The information assets include all IT resources \u2013 hardware, software, various data communication devices, etc. However, people working in an organisation and customers can also be considered information assets. Therefore, it can be said that data protection and information security are like two sides of the same coin: data protection determines the basic principles of personal data processing, while information security helps to implement these principles<\/strong>. <\/p>\n\n\n\n Beyond the simple fact that it makes good business sense to ensure information security and protect assets, the obligation to implement information security comes among other things from data protection laws, which state that personal data security must be ensured by appropriate and secure measures. This means that each situation must be assessed individually<\/strong>. To start with: <\/p>\n\n\n\n As a general approach, try to process as little personal data as necessary and only when needed, stresses the Estonian regulator.<\/p>\n\n\n\n <\/p>\n\n\n\n The Commission has published the full list of signatories to the EU’s generative AI Code of Practice initiative so far, known also as the Code of Practice<\/a> for General Purpose AIs (GPAIs), published on July 10, 2025. This will reduce their administrative burden and give them more legal certainty than if they proved compliance through other methods. <\/p>\n<\/div><\/div>\n\n\n\n <\/p>\n\n\n\n Among signatories there are: Amazon, Anthropic, Google, IBM, OpenAI, Microsoft, Mistral AI and a dozen other<\/a> companies, (some signatories may not appear immediately on the list). In addition, xAI signed up to the Safety and Security Chapter; this means that it will have to demonstrate compliance<\/a> with the AI Act\u2019s obligations concerning transparency and copyright via alternative adequate means.<\/p>\n\n\n\n The code has also been complemented by Commission guidelines<\/a> and the Q&A<\/a> on key concepts related to general-purpose AI models. <\/p>\n\n\n\n European Biotech Act: <\/strong>The Commission opened a consultation, until 10 November, as part of the development of the European Biotech Act. It will propose a series of measures to create an enabling environment to accelerate the transition of biotech products from laboratory to factory and to the market, while maintaining the highest safety standards for the protection of the population and the environment. The act will address growing dependencies in biotech on data, storage, computing power, and AI<\/a>. <\/p>\n\n\n\n In the EU, biotechnology reached a gross value added in 2022 of 38.1 billion euros: the highest contribution came from medical and pharmaceutical biotechnologies, and the fastest-growing area was industrial biotechnology. At the same time, European biotech companies face an opportunity gap, with the US having twice as many early-stage venture capital deals and three times as many late-stage deals. Over the last six years, 66 of the 67 biotech companies going public have targeted the US NASDAQ rather than European stock markets. <\/p>\n\n\n\n California privacy updates: <\/strong>The California Privacy Protection Agency (CPPA) has filed a judicial action seeking to enforce an investigative subpoena against Tractor Supply Company, a Fortune 500 company<\/a> that bills itself as the nation’s largest rural lifestyle retailer. The CPPA’s petition alleges that Tractor Supply failed to comply with a subpoena seeking information about the company’s compliance with the California Consumer Privacy Act of 2018. The petition marks the CPPA’s first public disclosure of an ongoing investigation into a company and its first judicial action to enforce an investigative request. The agency has been investigating whether Tractor Supply failed to honour Californians’ right to opt out of the sale and sharing of their personal information online. <\/p>\n\n\n\n <\/p>\n\n\n\n GDPR from A to Z:<\/strong> The German Federal Data Protection Commissioner (BfDI) has updated a catalogue that provides a compact compilation of the most important legal texts<\/a>: the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). In addition to the legal texts and the references to the GDPR, it contains explanations of specific topics and vague legal terms.<\/p>\n<\/div><\/div>\n\n\n\n <\/p>\n\n\n\n Data memorisation in LLMs:<\/strong> Additionally, the BfDI has finished its consultation on processing personal data in large language models<\/a> in a way that complies with data protection laws. Civil society, industry, and scientific groups were all included in the consultation. It looked for information about the limits of anonymisation, the memorisation of personal information, the dangers of data extraction, and the protection of the rights of data subjects<\/a> under the GDPR in AI systems.