Gibson Dunn | Europe | Data Protection – January 2025

Client Alert  |  February 11, 2025


Europe

01/20/2025

European Data Protection Board | Case Digest & Report | Right of Access

The European Data Protection Board (“EDPB”) has published a “One-Stop-Shop case digest on right of access” and a report on the “Implementation of the right of access by controllers”.

On January 16, 2025, the EDPB published a case digest that provides examples of the exercise of the right of access in different contexts and analyzes, in this respect, national Supervisory Authorities’ (SAs) decisions under the one-stop-shop mechanism. In addition, on January 20, 2025, the EDPB released a report on the “Implementation of the right of access by controllers”. The report aggregates the findings of the SAs on organizations’ level of compliance with Article 15 of the GDPR, following a survey they conducted among 1,185 controllers from different sectors.

For more information: EDPB Website (Case Digest); EDPB Website (Report)

01/17/2025

European Data Protection Board | Guidelines | Pseudonymization

The European Data Protection Board (“EDPB”) has published new guidelines on pseudonymization.

The guidelines aim to clarify in particular the definition of pseudonymization, its objectives and benefits. They also provide guidance on the technical and organizational measures to be implemented to ensure its effectiveness, as well as examples of how pseudonymization is applied in real-world scenarios. The guidelines are under public consultation until February 28, 2025.

For more information: EDPB Website

01/17/2025

European Data Protection Board | Position Paper | Competition law

The European Data Protection Board (“EDPB”) has published a position paper regarding the interplay between data protection and competition law.

The EDPB recognizes that data protection and competition law have different legal frameworks but nonetheless share many commonalities, such as the protection of individuals and their decision making. It stresses the importance of cooperation between the data protection and competition authorities, and of a better understanding of related concepts in both areas, in order to improve consistency and efficiency.

For more information: EDPB Website

01/17/2025

European Commission | Regulation | Digital Operational Resilience Act

The Digital Operational Resilience Act (“DORA”) is applicable as of January 17, 2025.

As a reminder, the DORA lays down new requirements for the security of network and information systems in the financial sector.

For more information: Official Journal of the EU

01/15/2025

European Data Protection Supervisor | Concept Note | Digital Clearinghouse

The European Data Protection Supervisor (“EDPS”) published a concept note proposing the creation of the Digital Clearinghouse (“DCH”) 2.0.

The DCH was conceived by the EDPS as a voluntary network to promote coherent enforcement of EU legislation in the digital sector. With the DCH 2.0, the EDPS suggests turning this initiative into a forum with a permanent secretariat in order to identify cross-regulatory areas and allow interested authorities to exchange and coordinate their efforts.

For more information: EDPS website

01/09/2025

Court of Justice of the European Union | Judgment | Concepts of a ‘Request’ and ‘Excessive Requests’

On January 9, 2025, the Court of Justice of the European Union (“CJEU”) provided clarifications on the concepts of a ‘request’ and ‘excessive requests’ as part of a preliminary question referred by the Austrian Supervisory Authority.

The CJEU held that (i) the notion of “request” under Article 57(4) of the GDPR should be understood as including complaints lodged; (ii) the concept of “excessiveness” must be interpreted restrictively and the authority must demonstrate that the excessiveness of the requests stems from the applicant’s abusive intent, and (iii) when faced with excessive requests, the authorities may choose between charging reasonable fees and refusing to act on the requests.

For more information: Curia

01/09/2025

Court of Justice of the European Union | Judgment | Title and Gender Identity

On January 9, 2025, the CJEU published its judgment in Case C‑394/23 ruling that a customer’s gender identity was not necessary for the purchase of a rail transport ticket.

The CJEU clarified that the processing of personal data is only lawful if necessary for fulfilling a contract or for legitimate interest purposes. It ruled that personalizing commercial communications based on presumed gender identity, determined by a customer’s civil title, is not necessary, as it is not essential for a rail transport contract and could risk discrimination based on gender identity.

For more information: Curia

France

01/31/2025

French Supervisory Authority | Guidelines | Transfer Impact Assessment

The French Supervisory Authority (“CNIL”) published the final version of its guidelines on Transfer Impact Assessments (“TIA”) to help organizations comply with the GDPR when transferring data to third countries.

