Europe

03/19/2025

European Data Protection Board | Approval Procedure | Binding Corporate Rules

The European Data Protection Board (“EDPB”) published a document outlining the cooperation procedure for approving Binding Corporate Rules (“BCRs”) for both controllers and processors.

Drawing from practical experience of the previous version of the Guidelines on BCR approval, the procedure presented aims to streamline the approval of BCRs, promoting consistent data protection practices across organizations operating within the EU.

For more information: EDPB Website

03/05/2025

European Commission | Publication | European Health Data Space Regulation

On March 5, 2025, the European Health Data Space Regulation was published in the Official Journal of the European Union.

The regulation aims to establish a common framework for the use and exchange of electronic health data across the EU. It will also enhance individuals’ access to and control over their personal electronic health data: for instance, patients will have the right to restrict health professionals’ access to all or parts of their personal electronic health data exchanged through EHDS infrastructures. The regulation will enter into force on March 26, 2025, and will become applicable two years later.

For further information: European Commission Website and Official Journal of the EU

03/05/2025

European Data Protection Board | Coordinated Enforcement | Right to Erasure

On March 5, 2025, the European Data Protection Board (EDPB) announced that it is launching a Europe-wide review of the right to erasure.

This initiative involves 32 data protection authorities across Europe. The aim is to evaluate how well the right to erasure, which allows individuals to request the deletion of their personal data, is being implemented in practice. The assessment will be conducted using a standardized questionnaire to analyze and compare procedures established by various data controllers. The results will be published in a report by the EDPB, highlighting best practices and areas for improvement.

For further information: EDPB Website

03/04/2025

European Commission | EU Adequacy Decision | Article 45 GDPR

On March 4, 2025, the European Commission proposed the first EU adequacy decision under Article 45 GDPR for an international organization.

The European Commission proposed an EU adequacy decision for the European Patent Organisation (EPO). The decision, based on Article 45 GDPR, finds the EPO’s data protection rules comparable to the EU’s. The EPO is an international organization comprising the EU member states and various other European states, established to grant patents. The adequacy decision will enable safe data flows between the EU and the EPO. Once adopted, companies in the EU will be able to transfer data, for instance for patent applications, to the EPO without additional safeguards. The draft will be reviewed by the European Data Protection Board (EDPB) and other EU bodies before final adoption.

For further information: European Commission Website

France

03/27/2025

French Supervisory Authority | Work Program | 2025 Priorities

As part of its mission to guide professionals towards compliance, the French Data Protection Authority (“CNIL”) announced the main guidance materials it will issue in 2025.

The CNIL regularly issues soft law guidance (e.g., recommendations, guidelines, codes of practice) to clarify the applicable law and provide best practices. In 2025, the CNIL will issue fact sheets on artificial intelligence (to help professionals balance innovation and data subject rights), recommendations on the use of tracking pixels in emails, and will continue clarifying the use of dashcams.

For more information: CNIL Website [FR]

03/25/2025

French Supervisory Authority | Public Consultation | Connected Vehicles and Location Data

The French Supervisory Authority (“CNIL”) is submitting for public consultation a draft recommendation on the use of location data of connected vehicles.

The CNIL indicated that location data is considered highly personal data, as it can reveal individuals’ frequently visited places, habits, or areas of interest. The draft focuses on the use of connected vehicles by private individuals and aims at helping the main actors ensure compliance with GDPR principles. The public consultation will end on 20 May 2025. Any public or private actor can participate in the consultation.

For more information: CNIL Website [FR]

03/21/2025

French Supervisory Authority | Investigation | 2025 Priorities

The French Supervisory Authority (“CNIL”) announced its 2025 data protection priorities.

This year, the CNIL announced that it will focus on enforcing rules with respect to mobile app data collection, local government cybersecurity, penitentiary data management, and the enforcement of the right to erasure.

For more information: CNIL Website [FR]

03/05/2025

French Supervisory Authority | Guidelines | Case Law and Doctrine

The French Supervisory Authority (“CNIL”) published its “Tables Informatiques et Libertés” and its recap books (“Cahiers récapitulatifs”) for the year 2024.

The Tables are designed to give data professionals and academics access to the CNIL’s doctrinal positions as well as to case law from national and European courts. This tool allows practitioners to easily find precedents based on a thematic classification.

For more information: CNIL Website [FR]

03/06/2025

French National Cybersecurity Authority | Strategic Plan | 2025-2027

The French National Cybersecurity Authority (“ANSSI”) published its strategic plan for 2025-2027.

