessed whether the agency has the authority to develop and operate an AI solution that will function as support in the assessment of applications for disability allowance. The Danish Data Protection Authority assessed that the processing of personal data that takes place during the development and operation of an AI solution can, as a rule, be carried out based on what is necessary for reasons of substantial public interest – GDPR Art. 9(2)(g).

However, it requires a so-called supplementary national legal basis. In relation to the duty of information towards citizens whose historical cases are included in the training dataset, the Danish Agency for Higher Education and Science has, among other things, pointed out: 

  • There is a large number of citizens (approx. 3,000).
  • It would be resource-intensive to inform citizens individually.
  • The processing of personal data is limited.
  • The purpose of the processing is to improve case processing time.
  • The processing is not assessed to have direct consequences for citizens.

GDPR ready-to-use templates

The EDPB invites experts to participate in a public consultation aimed at proposing practical templates to help organisations comply with their obligations under the GDPR. The EDPB identified the need to develop standardised tools that could serve as guidance for both controllers and processors. The public consultation aims to find out which types of templates would be most beneficial in practice, for instance:  

  • privacy notice,
  • records of processing activities,
  • data protection impact assessment,
  • notification of a personal data breach.

It is possible to participate in the public consultation from November 5 to December 3, 2025. Experts, organisations, and individuals can submit their suggestions through this page.

More from supervisory authorities

Australia child privacy updates: From 10 December, platforms like Facebook, Instagram, Snapchat, TikTok, YouTube, X, Threads, Reddit and Kick must take reasonable steps to prevent under-16s from holding accounts on their services. Failure to do so will expose these platforms to fines of up to 49.5 million dollars. These services currently meet the criteria for under 16 restrictions as specified in the Social Media Minimum Age legislation, in particular the key requirement that their “sole or significant purpose is to enable online social interaction”.

Health data warehouses (EDS): The CNIL’s Digital Innovation Laboratory (LINC) has published a map of health data warehouses in France. An EDS, explains the CNIL, is a database built up over a long period of time and intended to be reused mainly for steering (management, control and administration of the activity) and research, studies and evaluations in the field of health. They can be set up by both public (such as a public healthcare institution) and private entities (such as a data broker or a startup), provided that they comply with the applicable legal framework.

AI risk assessment: The EDPS has published a new guidance document to help data controllers carry out data protection risk assessments when developing, acquiring and deploying AI systems. Although the new guidelines are aimed at EU institutions, organisations in both the public and private sectors that use or plan to adopt AI systems can use them as a valuable starting point. It focuses on the risk of non-compliance regarding: fairness, accuracy, data minimisation, security and certain data subjects’ rights. The list of risks and countermeasures is not exhaustive, but merely reflects some of the most pressing issues that controllers must address when procuring, developing and deploying AI systems. 

In other news

Cyber attack mitigation tools: The Dutch AP has issued recommendations for a strong data processing agreement in the event of a cyber attack. Organisations that collaborate with service providers must enter into a data processing agreement regarding the sharing and use of personal data. This agreement sets out arrangements regarding, for example, security and the roles and responsibilities in the event of incidents such as data breaches. To that end, to limit the damage from cyber attacks, organisations can:

  • Make agreements as concrete as possible
  • Maintain control over the entire supply chain
  • Give more priority to drafting and maintaining data processing agreements

Therefore, the regulator sums up, negotiate agreements carefully and promptly. And review agreements and appendices regularly to ensure they remain relevant in practice. Employee awareness and knowledge of the GDPR play a crucial role in this.

Misleading cookie banners: The AP also reports that three-quarters of websites modified misleading cookie banners after an investigation of more than 200 websites in the Netherlands was launched in April. The AP is now taking enforcement action against organisations that haven’t updated their cookie banners. The easiest way to comply is not to use tracking software; in that case, a cookie banner isn’t necessary. Where organisations do use tracking software, they must adhere strictly to the rules and inform visitors honestly and clearly.

Biometric processing

In New Zealand, the Privacy Commissioner has issued a Biometric Processing Privacy Code that creates specific privacy rules for agencies (businesses and organisations) using biometric technologies to collect and process biometric information. The Code, which is now law made under the Privacy Act, will help make sure agencies implementing biometric technologies are doing so safely and in a way that is proportionate. Guidance has also been developed to support the Code.

Direct marketing and free-of-charge services

On 13 November, the CJEU released its ruling in Inteligo Media SA v ANSPDCP (the Romanian data protection regulator) (C-654/23), a case concerning a media website that provided information about new legislation in Romania, the Bird&Bird law blog reports. Six articles per month could be viewed completely free of charge. Users could also subscribe for free to an additional two articles and a daily newsletter, or pay for unlimited access and a fuller newsletter. ANSPDCP claimed that Inteligo could only process subscriber registration details and deliver the free newsletter if it had consent, which it did not.

Inteligo argued it was covered by the soft opt-in exception. The ePrivacy Directive does demand that organisations obtain consent before sending direct marketing emails, but there is an exception: where the organisation acquires the subscriber’s information after selling a product or service, and the direct marketing is for that organisation’s similar product or service. The top EU court concluded that the free subscription did constitute a sale: a sale requires payment in exchange for goods or services, as well as remuneration. However, the remuneration might be indirect, where a particular customer does not have to pay because the cost is covered by the premium version of the subscription.

Telecommunications multimillion fine

Following ex officio proceedings, the Croatian data protection agency imposed an administrative fine on a telecommunications operator, in its capacity as controller, for the total amount of 4.5 million euros for violations of the GDPR. The infringements concerned the transfer of personal data to third countries without a valid transfer instrument and without transparent information to data subjects, the processing of copies of employees’ identity cards and certificates of no criminal proceedings without a legal basis, as well as the failure to carry out appropriate prior checks of a processor.

Customer service fine

The EDPB sums up a recent enforcement case in Italy, when a customer, who was the victim of fraud, contacted their bank to obtain recordings of calls made to customer service, which would be useful in contesting a transfer of approximately 10,000 euros and reconstructing what had happened. Having received no satisfactory response, they complained to the privacy regulator Garante. Only after the authority had opened proceedings did the bank provide the recordings, but by then the 30-day deadline set by the GDPR had already passed. Garante imposed an administrative fine of 100,000 euros, taking into account the bank’s turnover, its cooperation during the investigation and the absence of previous infringements.

In case you missed it

Children’s data lifecycle: Privacy International states that in England’s schools, children are tracked from birth through a vast, opaque network of digital systems that turn education into a lifelong exercise in data collection and surveillance. Children’s data in education is collected from the day they are born until they are 25 years old:

  • during pre-school, with personal data submitted by legal guardians during the school admissions process 
  • every child is assigned a unique pupil record and a unique pupil number that stays with them forever
  • the student’s educational setting gets added to the record, which includes its religious character and location, etc.

The next layer of data added to those records is created by school staff – absence and attendance records, assessments, etc. Separately, children’s data can be generated and collected by the EdTech tools used by staff. Some schools use a broad range of tools, such as behaviour tracking apps, which can take the form of scores but also of more complex profiles and predictions in relation to a child. Further personal data is collected and added to the National Pupil Database (NPD), and is kept indefinitely. 

Agentic AI explained: The JD Supra law blog outlines the rise of “agentic AI”. Unlike traditional AI systems, which are designed to perform specific, narrowly defined tasks (generating text or images or analysing inputs) and rely on human input and oversight, agentic AI systems can complete far more complex, multi-step tasks autonomously and make context-dependent decisions. The emergence of these systems could transform a wide range of industries and business functions, including: a) consumer-facing systems, b) customer support, c) internal operations, and d) sales and marketing.

The post Data protection digest 3-17 Nov 2025: Consumer loan checks can reveal people’s lifestyle data  appeared first on TechGDPR.

Data protection digest 19 Oct – 2 Nov 2025: New AI Act and GDPR study & personal data stored on Blockchain https://techgdpr.com/blog/data-protection-digest-03112025-new-ai-act-and-gdpr-study-personal-data-stored-on-blockchain/ Mon, 03 Nov 2025 17:46:53 +0000

The post Data protection digest 19 Oct – 2 Nov 2025: New AI Act and GDPR study & personal data stored on Blockchain appeared first on TechGDPR.

Blockchain applications and data protection

The Bank of England, in its October statement, confirmed that many firms in the financial sector are already using AI, exploring opportunities to use quantum computing, and piloting DLT applications. One example is stablecoins built on DLT networks, which are already being used at scale by individuals and businesses worldwide for faster, cheaper cross-border payments and automated financial contracting. However, the bank admits that key barriers to scaling up blockchain solutions are regulatory frameworks that are not entirely suited to digital assets and cross-border initiatives. Blockchain’s inherent characteristics present unique challenges for GDPR compliance.

When it comes to handling personal data, blockchains present a significant challenge in respecting data subject rights. Its immutability, for example, contradicts the fundamental “Right to be Forgotten”. The global distribution of blockchain nodes also complicates regulatory supervision. Conducting a Data Protection Impact Assessment (DPIA) is not just a legal requirement for high-risk blockchain-based personal data processing, but is an important step towards responsible innovation. To help organisations meet these requirements, TechGDPR has created a free downloadable Blockchain DPIA Template, which guides users through all required areas of GDPR compliance:

  • Description of the processing operations
  • Legal basis and necessity assessment
  • Identification of risks
  • Safeguards and technical measures
  • Implementing privacy by design principles
  • Data subject rights and governance structures

The pre-designed template includes ready-to-use sections, prompts, and examples, significantly saving time and ensuring that no critical aspect of your DPIA is overlooked.

UK Adequacy

The European Data Protection Board, EDPB, has issued its opinion on the adequate protection of personal data by the United Kingdom. In July 2025, the European Commission started the process towards the adoption of its draft implementing decision on the adequate protection of personal data by the UK. It extends the validity of certain parts of the previous adequacy decision until December 2031. In particular, the EDPB asks the Commission to further clarify recent changes in UK post-Brexit legislation regarding:

  • removing the direct application of the principles of EU law, including the right to privacy and data protection
  • new powers to introduce changes via secondary regulations, which require less Parliamentary scrutiny (eg, on international transfers, automated decision-making)
  • changes to the rules governing third-country transfers
  • processing exemptions for law enforcement 
  • restructuring of the Information Commissioner’s Office 
  • safeguards provided by the EU-US Umbrella Agreement, whose privacy and data protection safeguards are incorporated into the UK-US Cloud Act Agreement
  • encryption to remain essential for ensuring the security and confidentiality of personal data and electronic communications.

AI Act and the GDPR

The European Parliament has published a study on the Interplay between the AI Act and the EU digital legislative framework, including the GDPR. In particular, the AI Act introduces requirements for fundamental rights impact assessments (FRIAs) in cases that often also trigger data protection impact assessments (DPIAs) under the GDPR. These instruments differ in scope, supervision, and procedural requirements, creating duplication and uncertainty. Transparency and logging obligations are also redundant across both regimes. Moreover, there is ambiguity over how data controllers and AI providers should manage rights of access, rectification, and erasure when personal data becomes embedded in complex AI models. 

In AI contexts, the GDPR-governed “legitimate interests” legal basis is widely regarded as the most relevant and frequently invoked basis, states the report. Meanwhile, consent is often impracticable and contractual or legal obligation bases rarely map neatly onto AI training or deployment scenarios. Finally, the AI Act introduces additional governance layers: the AI Office and the European AI Board at the EU level and the national GDPR supervisory bodies with respect to data protection issues, which produce a potentially overlapping set of competent supervisory bodies. 

Legal updates

Draghi report: The Future of Privacy Forum takes a closer look at the report on European competitiveness issued in 2024 by former Italian Prime Minister Mario Draghi, which calls for simplification of the GDPR and criticises “heavy gold-plating” by Member States in GDPR implementation. The Commission is now set to announce a Digital Omnibus package with proposals to quickly reduce the burden on businesses. However, changes to the GDPR’s fundamental principles could bring any reform into conflict with the TFEU and the Charter and lead to action before the Court of Justice.

GDPR enforcement: On 21 October, the European Parliament passed the regulation on additional procedural rules regarding the enforcement of the GDPR. The document aims to harmonise the criteria for assessing the admissibility of cross-border complaints and clarifies the rights of complainants and entities under investigation. The regulation establishes the same admissibility standards no matter where in the EU the GDPR complaint was filed. Both complainants and companies involved will have the right to be heard at specific stages of the investigation and will receive preliminary findings to express their views before a final decision is issued. 

Data for research: From 29 October, researchers can request data access from very large online platforms and search engines to study systemic risks. Access to public platform data has been available since the Digital Services Act (DSA) came into force in February 2024. Researchers now have the opportunity to request access to platforms’ internal data and to investigate its impact on society. Since datasets can allow direct or indirect inferences about individual users through their interactions, profiles, or other published content, researchers must comply with the requirements of the GDPR when carrying out their projects.

More from supervisory authorities

DSA and the GDPR: The EDPB has closed the consultation on the guidelines on the interplay between the Digital Services Act and the GDPR. One of its sections examines the limits on automated decision-making that involves the processing of personal data by intermediary service providers. The paper also further examines the transparency of processing and deceptive design patterns prohibited by the DSA when these practices involve personal data.  It also reviews the relationship between profiling restrictions and advertising technology, systematic risk assessments and minors’ data protection.

China privacy updates: China has issued its first national standard for certification of cross-border personal information processing. The standard, which takes effect on March 1, 2026, sets out fundamental principles, security requirements, and obligations for safeguarding individuals’ rights in cross-border data processing. Reportedly, the certification is valid for three years. The applicant may reapply for certification for continual use of such certification six months before its expiration. In general, under the Chinese Personal Information Protection Law (PIPL), a data handler may transfer personal information outside of China if one of the following three conditions (with some exemptions) is met:

  • Apply for and pass the security assessment;
  • Sign and file the standard contract; or
  • Obtain the personal information protection certification.

Hacked emails

Almost one in ten people affected by cybercrime in the previous year experienced unauthorised access to an online account or email. To provide targeted support to consumers in such cases, the German Federal Office for Information Security (BSI) published a guide – Emergency checklist: Hacked account (in German). If a person can no longer log in despite having the correct password, their email account may have been hacked. Changes in settings or attempts to log in from new devices can also be signs. To protect your account, the BSI recommends securing it with either a strong password combined with two-factor authentication or with passkeys. 

IoT security

According to America’s NIST, IoT products often lack product cybersecurity capabilities that their customers, organisations and individuals can use to help mitigate their cybersecurity risks. Manufacturers can help their customers by providing necessary cybersecurity functionality and the cybersecurity-related information they need. To that end, NIST closes public consultations and offers a public draft of Foundational Cybersecurity Activities for IoT Product Manufacturers. This publication describes recommended activities that manufacturers should consider performing before their IoT products are sold to customers. 

GenAI guidance

European Data Protection Supervisor (EDPS) has published its revised and updated guidelines on the use of generative AI and processing of personal data by EU institutions, bodies, offices, and agencies (EUIs), reflecting the fast-moving technological landscape and the evolving challenges posed by generative AI systems. It introduces several key updates, including:

  • a refined definition of generative AI for greater clarity and consistency
  • a new, action-oriented compliance checklist for EUIs to assess and ensure the lawfulness of their processing activities
  • clarified roles and responsibilities, assisting EUIs in determining whether they act as controllers, joint controllers, or processors
  • detailed advice on lawful bases, purpose limitation, and the handling of data subjects’ rights in the context of generative AI.

Capita fine

The UK’s privacy regulator, ICO, issued a fine of 14 million pounds to Capita for failing to ensure the security of personal data related to a breach in 2023 that saw hackers steal millions of people’s information, from pension records to the details of customers of organisations Capita supports. For some people, this included sensitive information such as details of criminal records, financial data or special category data. Capita processes personal information on behalf of over 600 organisations providing pension schemes, with 325 of these organisations also impacted by the data breach.

The investigation found that Capita, in its capacity as a data controller, had failed to ensure the security of the processing, as well as lacking the appropriate technical and organisational measures. In particular, Capita did not prevent both privilege escalation and unauthorised lateral movement through the network, and did not effectively respond to security alerts when detected.

Grindr fine confirmed

On October 21, Norway’s Borgarting Court of Appeal upheld Grindr’s multi-million privacy fine for violating Art. 9 of the GDPR, which forbids the processing of special categories of personal data. The court decided that sharing a dating app user ID with advertisers revealed sensitive information regarding the user’s sexual orientation. It further stated that consent was invalid since it was bundled with service access, giving customers no real choice.

Grindr’s multi-page privacy policy was also unclear concerning the extent and beneficiaries of data sharing, according to the Digital Policy Alert legal blog.

In other news

Data security fine: Australian Clinical Labs (ACL) has been ordered to pay AUD 5.8 million for breach of the Privacy Act 1988 following a 2022 cyber incident which impacted the personal information of over 223,000 individuals. This is the first civil penalty under the Privacy Act, DLA Piper law blog reports. The incident occurred within the IT environment of ACL’s subsidiary, Medlab Pathology, which was acquired only 3 months prior. Critical vulnerabilities in the subsidiary’s IT systems were not properly identified before the acquisition, as part of the due diligence process, as ACL intended to fully integrate them into its own IT environment within the following 6 months.

Insurance data security fines: The New York State Attorney General secured a 14.2 million fine from car insurance companies over data breaches. Eight car insurance companies’ poor cybersecurity allowed hackers to steal driver’s license numbers to fraudulently obtain unemployment benefits, failing to protect the private information of more than 825,000 New Yorkers. These companies allowed people to obtain a car insurance price quote using an online tool. Some of the companies also provided password-protected tools to insurance agents to generate quotes for customers. The investigation found that data thieves were able to exploit a “pre-fill” function in the companies’ online quoting tools.

Electronic identification services fine: In Finland, the Data Protection Ombudsman has imposed an 865,000 euro fine on Aktia Bank for neglecting information security in its electronic identification service. Due to a short-term disruption, some people who logged into various services with Aktia’s bank codes had access to other customers’ highly personal information, as the service mixed up the identification of people. The regulator found that the bank had shortcomings in the planning, implementation and testing of a technical change made to the service.

Patient data breaches

Polish regulator UODO imposed an approximately 10,000 euro fine on Gyncentrum for failing to report a personal data breach. A medical centre specialising in infertility treatment, among other things, sent a communication, the subject line of which indicated the name of a genetic test, to another person, also a patient of the centre (with the same name). The document contained personal data: first name, last name, bank account number, and address. It also included the transfer amount and the name of the test performed, revealing that it was part of an extensive prenatal diagnostic program. The patient herself learned of the incident from another patient at the centre. 

In Guernsey, the Medical Specialist Group (MSG) was also fined 100,000 pounds following a cyber-attack. In 2021, the MSG became aware of a personal data breach after it received suspicious emails indicating that its email server had been accessed by cybercriminals. Unpatched vulnerabilities on that server enabled criminals to access and steal e-mails stored on it, some of which contained sensitive patient health data. These e-mails were subsequently used to facilitate multiple phishing campaigns targeting MSG patients over a series of months. The MSG notified the regulator of this breach. The inquiry found that the company routinely failed to install security updates to its e-mail server over the course of 13 months. This included updates directly related to the breach exploit and other critical vulnerabilities.

California privacy violations

California’s Attorney General secured a settlement with Sling TV, a streaming service, resolving allegations that the company violated the California Consumer Privacy Act (CCPA) by failing to provide an easy-to-use method for consumers to stop the sale of their personal information and by failing to provide sufficient privacy protections for children. Sling TV is an internet-based live TV service that offers both a paid subscription and a free, ad-supported streaming service. Unlike traditional television, where advertising is based on the content of the programming, Sling TV uses its internet-based platform to deliver highly targeted advertising, using detailed consumer data such as age, gender, location, and income to personalise ads for viewers, often without their awareness.

In case you missed it

Digital health care: Privacy International suggests that a Digital Health Technology Assessment (dHTA) is needed to make sure that tools developed by the private sector and relied on by public healthcare providers do not harm people and their rights. The Health Technology Assessment (HTA) is a longstanding practice that is used to assess the effectiveness and safety of technological innovations before they can be used in the diagnosis, treatment, management and prevention of health problems.

Thus, there is an overwhelming need for clear and specific rules that engage with the specific needs and challenges of new and emerging practices.

Multi-party computation: An EDPS blog article states that across sectors from health research to financial systems, data sharing continues to drive innovation, yet it also intensifies privacy and compliance challenges, making the balance between access to data and confidentiality increasingly difficult. Secure multi-party computation (SMPC) proposes a way to reconcile these seemingly conflicting goals – enabling organisations to jointly compute insights without revealing their underlying data. Under SMPC, multiple parties can work together to compute a result from their private data without ever exposing that data to one another. Unlike traditional encryption, which protects data only while it’s stored or transmitted, SMPC ensures confidentiality throughout the computation process itself for:

  • hospitals improving disease prediction models using patient data,
  • banks detecting cross-border fraud patterns,
  • governments analysing the impact of social policies,

From a legal perspective, SMPC challenges traditional interpretations of privacy law. Frameworks like the GDPR were not designed with cooperative computation in mind; thus, they must be embedded within transparent governance frameworks and ethical oversight.

Data protection digest 17 Sep – 3 Oct 2025: New Danish court ruling may change practice for GDPR compensations https://techgdpr.com/blog/data-protection-digest-05102025-new-danish-court-ruling-may-change-practice-for-gdpr-compensations/ Sun, 05 Oct 2025 12:36:21 +0000

The post Data protection digest 17 Sep – 3 Oct 2025: New Danish court ruling may change practice for GDPR compensations appeared first on TechGDPR.

GDPR compensations

In Denmark, an individual has been awarded financial compensation for non-material damage resulting from a data breach (Art. 82 of the GDPR). A High Court ruled on 20 August that a woman should receive approx. 335 euros in compensation after a municipality mistakenly shared her health information with a third party. The decision has been appealed to the Supreme Court, where the woman and her lawyer will, among other things, try to have the GDPR compensation increased and awarded to her spouse as well.

Until now, Danish practice has been that claims for compensation without financial loss must be assessed according to the provisions of the Danish Civil Liability Act. The court has generally required a qualified damage effect. The decision from August could, if upheld by the Supreme Court, be a new breakthrough in Danish law and possibly in European law. The compensation of 335 euros is a small amount, but if thousands of citizens choose to file a lawsuit in connection with the same breach – for example via a class action – the consequences for companies and authorities could be extensive.

EU-US data transfers and immigration control

On 17 September, the European Data Protection Supervisor (EDPS) issued an Opinion on a framework agreement between the EU and the US on the exchange of information for security screenings and identity verifications. Individual Member States would be empowered to sign bilateral agreements for the exchange of data from their national systems. It would be the first agreement concluded by the EU to entail the large-scale sharing of personal data, including biometric data (fingerprints), for border and immigration control purposes with a third country.

More legal updates

Data transfers for medical research: The German Data Protection Conference (DSK) adopted a paper on data transfers to third countries for scientific research in the medical sector. The admissibility of transferring personal data to third countries under data protection law cannot be assessed in general terms, but only on a case-by-case basis, as numerous circumstances play a role in the assessment. This also applies to scientific research for medical purposes. It must always be examined whether the data subjects have been adequately informed about the (intended) transfer in accordance with the GDPR. In scientific research for medical purposes, broad consent is an established legal basis for data processing. Since there may be special interactions between Broad Consent and the basis for transfer under the GDPR, these are explained in detail in the DSK paper (in German). 

The European Innovation Act: The European Commission concluded its consultation and evidence-gathering for an impact assessment to assist in the creation of the European Innovation Act. The Commission seeks information on ways to overcome obstacles that innovative entities encounter, including fragmented regulations, restricted access to infrastructure and funding, underutilised innovation procurement, and inadequate commercialisation of findings from publicly funded research and innovation. The Act aims to create sector-wide horizontal conditions as opposed to sector-specific programs. 

Political online targeting ban in the EU: Political parties will soon be prohibited from targeting voters online with political advertisements. A new European regulation on the Transparency and Targeting of Political Advertising (TTPA) will take effect on 10 October. It aims to prevent voters from being secretly influenced during election campaigns, which can involve the processing of personal data, and to prevent trust in fair elections from being undermined.

LinkedIn AI training

Users who do not want LinkedIn to use their data to train AI models must disable this before 3 November. The European data protection authorities are urging people to do so. This data includes profile information and public content shared in the past. Once this data is in LinkedIn’s AI systems, it will be impossible to retrieve, and users will lose control over their data. All LinkedIn users’ data will automatically be used for AI training unless the setting is actively disabled.

Anyone who does not want personal data used for LinkedIn AI training must opt out before 3 November via this link or in the app under “Settings & Privacy > Data Privacy > Data for Generative AI Improvement” and disable the switch.

Vehicle data in the era of the Data Act

On 12 September, the European Commission published the “Guidance on Vehicle Data, accompanying the Data Act.” The document defines the categories of data falling within the scope of the regulation and outlines the access rights granted to users and to third parties designated by them. It clarifies, first of all, that a vehicle qualifies as a “connected product” when it meets two cumulative requirements: it must generate or collect data concerning its use or its surrounding environment, and it must have the ability to communicate such data via an electronic communications service.

More from supervisory authorities

‘Neighbour’s camera’ a major annoyance: The Dutch data protection authority (DPA) is receiving a growing number of complaints from people concerned about their privacy due to their neighbours’ doorbells or security cameras. The regulator wants to prevent the improper use of doorbell cameras as much as possible. Therefore, the DPA is urging manufacturers to configure doorbell cameras to be privacy-friendly by default. It also wants to raise consumer awareness, for example, by providing information about what is and isn’t permitted.

AI risks in the health profession: A bill sponsored by the California Medical Association (CMA) that addresses dangers associated with the use of AI in health care has passed out of the Legislature and is headed for the Governor’s signature. It prohibits AI systems from being misrepresented as licensed medical professionals and provides California’s state health profession boards with the authority to enforce title protections for health care workers, ensuring that new technologies in health care are deployed in ways that protect patient safety, preserve trust, and support the physician-patient relationship.

Medical records: The Swiss FDPIC has published a factsheet on the forms that are given to patients to sign when they go to the doctor. It takes account of the various opinions expressed on the subject and aims to clarify a number of issues raised by these forms: a) the distinction between the duty to provide information on data collection and the issue of patient consent to data processing; b) secure data communication; c) the question of proportionality, regarding what data a patient can legitimately be asked to provide. The document is available in English.

Digital communication and minors

In France, the regulatory authority for audiovisual and digital communication (Arcom) released the results of its study on online risks for minors, digitalpolicyalert.org reports. Over four out of five children use at least one major internet platform on a daily basis, according to the study. 42 per cent of minors use social networks before the age of 13 by lying about their age, and the average age of initial use is 12 years old.

According to the study, 83 per cent of children are regularly exposed to at least one of the six risks: harmful or shocking content, cyberbullying, dangerous challenges, malicious adult contact, and online scams. 

E-health data security

The European Union Agency for Cybersecurity (ENISA) has published a good practice guide to support entities of the health sector in strengthening their digital security. The health sector is classified among those in the risk zone, highlighting a significant gap between its cybersecurity maturity and its critical importance: medical systems and data have become growing targets of cybercrime, with ransomware and phishing campaigns on the rise. These actionable practices are designed to be simple to implement and enhance the preparedness and security of all types of health entities, from hospitals and service providers to individual medical specialists. The recommendations cover areas such as systems and network protection, safeguarding devices and patient data, addressing challenges in the ICT supply chain. 

Reporting AI incidents

The European Commission has issued draft guidance and a reporting template on serious AI incidents. Under the EU AI Act, providers of high-risk AI systems will be required to report serious incidents to national authorities. This new obligation, set out in Art. 73, aims to detect risks early, ensure accountability, enable quick action, and build public trust in AI technologies. While the rules will only become applicable from August 2026, the draft guidance and reporting template are already available for download, so that providers can prepare. The draft guidance clarifies definitions, offers practical examples, and explains how the new rules relate to other legal obligations.


Drone use and personal data

The Latvian data protection authority elaborated on this topic, which is becoming increasingly relevant as drones are used in defence, business, and people’s private lives. Personal data processing occurs when material obtained with a drone can identify a specific person; it therefore cannot be said that personal data processing takes place every time a drone comes into view of a person. If the material is intended for public distribution, the processing may be justified by legitimate interests, after a balancing of interests in which the proportionality of the processing is assessed against the interests of the people depicted. In some cases, the use of drones may also be linked to the public interest or to processing for journalistic purposes.

Video games and personal accounts

In the audiovisual and video game sectors, the purchase of digital content can justify a long retention of data. The French CNIL reminds professionals of the rules to follow to manage inactive accounts while respecting the rights of users. Professionals must guarantee uninterrupted access to purchased digital content, as provided for in consumer law. In the audiovisual and video game sector, this access often goes through a personal account that acts as a video library, allowing the user to find their movies, series or games at any time. The deletion of accounts for which no action has been taken by users for two years is considered proportionate. It is recommended that affected users be notified before this deadline to allow them to keep their accounts active. 

‘Facial boarding’ at airport

Italian data protection regulator Garante has recently blocked the use of facial recognition in Italian airports (so-called face boarding), with the provision adopted against Società per Azioni Esercizi Aeroportuali, to suspend the use of the specific technological solution adopted, since it is incompatible with the GDPR. Garante specifies that the use of facial recognition technologies at airports in principle is permitted, but requires technological solutions that balance the need for simplified boarding procedures with the need to protect personal data in compliance with current European regulations, particularly regarding the processing of biometric data. 

In other news

Automated-decision fine: The Hamburg Data Protection Commissioner HmbBfDI has imposed a fine of almost 500,000 euros on a financial company for violations of the rights of affected customers in automated decisions in individual cases. Despite good credit ratings, several customers’ credit card applications were rejected based on automated decisions, decisions made by machines based on algorithms and without human intervention. When the affected customers subsequently demanded a reason for the rejected applications, the company failed to adequately fulfill its statutory information and disclosure obligations. 

Hospital data fine: The Italian regulator Garante has fined a university hospital 80,000 euros for failing to configure its health records properly. The hospital used two applications, for patient and hospitalisation records, through which all healthcare personnel could search patients’ medical histories, even if they were not involved in their treatment. The applications had no adequate access profiling, nor security measures such as alerts or the tracking of operations in dedicated log files. Furthermore, patients were unaware of the processing carried out through the records and were therefore unable to consent to or refuse it, or to decide whether to obscure certain information, such as data subject to greater protection.
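
The two controls the Garante found missing, a check that the person searching a record is actually involved in the patient's care and a dedicated, alert-generating access log, can be combined in one small gate in front of record searches. The following is an added illustration written for this digest, not code from the hospital or the regulator; the staff and patient identifiers, the care-team table and the "break-glass" override are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass
class AuditEvent:
    """One line of the dedicated access log: who touched which record, and why."""
    timestamp: str
    user: str
    patient: str
    action: str
    outcome: str  # "allowed", "denied" or "break-glass"
    reason: Optional[str] = None


@dataclass
class RecordAccessGate:
    """Gate in front of a patient-record search: access is granted only to staff
    listed on the patient's care team, or documented as an emergency override."""
    care_team: Dict[str, Set[str]]
    audit_log: List[AuditEvent] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)

    def access(self, user: str, patient: str, action: str = "read",
               break_glass_reason: Optional[str] = None) -> bool:
        involved = user in self.care_team.get(patient, set())
        if involved:
            outcome = "allowed"
        elif break_glass_reason:
            # Emergency override: permitted, but logged and raised for review.
            outcome = "break-glass"
            self.alerts.append(
                f"{user} opened {patient} outside the care team: {break_glass_reason}")
        else:
            outcome = "denied"
        # Every attempt, successful or not, lands in the dedicated log.
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user, patient, action,
            outcome, break_glass_reason))
        return outcome != "denied"


def review_queue(log: List[AuditEvent]) -> Dict[str, List[AuditEvent]]:
    """Group every non-routine event by user so a privacy officer can review it."""
    queue: Dict[str, List[AuditEvent]] = {}
    for event in log:
        if event.outcome != "allowed":
            queue.setdefault(event.user, []).append(event)
    return queue


# Constructed sample data (hypothetical staff and patient identifiers).
CARE_TEAM = {
    "patient-001": {"dr-rossi", "nurse-bianchi"},
    "patient-002": {"dr-verdi"},
}


def run_sample() -> RecordAccessGate:
    """Three constructed accesses: routine, refused, and emergency override."""
    gate = RecordAccessGate(care_team=CARE_TEAM)
    gate.access("dr-rossi", "patient-001")                          # treating doctor: allowed
    gate.access("dr-verdi", "patient-001")                          # not involved: denied
    gate.access("dr-verdi", "patient-001", action="search",
                break_glass_reason="ER admission, GP unreachable")  # override: allowed, alerted
    return gate


if __name__ == "__main__":
    g = run_sample()
    for e in g.audit_log:
        print(e)
    for a in g.alerts:
        print("ALERT:", a)
```

The point of the override path is that an emergency should not be blocked by the gate, but it must never be silent: it is written to the log with its stated reason and surfaces in the review queue together with refused attempts.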

HIPAA violation: A 182,000 dollar settlement has been agreed between the HHS’ Office for Civil Rights and five Delaware healthcare providers to resolve alleged violations of the HIPAA Privacy and HIPAA Breach Notification Rules. The settlement concerns the posting of patients’ protected health information (PHI) on social media without first obtaining HIPAA-compliant authorizations to use PHI for a purpose not expressly permitted by the HIPAA Privacy Rule, then failing to notify individuals about the impermissible use and disclosure.

Candid cameras against theft

The French CNIL fined SAMARITAINE, which operates the store of the same name, 100,000 euros for concealing cameras in the store’s stockrooms. In 2023, following an increase in thefts of goods from its stockrooms, SAMARITAINE installed new cameras in two of them. The cameras were disguised as smoke detectors and could record sound. They were removed shortly after employees discovered them. In principle, to meet the requirement of fairness (loyalty), video surveillance that films employees must be visible and not concealed. In exceptional circumstances and under certain conditions, however, the controller may temporarily install cameras that are not visible to employees. The company did report the thefts committed in the stockrooms and explained that the device was temporary (which its technical characteristics seem to confirm).

It nevertheless did not carry out any prior analysis of compliance with the GDPR, nor documented the temporary nature of the installation. 

In case you missed it

Human oversight in AI: EDPS’s latest TechDispatch episode explores the human oversight of Automated Decision-Making. While human oversight can occur at different stages of an AI system’s lifecycle, including before deployment (ex-ante), real-time oversight on system operations is considered the one that can be most consequential, when an operator can still review the system’s behaviour and intervene before its output takes effect, helping to prevent potential harm to human lives or infringements on individuals’ fundamental rights.

Dark Net: Sweden’s privacy protection authority IMY answers questions about how data controllers should act after an IT attack in which personal data was published on the darknet. It is NOT recommended to search for or download the published information: the files found may, for example, contain additional malware. IMY also recommends that organisations first and foremost contact their data processor, in accordance with the data processing agreement. In addition, organisations have a duty to notify the affected data subjects of the personal data breach as soon as possible, since there is a high risk to the rights and freedoms of natural persons.

Patients’ data and AI boom: Privacy International reports a boom for the UK’s technology sector, with American tech firms collectively investing billions of pounds in the UK’s AI and tech infrastructure. The UK government hailed these investments as part of a new ‘Tech Prosperity Deal’. Healthcare is a key area mentioned as part of it. Last summer, the UK released its 10-year health plan, which emphasised the centrality of technology, innovation and AI for the National Health Service. The plan states that, to move the NHS into the 21st century, its unique advantages will be used, including the NHS’s ‘world-leading data’.

The post Data protection digest 17 Sep – 3 Oct 2025: New Danish court ruling may change practice for GDPR compensations appeared first on TechGDPR.

Data protection digest 1-15 Sep 2025: The Data Act is fully applicable, “bossware” takes over workspaces https://techgdpr.com/blog/data-protection-digest-17092025-the-eu-data-act-is-fully-applicable-bossware-takes-over-workspaces/ Wed, 17 Sep 2025 09:45:57 +0000

The Data Act

As of 12 September, the Data Act has become directly applicable in the EU. It offers harmonised rules on fair access to and use of data. The new rules cover manufacturers, users, data holders, data recipients, public sector bodies, and data processing services. It is designed to empower users, both consumers and businesses, by giving them greater control over the data generated by their connected devices (and related services), such as cars, smart TVs, industrial machinery and much more:

  • It ensures that connected devices on the EU market are designed to allow data sharing
  • Gives consumers the possibility to choose more services, without having to rely on the manufacturer of the device 
  • Provides business users in industries like manufacturing or agriculture access to data about the performance of industrial equipment, opening up opportunities to enhance efficiency and optimise operations
  • Allows consumers to easily transfer data and switch between cloud providers
  • Prohibits unfair contracts that could prevent data-sharing

The Data Act does not exclude or replace the GDPR

On the contrary, it is fully compliant with data protection rules. For example, where the user is not the data subject whose data is being requested, personal data can only be made available if there is a valid legal basis (eg, consent). This is an important consideration, as co-generated data often contains both personal and non-personal data, which may be difficult to separate. Additionally, the Data Act includes a non-exhaustive list of measures to remedy situations where a third party or user has unlawfully accessed or used data. The infringing party will be obliged to cease production of the product in question, destroy the data it has unlawfully obtained, or pay compensation.


The Act also includes requirements for international transfers of non-personal data. The data processing service providers are required to adopt technical, legal, and organisational measures to prevent international transfer or governmental access to non-personal data that would breach national or EU law. Furthermore, the Act includes protections for trade secrets and trade secret holders, aiming at preventing data breaches or data transfers to jurisdictions that don’t provide sufficient data protection and preventing other entities from accessing the data to reverse-engineer the services of their competitors.

Data subject rights under the Data Act

The Hamburg data protection authority explains that, from electronic toothbrushes to wind turbines, many consumer goods and machines send sensor data to their manufacturers via the internet. Starting September 12, consumers will benefit from new access rights to the data of such connected devices, as the Data Act allows both users of these devices and third parties to request it. This is provided that the eligibility requirements under the Data Act are met, data protection law does not conflict, and trade secrets are protected.

If the data to be transmitted is personal, European law appoints data protection authorities to supervise compliance with the provisions of the Data Act. This task follows directly from Art. 37(3) of the Data Act: a) Accessing personal data from the manufacturer; b) Changing the provider of data processing services (so-called cloud switching); c) Protection of confidentiality through technical and organisational measures at the receiving body; d) Transparency obligations. The data protection authorities can now enforce these rights by issuing orders. Violations can sometimes be punished with fines. Alternatively, claims can be pursued independently through civil law. Any natural or legal person can file a complaint. 

EU-US Data Privacy Framework maintained

On 3 September, the CJEU ruled on a case in which a French politician had brought an action against the Commission regarding the adequacy decision for the EU-US Data Privacy Framework. The case was brought with a claim that the adequacy decision should be annulled. According to the complainant, the newly established appeal body in the US, the Data Protection Review Court (DPRC), was not independent, and American legislation did not ensure adequate guarantees for the data subjects in connection with the mass collection of personal data by the intelligence services. 

The Court found no basis for concluding that the DPRC was not independent at the time of the decision. In this context, the Court recalled the Commission’s obligation to continuously monitor developments in the US and to act if changes in the legal framework might lead to a lower level of protection. With regard to the activities of the intelligence services, the Court also found that US legislation at the time of its adoption ensured a level of protection of personal data that was essentially equivalent to that existing within the EU.

On that basis, the Court dismissed the action in its entirety.

Digital Services Act

The EU General Court, meanwhile, has ruled that the Commission failed to properly adopt the method it used to assess very large online platforms’ user bases under the Digital Services Act (DSA). As a result, the supervisory fees the Commission imposed on the largest platforms (Facebook, Instagram, TikTok and others), as calculated by reference to their user bases, were invalid (however, the effects of the annulled decisions are provisionally maintained). The Commission now has 12 months to rectify the situation. 

The EDPB has recently adopted guidance on the interaction between the Digital Services Act and the GDPR. The DSA aims to complement the rules of the GDPR to ensure the highest level of protection of fundamental rights in the digital space. It applies to online intermediary services, such as search engines and platforms. There are several provisions in the DSA which relate to the GDPR:

  • Notice-and-action systems that help individuals or entities report illegal content
  • Recommender systems used by online platforms to automatically present specific content to the users of the platform, with a certain relative order or prominence
  • The provisions to ensure a high level of privacy, safety, and security of minors and to prohibit profile-based advertising using their data 
  • Transparency of advertising by online platforms
  • Prohibition of profiling-based advertising using special categories of data 

Pseudonymisation

In another ruling of September 4, the CJEU addressed various issues relating to personal data and pseudonymisation in connection with the transfer of this data to third parties: 

The case concerned the obligation incumbent on controllers to inform data subjects, at the time of data collection, of the recipients or categories of recipients to whom their personal data are to be disclosed. Consequently, the identifiability of the data subject in such a case must be assessed from the perspective of the controller and not from that of the recipient. 

More from supervisory authorities

Brazil draft adequacy decision: On 4 September, the European Commission launched the process towards the adoption of a data protection adequacy decision with Brazil. The Commission has determined that Brazil ensures an adequate level of data protection, comparable to that of the EU. Once adopted, the decision would allow for free data flows for businesses, public authorities, and research projects between the EU and Brazil, one of the widest scopes possible for a data adequacy decision under the GDPR. The Brazilian authorities have also initiated a process to adopt an equivalent decision to allow for Brazilian data to flow freely to the EU.

Windows IT security guide for organisations: The German Federal Office for Information Security (BSI) provided recommendations for the secure configuration of Microsoft Office products for the Microsoft Windows operating system (in German). These recommendations were developed specifically for medium-sized to large organisations that manage their endpoints using Group Policies in an Active Directory environment. However, other experienced IT users can also apply the Group Policies locally. Implementing these policies offers the advantage of a wider range of configuration options compared to configuring them via the user interface. These recommendations are available for the Office applications Microsoft Access, Microsoft Excel, Microsoft Outlook, Microsoft PowerPoint, Microsoft Visio, and Microsoft Word.

Cybersecurity for teenagers: The BSI also published a comprehensive package to teach basic cybersecurity skills. It aims to support teachers and other educational professionals in raising young people’s awareness of digital risks at an early stage and teaching them how to use digital media safely. The media package includes educationally prepared worksheets, interactive activities, and background information for teachers and parents. It covers three topics: smartphone and app security, cybercrime methods, and account protection.


Personal recordings

Can recordings obtained for personal use be used for other purposes? The Latvian data protection regulator explains that such a recording is usually made without informing the other people in it. Where the recording is intended only for one’s own needs, without passing it on to others, the GDPR does not apply. However, before making a recording, you should consider whether it is restricted by other rules. For example, if the recording is made at a school event, you should make sure that the institution’s internal rules of procedure do not restrict the use of technical devices or the making of recordings.

Over time, a person who has a recording made for personal purposes may want to use this information for other purposes. For example, it can serve as evidence in resolving a dispute or in detecting an offence. In this case, GDPR provisions must apply, in particular, when choosing the legal basis for processing, complying with fundamental principles in processing, including ensuring that the rights of the people heard and seen in the recordings are respected. 

Right to erasure

The EDPB launched a coordinated action earlier this year to examine how organisations handle the right to erasure (requests from individuals to have their personal data erased by the organisation). The Swedish Data Protection Authority IMY is now reporting its findings. Regarding the 20 Swedish businesses surveyed, despite handling large amounts of personal data, businesses have received few requests from individuals who want their data deleted. Among the problems and challenges that IMY has identified are: a) Lack of or inadequate internal routines and processes, b) Uncertainty about deletion in backups, and c) Difficulty verifying the identity of the person who wants their data deleted. IMY has identified examples of best practice for data deletion requests, such as:

  • Create clear and updated procedures, control documents and checklists that specify who does what, how the assessment is carried out and what criteria apply for deletion
  • Offer multiple channels to submit a deletion request, such as email, phone, web form, or physical visits
  • Verify the individual’s identity only in cases of reasonable uncertainty
  • Always provide a clear justification with reference to relevant provisions when rejecting a request

Google and Shein cookie fines

The French regulator CNIL fined Google 325 million euros and Shein 150 million euros, in particular for non-compliance with the rules on online trackers. The checks revealed that Google displayed advertisements in the form of emails between the emails in the ‘Promotions’ and ‘Social networks’ tabs of Gmail. In the case of Shein, the CNIL found that several trackers, in particular for advertising purposes, were placed as soon as users arrived on the site, even before they had interacted with the information banner to express a choice.

Also, when a user visiting the “shein.com” site clicked on the “Refuse all” button in the banner, or when they decided to withdraw consent to the registration of trackers on their terminal, new trackers were nevertheless deposited. 

Toymaker fine

America’s FTC just settled with Apitor Technology, a Chinese toymaker, over allegations that the company violated the Children’s Online Privacy Protection Rule (COPPA). Apitor develops, markets, and distributes robot toys for kids aged 6-14. To program the robots, users need to download Apitor’s free companion app. It incorporated a third party’s software development kit (SDK), enabling app functionalities like push notifications and usage tracking. The SDK allowed the third party to collect geolocation data from children playing with the robot toys on an Android device. Companies providing online services directed at children must notify parents if they are collecting, using, or disclosing personal information from children. They also have to obtain parents’ verified consent to do so, even if a third party is the one collecting the data on the company’s behalf.

Online banking authentication

In Finland, the data protection agency has imposed a penalty of 1.8 million euros on S-Bank for neglecting information security in online banking authentication. Due to a software error in the authentication service in 2022, it was possible to log in to online banking and online services using strong authentication with another customer’s credentials. The agency investigated the data breach based on a notification made by S-Bank in 2022. The bank had implemented a new login functionality in S-mobile. 

The bank had not tested the new software sufficiently before implementing it, and it had not identified vulnerabilities before the functionality was implemented. It also did not respond adequately to customer complaints about irregularities in online banking logins. A security vulnerability had been exploitable for more than three months. It affected a significant portion of the bank’s customers. Misuse of bank codes caused financial damage to customers. S-Bank has announced that it has compensated customers for direct losses.

In other news

Disney: Another settlement by the FTC with Disney alleges that it failed to properly designate their YouTube videos as directed to children. When Disney uploaded videos to YouTube, its policy was to set the audience at the channel level, rather than checking the audience for each video. As a result, some child-directed videos were incorrectly designated as “not made for kids.” Personal information of children viewing these videos was collected and used for targeted advertising without parental notice or consent as required under COPPA. Kids were also exposed to YouTube features not meant for kids: autoplay to other “not made for kids” videos and access to unrestricted public comments.

Recruitment agency: North Rhine-Westphalia data protection commissioner imposed a fine of over 35,000 euros on a Düsseldorf-based recruitment agency which had not only consistently ignored the data protection rights of job seekers, but also requests from the regulator. The focus was on requests from employees asking whether and which data the company had processed about them. Some of the individuals also demanded that their data be deleted.  

Health data: In Estonia, Allium UPI, the company that manages the Apotheka loyalty program, received a fine of 3 million euros for failing to protect customer data and using insufficient security measures. The company’s reckless attitude towards its customers’ data put the privacy of more than 750,000 people, including children and other vulnerable groups, at risk. A security incident occurred in the information system of the Apotheka loyalty program in early 2024.

The leaked files contained personal data and purchase history of those who joined the Apotheka customer program between 2014 and 2020: purchased medicines, health measurement services, and other sensitive pharmacy products, such as pregnancy and ovulation tests, hearing aid accessories, blood pressure supplements, intimate hygiene products, and medications for skin problems. 

In case you missed it

Football fans face recognition in Denmark: The Danish Data Protection Authority has granted permission for the clubs in the Super League (season 2025/2026) to use automatic facial recognition during football matches, in order to support the enforcement of the rules on club quarantines. The permits for the Super League clubs state, among other things, that the processing must comply with the rules on the preparation of an impact assessment: it must be carried out before the processing begins.

Bossware in the UK: A third of UK companies use “bossware” to track employees’ activities, according to an article in the Guardian. One in seven employers are monitoring or evaluating screen activity, and private organisations are the most likely to implement in-work surveillance, according to a UK-wide poll. The finding that about one-third of managers said their companies watch employees’ internet activity on company-owned devices is likely an underestimate, because the same percentage stated they had no idea what tracking their companies do. Preventing insider threats, protecting sensitive data, and identifying productivity declines are the stated goals of many monitoring systems.

The post Data protection digest 1-15 Sep 2025: The Data Act is fully applicable, “bossware” takes over workspaces appeared first on TechGDPR.

]]>
GDPR Compliance for AI: Managing Cross-Border Data Transfers https://techgdpr.com/blog/gdpr-compliance-for-ai-managing-cross-border-data-transfers/ Wed, 23 Jul 2025 07:33:02 +0000

Artificial intelligence (AI) is based on large and varied datasets to train models and enhance functionality. Though AI often works across borders, data protection regulations such as the EU General Data Protection Regulation (GDPR) impose stringent controls on transferring personal data abroad.

The question is evident: how do businesses employ global AI systems and continue to comply with the GDPR cross-border data transfer principles? It is essential to understand the link between AI and personal data and its impact through the legal landscape governing cross-border transfers.

Understanding the AI and the GDPR Landscape

Artificial intelligence systems typically need vast amounts of data, which may include personal data. This data is usually obtained from various jurisdictions and processed using cloud platforms, data centres, and development teams in various countries. This worldwide infrastructure complicates GDPR compliance, since the regulation restricts the transfer of personal data beyond the European Economic Area (EEA) and the United Kingdom.

The GDPR is grounded in fundamental principles of lawfulness, fairness, transparency, limitation of purpose, and data minimization. It also requires accuracy, limitation of storage, integrity, confidentiality, and accountability. These principles should be adhered to by any AI system that involves personal data even when data is transported.

Cross-border data transfers happen when personal data is moved from the EEA to a third country. These are addressed by Chapter V of the GDPR, which dictates the legal frameworks organisations must follow. Since most AI systems involve international data processing, virtually all of them face this regulatory challenge.

Focal Compliance Challenges in Cross-Border AI Projects

There are a few challenges that make it hard to regulate cross-border data in AI:

  • Terabytes of information: AI systems read text, images, video, audio, and behavior data in volumes that older compliance procedures find difficult to keep up with. It’s no small challenge to collect, categorize, and safeguard these datasets across borders.
  • Pseudonymization risks: So-called anonymized data can in fact facilitate re-identification, particularly when combined with additional datasets. It is important to understand the difference between pseudonymized and anonymized data.
  • Lack of transparency: Most AI systems, especially deep learning-based systems, are “black boxes.” This uninterpretability may hinder the ability of organizations to show compliance with the GDPR, especially purpose limitation and data minimization.
  • Shifting rules: National authorities and the European Data Protection Board (EDPB) regularly update their guidance on AI, international transfers, and how the two interact. Requirements only mount with the arrival of legislation such as the EU AI Act.
  • Third-party risk: Third-party data suppliers, cloud vendors, and outsourcing data processors are all more likely to be in the AI supply chain. Unless they are properly managed, they bring inherent third-party risk through non-compliance, data loss, or unauthorized transfers.

Legal Frameworks for GDPR-Compliant Cross-Border Transfers

The GDPR provides a range of legal frameworks for cross-border transfers of personal data beyond the EEA, depending on conditions and limitations.

  • Adequacy decisions are among them. The European Commission will be in a position to determine that a non-EEA nation ensures “adequate” protection for personal data, and data can flow freely. These decisions have been granted to Japan and Switzerland, and the same has been granted to the United States under the new EU–U.S. Data Privacy Framework. Adequacy decisions are not absolute, however, and can be invalidated, as was the invalidation of Privacy Shield.
  • For transfers to countries without an adequacy decision, Standard Contractual Clauses (SCCs) are the most used mechanism. These contractual clauses ensure that data transferred internationally keeps a level of protection equivalent to that in the EU. Since the Schrems II judgment, organizations must perform Transfer Impact Assessments and introduce supplementary safeguards in order to use SCCs lawfully.
  • Binding Corporate Rules (BCRs) are a further possibility for multinationals. They are internal codes of conduct that have to be approved by a data protection authority and are legally enforceable against the corporate group. They are a scalable solution for intragroup data transfers, but obtaining approval may be time-consuming and costly.
  • The GDPR also provides limited derogations for specific situations, including where the individual gives explicit consent or where a transfer is necessary for the performance of a contract. These derogations are narrow and must not be relied on for systematic or bulk transfers.

Practical Steps to Remain Compliant

To effectively administer cross-border data transfers, follow these best practices:

  • Map data flows: Determine where personal data comes from, is processed, and travels.
  • Perform Data Protection Impact Assessments (DPIAs): DPIAs for riskier AI projects ensure that risks of discrimination and bias are identified, and that data protection and transfer risks are assessed.
  • Improve data governance: Establish policies and roles that assign accountability across operational, technical, and legal teams. This ensures consistency and accountability when dealing with personal data.
  • Enforce security controls: Organizational and technical controls are also required. These include secure development of AI models, access controls, pseudonymization, and encryption. Regular security audits and penetration tests can uncover weaknesses in the systems used to perform cross-border transfers before they are exploited.
  • Manage third parties: Secure sound data processing terms and ensure all suppliers comply with the GDPR. Any AI supplier or cloud provider handling personal data on your behalf must be subject to rigorous due diligence. This includes negotiating sound Data Processing Agreements (DPAs) and ensuring vendors apply GDPR-level controls.
  • Train your staff: Make sure staff are educated about their role with regard to AI and international processing of data. A specific incident response plan also needs to be created to handle any AI system-related breaches.

Readiness and Regulation

Regulatory requirements are changing. The EU AI Act and sector-specific guidelines from the EDPB and others will keep reshaping what compliance with AI looks like. Leading-edge businesses are already constructing governance structures in line with the GDPR and these new rules. Technologies such as automated data flow mapping, real-time risk management, and regularly repeated Transfer Impact Assessments are becoming standard. Legal, technical, and compliance staff need to work together so that AI innovation is reconciled with regulatory requirements.

Conclusion

Cross-border transfers of data for AI under the GDPR are difficult, but not impossible. With a sound understanding of the regulatory frameworks, attention to high-risk processing, and good mitigations, organizations can deploy effective AI technologies in full compliance.

Creating AI responsibly involves creating it legally. Now is the time to audit your cross-border data transfer processes, enhance your governance structure, and embed compliance in all areas of your AI work.

The post GDPR Compliance for AI: Managing Cross-Border Data Transfers appeared first on TechGDPR.

Data protection digest 2-16 June 2025: Data controller, processor, how to properly identify your GDPR role
https://techgdpr.com/blog/data-protection-digest-16062025-data-controller-processor-how-to-properly-identify-your-gdpr-role/ (Tue, 17 Jun 2025)
GDPR role, how to determine?

The French privacy regulator CNIL reviews the criteria and practical consequences of determining the GDPR role of data controllers and processors. The qualification does not always depend on a contractual choice but on the facts: who decides what, and who executes what, concerning personal data. The controller is the natural or legal person who determines both the purposes and the means of the processing, the “why” and “how” of the use of personal data, ensures compliance with the GDPR, but does not necessarily have actual access to the data:

  • The essential means: what personal data is collected and used, for how long, who the recipients are, etc.
  • Non-essential means: technical implementation, such as the choice of software.
  • Where two or more controllers jointly determine the purposes and means of the processing, they are joint controllers.

The processor, meanwhile, is a person or body that processes personal data on behalf of the controller. They must always comply with the instructions given by the controller. Sometimes, they can choose the technical means that seem most suitable, as long as this respects the objectives set by the controller. If the processor itself decides on the objectives and means, it exceeds its GDPR role. In this case, it is considered to be the data controller and may be sanctioned.

Only under certain conditions may the processor reuse the data entrusted to them by the data controller for their own purposes. For example, a subcontractor may reuse data for the purpose of improving its cloud computing services. Such re-use could be considered compatible with the original processing, subject to appropriate safeguards such as anonymisation. On the other hand, their reuse for commercial prospecting purposes would hardly satisfy the “compatibility test”.

UK data reform

The Data Use and Access Bill (DUAB) has passed Parliament and now awaits the Royal Assent, when it will become law. The bill introduces a framework of ‘smart data’ schemes to regulate the access, sharing, and protection of customer and business data across various sectors. It introduces, among other things, a recognised legitimate interest list to streamline data use for public safety, interoperable medical records and timely access for professionals, while maintaining a risk-based approach to automated decision-making and sensitive personal information, etc. The UK Information Commissioner is tasked with enforcing the regulations that will be introduced under the bill. The UK now benefits from the EU’s adequacy regime for personal data transfers, which was extended by six months on the Commission’s recommendation, until the end of 2025. This allows the UK government to complete the DUAB in advance of Brussels’ next adequacy assessment.

More legal updates

EDPB latest: The European Data Protection Board has published the final version of guidelines on data transfers to third-country authorities. The EDPB clarifies how organisations can best assess under which conditions they can lawfully respond to requests for personal data from non-European authorities. For example, the updated guidelines address the situation where the recipient of a request is a processor, or where a parent company in a third country receives a request from that country’s authority and then requests the personal data from its subsidiary in Europe.

The EDPB also published training material on AI and data protection addressed to professionals with a legal and technical focus, such as data protection officers, privacy professionals, cybersecurity professionals, developers or deployers of high-risk AI systems. 

High-risk AI: The European Commission opened a consultation, running until 18 July, on the classification of AI systems as high-risk as part of the implementation of the AI Act. AI systems that classify as high-risk must be developed and designed to meet the requirements about data and data governance, documentation and record-keeping, transparency and provision of information to users, human oversight, robustness, accuracy, security and more. The survey is a targeted consultation to collect input from stakeholders on practical examples of AI systems and on issues to be clarified in the Commission’s guidelines.

Australia privacy updates: The Bird&Bird legal blog explains that from 10 June 2025, Australia’s statutory tort for serious invasions of privacy comes into force. Passed by Parliament last year as part of a privacy reform, it introduces several elements that could trigger a legal action and remedies: a) invasion of privacy, b) reasonable expectation of privacy, c) fault element, d) seriousness, and e) public interest balancing. Read more details on who will be exempt from these rules in the original publication.

Pixel tracking

The French regulator CNIL opened a public consultation on its draft recommendation (in French) on the use of tracking pixels in emails. The objective is to help the actors who use these trackers to better understand their obligations, particularly in terms of collecting user consent. Tracking pixels are an alternative tracking method to cookies. They take the form of an image of 1 pixel by 1 pixel, integrated into a website or an email, but invisible to the user. Loading this image, whose URL contains a user ID, lets the sender know that the tracked user has visited a page or read an email. The consultation will close on 24 July.
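As an added illustration (not part of the CNIL draft or of this digest), the following Python script shows how a DPO or mail administrator can audit an HTML email for the signals that typically mark a tracking pixel: 1x1 or hidden images and a per-recipient identifier in the image URL. The sample email, the domains and identifiers in it, and the list of query-string keys treated as identifiers are all constructed assumptions for the example.

```python
"""Audit an HTML email body for likely tracking pixels (added example).

The sample email, its domains and the ID_KEYS list below are constructed
assumptions for illustration; they do not come from the CNIL draft.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Query-string keys that commonly carry a per-recipient identifier.
# Assumption: an illustrative list, not an exhaustive standard.
ID_KEYS = {"uid", "user", "user_id", "email", "cid", "rid", "token"}


def _is_tiny(value):
    """True for a width/height attribute of 0 or 1 (with or without 'px')."""
    if value is None:
        return False
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    return v in {"0", "1"}


class PixelFinder(HTMLParser):
    """Collects <img> tags that look like tracking pixels."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser routes self-closing <img .../> here as well.
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        url = urlparse(src)
        host = (url.hostname or "").lower()
        signals = []
        if _is_tiny(a.get("width")) and _is_tiny(a.get("height")):
            signals.append("1x1 or 0x0 dimensions")
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            signals.append("hidden by inline style")
        ids = sorted(k for k in parse_qs(url.query) if k.lower() in ID_KEYS)
        if ids:
            signals.append("identifier in query string: " + ", ".join(ids))
        # Only flag images that carry at least one pixel-like signal, so an
        # ordinary externally hosted logo is not reported.
        if not signals:
            return
        third_party = bool(host) and host != self.first_party_host \
            and not host.endswith("." + self.first_party_host)
        self.findings.append({
            "src": src,
            "host": host,
            "ids": ids,
            "third_party": third_party,
            "signals": signals,
        })


def find_tracking_pixels(html, first_party_host):
    """Return a list of findings for images that look like tracking pixels."""
    parser = PixelFinder(first_party_host)
    parser.feed(html)
    return parser.findings


# Constructed sample email: one real logo, one third-party open-tracking
# pixel, and one first-party pixel carrying a recipient identifier.
SAMPLE_EMAIL = """
<html><body>
<img src="https://images.example-shop.test/logo.png" width="200" height="60" alt="Example Shop">
<p>Thanks for your order!</p>
<img src="https://track.example-mailer.test/open.gif?uid=8f3a1c&campaign=june" width="1" height="1" style="display:none">
<img src="https://example-shop.test/o.png?rid=42" width="1px" height="1px">
</body></html>
"""

if __name__ == "__main__":
    for f in find_tracking_pixels(SAMPLE_EMAIL, "example-shop.test"):
        where = "third party" if f["third_party"] else "first party"
        print(f"{f['src']} [{where}] -> {'; '.join(f['signals'])}")
```

Run over the constructed sample, the script reports the mailer's hidden open-tracking pixel (third party, `uid` in the URL) and the first-party 1px image carrying `rid`, while leaving the logo alone. A finding is the starting point for the consent question the CNIL draft addresses: each flagged image is a load that tells its host when, and by whom, the email was opened.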

More from supervisory authorities

Federated learning: The EDPS elaborated on the benefits and limitations of Federated Learning (FL), an approach to Machine Learning (ML) in which multiple data sources (devices or entities) collaboratively train a shared model while the data stays decentralised. From a personal data protection perspective, FL offers significant benefits in data minimisation (the data exchanged among the client devices and the resulting ML models can be treated as anonymous data) and purpose limitation. However, one of the primary concerns remains the potential for data leakage through model updates: even without direct access to raw data, an attacker could infer sensitive information by analysing the gradients or weights shared between devices. Continue reading the EDPS analysis here.

Unintentional disclosure: Situations in which personal data are unintentionally disclosed are increasingly common, according to the Bulgarian regulator CPDP. The most common cases concern: a) unintentionally or thoughtlessly providing data in a phone conversation or electronic communication with services (brokerage and investment services, marketing research, etc.), b) lost documents containing personal information, including copies of IDs, c) documents incorrectly provided to service providers, d) responding to misleading messages through phishing, smishing, and vishing. If you have inadvertently disclosed your personal information in the situations described above:

  • Save all messages, emails, phone numbers, documents and other relevant evidence. 
  • If you have sent information to the wrong address, immediately contact the actual recipient or the one to whom you intended to send the message to inform them and seek any assistance.
  • If you have managed to establish contact with the actual recipient, request to exercise your right to erasure. 
  • Change passwords and enable two-factor authentication wherever possible. 
  • Monitor your bank accounts, social media accounts, and other online platforms. 
  • Tell your family, friends, colleagues so that they can take preventive precautions, etc. 

Vodafone multimillion fines

The German federal data protection authority BfDI issued fines totalling 45 mln euros as well as a reprimand imposed on Vodafone. The company uses different distribution channels, including local shops, some of which are operated by partner agencies. Investigations found privacy-related weaknesses in the processes to supervise and audit the processors as well as weaknesses in the IT systems leading to the risk of customer data being misused for fraud. Such risks actually materialised in some cases.

Furthermore, Vodafone offers an online service portal for its customers. When used in combination with the company’s hotline, investigations found weaknesses in the authentication process for the customer accounts that could lead to misuse of eSIMs, etc.

Spotify and Vinted fines upheld

In Sweden, an appeal court upheld the approx. 5.2 mln euro fine imposed on Spotify AB for noncompliance with the GDPR. The company must therefore pay a penalty fee. Spotify did not provide in a clear and easily accessible manner the information necessary for the data subject to be able to exercise their rights. It also failed to provide information about storage periods and criteria for determining these, and did not provide sufficient information about appropriate safeguards when transferring personal data to a third country or an international organisation. 

Similarly, the Regional Administrative Court in Lithuania rejected the complaint of UAB Vinted regarding decisions taken by the State Data Protection Inspectorate VDAI. The court found that all the examined factual circumstances and legal norms were assessed properly, and the regulator acted in accordance with the law and the limits of its competence. Last year, the VDAI fined the company 2.3 mln euros for GDPR violations:

  • improper processing of requests from personal data subjects to delete their data and insufficient and unclear information provided;
  • improper implementation of the accountability principle;
  • processing of personal data through so-called shadow blocking, which was carried out without a clear and lawful basis.

In other news

Pixel tracking fine: The Norwegian regulator has audited six websites’ use of tracking pixels. All of them shared visitors’ personal data with third parties without any legal basis (e.g. visitors were “duped” into consent), and in several of the cases the data was sensitive. The websites included an online pharmacy, services for vulnerable children, medical services, information about various diseases, conditions and diagnoses, and a website that sells bibles. The information included which websites people visited, what actions they took, or what they added to their shopping cart.

The regulator also found violations of the duty to provide information. In one of the cases, it imposed a fine of approx. 22,000 euros. 

Online pharmacy user tracking fine: Finland’s data protection agency meanwhile issued a 1,100,000 euro fine against the pharmacy company Yliopiston Apteekki because of data protection shortcomings, also related to the use of tracking services. The regulator started investigating the practices of the company after a doctoral researcher from the University of Turku contacted them. Using network traffic analysis, the researcher found data protection deficiencies in Finnish online pharmacies as part of research focused on the functioning of health-related online services.

Yliopiston Apteekki had used cookies and other tracking technologies for its online pharmacy in a manner that transmitted data on users’ interactions with the shop related to prescription medicines and over-the-counter medicines directly to Google and Meta, among others. For example, the tracking service providers received data on when a customer added a product to their basket and clicked the purchase button. The transmitted data also included users’ IP addresses and other identifying data. If a user was logged in to their Google or Facebook account when they used the online pharmacy, Google and Meta could have directly identified them. 

23andMe bankruptcy case

23andMe’s customers should be given the opportunity to consent to the sale of their personal data to whoever buys the company’s assets, a consumer privacy ombudsman has told the bankruptcy court handling 23andMe’s case, the VitalLaw law blog reports. An alternative safeguard would be for the consent request to come from the winning bidder. The question of what happens to 23andMe’s data upon sale has attracted significant interest from privacy advocates, lawyers and politicians, with US congressional hearings and calls for legislation to protect genetic data. You can view the whole 211-page ombudsman report into 23andMe’s planned sale of customers’ personally identifiable information here.

In case you missed it 

Diversity at work: In a context of increased awareness of the fight against discrimination, more organisations want to measure the diversity within their workforce. Diversity measurement surveys distributed by employers to their employees collect personal, sometimes sensitive, data, explains the French CNIL, and must be accompanied by guarantees, in accordance with the GDPR. These surveys must remain optional, and employees or agents must be properly informed and their rights respected. The CNIL also recommends favouring anonymous surveys and limiting the data collected by using closed-ended questions. Further advice for employers (in French) can be read here.

AI assistants industry: Building AI assistants that fit into our daily lives is a top priority for the AI sector. Privacy International says that companies in this field need to respond to concerns about how they will secure our data. Some tasks require more processing power than a personal device can provide, so cloud-enabled synchronisation is how the corporations address that problem. Once the data leaves the device, businesses could use it to train their systems, and they might grant access to your data to their employees and service providers. These uses go beyond what a consumer may reasonably expect. Therefore, AI firms must inform users about:

  • How do I have granular control over access to sensors, data and apps?
  • How can I easily access settings to retract consent?
  • Where is the clear information on what data is used to respond to a query?
  • How can I access and delete any data accessed and used by the Assistant?

According to PI, this is why it is crucial that users insist that their data be processed on their devices as much as possible and used only for specific and limited reasons.  
