Gibson Dunn | Europe | Data Protection – March 2025

Client Alert | April 9, 2025


Europe

03/19/2025

European Data Protection Board | Approval Procedure | Binding Corporate Rules

The European Data Protection Board (“EDPB”) published a document outlining the cooperation procedure for approving Binding Corporate Rules (“BCRs”) for both controllers and processors.

Drawing on practical experience with the previous version of the Guidelines on BCR approval, the procedure presented aims to streamline the approval of BCRs, promoting consistent data protection practices across organizations operating within the EU.

For more information: EDPB Website

03/05/2025

European Commission | Publication | European Health Data Space Regulation

On March 5, 2025, the European Health Data Space Regulation was published in the Official Journal of the European Union.

The regulation aims to establish a common framework for the use and exchange of electronic health data across the EU. It will also enhance individuals’ access to and control over their personal electronic health data; for instance, patients will have the right to restrict health professionals’ access to all or parts of their personal electronic health data exchanged through EHDS infrastructures. The regulation will enter into force on March 26, 2025, and will become applicable two years later.

For further information: European Commission Website and Official Journal of the EU

03/05/2025

European Data Protection Board | Coordinated Enforcement | Right to Erasure

On March 5, 2025, the European Data Protection Board (EDPB) announced that it is launching a Europe-wide review of the right to erasure.

This initiative involves 32 data protection authorities across Europe. The aim is to evaluate how well the right to erasure, which allows individuals to request the deletion of their personal data, is being implemented in practice. The assessment will be conducted using a standardized questionnaire to analyze and compare procedures established by various data controllers. The results will be published in a report by the EDPB, highlighting best practices and areas for improvement.

For further information: EDPB Website

03/04/2025

European Commission | EU Adequacy Decision | Article 45 GDPR

On March 4, 2025, the European Commission proposed the first EU adequacy decision under Article 45 GDPR for an international organization.

The European Commission proposed an EU adequacy decision for the European Patent Organisation (EPO). The decision, based on Article 45 GDPR, finds the EPO’s data protection rules comparable to the EU’s. The EPO is an international organization comprising the member states of the EU and various other European states, established to grant patents. The adequacy decision will enable safe data flows between the EU and the EPO. Once adopted, companies in the EU will be able to transfer data, such as data for patent applications, to the EPO without additional safeguards. The draft will be reviewed by the European Data Protection Board (EDPB) and other EU bodies before final adoption.

For further information: European Commission Website

France

03/27/2025

French Supervisory Authority | Work Program | 2025 Priorities

As part of its mission to guide professionals towards compliance, the French Data Protection Authority (“CNIL”) announced the main guidance materials it will issue in 2025.

The CNIL regularly issues soft law guidance (e.g., recommendations, guidelines, codes of practice) to clarify the applicable law and provide best practices. In 2025, the CNIL will issue fact sheets on artificial intelligence (to help professionals balance innovation and data subject rights) and recommendations on the use of pixels in emails, and will continue clarifying the use of dashcams.

For more information: CNIL Website [FR]

03/25/2025

French Supervisory Authority | Public Consultation | Connected Vehicles and Location Data

The French Supervisory Authority (“CNIL”) is submitting for public consultation a draft recommendation on the use of location data of connected vehicles.

The CNIL indicated that location data is considered highly personal data, as it can reveal individuals’ frequently visited places, habits, or areas of interest. The draft focuses on the use of connected vehicles by private individuals and aims at helping the main actors ensure compliance with GDPR principles. The public consultation will end on May 20, 2025. Any public or private actor can participate in the consultation.

For more information: CNIL Website [FR]

03/21/2025

French Supervisory Authority | Investigation | 2025 Priorities

The French Supervisory Authority (“CNIL”) announced its 2025 data protection priorities.

This year, the CNIL announced that it will focus on enforcing rules with respect to mobile app data collection, local government cybersecurity, penitentiary data management, and the enforcement of the right to erasure.

For more information: CNIL Website [FR]

03/05/2025

French Supervisory Authority | Guidelines | Case Law and Doctrine

The French Supervisory Authority (“CNIL”) published its “Tables Informatiques et Libertés” and its recap books (“Cahiers récapitulatifs”) for the year 2024.

The Tables are designed to give data professionals and academics access to the CNIL’s doctrinal positions as well as to case law from national and European courts. This tool allows practitioners to easily find precedents based on a thematic classification.

For more information: CNIL Website [FR]

03/06/2025

French National Cybersecurity Authority | Strategic Plan | 2025-2027

The French National Cybersecurity Authority (“ANSSI”) published its strategic plan for 2025-2027.