The plan developed by ANSSI focuses on four key areas: (i) amplifying and coordinating the cyber response to the growing threat, (ii) developing the expertise needed to counter cyber threats, (iii) promoting effective European and international cyber action, and (iv) reinforcing the consideration of societal issues in ANSSI’s actions.

For further information: ANSSI Website [FR]

Germany

03/27/2025

German Federal Court of Justice | Judgement | GDPR and Competition Law

On March 27, 2025, the German Federal Court of Justice (BGH) ruled (I ZR 186/17) that a breach of information obligations by the controller may give rise to claims for injunctive relief under the German Act Against Unfair Competition (UWG). These can be pursued by consumer protection associations by way of an action before the civil courts.

According to the BGH, the Unfair Competition Act (UWG) and the Injunctions Act (UKlaG) provide a legal basis under Article 80(2) GDPR for consumer protection associations to pursue violations of the GDPR. Consumer associations can take legal action against breaches of information obligations under Art. 12(1) and Art. 13(1)(c) and (e) GDPR, even without specific authorization from the affected individuals. Breaches of data protection information obligations may constitute unfair competition if material information is withheld.

For further information: BGH Website [DE]

03/27/2025

German Federal Court of Justice | Judgement | GDPR and Competition Law

On March 27, 2025, the German Federal Court of Justice (BGH) ruled in two cases (I ZR 222/19, I ZR 223/19) that a breach of GDPR regulations regarding special categories of data by the controller may give rise to claims for injunctive relief under the German Act Against Unfair Competition (UWG). These can be pursued by competitors by way of an action before the civil courts.

According to the BGH, the Unfair Competition Act (UWG) provides a legal basis for competitors to pursue violations of the GDPR. In the decisions, the BGH ruled that a violation of Article 9(1) GDPR can be pursued by a competitor by way of a competition law action before the civil courts under Article 8(3)(1) UWG.

For further information: BGH Website (I ZR 222/19 [DE], I ZR 223/19 [DE])

03/20/2025

German Federal Office for Information Security | Certification | Cybersecurity Act

The German Federal Office for Information Security (“BSI”) was designated by the European Commission as the German certification body under the Cybersecurity Act.

The BSI is now the body in charge of approving applications from manufacturers seeking to obtain a European cybersecurity certificate at the “high” assurance level under the European Common Criteria-based cybersecurity certification scheme (EUCC), adopted by Implementing Regulation.

For more information: BSI Website [DE]

03/19/2025

Hamburg Supervisory Authority | Recommendations | Data Retention

The Hamburg Supervisory Authority (“HmbBfDI”) recommends that organizations review and delete outdated data as part of a “digital spring cleaning”.

The HmbBfDI in particular recalls that, with the Fourth Bureaucracy Relief Act (BEG IV), the federal legislator has reduced some retention periods defined under the German Fiscal and Commercial Codes, requiring businesses to adjust their data retention policies accordingly. In particular, the retention period for accounting documents under tax law is reduced from ten to eight years, which also affects the right to erasure under the GDPR.

For more information: HmbBfDI Website [DE]

03/13/2025

German Data Protection Conference | Statement | Data Act

On March 13, 2025, the German Data Protection Conference (DSK) published a statement on the implementation legislation for the EU Data Act.

The DSK, the conference of the independent data protection supervisory authorities of the German federal states, has published a position paper on the German legislation implementing the EU Data Act. It emphasizes that the rules must be harmonized across member states and implemented effectively and consistently with the requirements of the European legislation. The DSK criticizes the current German draft legislation in various respects and stresses the interplay between EU regulations and their implementation in each member state, even for regulations that apply directly.

For further information: DSK Website [DE]

03/12/2025

Hamburg Supervisory Authority | Guest Orders | Online Retail

The Hamburg Supervisory Authority (“HmbBfDI”) announced having ordered a Hamburg-based online retailer to allow guest orders, without requiring users to create a customer account.

The HmbBfDI notes that in a resolution dated March 24, 2022, the German Data Protection Conference (DSK) stated that requiring users to create a customer account to place orders is incompatible with the principle of data minimization. As part of its enforcement actions, the HmbBfDI examined multiple online shops in January 2025 and will continue to monitor their practices. Online shops which are considered a marketplace do not have to allow guest orders.

