Over recent months, data protection authorities have issued rulings that expose common failings in the handling of data subject rights requests (DSRs). While these were isolated complaints, the supervisory authorities found that the organisations involved lacked internal procedures, failed to provide legally reasoned responses, and could not demonstrate accountability when challenged. These rulings confirm that […]
GDPR

Belgium’s new Private Investigations Law: what it means for employers and employee privacy
In December 2024, Belgium introduced a significant update to its legislation on private investigations: the Wet tot regeling van de private opsporing (WPO). At first glance, this might seem relevant only to private detectives, but the law’s scope is much broader. In fact, it affects how companies conduct internal investigations and manage workplace incidents. If […]

TikTok receives fine of 530 million euros by Irish DPC
In September 2021 an investigation was started by the Irish Data Protection Commission (DPC), as Lead Supervisory Authority, to verify TikTok’s compliance with GDPR obligations in terms of: verification of age requirements for users under 13 or 18 years of age and lawfulness of the personal data transfers to the People’s Republic of China (China). […]

DPO Independence Is Not Optional: Key Takeaways from the Italian DPA
In a decision dated December 2024, the Italian Data Protection Authority (Garante) imposed a fine of 70,000 euros on a credit rehabilitation company for multiple violations of the General Data Protection Regulation (GDPR). While the monetary penalty addressed several issues—such as unlawful data retention and the absence of processor contracts—the most significant takeaway is the […]

Garante Fine for Employee Monitoring and GPS Tracking
The Italian Data Protection Authority (Garante) recently issued a significant decision, imposing a fine of 50,000 euros on a company for unlawful employee monitoring through GPS tracking systems. The sanction followed an investigation into the company’s failure to comply with both national labour law and the EU General Data Protection Regulation (GDPR)—despite having received prior […]

GDPR and Biometric Data: The Lessons from Atlético Osasuna’s Fine
Spanish football club Atlético Osasuna introduced a facial recognition system for stadium access, sparking a GDPR complaint. The case highlights the challenges of biometric data processing, questioning its legality under the GDPR. The issue goes beyond simple convenience, raising concerns about proportionality, necessity, and fundamental privacy rights. Similar concerns arise when businesses upgrade traditional CCTV […]
Italian Data Protection Authority bans DeepSeek for Italian market
In the past years, the Italian Data Protection Authority (Garante per la Protezione dei dati personali) has made clear statements towards big technology companies introducing their services in Italy, prior to the verification of GDPR and Italian Data Protection Act compliance. We are referring to the Clearview case of 2022, that caused a fine of […]
The GDPR and the AI Act: A Harmonized Yet Complex Regulatory Landscape
The European Union has recently introduced the AI Act, poised to become the cornerstone of AI governance across the EU. This groundbreaking regulation is designed to address the risks AI systems pose to health, safety, and fundamental rights, complementing the protections already established by the General Data Protection Regulation (GDPR). Together, these frameworks create a […]
Benelux Authorities Tighten Scrutiny on DPO Appointments
Authorities in Belgium, the Netherlands, and Luxembourg are paying closer attention to how organizations appoint their Data Protection Officers (DPOs). They are especially focused on making sure DPOs can work independently, without a conflict of interest and have enough resources to do their job properly. In the Netherlands, the Dutch Authority for Personal Data (AP) […]
Liability: Responsibility for Processing Personal Data
New Years Eve is a time when we all tend to look back on the past year and revel in achievements and berate ourselves for mistakes made or goals not yet achieved. I also find that this is a time when I start to regret some of the holiday gifts I purchased. Things I thought […]
The Icelandic DPA Upholds Legitimate Interest of Cross-Checking Caller Information and Follow-Up Surveys
In a recent decision, the Icelandic Data Protection Authority (DPA), Persónuvernd, upheld the legitimate interest of companies sending customer satisfaction surveys and cross-referencing caller information. The case involved the insurance company VÍS and one of its customers and addressed whether a data controller could lawfully cross-check a (anonymous) caller’s phone number with its customer database […]
Biometric Data and GDPR Compliance – a Case Analysis
The growing use of biometric systems in workplaces has brought new challenges for data protection, especially with the General Data Protection Regulation (GDPR) in Europe. A recent case in Belgium highlights these issues after a company introduced a fingerprint-based time-tracking system without properly adhering to GDPR rules. Facts In 2020, a Belgian company began using […]
The landscape of online proctoring and the intersection of GDPR and US laws
With the rise of remote learning, online proctoring – used to ensure academic integrity during virtual exams – has become widely adopted by schools and universities across the U.S. These tools use methods like identity verification, video and audio monitoring, eye-tracking, and even AI-based behavioral analysis. As this technology proliferates, concerns about how such software […]
Navigating Employee Email Privacy: Lessons from a recent Fine by Italy’s DPA
The Italian Data Protection Authority (Garante) recently imposed a significant fine of 80,000 euros on a company, for mishandling a sales agent’s email data, highlighting once again the challenges and complexities of managing employee data, in particular when access to employees’ emails is required. The issue arose when the company used a backup of the […]
Unsolicited Email Marketing – Ensuring compliance worldwide
In today’s interconnected world, businesses increasingly depend on email marketing to effectively expand and engage their international customer base. However, when sending unsolicited emails internationally, balancing data protection obligations and the requirements of local laws is crucial for maintaining compliance. This article delves into best practices, outlines the most appropriate legal bases, and examines the […]