The CNIL’s guidelines outline a methodology for evaluating the adequacy of protection in third countries, assessing potential legal and practical risks, and implementing supplementary measures where necessary.

For more information: CNIL Website

01/28/2025

French Supervisory Authority | Guidelines | Data Breach

The French Supervisory Authority (“CNIL”) published guidelines on personal data security.

In 2024, the CNIL saw a 20% increase in data breaches compared to the previous year. It has issued guidelines to help organizations prevent and manage data breaches, with cybersecurity being one of its priorities for 2025-2028.

For more information: CNIL Website [FR]

01/23/2025

French Supervisory Authority | GDPR | Publicly Available Databases

On January 23, 2025, the French Supervisory Authority (CNIL) published an article on its website outlining the necessary checks for controllers when using publicly available or third-party databases.

Data controllers must ensure that the database complies with the GDPR and other relevant regulations, such as information system security and intellectual property rights. Key considerations include whether the data was processed with the consent of the individuals and if the processing is based on legitimate legal grounds, especially for sensitive data or data related to criminal offenses. Additionally, the CNIL recommends formalizing the relationship with the data provider through a contract.

For further information: CNIL Website [FR]

01/16/2025

French Supervisory Authority | Action Plan | Children, AI, cybersecurity and digital

The French Supervisory Authority (“CNIL”) published its strategic action plan for 2025 to 2028.

The CNIL will focus on four main priorities: AI, children’s online privacy, cybersecurity, and daily digital use (mobile applications and digital identity). The CNIL plans to diversify its support for organizations and strengthen its dialogue with stakeholders in these areas.

For more information: CNIL Website [FR]

Germany

01/15/2025

Higher Regional Court of Karlsruhe | Judgment | Right of Erasure

On January 15, 2025, the Higher Regional Court of Karlsruhe (OLG Karlsruhe) ruled on the right to erasure and the possibility to retain personal data for use in future legal disputes.

The OLG Karlsruhe ruled that companies cannot indefinitely store personal data for potential future claims if the underlying incident has already been subject to legal proceedings. The court held that once data is no longer necessary for the purpose it was collected, it must be deleted. Even if future claims are possible, there must be more than just a theoretical possibility that these claims are pursued to justify continued data storage under Article 17(3)(e) GDPR and to deny the right to erasure. The decision emphasized that the mere abstract possibility of future claims is not sufficient for data retention.

For more information: Official Court Website [DE]

Italy

01/31/2025

Italian Supervisory Authority | Temporary Ban | Chatbot

The Italian Supervisory Authority (“Garante”) imposed a temporary ban on an AI-powered chatbot service.

This follows a request for information addressed by the Garante to the companies providing the chatbot service. According to the Garante, the responses communicated by the companies were not satisfactory. In addition to the limitation order on the processing of Italian users’ data, the Garante opened an investigation.

For more information: Garante Website

Spain

01/14/2025

Spanish Council of Ministers | Transposition | NIS 2 Directive

The Spanish Council of Ministers approved the Draft Law on Coordination and Governance of Cybersecurity, transposing the NIS 2 Directive.

The Draft Law specifies the public and private entities that fall under the scope of the NIS 2 Directive as well as their obligations in terms of cybersecurity (such as incident notification). It also designates several national supervisory authorities for enforcement purposes, and creates the National Cybersecurity Centre, which will be the sole point of contact with the European Union and be in charge of intersectoral and cross-border cooperation.

For more information: Ministry of Interior Website [ES]

United Kingdom

01/23/2025

UK Supervisory Authority | Online Tracking | 2025 Strategy

The UK Supervisory Authority (“ICO”) has introduced its 2025 online tracking strategy.

The strategy aims to ensure that individuals have control over tracking within the context of online advertising. The ICO’s plan of action includes publishing guidelines on different subjects such as ‘consent or pay’ models or the Internet of Things, and engaging with different actors (website publishers, consent management platforms, app developers, connected TV manufacturers) to promote and ensure compliance with the law. The ICO will also investigate data management platforms connecting advertisers and publishers.

For more information: ICO Website


The following Gibson Dunn lawyers prepared this update: Partners: Ahmed Baladi, Vera Lukic, and Kai Gesing; Associates: Thomas Baculard, Billur Cinar, Hermine Hubert, and Christoph Jacob.

© 2025 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.