For more information: HmbBfDI Website [DE]

03/06/2025

Bavarian Supervisory Authority | Guidance | Article 28 GDPR

On March 6, 2025, the Bavarian Supervisory Authority (“BayLDA”) published an updated version of its guidance on the correct classification of data controllers and data processors.

The new guidance focuses on explaining the different legal criteria for the proper classification of controllers and processors, providing detailed elaborations on the exact wording of the GDPR to facilitate case-by-case decisions.

For further information: BayLDA Website [DE]

03/2025

German Supervisory Authorities | Activity Reports

In March 2025, several Supervisory Authorities published their annual Activity Reports.

In addition to the increasingly important interplay between AI regulations and the GDPR, the reports also focus on data protection in employment contexts. By way of example, the Supervisory Authority of Bremen (LfDI Bremen) highlighted that video surveillance of areas frequented by employees is only permissible in non-sensitive areas and always demands an assessment of interests. The Bavarian Supervisory Authority (LDA Bayern) recommends that the publishing of images of employees after their employment ends should be contractually agreed upon in advance to ensure GDPR compliance.

For further information: LfDI Baden-Württemberg Website [DE], LfDI Bremen Website [DE], LfDI Sachsen Website [DE] and LDA Bayern Website [DE]

02/25/2025

Higher Regional Court of Stuttgart | Judgement | Data Processing and Employment

In a recent decision (2 ORbs 16 Ss 336/24), the Higher Regional Court of Stuttgart (OLG Stuttgart) dealt with the so-called “employee excess” in data protection law. Of practical relevance is the OLG’s classification of when employees who process personal data for non-work purposes become data controllers themselves, thus replacing the employer as the addressee of potential GDPR fines.

If the data protection breach is committed deliberately and intentionally for reasons unrelated to work, the employee may be considered an independent controller, and not merely as acting contrary to the employer’s instructions.

For further information: Official Court Website [DE]

02/21/2025

Higher Administrative Court of Bavaria | Judgement | Access to Controller Agreements

On February 21, 2025, the Higher Administrative Court of Bavaria (VGH Bayern) ruled (7 ZB 24.651) that data subjects cannot demand access to data processing agreements as part of their information rights under Art. 15 GDPR.

Art. 15 GDPR only grants data subjects a right of access to their own personal data. The court argues that the supervisory authorities, and not the data subjects, are responsible for monitoring the application of the GDPR, including the data processing agreements between a controller and a processor and their requirements.

For further information: Official Court Website [DE]

Ireland

03/07/2025

Irish Supervisory Authority | Complaints | Data Access Requests

The Irish Supervisory Authority (“DPC”) has published a blog post on how it handles complaints related to data subjects’ access requests.

The DPC states that it regularly deals with complaints from data subjects concerned that their access requests have not been fulfilled. The authority details how it determines the validity of the restrictions that organizations use to refuse access requests, emphasizing that each restriction must be justified on an evidential basis.

For more information: DPC Website

03/05/2025

Irish Government | AI Act | Designation of Competent Authorities

The Irish Government approved the designation of eight public authorities as competent authorities, responsible for implementing and enforcing the AI Act.

These authorities are the Central Bank of Ireland, the Commission for Communications Regulation, the Commission for Railway Regulation, the Competition and Consumer Protection Commission, the Data Protection Commission, the Health and Safety Authority, the Health Products Regulatory Authority, and the Marine Survey Office of the Department of Transport. Additional authorities, as well as a lead regulator, will be designated through a forthcoming decision.

For further information: Irish Government Website

Netherlands

03/06/2025

Dutch Supervisory Authority | Public Consultation | Human Intervention in Algorithmic Decision-making

The Dutch Supervisory Authority (“AP”) launched a public consultation on the tools it has developed to enable meaningful human intervention in algorithmic decision-making.

The AP recalls that organizations using algorithmic decision-making must comply with the obligation to ensure human intervention. Such intervention must be meaningful — not merely symbolic — and designed to guarantee that decisions are made carefully, without discrimination. Organizations must also ensure that human intervention is not undermined by factors such as time pressure or lack of knowledge about the system.

For further information: AP Website [NL]

United Kingdom

03/28/2025

Information Commissioner’s Office | Guidance | Data Anonymisation

The Information Commissioner’s Office (“ICO”) has published new guidance on data anonymisation.

This guidance explains the distinction between anonymisation and pseudonymisation, discusses what should be considered when anonymising personal data, provides good practice advice and case studies, and discusses technical and organisational measures to mitigate the risks to people. It applies to all media, including tabular data, free text, video, images, and audio.

