Over the past few months, the UK Information Commissioner’s Office (ICO) has issued a series of enforcement actions that underscore a recurring regulatory concern: data breaches that, in the ICO’s view, were not merely accidental but the result of organisations failing to implement even basic data protection safeguards—violations of their accountability obligations under the UK […]
Internationaler Datenschutz
Internationaler_Datenschutz
Strategie des Europäischen Datenschutzausschusses 2024 – 2027
In der Welt des Datenschutzes wird den meisten der Europäische Datenschutzausschuss (EDSA) ein Begriff sein. Gerade durch die Erstellung von Leitlinien oder Empfehlungen werden Dokumente des EDSA oftmals als Hilfestellung bei datenschutzrechtlichen Fragestellungen verwendet. Aber nicht nur die Erstellung von Leitlinien oder Empfehlungen sind Aufgabe und Ziel des EDSA. Der EDSA hat 2024 eine Strategie […]
TikTok receives fine of 530 million euros by Irish DPC
In September 2021 an investigation was started by the Irish Data Protection Commission (DPC), as Lead Supervisory Authority, to verify TikTok’s compliance with GDPR obligations in terms of: verification of age requirements for users under 13 or 18 years of age and lawfulness of the personal data transfers to the People’s Republic of China (China). […]
Belgian DPA Clarifies Company Liability for GDPR Breaches by Rogue Employees
Are companies always responsible if their employees cause a data breach under the General Data Protection Regulation (GDPR)? According to a recent decision by the Belgian Data Protection Authority (DPA), the answer appears to be yes, or at least in most cases. The Case In this case, a manager at a hospital accessed an employee’s […]
EuGH-Urteil zum „Bonitätsscoring“ – Umfang des Auskunftsanspruchs und Unionsrechtswidrigkeit des § 4 Abs. 6 DSG
Mit dem aktuellen Urteil des Europäischen Gerichtshofs (EuGH) vom 27. Februar 2025 (C‑203/22 – Dun & Bradstreet Austria GmbH) ist klargestellt, dass betroffene Personen gemäß Art. 15 Abs. 1 lit. h DSGVO einen umfassenden Auskunftsanspruch insbesondere in Bezug auf automatisierte Entscheidungsfindungen im Zusammenhang mit Bonitätsscoring-Verfahren haben. In diesem Zusammenhang hat sich der EuGH außerdem hinsichtlich […]
DPO Independence Is Not Optional: Key Takeaways from the Italian DPA
In a decision dated December 2024, the Italian Data Protection Authority (Garante) imposed a fine of 70,000 euros on a credit rehabilitation company for multiple violations of the General Data Protection Regulation (GDPR). While the monetary penalty addressed several issues—such as unlawful data retention and the absence of processor contracts—the most significant takeaway is the […]
Garante Fine for Employee Monitoring and GPS Tracking
The Italian Data Protection Authority (Garante) recently issued a significant decision, imposing a fine of 50,000 euros on a company for unlawful employee monitoring through GPS tracking systems. The sanction followed an investigation into the company’s failure to comply with both national labour law and the EU General Data Protection Regulation (GDPR)—despite having received prior […]
GDPR and Biometric Data: The Lessons from Atlético Osasuna’s Fine
Spanish football club Atlético Osasuna introduced a facial recognition system for stadium access, sparking a GDPR complaint. The case highlights the challenges of biometric data processing, questioning its legality under the GDPR. The issue goes beyond simple convenience, raising concerns about proportionality, necessity, and fundamental privacy rights. Similar concerns arise when businesses upgrade traditional CCTV […]
France – a pioneer in accessibility legislation
Accessibility to products and services has been on the agenda of the European and Frech regulatory authorities for a long time. The goal of the accessibility legislations has been to ensure (digital) inclusivity for all, particularly for people with disabilities. This means allowing everyone to have physical access to buildings and facilities, using telecommunications and […]
Noyb complaints regarding data transfers to China
Noyb (None of Your Business), the data protection organization founded by Max Schrems, has filed complaints regarding six major Chinese companies, namely, TikTok, AliExpress, SHEIN, Temu, WeChat and Xiaomi before the data protection authorities of Italy, Greece, Belgium, the Netherlands and Austria. Mirroring the complaints filed some years ago regarding data transfers to the US, […]
News from the UK: The ICO’s Online Tracking Strategy 2025
The UK data protection authority, Information Commissioner’s Officer (ICO), has recently published news regarding their online tracking strategy for 2025. Recognizing that “being tracked online is part of daily life for most people”, in 2024 the ICO implemented a number of initiatives to enhance people’s control over how they are tracked. Among such initiatives, the […]
Netflix en de boete van 4,75 miljoen euro: Wat bedrijven kunnen leren over privacy en de AVG
Wanneer je het iconische „Tadum“, het opstartgeluid van Netflix, hoort, denk je waarschijnlijk aan je favoriete tv-serie. Maar onlangs hoorde de Autoriteit Persoonsgegevens (AP) iets anders: een oproep tot strengere naleving van de privacywetgeving. Netflix kwam onder vuur te liggen vanwege zijn privacypraktijken, wat leidde tot een onderzoek en een boete van 4,75 miljoen euro. […]
Legislation on Web Accessibility in Spain
The Spanish legislation contemplates the need to guarantee the rights of people with disabilities since the Spanish Constitution of 1978. In the framework of information technologies, the „Law 51/2003, of 2 December, on equal opportunities, non-discrimination and universal accessibility for people with disabilities“, now repealed, established a period of two years to approve the basic […]
Italian Data Protection Authority bans DeepSeek for Italian market
In the past years, the Italian Data Protection Authority (Garante per la Protezione dei dati personali) has made clear statements towards big technology companies introducing their services in Italy, prior to the verification of GDPR and Italian Data Protection Act compliance. We are referring to the Clearview case of 2022, that caused a fine of […]
AI Literacy and the Dutch Data Protection Authority’s Recommendations
Is your business ready for the AI Act? As of February 2, 2025, businesses operating in the EU must ensure that their employees are AI-literate in accordance with the AI Act. This means that anyone working with AI, whether developing, implementing, or using AI-driven tools, must have the necessary knowledge, skills, and ethical awareness to […]