<\/p>\n\n\n\n AI in healthcare: <\/strong>The EU Publication Office offers a study on on the deployment of AI in healthcare. Present-day healthcare systems face several complex challenges, including rising demand due to an ageing population, increasing prevalence of chronic and complex conditions, rising costs, and shortages in the healthcare workforce. AI has the potential to address some of these by improving operational efficiency, reducing administrative burdens, and enhancing diagnosis and treatment<\/a> pathways. <\/p>\n\n\n\n The Latvian DVI explains what is the minimum amount of data to place an order in an e-store<\/a>. In order to ensure the fulfillment of an order, certain personal data must be collected and processed. This process can be conditionally called a mutual agreement. The following data is required to place an order:<\/p>\n\n\n\n The merchant must be able to clearly indicate why each type of data is necessary. For example, first and last name is necessary to fulfill a legal obligation. Other data, on the other hand, is necessary to fulfill the requirements of the contract. For example, if the service is \u201cintangible\u201d (online courses), first name, last name and email address are sufficient, which are necessary for sending the invoice and access data<\/a>. A merchant may also need additional information if the product or service is individually tailored to the customer (eg, tailored clothing, selection of skin care products manufacturing of spectacles). <\/p>\n\n\n\n <\/p>\n\n\n\n Customer data may only be used for the purposes originally specified. It may not be transferred to other parties unless there is a legal basis for this, such as the customer’s consent, a legal obligation or a legitimate interest. It may also be justified to use the data for related purposes such as archiving, if this does not conflict with the original purpose of obtaining the data.<\/p>\n<\/div><\/div>\n\n\n\n <\/p>\n\n\n\n The DVI has also tried to answer the question: Should the deletion request itself be erased if someone has asked for data processed with their consent to be deleted?<\/a> If a person withdraws consent to the processing of their data and requests the deletion of all data related to this consent, the organisation is obliged to stop processing this data as soon as possible and delete it, unless there is another legal basis for continuing to store or use it. This means that all data that was collected on the basis of consent must be deleted (eg, the person being removed from the list of recipients of commercial communications).<\/p>\n\n\n\n However, the request document itself, by which the person withdraws consent, as well as the organisation’s response to it, cannot be deleted at the same time as the aforementioned data, since the basis for processing such information is not the person’s consent within the meaning of the GDPR. They may be stored to fulfill the institution’s interests in managing its documentation and ensuring the protection of its rights (so that, if necessary, it can be confirmed that the request has been received, fulfilled and when it occurred).<\/p>\n\n\n\n Biometrics: <\/strong>Canada\u2019s Privacy Commissioner has published guidance on biometrics for the public and private sectors. While biometrics can enhance security and help in service delivery, they can also raise privacy issues. Biometric information is intimately linked to an individual\u2019s body and is often unique, and unlikely to vary significantly over time<\/a>. It can reveal sensitive information such as health information or information about race and gender characteristics. The guidance among other things addresses key considerations for organisations when planning and implementing initiatives involving biometric technology – transparency, safeguarding data, and accuracy, including testing for biometric systems.<\/p>\n\n\n\n IoT data security: <\/strong>America\u2019s NIST finalized its \u2018Lightweight Cryptography\u2019<\/a> Standard to Protect Small Devices. Four relevant algorithms are now ready for use to protect data created and transmitted by the Internet of Things and other electronics. The standard is built around a group of cryptographic algorithms in the Ascon family, which NIST selected in 2023<\/a> as the planned basis for its lightweight cryptography standard . They require less computing power and time than more conventional cryptographic methods do, making them useful for securing data from resource-constrained devices. For more technical information on the standard, visit the NIST Lightweight Cryptography Project page<\/a>. <\/p>\n\n\nStay up to date! Sign up to receive our fortnightly digest via email.<\/mark><\/strong><\/code><\/a><\/h4>\n\n\n\n\n
List of AI companies signed up to the EU Code of Practice<\/strong><\/h4>\n\n\n\n
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXfP2EhexOLHckb7cHDN02vNFXrCzII2HkhShProckz88KuBCgu3yikEBp4eXHfiExUAs06ENaymi0OUhbHtI4gymSXtkSP_96XfnwvmKE3_PT9atE--RxlP2E33w64nhDdzqAPpGQ?key=ljFrlDUcHoy4fWtTbATh1g\")
More legal updates<\/h4>\n\n\n\n
More from supervisory authorities<\/h4>\n\n\n\n
![\"information](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXc8TX1lqtUz7cj-0GowdJiZOE6vwXxB2Bx5PQG8lr5ztQ3kPJqTjO1FM-yG9y62ydhmr0eQUPCLwXa8IwsN3tIxobzFi7v0UIxmbOgJwsTWemXmf__TqURc2NIUco0TJfXoUZFtpg?key=ljFrlDUcHoy4fWtTbATh1g\")
E-store data minimisation<\/strong><\/h4>\n\n\n\n
\n
![\"information](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXcN0I2h21ATnDOPNsI9Dm1zTA2u5TC3jlj1TzWFhbA01Mvo4fAc_fOABmlcTeOcSA4qhqzlmikkObcGLZOQz312PBftCNnElO3oiz2eBYDweMrEDJdo8bM1DKrs2e7VvMqFnaItQw?key=ljFrlDUcHoy4fWtTbATh1g\")
Data deletion request<\/strong><\/h4>\n\n\n\n
More official guidance<\/h4>\n\n\n\n