The plan developed by ANSSI focuses on four key areas: (i) amplifying and coordinating the cyber response to the growing threat, (ii) developing the expertise needed to counter cyber threats, (iii) promoting effective European and international cyber action, and (iv) reinforcing the consideration of societal issues in ANSSI’s actions.

For further information: ANSSI Website [FR]

Germany

03/27/2025

German Federal Court of Justice | Judgement | GDPR and Competition Law

On March 27, 2025, the German Federal Court of Justice (BGH) ruled (I ZR 186/17) that a breach of information obligations by the controller may give rise to claims for injunctive relief under the German Act Against Unfair Competition (UWG). These can be pursued by consumer protection associations by way of an action before the civil courts.

According to the BGH, the Unfair Competition Act (UWG) and the Injunctions Act (UKlaG) provide a legal basis under Article 80(2) GDPR for consumer protection associations to pursue violations of the GDPR. Consumer associations can take legal action against breaches of the information obligations under Art. 12(1) and Art. 13(1)(c) and (e) GDPR, even without specific authorization from the affected individuals. Breaches of data protection information obligations may constitute unfair competition if material information is withheld.

For further information: BGH Website [DE]

03/27/2025

German Federal Court of Justice | Judgement | GDPR and Competition Law

On March 27, 2025, the German Federal Court of Justice (BGH) ruled in two cases (I ZR 222/19, I ZR 223/19) that a breach of GDPR regulations regarding special categories of data by the controller may give rise to claims for injunctive relief under the German Act Against Unfair Competition (UWG). These can be pursued by competitors by way of an action before the civil courts.

According to the BGH, the Unfair Competition Act (UWG) provides a legal basis for competitors to pursue violations of the GDPR. In the decisions, the BGH ruled that a violation of Article 9(1) GDPR can be pursued by a competitor by way of a competition law action before the civil courts under Article 8(3)(1) UWG.

For further information: BGH Website (I ZR 222/19 [DE], I ZR 223/19 [DE])

03/20/2025

German Federal Office for Information Security | Certification | Cybersecurity Act

The German Federal Office for Information Security (“BSI”) was designated by the European Commission as the German certification body under the Cybersecurity Act.

The BSI is now the body in charge of approving applications from manufacturers seeking to obtain a European cybersecurity certificate for products with a high assurance level under the Implementing Regulation adopting the European Common Criteria-based cybersecurity certification scheme (EUCC).

For more information: BSI Website [DE]

03/19/2025

Hamburg Supervisory Authority | Recommendations | Data Retention

The Hamburg Supervisory Authority (“HmbBfDI”) recommends that organizations review and delete outdated data as part of a “digital spring cleaning”.

The HmbBfDI particularly recalls that, with the Fourth Bureaucracy Relief Act (BEG IV), the federal legislator has reduced some retention periods defined under the German Fiscal and Commercial Codes, requiring businesses to adjust their data retention policies accordingly. In particular, the data retention period for accounting documents under tax law is reduced from ten to eight years, which also affects the right to erasure under the GDPR.

For more information: HmbBfDI Website [DE]

03/13/2025

German Data Protection Conference | Statement | Data Act

On March 13, 2025, the German Data Protection Conference (DSK) published a statement on the implementation legislation for the EU Data Act.

The DSK, the conference of the independent data protection supervisory authorities of the German federal states, has published a position paper on the German legislation implementing the EU Data Act, emphasizing the need for harmonized rules across member states that are implemented effectively and in line with the requirements of the European legislation. The DSK criticizes the current German draft legislation in various respects and emphasizes the interplay between EU regulations and their implementation in each member state, even where a regulation applies directly.

For further information: DSK Website [DE]

03/12/2025

Hamburg Supervisory Authority | Guest Orders | Online Retail

The Hamburg Supervisory Authority (“HmbBfDI”) announced having ordered a Hamburg-based online retailer to allow guest orders, without requiring users to create a customer account.

The HmbBfDI notes that in a resolution dated March 24, 2022, the German Data Protection Conference (DSK) stated that requiring users to create a customer account to place orders is incompatible with the principle of data minimization. As part of its enforcement actions, the HmbBfDI examined multiple online shops in January 2025 and will continue to monitor their practices. Online shops which are considered a marketplace do not have to allow guest orders.

For more information: HmbBfDI Website [DE]

03/06/2025

Bavarian Supervisory Authority | Guidance | Article 28 GDPR

On March 6, 2025, the Bavarian Supervisory Authority (“BayLDA”) published an updated version of its guidance on the correct classification of data controllers and data processors.

The new guidance focuses on explaining the different legal criteria for the proper classification of controllers and processors, providing detailed elaborations on the exact wording of the GDPR to facilitate case-by-case decisions.

For further information: BayLDA Website [DE]

03/2025

German Supervisory Authorities | Activity Reports

In March 2025, several Supervisory Authorities published their annual Activity Reports.

