Thirteen days later, he sent a request for access under Article 15 of the GDPR. The company refused the request, considering it to be abusive. According to various reports and blog articles, the individual systematically subscribes to newsletters of various companies before submitting an access request<\/a> and then a compensation claim. The individual maintained that his access request was legitimate and claimed compensation of at least 1,000 euros<\/strong>.\u00a0<\/p>\n\n\n\n Protecting children online: <\/strong>On 3 April, the Regulation on the Extension of Derogation from the ePrivacy Directive for the purpose of identifying Child Sexual Abuse Material (CSAM) online expired, digitalpolicyalert.org reports. The extension concerns an exemption from data protection regulations, which grants hundreds of providers offering number-independent interpersonal communication services<\/a>, such as messaging services, the authority to use technologies for processing personal and other data to identify, report, and remove instances of online child sexual abuse on their platforms<\/strong>.\u00a0In addition, providers must ensure that information regarding reports of detected online child sexual abuse submitted to authorities and the Commission is accessible in a structured format.<\/p>\n\n\n\n \u2018Legitimate interests\u2019 analysis: <\/strong>The EDPB has published a One-Stop-Shop case digest on the legal basis of “legitimate interest”. It provides useful examples of how regulators analyse controllers\u2019 reliance on this legal basis in specific contexts, providing positive and negative compliance examples. In particular, it explains and summarises how regulators apply the three-step test to assess whether a controller can lawfully rely<\/a> on legitimate interests. Relevant cases before the CJEU and national courts are also mentioned. <\/p>\n\n\n\n <\/p>\n\n\n\n On World Backup Day, 31 March, the German Federal Office for Information Security (BSI) called on consumers to back up important data. Data backup is not a complicated process: most operating systems guide users through the process. Nonetheless, only one-fifth of internet users regularly create backups. Backups can be performed in the cloud or on a physical storage medium, such as an external hard drive<\/a>. <\/p>\n<\/div><\/div>\n\n\n\n Those who opt for a physical storage medium should keep it in a different location than, for example, the source computer for the data being backed up.\u00a0\u00a0<\/p>\n\n\n\n The CNIL has published a reference framework (in French) to help data controllers identify retention periods for their personnel management activities. This document is particularly useful for data protection officers, GDPR referents, but also for staff working in human resources departments or for the information systems department.<\/a> This repository is organised by processing activities and includes:<\/p>\n\n\n\n Cookies user guide: <\/strong>The Swiss regulator, FDPIC, has published a factsheet on the use of cookies (in English) that explains how users can retain control over their own data and minimise the digital footprint they leave behind while browsing<\/a>. Although cookies and similar technologies can enhance the online browsing experience, for example, by saving the contents of a shopping basket or certain preferences, they can also enable third parties to track users\u2019 online activities.\u00a0<\/p>\n\n\n\n AI red lines:<\/strong> The Future of Privacy Forum continues its series of publications on Red Lines under the EU AI Act<\/a>. This time, it pays attention to the prohibition on biometric categorisation for \u201ccertain sensitive characteristics\u201d to deduce or infer race, political opinions, trade union membership, religious or philosophical beliefs<\/a>, etc. The risks associated with biometric categorisation also reflect broader concerns under EU data protection legislation, as sensitive characteristics may themselves constitute special categories of personal data under the GDPR.\u00a0<\/p>\n\n\n\n Previous analysis by FPF also looked at prohibition and emotion recognition in the workplace and educational institutions<\/a>.<\/p>\n\n\n\n Health data in the cloud:<\/strong> More and more organisations are using cloud solutions for processing health data. The Dutch data protection authority AP has therefore published an updated and broadened version of AP’s practice guide on patient data in the cloud<\/a>. The practice guide now focuses not only on patient data within the treatment relationship, but on health data in a broader sense<\/strong>. <\/p>\n\n\n\n <\/p>\n\n\n\n Police biometric data: <\/strong>A police authority may,in a criminal investigation, collect biometric data solely because the collection is strictly necessary<\/a>. The Maltese data protection agency looked at a recent ruling by the CJEU, which stated that the gathering of identification data may not be required systematically and clear reasons must be given for it, failing which the criminal penalty laid down for refusing to consent to that gathering will be invalid.<\/p>\n<\/div><\/div>\n\n\n\n In a related case, a person was detained in Paris for organising a demonstration without prior notice and for disobedience. While he was in police custody, he refused to consent to the gathering of identification data (fingerprints and photo)<\/a>. That refusal resulted in his being charged, even though he was acquitted of the offence forming the basis of the envisaged gathering of identification data. <\/p>\n\n\n\n Credit information checks should be free of charge:<\/strong> The Finnish data protection ombudsman considers that the regular practice of the credit information company Dun&Bradstreet, in which a person has only been able to check their own credit information once a year, free of charge, is not in accordance with data protection legislation<\/a>. Customers had been regularly charged a fee if they had requested information more than once within a year. The company also had shortcomings in responding to requests for personal data. <\/p>\n\n\n\n According to the law, a fee can only be charged in situations where the request is manifestly unfounded or unreasonable, for example, if the same information is requested repeatedly. <\/p>\n\n\n\u00a0Stay up to date! Sign up to receive our fortnightly digest via email.<\/mark><\/a><\/h6>\n\n\n\n
Main developments<\/h4>\n\n\n\n
Back up!<\/h4>\n\n\n\n
![\"access](\"https:\/\/techgdpr.com\/wp-content\/uploads\/2026\/04\/image-1024x633.png\")
<\/figure>Human resources management<\/h4>\n\n\n\n
\n
More official guidance<\/h4>\n\n\n\n
In other news<\/h4>\n\n\n\n
![\"\"](\"https:\/\/techgdpr.com\/wp-content\/uploads\/2026\/04\/image-1024x683.jpeg\")
<\/figure>