In April 2026, Microsoft introduced a new feature for Microsoft 365 Copilot: „Flex Routing“. The name sounds harmless. The data protection implications are not. What Is Flex Routing? Flex Routing allows Microsoft to reroute Copilot AI requests to data centres in the US, Canada, or Australia when European data centre capacity runs short. What is […]
International Data Protection
China’s New Draft Rules for Small Personal Information Controllers
On 3 April 2026 China’s Cyberspace Administration (CAC) published a draft regulation titled the Provisions on Simplified Measures for Personal Information Protection by Small Personal Information Controllers (Draft for Comment) (the „Draft“). The Draft is open for public comment and, once finalized, will introduce a tiered compliance framework under China’s Personal Information Protection Law (PIPL). […]
The Italian DPA’s Fine Against Intesa Sanpaolo: Lessons for Access Management and Data Breach Handling
On 26 March 2026, the Italian data protection authority (Garante per la protezione dei dati personali, „Garante“) fined Intesa Sanpaolo S.p.A. €31,800,000. This is one of the largest fines the Garante has ever imposed, and it carries clear lessons for any organisation that processes personal data at scale – not just banks. What Happened Between […]
China’s Face Recognition Regulation: What the New Rules Mean for Businesses
On 1 June 2025, China’s Cyberspace Administration (CAC) brought into force the Measures for the Security Management of Face Recognition Technology Applications (the „Measures“). This landmark regulation is the first piece of dedicated legislation in China governing the use of biometric facial data, and it carries significant implications for any organization processing face recognition data […]
When Access Requests Become Abusive: Key Takeaways from C-526/24 Brillen Rottler
The Court of Justice of the European Union (CJEU) has clarified in Brillen Rottler (C-526/24) that, in exceptional circumstances, even a first data subject access request (DSAR) may be refused as “manifestly unfounded or excessive” under Article 12 para. 5 GDPR. This is an important development. However, the judgment should not be misunderstood. The Court […]
ICO Guidelines on the New Complaint Handling Requirements in the UK
The Data (Use and Access) Act 2025 introduced several important regulatory changes to the existing UK data protection framework. One of the most notable changes is the introduction of a formal right for individuals to complain directly to organisations about how their personal data has been handled. This consequently requires organisations to have in […]
Unlawful Profiling and Poor Transparency: Key Takeaways from the Garante’s Fine Against Intesa Sanpaolo
The Italian Data Protection Authority (Garante) has imposed a €17.6 million fine on Intesa Sanpaolo, one of the largest banking groups in Italy, for unlawful processing of personal data affecting approximately 2.4 million customers in the context of their transfer to the digital bank Isybank. What makes this case particularly relevant is not only its […]
Spanish AEPD v FC Barcelona: DPIA Required for Processing Biometric Data
The Spanish Data Protection Authority (AEPD) recently imposed a €500,000 fine on Fútbol Club Barcelona for failing to properly conduct a Data Protection Impact Assessment (DPIA) when implementing biometric systems used during the club’s membership census process. This complex decision ultimately focuses on Article 35 GDPR, with the AEPD concluding that the club failed to […]
Biometric Data: Key GDPR Lessons from an AEPD Decision
The Spanish Data Protection Authority (AEPD) recently imposed a €950,000 fine on a company offering digital identity and age verification services that rely on facial analysis technology. The decision is particularly relevant for organisations deploying facial analysis technologies, including AI-based age estimation and identity verification systems that generate biometric templates, as it illustrates how regulators […]
Italian DPA Orders Amazon Entity to Stop Unlawful Employee Data Processing
The Italian Data Protection Authority (Garante per la protezione dei dati personali) has issued an urgent order with immediate effect requiring Amazon Italia Logistica S.r.l. to stop processing personal data relating to more than 1,800 employees at one of its logistics facilities. The investigation revealed multiple violations from a data protection perspective. In particular, the […]
Digital Accessibility and Data Protection: Insights from the Italian Data Protection Authority
Digital accessibility is becoming a central compliance topic across Europe. With the entry into application of the European Accessibility Act (Directive (EU) 2019/882, EAA), EU Member States must ensure that a wide range of digital products and services meet accessibility requirements so that people with disabilities can access them without barriers. These requirements apply to […]
EU-Brazil Adequacy Decisions: What Changes in Practice
On 26 January 2026, Brazil and Europe adopted mutual adequacy decisions regarding international transfers of personal data. The European Commission adopted an adequacy decision for Brazil under Article 45 GDPR, enabling transfers from the EU to Brazil. The Brazilian data protection authority (ANPD) adopted Resolution No. 32/2026 recognizing the EU as providing an adequate level […]
Implementation of Data Subject Rights in Third Countries
One of the core concerns of the General Data Protection Regulation (GDPR) is that natural persons retain control over their own personal data. Transparent processing of that data is meant to ensure this. Arguably the most important instrument for this purpose are the so-called „data subject rights“ under Art. 12-23 GDPR, in particular the right of access (Art. 15 GDPR) and the right to erasure (Art. 17 […]
Digital Omnibus Part 2: What Organisations Need to Know About the Joint Opinion of EDPB and EDPS
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have published their Joint Opinion (the Joint Opinion) on the European Commission’s Digital Omnibus Proposal (the Proposal). Following our earlier analysis (Part 1) of the Proposal itself, this article examines how key elements of the reform are viewed by these supervisory bodies. […]
Reading Between the Lines of the Italian DPA’s 2026 Inspection Plan
With its Resolution of 30 December 2025, the Italian Data Protection Authority (Garante per la protezione dei dati personali) published its inspection plan for the period January to July 2026. The plan sets out the Authority’s inspection focus for the first semester of the year and provides for at least 40 targeted inspections across the […]