In addition to the increasingly important interplay between AI regulations and the GDPR, the reports also focus on data protection in employment contexts. By way of example, the Supervisory Authority of Bremen (LfDI Bremen) highlighted that video surveillance of areas frequented by employees is only permissible in non-sensitive areas and always demands an assessment of interests. The Bavarian Supervisory Authority (LDA Bayern) recommends that the publishing of images of employees after their employment ends should be contractually agreed upon in advance to ensure GDPR compliance.

For further information: LfDI Baden-Württemberg Website [DE], LfDI Bremen Website [DE], LfDI Sachsen Website [DE] and LDA Bayern Website [DE]

02/25/2025

Higher Regional Court of Stuttgart | Judgement | Data Processing and Employment

In a recent decision (2 ORbs 16 Ss 336/24), the Higher Regional Court of Stuttgart (OLG Stuttgart) dealt with the so-called employee excess in data protection law. Of practical relevance is the OLG’s classification of when employees who process personal data for non-work purposes become data controllers themselves, thus replacing the employer as the addressee of potential GDPR fines.

If the data protection breach is committed deliberately and intentionally for reasons unrelated to work, the employee may be considered an independent controller rather than merely acting contrary to the employer’s instructions.

For further information: Official Court Website [DE]

02/21/2025

Higher Administrative Court of Bavaria | Judgement | Access to Controller Agreements

On February 21, 2025, the Higher Administrative Court of Bavaria (VGH Bayern) ruled (7 ZB 24.651) that data subjects cannot demand access to data processing agreements as part of their information rights under Art. 15 GDPR.

Art. 15 GDPR only grants data subjects a right of access to their own personal data. The court argues that the supervisory authorities, and not the data subjects, are responsible for monitoring the application of the GDPR, including the data processing agreements between a controller and a processor and their requirements.

For further information: Official Court Website [DE]

Ireland

03/07/2025

Irish Supervisory Authority | Complaints | Data Access Requests

The Irish Supervisory Authority (“DPC”) has published a blog post on how it handles complaints related to data subjects’ access requests.

The DPC states that it regularly deals with complaints from data subjects concerned that their access requests have not been fulfilled. The authority details how it determines the validity of the restrictions that organizations use to refuse access requests, emphasizing that each restriction must be justified on an evidential basis.

For more information: DPC Website

03/05/2025

Irish Government | AI Act | Designation of Competent Authorities

The Irish Government approved the designation of eight public authorities as competent authorities, responsible for implementing and enforcing the AI Act.

These authorities are the Central Bank of Ireland, the Commission for Communications Regulation, the Commission for Railway Regulation, the Competition and Consumer Protection Commission, the Data Protection Commission, the Health and Safety Authority, the Health Products Regulatory Authority, and the Marine Survey Office of the Department of Transport. Additional authorities, as well as a lead regulator, will be designated through a forthcoming decision.

For further information: Irish Government Website

Netherlands

03/06/2025

Dutch Supervisory Authority | Public Consultation | Human Intervention in Algorithmic Decision-making

The Dutch Supervisory Authority (“AP”) launched a public consultation on the tools it has developed to enable meaningful human intervention in algorithmic decision-making.

The AP recalls that organizations using algorithmic decision-making must comply with the obligation to ensure human intervention. Such intervention must be meaningful — not merely symbolic — and designed to guarantee that decisions are made carefully, without discrimination. Organizations must also ensure that human intervention is not undermined by factors such as time pressure or lack of knowledge about the system.

For further information: AP Website [NL]

United Kingdom

03/28/2025

Information Commissioner’s Office | Guidance | Data Anonymisation

The Information Commissioner’s Office (“ICO”) has published new guidance on data anonymisation.

This guidance explains the distinction between anonymisation and pseudonymisation, discusses what should be considered when anonymising personal data, provides good practice advice and case studies, and discusses technical and organisational measures to mitigate the risks to people. It applies to all mediums, including tabular data, free text, video, images, and audio.

For more information: ICO Website

03/27/2025

Information Commissioner’s Office | Fine | Hacker Attack

The Information Commissioner’s Office (“ICO”) imposed a fine of £3.07 million (approx. €3.67 million) on a computer software company for security failures that compromised the personal data of 79,404 individuals.

In 2022, the company suffered a ransomware attack that was initiated through a customer account. The attack affected personal data processed on behalf of multiple organizations, including the National Health Service and healthcare providers. The ICO found that the software provider failed to implement appropriate technical and organizational measures in accordance with Article 32 of the GDPR (e.g., lack of multi-factor authentication, insufficient vulnerability scanning, and inadequate patch management).

