Data protection digest 2-16 June 2025: Data controller, processor, how to properly identify your GDPR role
https://techgdpr.com/blog/data-protection-digest-16062025-data-controller-processor-how-to-properly-identify-your-gdpr-role/
Published on TechGDPR, 17 Jun 2025 (tag archive: data processors, https://techgdpr.com/blog/tag/data-processors/)

GDPR role, how to determine?

The French privacy regulator CNIL reviews the criteria and practical consequences of determining the GDPR role of data controllers and processors. The qualification does not always depend on a contractual choice but on the facts: who decides what, and who executes what, concerning personal data. The controller is the natural or legal person who determines both the purposes and the means of the processing, the “why” and “how” of the use of personal data. The controller ensures compliance with the GDPR but does not necessarily have actual access to the data. The CNIL adds the following distinctions:

  • The essential means: what personal data is collected and used, for how long, who the recipients are, etc.
  • Non-essential means: technical implementation, such as the choice of software.
  • Where two or more controllers jointly determine the purposes and means of the processing, they are joint controllers.

The processor, meanwhile, is a person or body that processes personal data on behalf of the controller. It must always comply with the instructions given by the controller. Sometimes it can choose the technical means that seem most suitable, as long as this respects the objectives set by the controller. A processor that decides on the objectives and means itself exceeds its GDPR role; in that case it is considered to be the data controller and may be sanctioned.

Only under certain conditions may the processor reuse the data entrusted to them by the data controller for their own purposes. For example, a subcontractor may reuse data for the purpose of improving its cloud computing services. Such re-use could be considered compatible with the original processing, subject to appropriate safeguards such as anonymisation. On the other hand, their reuse for commercial prospecting purposes would hardly satisfy the “compatibility test”.

UK data reform

The Data Use and Access Bill (DUAB) has passed Parliament and now awaits the Royal Assent, when it will become law. The bill introduces a framework of ‘smart data’ schemes to regulate the access, sharing, and protection of customer and business data across various sectors. It introduces, among other things, a recognised legitimate interest list to streamline data use for public safety, interoperable medical records and timely access for professionals, while maintaining a risk-based approach to automated decision-making and sensitive personal information, etc. The UK Information Commissioner is tasked with enforcing the regulations that will be introduced under the bill. The UK now benefits from the EU’s adequacy regime for personal data transfers, which was extended by six months on the Commission’s recommendation, until the end of 2025. This allows the UK government to complete the DUAB in advance of Brussels’ next adequacy assessment.

More legal updates

EDPB latest: The European Data Protection Board has published the final version of guidelines on data transfers to third-country authorities. The EDPB clarifies how organisations can best assess under which conditions they can lawfully respond to requests for personal data from non-European authorities. For example, the updated guidelines address the situation where the recipient of a request is a processor, or where a parent company in a third country receives a request from that country’s authority and then requests the personal data from its subsidiary in Europe.

The EDPB also published training material on AI and data protection addressed to professionals with a legal and technical focus, such as data protection officers, privacy professionals, cybersecurity professionals, developers or deployers of high-risk AI systems. 

High-risk AI: The European Commission opened a consultation on the classification of AI systems as high-risk as part of the implementation of the AI Act, running until 18 July. AI systems that classify as high-risk must be developed and designed to meet the requirements on data and data governance, documentation and record-keeping, transparency and provision of information to users, human oversight, robustness, accuracy, security and more. The survey is a targeted consultation to collect input from stakeholders on practical examples of AI systems and on issues to be clarified in the Commission’s guidelines.

Australia privacy updates: The Bird & Bird legal blog explains that from 10 June 2025, Australia’s statutory tort for serious invasions of privacy comes into force. Passed by Parliament last year as part of a privacy reform, it introduces several causes that could trigger a legal action and remedies: a) invasion of privacy, b) reasonable expectation of privacy, c) fault element, d) seriousness, and e) public interest balancing. Read more details on who will be exempt from these rules in the original publication.

Pixel tracking

The French regulator CNIL opened a public consultation on its draft recommendation (in French) on the use of tracking pixels in emails. The objective is to help the actors who use these trackers to better understand their obligations, particularly in terms of collecting user consent. Tracking pixels are an alternative tracking method to cookies. They take the form of an image of 1 pixel by 1 pixel, integrated into a website or an email, but invisible to the user. Loading this image, whose name contains a user ID, lets the sender know that the tracked user has visited a page or read an email. The consultation will close on 24 July.
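The mechanism CNIL describes (a hidden remote image whose URL carries a per-recipient identifier) can be detected before a mail client fetches remote content. The following is an added example, not code from CNIL or TechGDPR: the newsletter body is constructed, and the heuristics (1x1 or CSS-hidden `<img>`, remote `src`, an identifier in the query string or an opaque file name) are assumptions drawn from the description above.

```python
"""Flag likely tracking pixels in an HTML e-mail before remote images are loaded.

Added example, not code from CNIL or TechGDPR. The newsletter body below is
constructed, and the heuristics (1x1 or hidden <img>, remote src, an identifier
in the query string or path) are assumptions drawn from the description of
tracking pixels in the text.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample body: one ordinary logo and two tracking pixels.
SAMPLE_EMAIL = """
<html><body>
<img src="https://cdn.example.org/logo.png" width="200" height="60" alt="logo">
<p>Hello reader, here is this week's news.</p>
<img src="https://track.example.net/open.gif?uid=a1b2c3d4&amp;cid=newsletter42"
     width="1" height="1" alt="">
<img src="https://track.example.net/img/7f9e2c5.png"
     style="display:none; width:0; height:0">
</body></html>
"""

# Assumed names under which senders commonly pass a per-recipient identifier.
ID_PARAMS = {"uid", "cid", "rid", "id", "token", "email", "e", "u"}


def _looks_hidden(attrs):
    """1x1 / 0x0 dimensions or CSS that hides the image are the classic pixel tells."""
    width = (attrs.get("width") or "").strip()
    height = (attrs.get("height") or "").strip()
    if width in ("0", "1") and height in ("0", "1"):
        return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return any(tell in style for tell in ("display:none", "visibility:hidden", "width:0", "height:0"))


def _carries_identifier(src):
    """True if the URL plausibly encodes who opened the mail."""
    parsed = urlparse(src)
    if any(k.lower() in ID_PARAMS for k in parse_qs(parsed.query)):
        return True
    # An opaque alphanumeric file name (e.g. a hash) is another way to encode the recipient.
    stem = parsed.path.rsplit("/", 1)[-1].split(".")[0]
    return len(stem) >= 6 and stem.isalnum() and not stem.isalpha()


class PixelFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.pixels = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        if src.startswith(("http://", "https://")) and _looks_hidden(a):
            self.pixels.append({"src": src,
                                "host": urlparse(src).netloc,
                                "identifier": _carries_identifier(src)})


def find_tracking_pixels(html):
    """Return the hidden remote images found in an HTML body."""
    finder = PixelFinder()
    finder.feed(html)
    return finder.pixels


if __name__ == "__main__":
    for pixel in find_tracking_pixels(SAMPLE_EMAIL):
        print(pixel)
```

The logo is ignored because it has real dimensions; both pixels are reported together with the host that would learn about the open. A mail client that blocks remote images by default (and loads them only on an explicit user action) neutralises the technique regardless of how the identifier is encoded.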

More from supervisory authorities

Federated learning: The EDPS elaborated on the benefits and limitations of Federated Learning (FL), an approach to Machine Learning (ML) in which multiple data sources (devices or entities) collaboratively train a shared model while the data stays decentralised. From a personal data protection perspective, FL offers significant benefits through data minimisation (the data exchanged among the client devices and the resulting ML models can be treated as anonymous data) and purpose limitation. However, one of the primary concerns remains the potential for data leakage through model updates: even without direct access to raw data, an attacker could infer sensitive information by analysing the gradients or weights shared between devices. Continue reading the EDPS analysis here.
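The leakage concern raised by the EDPS is easiest to see on the smallest possible case. The block below is an added example, not the EDPS's code: a toy logistic-regression model with constructed client records shows that one client's raw, unaggregated update reveals its feature vector exactly, and that the same inversion applied to the sum over several clients (what a server sees under secure aggregation) returns only a blend.

```python
"""Gradient leakage in federated learning, and why updates should only reach
the server in aggregate.

Added example, not the EDPS's code. The model is a toy logistic regression and
the client records are constructed; the closed-form inversion holds for the
single-record, single-step case used here.
"""
import math


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def client_gradient(w, b, x, y):
    """Gradient of the logistic loss for one record (x, y) at parameters (w, b).
    For one record, grad_w = r * x and grad_b = r, where r is the residual."""
    r = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
    return [r * xi for xi in x], r


def invert_single_record_gradient(grad_w, grad_b):
    """What a server (or anyone reading the channel) can do with one client's raw update:
    x = grad_w / grad_b recovers the feature vector exactly whenever r != 0."""
    if abs(grad_b) < 1e-12:
        return None
    return [g / grad_b for g in grad_w]


def aggregate(updates):
    """Secure aggregation in effect: the server only learns the sum over clients."""
    dim = len(updates[0][0])
    grad_w = [sum(u[0][i] for u in updates) for i in range(dim)]
    grad_b = sum(u[1] for u in updates)
    return grad_w, grad_b


def demo():
    w, b = [0.3, -0.2, 0.5], 0.1
    # Constructed sensitive features, e.g. (age/100, income/100k, diagnosis flag), with label.
    records = [([0.42, 0.55, 1.0], 1), ([0.31, 0.80, 0.0], 0), ([0.67, 0.20, 1.0], 1)]
    # 1. A single client's unaggregated update gives its record away.
    leaked = invert_single_record_gradient(*client_gradient(w, b, *records[0]))
    # 2. The same inversion on the summed update yields a blend, not any one record.
    blended = invert_single_record_gradient(*aggregate([client_gradient(w, b, *r) for r in records]))
    return leaked, blended


if __name__ == "__main__":
    leaked, blended = demo()
    print("recovered from one client's update:", [round(v, 3) for v in leaked])
    print("recovered from aggregated update:  ", [round(v, 3) for v in blended])
```

Aggregation alone is a partial answer: with few clients, or many rounds against the same client, statistics of the sum still carry information, which is why FL deployments combine secure aggregation with differential-privacy noise on the updates.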

Unintentional disclosure: Situations in which personal data are unintentionally disclosed are occurring increasingly often, according to the Bulgarian regulator CPDP. The most common cases concern: a) unintentionally or thoughtlessly providing data in a phone conversation or electronic communication with services (brokerage and investment services, marketing research, etc.), b) lost documents containing personal information, including copies of IDs, c) documents incorrectly provided to service providers, d) responding to misleading messages through phishing, smishing, and vishing. If you have inadvertently disclosed your personal information in the situations described above:

  • Save all messages, emails, phone numbers, documents and other relevant evidence.
  • If you have sent information to the wrong address, immediately contact the actual recipient, or the one to whom you intended to send the message, to inform them and seek any assistance.
  • If you have managed to establish contact with the actual recipient, request to exercise your right to erasure.
  • Change passwords and enable two-factor authentication wherever possible.
  • Monitor your bank accounts, social media accounts, and other online platforms.
  • Tell your family, friends and colleagues so that they can take preventive precautions.

Vodafone multimillion fines

The German federal data protection authority BfDI issued fines totalling 45 mln euros as well as a reprimand imposed on Vodafone. The company uses different distribution channels, including local shops, some of which are operated by partner agencies. Investigations found privacy-related weaknesses in the processes to supervise and audit the processors as well as weaknesses in the IT systems leading to the risk of customer data being misused for fraud. Such risks actually materialised in some cases.

Furthermore, Vodafone offers an online service portal for its customers. When used in combination with the company’s hotline, investigations found weaknesses in the authentication process for the customer accounts that could lead to misuse of eSIMs, etc.

Spotify and Vinted fines upheld

In Sweden, an appeal court upheld the approx. 5.2 mln euro fine imposed on Spotify AB for noncompliance with the GDPR. The company must therefore pay a penalty fee. Spotify did not provide in a clear and easily accessible manner the information necessary for the data subject to be able to exercise their rights. It also failed to provide information about storage periods and criteria for determining these, and did not provide sufficient information about appropriate safeguards when transferring personal data to a third country or an international organisation. 

Similarly, the Regional Administrative Court in Lithuania rejected the complaint of UAB Vinted regarding decisions taken by the State Data Protection Inspectorate VDAI. The court found that all the examined factual circumstances and legal norms were assessed properly, and the regulator acted in accordance with the law and the limits of its competence. Last year, the VDAI fined the company 2.3 mln euros for GDPR violations:

  • improper processing of requests from personal data subjects to delete their data and insufficient and unclear information provided;
  • improper implementation of the accountability principle;
  • processing of personal data through so-called shadow blocking, which was carried out without a clear and lawful basis.

In other news

Pixels tracking fine: The Norwegian regulator has audited six websites’ use of tracking pixels. All of them shared visitors’ personal data with third parties without any legal basis (eg, visitors were “duped” into consent), and in several of the cases the data was sensitive. The websites were an online pharmacy, services for vulnerable children, medical services, information about various diseases, conditions and diagnoses, and a website that sells bibles. The information included which websites people visited, what actions they took, or what they added to their shopping cart.

The regulator also found violations of the duty to provide information. In one of the cases, it imposed a fine of approx. 22,000 euros.

Online pharmacy user tracking fine: Finland’s data protection agency meanwhile issued a 1,100,000 euro fine against the pharmacy company Yliopiston Apteekki because of data protection shortcomings, also related to the use of tracking services. The regulator started investigating the practices of the company after a doctoral researcher from the University of Turku contacted them. Using network traffic analysis, the researcher found data protection deficiencies in Finnish online pharmacies as part of research focused on the functioning of health-related online services.

Yliopiston Apteekki had used cookies and other tracking technologies for its online pharmacy in a manner that transmitted data on users’ interactions with the shop related to prescription medicines and over-the-counter medicines directly to Google and Meta, among others. For example, the tracking service providers received data on when a customer added a product to their basket and clicked the purchase button. The transmitted data also included users’ IP addresses and other identifying data. If a user was logged in to their Google or Facebook account when they used the online pharmacy, Google and Meta could have directly identified them. 

23andMe bankruptcy case

23andMe’s customers should be given the opportunity to consent to the sale of their personal data to whoever buys the company’s assets, a consumer privacy ombudsman has told the bankruptcy court handling 23andMe’s case, the VitalLaw law blog reports. An alternative safeguard would be for the consent request to come from the winning bidder. The question of what happens to 23andMe’s data upon sale has attracted significant interest from privacy advocates, lawyers and politicians, with US congressional hearings and calls for legislation to protect genetic data. You can view the whole 211-page ombudsman report into 23andMe’s planned sale of customers’ personally identifiable information here.

In case you missed it 

Diversity at work: In a context of increased awareness of the fight against discrimination, more organisations want to measure the diversity within their workforce. Diversity measurement surveys distributed by employers to their employees collect personal, sometimes sensitive, data, explains the French CNIL, and must be accompanied by guarantees, in accordance with the GDPR. These surveys must remain optional, and employees or agents must be properly informed and their rights respected. The CNIL also recommends favouring anonymous surveys and limiting the data collected with closed-ended questions. Further advice for employers (in French) can be read here.

AI assistants industry: Building AI assistants that fit into our daily lives is a top priority for the AI sector. Privacy International says that companies in this field need to respond to concerns about how they will secure our data. The processing power AI tools need for some tasks is perhaps too much for a personal device, so cloud-enabled synchronisation is how the corporations address that problem. Once the data leaves the device, businesses could use it to train their systems, and they might grant access to your data to their employees and service providers. These uses surpass what a consumer may reasonably expect. Therefore, AI firms must give users clear answers to questions such as:

  • How do I have granular control over access to sensors, data and apps?
  • How can I easily access settings to retract consent?
  • Where is the clear information on what data is used to respond to a query?
  • How can I access and delete any data accessed and used by the Assistant?

According to PI, this is why it is crucial that users insist that their data be processed on their devices as much as possible and used only for specific and limited reasons.

Data protection & privacy digest 3 – 16 May 2023: data processing roles and obligations elaborated by EU top court
https://techgdpr.com/blog/data-protection-digest-17052023-data-processing-roles-and-obligations-elaborated-by-eu-top-court/
Published on TechGDPR, 17 May 2023

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal redress

Pseudonymised (non-personal) data processing: In the case of SRB v. EDPS, the European General Court ruled that pseudonymised data communicated by one party to another would not be regarded as personal data in the recipient’s hands if that party lacks a legal way to obtain the extra, identifying information. The lawsuit resulted from the Single Resolution Board (SRB) decision to conduct a shareholder poll in the case of Banco Popular Español, as part of which it shared the results with a consulting firm. In order to guarantee that replies could not be traced back to specific respondents, SRB pseudonymised the data. The decoding key that might identify specific responses from the alphanumeric codes was not given to the consulting company.

Additionally, the court did not rule out that personal views or opinions may constitute personal data. However, such a conclusion must be based on a case-by-case examination. View the court’s ruling here.
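The set-up the court examined (alphanumeric codes in the recipient's hands, the decoding key retained by the sender) is a common data-protection engineering pattern. The block below is an added example, not the SRB's or the court's code: respondent identifiers and answers are constructed, and the choice of keyed hashing (HMAC-SHA256) with the key kept by the sender is an assumption. It also shows the caveat a practitioner wants: unkeyed hashing of a small identifier space looks like pseudonymisation but can be reversed by anyone who can enumerate the identifiers.

```python
"""Pseudonymising survey responses so that only the sender can re-identify them.

Added example of the arrangement described in SRB v. EDPS, not code from the SRB
or the court. Identifiers and answers are constructed; HMAC-SHA256 with a key that
stays with the sender is an assumed design choice.
"""
import hashlib
import hmac
import secrets

CODE_LEN = 12  # hex characters kept per code; constructed choice


def make_key():
    """Random key that never leaves the sender (the 'decoding key' in the ruling)."""
    return secrets.token_bytes(32)


def pseudonymise(responses, key):
    """Replace each respondent id by a keyed code.
    Returns (coded rows for the recipient, lookup table kept by the sender)."""
    coded, table = [], {}
    for respondent_id, answer in responses:
        code = hmac.new(key, respondent_id.encode(), hashlib.sha256).hexdigest()[:CODE_LEN]
        coded.append((code, answer))
        table[code] = respondent_id
    return coded, table


def reidentify(code, table):
    """Only the holder of the table (equivalently, the key) can reverse the coding."""
    return table.get(code)


def naive_pseudonymise(responses):
    """The weak variant: an unkeyed hash of the identifier."""
    return [(hashlib.sha256(rid.encode()).hexdigest()[:CODE_LEN], ans) for rid, ans in responses]


def guess_identity(code, candidate_ids):
    """What a recipient can try without the key: hash every plausible identifier
    and compare. This succeeds against unkeyed codes and fails against keyed ones."""
    for cand in candidate_ids:
        if hmac.compare_digest(hashlib.sha256(cand.encode()).hexdigest()[:CODE_LEN], code):
            return cand
    return None


if __name__ == "__main__":
    # Constructed shareholder list and poll answers.
    rows = [("shareholder-001", "in favour"), ("shareholder-002", "against")]
    key = make_key()
    coded, table = pseudonymise(rows, key)
    print("recipient sees:", coded)
    print("sender can reverse:", reidentify(coded[0][0], table))
    print("recipient guessing keyed code:", guess_identity(coded[0][0], [r for r, _ in rows]))
    print("recipient guessing unkeyed code:", guess_identity(naive_pseudonymise(rows)[1][0], [r for r, _ in rows]))
```

Whether the recipient "lacks a legal way" to obtain the key is a legal question; whether it lacks a practical way is an engineering one, and the unkeyed variant fails the second test whenever the identifier space (shareholder numbers, e-mail addresses) is small enough to enumerate.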

Right to GDPR compensations: The CJEU has recently published a number of rulings related to data subject rights. In one case, Österreichische Post collected information on the political affinities of the Austrian population, using an algorithm. Following lawsuits for compensation from upset citizens who did not consent to that, the Austrian supreme court asked the CJEU whether mere infringement of the GDPR is sufficient to confer that right and whether compensation is possible only if the non-material damage suffered reaches a certain degree of severity. It also asked what are the EU-law requirements for the determination of the amount of damages. 

The EU top court responds that mere infringement of the GDPR does not give rise to a right to compensation. However, there is no requirement for the non-material damage suffered to reach a certain threshold of severity. The court notes that the GDPR does not contain any rules governing the assessment of damages. It is therefore for the legal system of each Member State to prescribe the detailed rules. 

“Copy” of personal data definition: The CJEU also ruled that the right to obtain a ‘copy’ of personal data means that the data subject must be given a faithful and intelligible reproduction of all those data. The Court notes that the term ‘copy’ does not relate to a document as such, but to the personal data which it contains and which must be complete. That right entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases which contain those data. 

The case relates to CRIF in Austria, a business consulting agency that provides, at the request of its clients, information on the creditworthiness of third parties. It sent the applicant in question a summary of his personal data undergoing processing. However, the individual had expected a copy of all of the documents containing his data, such as emails and database extracts. After the Austrian data protection authority rejected his complaint, the applicant went to court.

CJEU opinions

Data controllers’ strict liability: A non-binding opinion by a CJEU Advocate General limits the strict liability of data controllers for GDPR fines: they may only be imposed on intentional or negligent conduct, (‘mens rea’). The referring court wanted to know whether the state agency could be fined on the simple basis that it breached the obligations imposed on it by virtue of being a controller, (strict liability), or whether an element of fault in committing the relevant breach is required. 

The case concerns the Lithuanian Public Health Centre and the design and deployment of a mobile application for tracking COVID-infected people. After funding for the project failed, the state agency asked the app developers (initially defined as joint controllers) not to use the LPHC details or any association with them in the mobile product. However, it continued to be available for download by the public, unaltered. As a result, the data protection authority decided to impose a fine on both entities in their capacity as joint controllers.

The CJEU’s opinion confirmed that an entity which initiates the development of a mobile application can only be regarded as the ‘controller’. Furthermore, the absence of any agreement or even coordination between joint controllers cannot exclude a finding that the controllers are ‘joint controllers’.

Concept of lawful “data processing”: In the above case, the referring court also called for clarification as to whether the fact that the unlawful processing of personal data was not done by the controller itself but by a processor affects the ability of supervisory authorities to impose a fine on the controller.

The CJEU reasoned that a controller may be fined even though the unlawful processing is carried out by a processor. That possibility is open for so long as the processor acts on the controller’s behalf. However, if the processor uses personal data outside of, or contrary to, the lawful instructions of the controller, then the controller cannot be fined. 

The concept of ‘processing’ encompasses a situation in which personal data is used during the testing phase of a mobile application, unless such data has been anonymised in such a way that the data subject is not, or no longer, identifiable. 

Official guidance

Direct marketing: Effective direct marketing relies on you having a positive relationship with individuals you are marketing to and that is usually rooted in them having consented to you contacting them, states the latest guidance by the Guernsey data protection authority. The document answers the questions on how to obtain people’s consent in a lawful way, while being able to pursue commercial communication and inform people about what you are doing; explains lawful processing conditions under consent and legitimate interest; looks at the dangers of soft opt-in and automated calling systems and silent calls; and provides options for stopping direct marketing. See the full guidance (in English) here.

Client databases: The Latvian data protection agency also looks at client databases. Customer personal data permeates almost every aspect of business, from the delivery address of an order to the use of customer data in creating a company’s marketing campaign. Whether you only store a customer’s first name, last name and email address, or a personal identification number and bank details, you need to make sure that customer information is kept as correct and as secure as possible. The main principles to be followed are:

  • Determine the purpose for which the database is being created (eg, administration of fees, sending news, ensuring access).
  • Evaluate and decide exactly what personal data is required from the client, and don’t collect or store personal data just because you think it might come in handy someday, (eg, if you plan to send information only to e-mail, you do not need to ask the customer for a phone number).
  • The information included in the customer database must also be accurate and must be updated as necessary, (eg, inaccurate data may allow the service to be used by a person who has not paid for it).
  • The necessary technical and organisational requirements must be implemented, (eg, limit personnel who can access customer information, maintain employee training, and if you transfer personal data, ensure that it is encrypted).

Enforcement decisions

Concept of warning and expansion of investigation periods: Spain has modified its law on the protection of personal data and clarified that a warning should not be considered a sanction, but rather an appropriate measure, of a non-punitive nature, included within the corrective powers of the supervisory authorities. Additionally, the increase and greater complexity, (including a one-stop-shop mechanism), of the issues addressed by the data protection agency in the sanctioning procedures show the need to extend some of the resolution deadlines. In particular, for this reason, the modification contemplates an increase from nine to twelve months in the maximum duration of disciplinary procedures, and from twelve to eighteen months in previous investigation actions.

TikTok fine: The UK Information Commissioner’s Office has issued a 12.7 million pound fine to TikTok Information Technologies UK Limited and TikTok Inc for a number of breaches of data protection law, including failing to use children’s personal data lawfully. Whilst TikTok purports to rely, in part, on contractual necessity as its lawful basis for processing the personal data of children under 13, the Commissioner considers that the legal test for contractual necessity is not met in this case. In addition, TikTok failed to make reasonable efforts to ensure that consent was given or authorised for underage child users of its video-sharing platform or to prevent children under 13 from accessing its services. Read the full list of TikTok’s infringements in the original decision.

Information obligation: The Romanian data protection agency fined Libra Internet Bank for not fulfilling its data subject rights obligation. It was found that a response sent to a plaintiff by e-mail did not contain information about the possibility of filing a complaint before a supervisory authority and introducing a judicial appeal for the bank’s refusal to communicate a copy of a requested video recording, thus violating the provisions of Art. 12 in conjunction with Art. 15 of the GDPR. On the same occasion, the regulator noted that the data controller did not present evidence to show that it had adopted measures to facilitate the exercise of the right of access.

Grocery data: The Norwegian data protection authority has taken a decision to ban Statistics Norway’s planned collection of data from the population’s grocery purchases. Through bank data and bank transaction data, Statistics Norway would have information on what a significant proportion of the population buys for groceries. This in turn could be linked to socio-economic data such as household type, income and level of education. No sufficient legal basis for such intrusive processing of personal data exists. Even if the purpose of the collection is anonymous statistics for societal benefit, the intervention in the individual’s privacy will have already occurred once the personal information was collected, (from private actors). Finally, citizens have no real opportunity to oppose such a collection, other than by using cash as a means of payment.

Debt collection data: Croatia’s privacy regulator issued an administrative fine of over 2 million euros on the debt collection agency. The data controller didn’t inform its data subjects, in an accurate and clear manner, about the processing of their personal data. In addition, it did not conclude a data processing agreement with the service of monitoring consumer bankruptcy. The debt collecting agency also did not apply appropriate technical and organisational measures while processing quite sensitive personal data, so it would probably never have noticed a data breach. 

Data security

Encryption pros and cons: The Spanish data protection agency has published a guide for the supervision of cryptographic systems as a security measure in data protection. Encryption is a procedure by which information is transformed into an apparently unintelligible data set using various techniques. The GDPR mentions it as a measure that forms part of the conditions for compliant processing and as an aid to mitigate the risks in the event of a possible breach of personal data. However, if not well designed it can give a false sense of security that relaxes the application of other complementary measures, in particular privacy by design. The document also proposes a list of controls to help the data protection specialist select those that could be the most appropriate for validating the encryption system. Read the full guide (in Spanish) here.

Password hurdle: Reportedly, the average internet user has between 70 and 80 passwords for a wide variety of services, explains the Slovenian data protection agency based on recent research. Considering that a strong password is (at least) 12 characters long, complex and of course unique, it is extremely difficult to remember them all.

Password managers offer effective management and safe storage of passwords. In this case, it is important to have a very strong master password, which is also the only one we need to remember. Two-factor authentication solves two of the most common problems: short, weak, and repeated passwords are no longer so problematic, since access to the service requires an additional unique code that is obtained over the phone.

Finally, most information security experts do not recommend saving passwords in browsers. The reason is primarily the rapid spread of Trojan horses that specialise in stealing user data. Long and unique passwords do not help here, because the virus simply copies them and sends them to attackers.

International data transfers

US data transfers: The European Parliament has rejected the draft US adequacy decision during the plenary vote. Although the resolution is not binding, MEPs concluded that the EU-US Data Privacy Framework fails to create essential equivalence in the level of protection, and called on the Commission to continue negotiations with its US counterparts to provide the adequate level of protection required by Union data protection law as interpreted by the CJEU. MEPs call on the Commission not to adopt the adequacy finding until all the recommendations (on safeguards against American intelligence activities and on the practical deployment of the redress mechanism for individuals) are fully implemented.

To that end, a parliamentary group from the Civil Liberties Committee visits the US capital this week to meet with members of the House of Representatives and Senators working on privacy and cybersecurity issues, including sponsors of different federal privacy acts, as well as the Federal Trade Commission, the US Courts administration, the Department of State, the Data Protection Review Court, the Office of the Director of National Intelligence, NGOs, and think-tanks.

UK privacy reform: According to govinfosecurity.com, the Information Commissioner gave assurances to UK lawmakers considering changes to the country’s national privacy legislation that they won’t jeopardize the adequacy decision made with the EU in 2021. The Data Protection and Digital Information Bill was once again proposed this spring by the Conservative government as an alternative to the GDPR that is more pro-innovation and less bureaucratic. External observers, however, are less certain, citing rulings by the ECHR that British mass intelligence collecting infringed private communications. 

Supporting documents assessing the impact of the Data Protection and Digital Information Bill can be seen here.
