The Italian Data Protection Authority (Garante) has taken urgent action against Clothoff, an AI-powered app capable of generating hyper-realistic “deep nude” images based on pictures of real people. On 3 October, the regulator issued an immediate order blocking the app – developed by a company based in the British Virgin Islands – from processing […]
Francesca Romana Di Costanzo
Posts by Francesca Romana Di Costanzo:
Cookies are not always sweet in France
In the last three years, the French data protection authority (Commission Nationale de l’Informatique et des Libertés or CNIL) has issued very high fines to big companies for non-compliance in the area of cookies and tracking devices. Some examples are: the 35 million euro sanction imposed by the CNIL against Amazon in 2020 […]
The Data Act entered into force – what you need to know
On 12 September 2025, the Data Act (Regulation (EU) 2023/2854) became applicable in the EU member states. The Data Act creates a framework for fair access to and use of data across the EU, and it is aimed at giving users more control over product-generated data and fostering the principles of transparency, fairness, and GDPR […]
China’s Latest Updates on PIPL and Clarifications on Sensitive Personal Information
Different legislative updates were recorded in China in the last couple of months. These concern several topics related to data protection and data security, such as the definition of sensitive personal information, appointment obligations and registration of a Data Protection Officer (DPO), reporting measures in case of data security incidents for financial services and the […]
TikTok receives fine of 530 million euros by Irish DPC
In September 2021 an investigation was started by the Irish Data Protection Commission (DPC), as Lead Supervisory Authority, to verify TikTok’s compliance with GDPR obligations in terms of: verification of age requirements for users under 13 or 18 years of age and lawfulness of the personal data transfers to the People’s Republic of China (China). […]
France – a pioneer in accessibility legislation
Accessibility to products and services has been on the agenda of the European and French regulatory authorities for a long time. The goal of accessibility legislation has been to ensure (digital) inclusivity for all, particularly for people with disabilities. This means allowing everyone to have physical access to buildings and facilities, using telecommunications and […]
Italian Data Protection Authority bans DeepSeek for Italian market
In the past years, the Italian Data Protection Authority (Garante per la Protezione dei dati personali) has made clear statements towards big technology companies introducing their services in Italy, prior to the verification of GDPR and Italian Data Protection Act compliance. We are referring to the Clearview case of 2022, that caused a fine of […]
UK Data Protection Commissioner (ICO) launched a Data Protection Audit Framework
The ICO has recently issued an instrument to support organisations in verifying data protection compliance. The online audit toolkits can be used to conduct both consensual and compulsory audits. The toolkits are designed for organization personnel having familiarity with data protection compliance or data protection professionals (for example: senior management, the data protection officer, internal […]
Email Marketing Compliance in Canada: Key Requirements for B2B Communication
In today’s digital landscape, email marketing remains one of the most effective tools for businesses to connect with clients and partners. However, ensuring compliance with local data protection and anti-spam laws is essential to avoid legal complications. For businesses operating in or communicating with recipients in Canada, Canada’s Anti-Spam Legislation (CASL) and other data […]
Data Protection Officer (DPO) in Singapore – obligations, role and responsibilities
The Personal Data Protection Act (PDPA) of Singapore mandates organizations to safeguard the personal data they collect, use, or disclose. A key aspect of this responsibility is appointing a Data Protection Officer (DPO) or a team to ensure compliance with the PDPA. Appointing a DPO – requirements and obligations As part of the Accountability Obligation, […]
How to verify the implementation of Binding Corporate Rules? The CNIL published a monitoring tool
A number of multinational companies operating across multiple jurisdictions and sharing personal data between different countries have adopted Binding Corporate Rules (BCRs) as a transfer mechanism under Art. 47 of the General Data Protection Regulation (GDPR). BCRs are internal data protection compliance rules to ensure that personal data transferred between their entities, particularly from the […]
How to protect data from web scraping? Guidelines from The Italian DPA
In May 2024, the Italian Data Protection Authority (Garante per la protezione dei dati personali, or Garante for short) released guidelines aimed at protecting personal data published online by public and private entities (in the role of data controller) from web scraping performed by third parties. While the purposes to perform data scraping or web […]
Italian Data Protection Authority imposed the highest fine so far on electricity provider
Telemarketing activities and aggressive practices against consumers are again in the spotlight of the Italian Data Protection Authority (Garante), which imposed the highest fine ever on the Italian electricity provider Enel Energia. It is unfortunately very common that Italian consumers are harassed by unwanted telephone calls from marketing agencies proposing contracts for different services […]
Unlawful use of a GPS tracking tool installed in company cars was found by the Austrian DPA
The installation of a GPS tracking tool on the company fleet cars has always been a pretty delicate and sometimes controversial topic, on which data protection implications have a critical role when deciding the way it is implemented, in accordance with the principles of privacy by design and by default. The case of the Austrian […]
Insurance company receives significant fine from Swedish SA
Another significant fine for the lack of adequate security measures on personal data was recently issued by a European Supervisory Authority (SA) to a controller responsible for private customers’ data. In the present case, the Swedish Supervisory Authority (IMY) imposed a fine of SEK 35 million (approx. EUR 2.9 million) on the insurance company Trygg-Hansa, […]