The Italian Data Protection Authority (Garante) has taken urgent action against Clothoff, an AI-powered app capable of generating hyper-realistic “deep nude” images based on pictures of real people. On 3 October, the regulator issued an immediate order blocking the app – developed by a company based in the British Virgin Islands – from processing […]
International Data Protection
Whose Consent Is It Anyway? The Promise Behind India’s Consent Manager
This article is part of a series examining the features of India’s Digital Personal Data Protection Act, 2023 that are unique to, or diverge from, the GDPR. India’s Digital Personal Data Protection Act, 2023 (DPDPA) represents a new phase in the country’s data protection landscape. While inspired by global frameworks such as the GDPR, it […]
CNIL Fines Samaritaine €100,000 for Hidden Cameras: A Legal Analysis
On 18 September 2025, the French Data Protection Authority (CNIL) issued Deliberation SAN-2025-008, imposing a €100,000 fine on Samaritaine SAS for clandestinely installing surveillance cameras in employee areas. In August 2023, in response to a rise in stockroom thefts, the company installed five hidden cameras disguised as smoke detectors. The devices also recorded audio. Within […]
Automated Credit Scoring Under Scrutiny in Europe
The CJEU’s SCHUFA judgement (C-634/21) in 2023 clarified that producing and transmitting a credit score can itself amount to an automated decision under Article 22 GDPR where the score is determinative for contract outcomes. This ruling has now translated into concrete enforcement. In 2025, both the Austrian and Hamburg DPAs issued decisions that apply these […]
German Data Protection Conference (Datenschutzkonferenz) Publishes Application Guidance on Data Transfers to Third Countries for Medical Research
International cooperation in medical research is becoming increasingly important, but it brings particular data protection challenges and puts researchers and research institutions to the test. As soon as personal data is processed or transferred in this context, the data protection requirements must be observed. Particularly for data transfers to so-called third countries, it must be ensured that the level of data protection guaranteed in the EU […]
Understanding the ICO’s Encryption Guidance under UK GDPR
The United Kingdom’s Information Commissioner’s Office (ICO) has released detailed guidance on the use of encryption under the UK GDPR. This guidance is a part of the ICO’s wider information-security programme and is designed to help organisations use encryption effectively to safeguard personal information. This article outlines the key points of the ICO’s guidance on […]
Bibbidi Bobbidi Boo, Here’s a Fine for You – Disney’s $10M COPPA Case
Sometimes even the strongest magic cannot hide a compliance misstep, as the Federal Trade Commission (FTC) reminded Disney that even their enchantments must follow the rules. On September 2, 2025, a settlement of $10 million was reached between Disney Worldwide Service, Inc. and Disney Entertainment Operations LLC (Disney) and the FTC. Disney is one of […]
You Have Been Called Out: The ICO’s Warning Against Unlawful Marketing
Recently, the UK’s Information Commissioner’s Office (ICO) imposed significant fines totaling £550,000 against two companies relying on unlawful automated marketing calls, or “robo calls”. Green Spark Energy Ltd was fined £250,000 for making 9.5 million unsolicited automated calls, while Home Improvement Marketing Ltd faced a £300,000 penalty for making 2.4 million […]
China Issues Measures on Personal Information Compliance Audits
On 14 February 2025, the Cyberspace Administration of China (CAC) issued the Administrative Measures on Compliance Audits for Personal Information Protection (the Measures), which came into effect on 1 May 2025. The Measures mark the transition of the personal information compliance audit regime, first established under the Personal Information Protection Law of the People’s […]
Cookies are not always sweet in France
In the last three years, the French data protection authority (Commission Nationale de l’Informatique et des Libertés or CNIL) has issued very high fines to big companies for non-compliance in the area of cookies and tracking devices. Some examples are: the 35 million euro sanction imposed by the CNIL against Amazon in 2020 […]
EU General Court Dismisses Action Against the Data Privacy Framework
The recently delivered judgment of the General Court of the European Union in Case T-553/23 | Latombe / Commission concerns the transfer of personal data from the European Union to the USA and the level of protection prevailing there. Facts and legal framework of the decision: In its judgment, the General Court confirmed in principle, with regard to the USA, an adequate […]
The Data Act entered into force – what you need to know
On 12 September 2025, the Data Act (Regulation (EU) 2023/2854) became applicable in the EU member states. The Data Act creates a framework for fair access to and use of data across the EU, and it is aimed at giving users more control over product-generated data and fostering the principles of transparency, fairness, and GDPR […]
UK Data (Use and Access) Act 2025: Key Changes for Privacy Compliance
On 19 June 2025, the Data (Use and Access) Act 2025 (DUAA) received Royal Assent, becoming law in the UK and marking a significant development in the country’s data protection framework. The first provisions will take effect on 20 August 2025 under the Commencement No. 1 Regulations, with others phased in through mid‑2026; some changes (most […]
Are Belgian Companies Overlooking the Obligation to Appoint a Data Protection Officer?
In a previous article, we explained what Belgium’s new law on private investigations (WPO) means for companies and when it applies. As we emphasised, the scope of the law extends far beyond professional detective agencies. In fact, many everyday workplace measures now fall under the WPO. The term “private investigation activities” is very […]
Belgium’s New Law on Private Investigations: What It Means for Employers and the Protection of Employee Privacy
In December 2024, Belgium introduced a significant update to its legislation on private investigations: the Wet tot regeling van de private opsporing (WPO). At first glance, one might think this law concerns only private detectives. But its scope is far broader. In fact, it significantly affects how companies conduct internal investigations and deal with incidents at the […]