The European Commission has taken a significant step forward in ensuring robust cybersecurity across the Union with the adoption of the Commission Implementing Regulation C(2024) 7151 on October 17, 2024. This regulation delineates the technical and methodological requirements for cybersecurity risk management under the NIS2 Directive. It also specifies when incidents are to be considered […]
Copyright Lawsuit Against OpenAI in India
Indian news agency ANI has filed a lawsuit against OpenAI, accusing the company of using copyrighted material without authorization. ANI joins a growing group of publishers worldwide challenging OpenAI and other AI developers over similar practices. The lawsuit, filed in the Delhi High Court, centers on OpenAI’s use of publicly available content for training its […]
The Icelandic DPA Upholds Legitimate Interest of Cross-Checking Caller Information and Follow-Up Surveys
In a recent decision, the Icelandic Data Protection Authority (DPA), Persónuvernd, upheld the legitimate interest of companies sending customer satisfaction surveys and cross-referencing caller information. The case involved the insurance company VÍS and one of its customers and addressed whether a data controller could lawfully cross-check an (anonymous) caller’s phone number with its customer database […]
Biometric Data and GDPR Compliance – a Case Analysis
The growing use of biometric systems in workplaces has brought new challenges for data protection, especially with the General Data Protection Regulation (GDPR) in Europe. A recent case in Belgium highlights these issues after a company introduced a fingerprint-based time-tracking system without properly adhering to GDPR rules. Facts In 2020, a Belgian company began using […]
The landscape of online proctoring and the intersection of GDPR and US laws
With the rise of remote learning, online proctoring – used to ensure academic integrity during virtual exams – has become widely adopted by schools and universities across the U.S. These tools use methods like identity verification, video and audio monitoring, eye-tracking, and even AI-based behavioral analysis. As this technology proliferates, concerns about how such software […]
Navigating Employee Email Privacy: Lessons from a recent Fine by Italy’s DPA
The Italian Data Protection Authority (Garante) recently imposed a significant fine of 80,000 euros on a company for mishandling a sales agent’s email data, highlighting once again the challenges and complexities of managing employee data, in particular when access to employees’ emails is required. The issue arose when the company used a backup of the […]
LinkedIn hit with Fine of 310 Million Euros
LinkedIn Ireland has been fined 310 million euros by the Irish Data Protection Commission (DPC) for breaching several key provisions of the GDPR. The DPC issued this fine following a two-year investigation, which began in 2021. In particular, the investigation focused on LinkedIn’s processing of personal data for the purposes of behavioural analytics and targeted […]
Online Proctoring and Data Protection in Germany and France
Online proctoring refers to the use of digital tools and technologies to remotely monitor students during online exams. This technology typically involves video and audio recording capabilities such as screen and web traffic recording, room recording, periodic desk scans and sometimes methods such as biometric recognition to reduce the potential for academic dishonesty and maintain […]
Fines remain discretionary
Does anyone remember 12 September 2019? The GDPR was still new, but the initial excitement had died down and the first practical experiences with the new law had crystallised. Much was unclear, but some things were slowly becoming clearer. On 12 September, around 200 data protection lawyers met in Bremen, Germany for the 20th Autumn […]
UK Data Protection Commissioner (ICO) launched a Data Protection Audit Framework
The ICO has recently issued an instrument to support organisations in verifying data protection compliance. The online audit toolkits can be used to conduct both consensual and compulsory audits. The toolkits are designed for organization personnel having familiarity with data protection compliance or data protection professionals (for example: senior management, the data protection officer, internal […]
Unsolicited Email Marketing – Ensuring compliance worldwide
In today’s interconnected world, businesses increasingly depend on email marketing to effectively expand and engage their international customer base. However, when sending unsolicited emails internationally, balancing data protection obligations and the requirements of local laws is crucial for maintaining compliance. This article delves into best practices, outlines the most appropriate legal bases, and examines the […]
EDPB publishes opinion on the “Code of Conduct for Service Providers in Clinical Research” submitted by EUCROF
According to Art. 40 GDPR, associations and other bodies representing categories of controllers or processors are encouraged to prepare codes of conduct, or amend or extend such codes, for the purpose of contributing to the proper application of the GDPR in specific sectors. When such codes of conduct – or amendments to existing ones – […]
AI Innovation at Risk? A Showdown Between Privacy Laws and Tech Giants
AI is transforming the world at an unprecedented speed, and yet, a growing regulatory storm seems ready to slow it down. Recently, LinkedIn was forced to halt its AI-powered data processing in the UK after concerns raised by the ICO (Information Commissioner’s Office). But could this be just the tip of the iceberg for a […]
CJEU Broadens Definition of Health Data in Pivotal GDPR Ruling
The Court of Justice of the European Union (CJEU) has recently issued a landmark decision (C-21/23 “Lindenapotheke”) that expands the interpretation of what constitutes health data under the General Data Protection Regulation (GDPR). This ruling has significant implications for businesses, especially those involved in the sale of medicinal products online. A Wider Scope of Health […]
Legitimate Interest: new CJEU ruling challenges Dutch Authority’s strict interpretation
On October 4, 2024, the Court of Justice of the European Union (CJEU) issued a ruling in the case C-621/22, addressing whether purely commercial interests can qualify as a legitimate interest for processing personal data under Article 6 para. 1 lit. f of the General Data Protection Regulation (GDPR). This decision challenges the strict stance […]