In a remarkable development that has sent shockwaves across the digital domain, Ireland’s Data Protection Commission (DPC) has imposed a €1.2 billion fine to conclude its long-term investigation into Meta Platforms Ireland Limited – formerly Facebook Ireland – over its data transfers from the EU/EEA to the United States. Let us take a look at […]
GDPR

“Decreto Trasparenza”: Italian businesses to comply with new obligations for automated processing of employee data
In August 2022, Italy implemented the EU Directive No. 2019/1152 of the European Parliament and of the Council of 20 June 2019 on transparent and predictable working conditions in the European Union by adopting the new Legislative Decree 2022/104 (so called “Decreto Trasparenza”, meaning the “Transparency Decree”). What areas does the Decree cover? The new […]

The Artificial Intelligence Revolution Taking the World by Storm – Are You Ready?
The term “Artificial Intelligence” (AI) has many possible meanings, although a simple one defines it as the ability of a computer to perform tasks that have traditionally required human intelligence. AI has been a part of our lives for many years now as it is used in everyday consumer products such as spam filters for […]

Privacy matters: the intrinsic value of data protection
Records of processing activities. Data processing agreements. Data processing impact assessments. Privacy notices. Cookie banners. Data subject requests. Data flow mapping…The world of data privacy can be overwhelming, even for those of us who work with it professionally. It is especially frustrating when companies feel that they are losing their competitive edge due to limiting […]

Synthetic data and data protection-related challenges
Synthetic data are information artificially generated by computer simulations or algorithms such as AI and ML tools, including ‚deep learning‘ methods. They are generated from real data with the goal to capture, represent and reproduce the characteristics, patterns, and structure observed in the authentic data. Although they are not real data, they allow the same […]
EU – most relevant GDPR fines of the last years
More than four years after the General Data Protection Regulation 2016/679 (GDPR) came into force, companies and organizations that process personal data inside and outside the EU have come to realize the benefits that a privacy-friendly business management can entail. Moreover, in the last years it became evident that processing personal data in violation of […]
Italian Sunshine Act: a GDPR oriented analysis
In June 2022, Law 62/2022 known as the Sunshine Act entered into force in Italy, introducing new transparency regulations on transfers of value established between companies operating in the pharmaceutical and health care sector and health care professionals (HCPs) as well as health care organizations (HCOs). The Italian Sunshine Act is one of the newest […]
The priorities set by the Belgian Data Protection Authority for the 2023 Agenda
At the end of last year, in the context of setting the 2023 budget, the Belgian Data Protection Authority (Autorité de protection des données/ Gegevensbeschermingsautoriteit or APD) has highlighted the main topics that will be the focus of this year’s agenda, depending on the capacity of the authority, as the APD mentioned in its press […]
Irish DPC: Facebook Data Scraping not in line with Art. 25 of the GDPR
In 2021, media reports raised serious questions about how Facebook was dealing with the collected personal data of around 530 million Facebook users. Between 2018 and 2019, these datasets, which also included the email addresses and mobile phone numbers of Facebook users, were exposed on the internet. Following the media reports of these serious data […]
The highest fine ever imposed by the Greek DPA on Clearview AI
The U.S.-based company Clearview AI (hereafter Clearview) known for its facial recognition services received a fine of €20.000.000 by the Greek Data Protection Authority for the non-compliant collection and processing of personal data. This is the first time that the Hellenic DPA has imposed such a high data protection fine. Clearview develops facial recognition software […]
„Old“ Standard Contractual Clauses to be Invalid as of the End of December (27.12.2022)
The European Commission decided on new Standard Contractual Clauses (SCCs) in June 2021. After 27 December 2022, only these „new“ SCCs may be used without exception. What does that mean for companies and organizations? If personal data is transferred to processors (or their sub-processors) or to controllers in a country outside the EU or the […]
Clearview AI fined again, this time in France
The French Data Protection Authority, Commission Nationale de L’Informatique et des Libertés (CNIL), has issued a fine of €20 million against Clearview AI (hereafter Clearview), a company that now claims to have more than 30 billion images used for facial recognition. Clearview collects photos from all sorts of directly accessible websites, social media platforms and […]
Spanish Supreme Court: Data subjects can submit their complaint directly to a supervisory authority
According to a decision of the Spanish Supreme Court (Tribunal Supremo) of July 2022, filing a request to exercise the data subject rights with the data controller is not a prerequisite for filing a complaint to the relevant Supervisory Authority for an alleged breach of the GDPR. The decision was issued after a complaint of […]
China passed new data protection law
China issued its comprehensive data protection law, the Personal Information Protection Law (“PIPL”), on August 20, 2021. The PIPL will come into effect on November 1, 2021. This marks a new era in China’s data protection development. Before the PIPL, the main legislations regulating data processing activities in China are the Cybersecurity Law, the Data […]
Italian Data Protection Authority Fines Bologna Airport in Connection with Whistleblowing Application
In an injunction of July 10, 2021, published the following month, the Italian data protection authority (Garante per la protezione dei dati personali) has fined the Airport of Bologna € 40,000 for not having implemented adequate technical and organizational measures for a whistleblowing application. Further, the authority held that for that application, a data protection […]