On 5 February 2026, Germany passed a new law transposing EU-Directive 2023/2673. Of particular importance are the new requirements regarding the right of consumers to withdraw from contracts via a new online interface: the so-called “withdrawal button”. These obligations will enter into force across the whole European Union at the latest on 19 June 2026. […]
data protection
Unlawful Profiling and Poor Transparency: Key Takeaways from the Garante’s Fine Against Intesa Sanpaolo
The Italian Data Protection Authority (Garante) has imposed a €17.6 million fine on Intesa Sanpaolo, one of the largest banking groups in Italy, for unlawful processing of personal data affecting approximately 2.4 million customers in the context of their transfer to the digital bank Isybank. What makes this case particularly relevant is not only its […]
Spanish AEPD v FC Barcelona: DPIA Required for Processing Biometric Data
The Spanish Data Protection Authority (AEPD) recently imposed a €500,000 fine on Fútbol Club Barcelona for failing to properly conduct a Data Protection Impact Assessment (DPIA) when implementing biometric systems used during the club’s membership census process. This complex decision ultimately focuses on Article 35 GDPR, with the AEPD concluding that the club failed to […]
Biometric Data: Key GDPR Lessons from an AEPD Decision
The Spanish Data Protection Authority (AEPD) recently imposed a €950,000 fine on a company offering digital identity and age verification services that rely on facial analysis technology. The decision is particularly relevant for organisations deploying facial analysis technologies, including AI-based age estimation and identity verification systems that generate biometric templates, as it illustrates how regulators […]
Digital Accessibility and Data Protection: Insights from the Italian Data Protection Authority
Digital accessibility is becoming a central compliance topic across Europe. With the entry into application of the European Accessibility Act (Directive (EU) 2019/882, EAA), EU Member States must ensure that a wide range of digital products and services meet accessibility requirements so that people with disabilities can access them without barriers. These requirements apply to […]
EU-Brazil Adequacy Decisions: What Changes in Practice
On 26 January 2026, Brazil and Europe adopted mutual adequacy decisions regarding international transfers of personal data. The European Commission adopted an adequacy decision for Brazil under Article 45 GDPR, enabling transfers from the EU to Brazil. The Brazilian data protection authority (ANPD) adopted Resolution No. 32/2026 recognizing the EU as providing an adequate level […]
Digital Omnibus Part 2: What Organisations Need to Know About the Joint Opinion of EDPB and EDPS
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have published their Joint Opinion (the Joint Opinion) on the European Commission’s Digital Omnibus Proposal (the Proposal). Following our earlier analysis (Part 1) of the Proposal itself, this article examines how key elements of the reform are viewed by these supervisory bodies. […]
No Account, No Purchase? EDPB Pushes Back on Mandatory Registration
Requiring users to create an account in order to complete an online purchase is a widespread practice in e-commerce. Businesses commonly justify this requirement by reference to operational efficiency, customer convenience, or the development of long-term commercial strategies. With its Recommendations 2/2025, the European Data Protection Board (EDPB) addresses this practice directly and clarifies the […]
Reading Between the Lines of the Italian DPA’s 2026 Inspection Plan
With its Resolution of 30 December 2025, the Italian Data Protection Authority (Garante per la protezione dei dati personali) published its inspection plan for the period January to July 2026. The plan sets out the Authority’s inspection focus for the first semester of the year and provides for at least 40 targeted inspections across the […]
U.S. Data Privacy Developments in 2025 – A Year in Review
Every year at this time I sit down to write a blog article, tying the experiences that I have during the holiday season into the world of data privacy. This year I have struggled to come up with a topic that really spoke to me. But, as I sat down to write my family’s annual […]
Beyond the Theory: CNIL Sanctions Under the Light of the Digital Omnibus
As the French data protection authority (Commission nationale de l’informatique et des libertés, CNIL) recently imposed two high-amount sanctions, we take this opportunity to try and make a practical application of some rules from the recently published draft of the Digital Omnibus. What Happened? In the span of a week, the CNIL imposed major sanctions […]
EU Data Act: Practical Guidance from the Dutch AP’s Newsletter
The Data Act entered into force on 12 September 2025, and in the Netherlands its national Implementation Act (Dataverordening, Dv) followed on 21 November 2025. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) published a newsletter this week explaining what the Data Act means in practice, particularly for organisations that work with data from connected […]
China’s Revised Cybersecurity Law: Key Changes and Compliance Implications
On 28 October 2025, the Standing Committee of the 14th National People’s Congress adopted the Decision on amending the Cybersecurity Law of the People’s Republic of China. The revised Cybersecurity Law (the “Revised Law”) will take effect on 1 January 2026. This is the first substantial update to the Cybersecurity Law (“Original Law”) since its promulgation […]
India’s New Data Protection Framework: What Businesses Need to Know
India has entered a new phase in its privacy journey with the Digital Personal Data Protection Act (DPDPA), 2023 and its recently notified Rules. Together, they establish a comprehensive regulatory system governing digital personal data and operationalize the fundamental right to privacy enshrined in the Constitution of India. The government has chosen a staggered rollout […]
Finally Here: The Digital Omnibus Proposal and Practical Implications for Organisations Through the Lens of GDPR
The European Commission’s Digital Omnibus Package Proposal (the Proposal) represents one of the most comprehensive realignments of the EU’s digital regulatory landscape since the introduction of the GDPR. This comes in addition to the changes the European Commission proposed in May 2025 under Omnibus IV. The long-awaited text, leaked during the previous weekend and now […]