In our previous article, we explained what Belgium’s new Private Investigations Law (WPO) means for companies and when the law applies. As we highlighted, the law’s scope extends well beyond professional detective firms. In fact, many common workplace actions now fall within the WPO. The term “private investigation activities” is defined broadly. It includes any […]
pb-international
Enforcement Trends in DSR Handling: Key Lessons from Recent EU Decisions
Over recent months, data protection authorities have issued rulings that expose common failings in the handling of data subject rights requests (DSRs). While these were isolated complaints, the supervisory authorities found that the organisations involved lacked internal procedures, failed to provide legally reasoned responses, and could not demonstrate accountability when challenged. These rulings confirm that […]
Belgium’s new Private Investigations Law: what it means for employers and employee privacy
In December 2024, Belgium introduced a significant update to its legislation on private investigations: the Wet tot regeling van de private opsporing (WPO). At first glance, this might seem relevant only to private detectives, but the law’s scope is much broader. In fact, it affects how companies conduct internal investigations and manage workplace incidents. If […]
AI Regulation in the US: A Question of Federal Preemption or State Autonomy?
In the realm of data protection, the United States has long been a patchwork of sector-specific laws and state-led initiatives. Despite repeated federal attempts, the United States still lacks a comprehensive data privacy framework. To fill the void left by the inaction of the federal government, the individual states started to act. Currently, there are […]
Preventable Data Breaches: Compliance Takeaways from Recent ICO Cases
Over the past few months, the UK Information Commissioner’s Office (ICO) has issued a series of enforcement actions that underscore a recurring regulatory concern: data breaches that, in the ICO’s view, were not merely accidental but the result of organisations failing to implement even basic data protection safeguards—violations of their accountability obligations under the UK […]
TikTok receives fine of 530 million euros by Irish DPC
In September 2021 an investigation was started by the Irish Data Protection Commission (DPC), as Lead Supervisory Authority, to verify TikTok’s compliance with GDPR obligations in terms of: verification of age requirements for users under 13 or 18 years of age and lawfulness of the personal data transfers to the People’s Republic of China (China). […]
Belgian DPA Clarifies Company Liability for GDPR Breaches by Rogue Employees
Are companies always responsible if their employees cause a data breach under the General Data Protection Regulation (GDPR)? According to a recent decision by the Belgian Data Protection Authority (DPA), the answer appears to be yes, or at least in most cases. The Case In this case, a manager at a hospital accessed an employee’s […]
ECJ Judgement on „Credit Scoring“ – Scope of the Right of Access and Illegality of Section 4 (6) of the DSG under EU Law
The recent ruling of the European Court of Justice (ECJ) of 27 February 2025 (C-203/22 – Dun & Bradstreet Austria GmbH) clarifies that data subjects have a comprehensive right to information pursuant to Art. 15 para. 1 lit. h GDPR, in particular with regard to automated decision-making in connection with creditworthiness scoring procedures. In this […]
DPO Independence Is Not Optional: Key Takeaways from the Italian DPA
In a decision dated December 2024, the Italian Data Protection Authority (Garante) imposed a fine of 70,000 euros on a credit rehabilitation company for multiple violations of the General Data Protection Regulation (GDPR). While the monetary penalty addressed several issues—such as unlawful data retention and the absence of processor contracts—the most significant takeaway is the […]
Garante Fine for Employee Monitoring and GPS Tracking
The Italian Data Protection Authority (Garante) recently issued a significant decision, imposing a fine of 50,000 euros on a company for unlawful employee monitoring through GPS tracking systems. The sanction followed an investigation into the company’s failure to comply with both national labour law and the EU General Data Protection Regulation (GDPR)—despite having received prior […]
Legal Landscape on Digital Accessibility in Germany
Over recent years, Germany has taken significant strides in legislating accessibility for both public and private sectors. The German Disability Equality Act (BGG) laid the groundwork by providing a framework to support the participation of people with disabilities, although its application is limited to federal public authorities. Building on these efforts, Germany then introduced the […]
GDPR and Biometric Data: The Lessons from Atlético Osasuna’s Fine
Spanish football club Atlético Osasuna introduced a facial recognition system for stadium access, sparking a GDPR complaint. The case highlights the challenges of biometric data processing, questioning its legality under the GDPR. The issue goes beyond simple convenience, raising concerns about proportionality, necessity, and fundamental privacy rights. Similar concerns arise when businesses upgrade traditional CCTV […]
France – a pioneer in accessibility legislation
Accessibility to products and services has been on the agenda of the European and Frech regulatory authorities for a long time. The goal of the accessibility legislations has been to ensure (digital) inclusivity for all, particularly for people with disabilities. This means allowing everyone to have physical access to buildings and facilities, using telecommunications and […]
Noyb complaints regarding data transfers to China
Noyb (None of Your Business), the data protection organization founded by Max Schrems, has filed complaints regarding six major Chinese companies, namely, TikTok, AliExpress, SHEIN, Temu, WeChat and Xiaomi before the data protection authorities of Italy, Greece, Belgium, the Netherlands and Austria. Mirroring the complaints filed some years ago regarding data transfers to the US, […]
News from the UK: The ICO’s Online Tracking Strategy 2025
The UK data protection authority, Information Commissioner’s Officer (ICO), has recently published news regarding their online tracking strategy for 2025. Recognizing that “being tracked online is part of daily life for most people”, in 2024 the ICO implemented a number of initiatives to enhance people’s control over how they are tracked. Among such initiatives, the […]