On 18 September 2025, the French Data Protection Authority (CNIL) issued Deliberation SAN-2025-008, imposing a €100,000 fine on Samaritaine SAS for clandestinely installing surveillance cameras in employee areas. In August 2023, in response to a rise in stockroom thefts, the company installed five hidden cameras disguised as smoke detectors. The devices also recorded audio. Within […]
English Posts
Automated Credit Scoring Under Scrutiny in Europe
The CJEU’s SCHUFA judgement (C-634/21) in 2023 clarified that producing and transmitting a credit score can itself amount to an automated decision under Article 22 GDPR where the score is determinative for contract outcomes. This ruling has now translated into concrete enforcement. In 2025, both the Austrian and Hamburg DPAs issued decisions that apply these […]
Understanding the ICO’s Encryption Guidance under UK GDPR
The United Kingdom’s Information Commissioner’s Office (ICO) has released detailed guidance on the use of encryption under the UK GDPR. This guidance is a part of the ICO’s wider information-security programme and is designed to help organisations use encryption effectively to safeguard personal information. This article outlines the key points of the ICO’s guidance on […]
Bibbidi Bobbidi Boo, Here’s a Fine for You – Disney’s $10M COPPA Case
Sometimes even the strongest magic cannot hide a compliance misstep, as the Federal Trade Commission (FTC) reminded Disney that even their enchantments must follow the rules. On September 2, 2025, a settlement of $10 million was reached between Disney Worldwide Service, Inc. and Disney Entertainment Operations LLC (Disney) and the FTC. Disney is one of […]
You Have Been Called Out: The ICO’s Warning Against Unlawful Marketing
Recently, the UK’s Information Commissioner’s Office (ICO) has imposed significant fines totaling in £550,000 against two companies relying on unlawful automated marketing calls, or “robo calls” (read here). Green Spark Energy Ltd was fined £250,000 for making 9.5 million unsolicited automated calls, while Home Improvement Marketing Ltd faced a £300,000 penalty for making 2.4 million […]
China Issues Measures on Personal Information Compliance Audits
On 14 February 2025, the Cyberspace Administration of China (CAC) issued the Administrative Measures on Compliance Audits for Personal Information Protection (the Measures), which has come into effect on 1 May 2025. The Measures mark the transition of the personal information compliance audit regime, first established under the Personal Information Protection Law of the People’s […]
Cookies are not always sweet in France
In the last three years, very high fines have been issued by the French data protection authority (Commission Nationale de l’Informatique et des Libertés or CNIL) to big companies for non-compliance in the area of cookies and tracking devices. Some examples are: the 35 million euros sanction imposed by the CNIL against Amazon in 2020 […]
AI Meeting Transcripts: Efficiency Tool or Corporate Liability?
AI-powered meeting assistants have rapidly become one of the most adopted categories of workplace technology. These tools join video calls to record, transcribe, and summarize conversations, promising efficiency gains and more reliable documentation. The value proposition is clear: accurate records improve accountability, knowledge-sharing, and business continuity. But as with any technology deployed at scale, the […]
BSI White Paper on Bias in Artificial Intelligence
On July 24, 2025, the German Federal Office for Information Security (BSI), through authors Dr. Jonas Ditz und Elmar Lichtmeß, published an interesting white paper “Bias in Artifical Intelligence” (currently only available in German) that provides developers, providers, and operators of AI systems with an introduction to the issue of bias. What does the term […]
The Data Act entered into force – what you need to know
On 12 September 2025, the Data Act (Regulation (EU) 2023/2854) became applicable in the EU member states. The Data Act creates a framework for fair access to and use of data across the EU and it is aimed at giving users more control over product-generated data and foster the principles of transparency, fairness, and GDPR […]
Pseudonymised Data: Not Always Personal According to The Latest CJEU Judgement
On 4 September 2025, the Court of Justice of the European Union (CJEU) handed down its judgment in EDPS v Single Resolution Board (C-413/23 P). The ruling addresses a fundamental question in EU data protection law: when pseudonymised information qualifies as personal data, and for whom. This decision provides important clarification on the scope of […]
China‘s Latest Updates on PIPL and Clarifications on Sensitive Personal Information
Different legislative updates were recorded in China in the last couple of months. These concern several topics related to data protection and data security, such as the definition of sensitive personal information, appointment obligations and registration of a Data Protection Officer (DPO), reporting measures in case of data security incidents for financial services and the […]
The Weaponization of Data Protection
As data protection professionals, we see the value of strong individual rights under the GDPR. The right to access, rectify, and erase one’s personal data is foundational to the regulation’s spirit of informational self-determination. But there’s also a negative side to this that is becoming increasingly difficult to ignore: the weaponization of data protection rights […]
AI Literacy: What You Really Need to Know
Artificial intelligence (AI) is no longer a specialised technology reserved for a handful of tech companies. It now powers, at least tangentially, the tools, platforms, and processes of almost every business. AI’s presence in the workplace is now routine. Organisations must ensure their employees know how to use AI responsibly, both as a compliance requirement […]
Classifying ChatGPT under the AI Act: A Practical Walkthrough
This blog post explores two topics currently attracting significant attention in practice: ChatGPT and the AI Act. Using a practical example, we will show how ChatGPT can be classified under the Act. Our scenario: A company wants to provide its employees with ChatGPT and has chosen the paid ChatGPT Team licence. In this post, we […]