For more information: ICO Website

03/24/2025

Information Commissioner’s Office | Notice of Intent | Data Breach

The Information Commissioner’s Office (“ICO”) issued a notice of intent to fine a DNA testing company £4.59 million (approx. €5.5 million).

The ICO had launched a joint investigation with the Office of the Privacy Commissioner of Canada (“OPC”) after the company reported a data breach in October 2023. The breach concerned genetic information which the ICO considers is “among the most sensitive personal data that a person can entrust to a company”.

For more information: ICO Website

03/01/2025

Information Commissioner’s Office | Code of Practice | Children’s Data Protection

The Information Commissioner’s Office (“ICO”) has updated its Children’s Code of Practice to enhance the protection of children’s data in the digital world.

The revised code includes stronger guidelines for businesses regarding age-appropriate design and data minimization principles, aiming to ensure children’s privacy online. The code highlights the importance of high-privacy default settings, limiting the processing of geolocation data, and switching off targeted advertising for children by default.

For further information: ICO Code of practice and Press release


The following Gibson Dunn lawyers prepared this update: Ahmed Baladi, Vera Lukic, Kai Gesing, Joel Harrison; Thomas Baculard, Billur Cinar, Hermine Hubert, Christoph Jacob, and Yannick Oberacker.

Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Privacy, Cybersecurity & Data Innovation practice group:

Privacy, Cybersecurity, and Data Innovation:

United States:
Abbey A. Barrera – San Francisco (+1 415.393.8262, abarrera@gibsondunn.com)
Ashlie Beringer – Palo Alto (+1 650.849.5327, aberinger@gibsondunn.com)
Ryan T. Bergsieker – Denver (+1 303.298.5774, rbergsieker@gibsondunn.com)
Keith Enright – Palo Alto (+1 650.849.5386, kenright@gibsondunn.com)
Gustav W. Eyler – Washington, D.C. (+1 202.955.8610, geyler@gibsondunn.com)
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650.849.5203, cgaedt-sheckter@gibsondunn.com)
Svetlana S. Gans – Washington, D.C. (+1 202.955.8657, sgans@gibsondunn.com)
Lauren R. Goldman – New York (+1 212.351.2375, lgoldman@gibsondunn.com)
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, shandler@gibsondunn.com)
Natalie J. Hausknecht – Denver (+1 303.298.5783, nhausknecht@gibsondunn.com)
Jane C. Horvath – Washington, D.C. (+1 202.955.8505, jhorvath@gibsondunn.com)
Martie Kutscher Clark – Palo Alto (+1 650.849.5348, mkutscherclark@gibsondunn.com)
Kristin A. Linsley – San Francisco (+1 415.393.8395, klinsley@gibsondunn.com)
Timothy W. Loose – Los Angeles (+1 213.229.7746, tloose@gibsondunn.com)
Vivek Mohan – Palo Alto (+1 650.849.5345, vmohan@gibsondunn.com)
Rosemarie T. Ring – San Francisco (+1 415.393.8247, rring@gibsondunn.com)
Ashley Rogers – Dallas (+1 214.698.3316, arogers@gibsondunn.com)
Sophie C. Rohnke – Dallas (+1 214.698.3344, srohnke@gibsondunn.com)
Eric D. Vandevelde – Los Angeles (+1 213.229.7186, evandevelde@gibsondunn.com)
Benjamin B. Wagner – Palo Alto (+1 650.849.5395, bwagner@gibsondunn.com)
Frances A. Waldmann – Los Angeles (+1 213.229.7914, fwaldmann@gibsondunn.com)
Debra Wong Yang – Los Angeles (+1 213.229.7472, dwongyang@gibsondunn.com)

Europe:
Ahmed Baladi – Paris (+33 1 56 43 13 00, abaladi@gibsondunn.com)
Patrick Doris – London (+44 20 7071 4276, pdoris@gibsondunn.com)
Kai Gesing – Munich (+49 89 189 33-180, kgesing@gibsondunn.com)
Joel Harrison – London (+44 20 7071 4289, jharrison@gibsondunn.com)
Lore Leitner – London (+44 20 7071 4987, lleitner@gibsondunn.com)
Vera Lukic – Paris (+33 1 56 43 13 00, vlukic@gibsondunn.com)
Lars Petersen – Frankfurt/Riyadh (+49 69 247 411 525, lpetersen@gibsondunn.com)
Christian Riis-Madsen – Brussels (+32 2 554 72 05, criis@gibsondunn.com)
Robert Spano – London/Paris (+44 20 7071 4000, rspano@gibsondunn.com)

Asia:
Connell O’Neill – Hong Kong (+852 2214 3812, coneill@gibsondunn.com)
Jai S. Pathak – Singapore (+65 6507 3683, jpathak@gibsondunn.com)

© 2025 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.