For more information: ICO Website

03/27/2025

Information Commissioner’s Office | Fine | Hacker Attack

The Information Commissioner’s Office (“ICO”) imposed a fine of £3.07 million (approx. €3.67 million) on a computer software company for security failures that compromised the personal data of 79,404 individuals.

In 2022, the company suffered a ransomware attack that was initiated through a customer account. The attack affected personal data processed on behalf of multiple organizations, including the National Health Service and healthcare providers. The ICO found that the software provider failed to implement appropriate technical and organizational measures in accordance with Article 32 of the GDPR (e.g., lack of multi-factor authentication, insufficient vulnerability scanning, and inadequate patch management).

For more information: ICO Website

03/24/2025

Information Commissioner’s Office | Notice of Intent | Data Breach

The Information Commissioner’s Office (“ICO”) issued a notice of intent to fine a DNA testing company £4.59 million (EUR 5.5 million).

The ICO had launched a joint investigation with the Office of the Privacy Commissioner of Canada (“OPC”) after the company reported a data breach in October 2023. The breach concerned genetic information which the ICO considers is “among the most sensitive personal data that a person can entrust to a company”.

For more information: ICO Website

03/01/2025

Information Commissioner’s Office | Code of Practice | Children’s Data Protection

The Information Commissioner’s Office (“ICO”) has updated its Children’s Code of Practice to enhance the protection of children’s data in the digital world.

The revised code includes stronger guidelines for businesses regarding age-appropriate design and data minimization principles, aiming to ensure children’s privacy online. The code highlights the importance of high-privacy default settings, limiting the processing of geolocation data, and switching off targeted advertising for children by default.

For further information: ICO Code of practice and Press release


The following Gibson Dunn lawyers prepared this update: Ahmed Baladi, Vera Lukic, Kai Gesing, Joel Harrison; Thomas Baculard, Billur Cinar, Hermine Hubert, Christoph Jacob, and Yannick Oberacker.

Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Privacy, Cybersecurity & Data Innovation practice group:

Privacy, Cybersecurity, and Data Innovation:

United States:
Abbey A. Barrera – San Francisco (+1 415.393.8262, abarrera@gibsondunn.com)
Ashlie Beringer – Palo Alto (+1 650.849.5327, aberinger@gibsondunn.com)
Ryan T. Bergsieker – Denver (+1 303.298.5774, rbergsieker@gibsondunn.com)
Keith Enright – Palo Alto (+1 650.849.5386, kenright@gibsondunn.com)
Gustav W. Eyler – Washington, D.C. (+1 202.955.8610, geyler@gibsondunn.com)
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650.849.5203, cgaedt-sheckter@gibsondunn.com)
Svetlana S. Gans – Washington, D.C. (+1 202.955.8657, sgans@gibsondunn.com)
Lauren R. Goldman – New York (+1 212.351.2375, lgoldman@gibsondunn.com)
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, shandler@gibsondunn.com)
Natalie J. Hausknecht – Denver (+1 303.298.5783, nhausknecht@gibsondunn.com)
Jane C. Horvath – Washington, D.C. (+1 202.955.8505, jhorvath@gibsondunn.com)
Martie Kutscher Clark – Palo Alto (+1 650.849.5348, mkutscherclark@gibsondunn.com)
Kristin A. Linsley – San Francisco (+1 415.393.8395, klinsley@gibsondunn.com)
Timothy W. Loose – Los Angeles (+1 213.229.7746, tloose@gibsondunn.com)
Vivek Mohan – Palo Alto (+1 650.849.5345, vmohan@gibsondunn.com)
Rosemarie T. Ring – San Francisco (+1 415.393.8247, rring@gibsondunn.com)
Ashley Rogers – Dallas (+1 214.698.3316, arogers@gibsondunn.com)
Sophie C. Rohnke – Dallas (+1 214.698.3344, srohnke@gibsondunn.com)
Eric D. Vandevelde – Los Angeles (+1 213.229.7186, evandevelde@gibsondunn.com)
Benjamin B. Wagner – Palo Alto (+1 650.849.5395, bwagner@gibsondunn.com)
Frances A. Waldmann – Los Angeles (+1 213.229.7914, fwaldmann@gibsondunn.com)
Debra Wong Yang – Los Angeles (+1 213.229.7472, dwongyang@gibsondunn.com)

Europe:
Ahmed Baladi – Paris (+33 1 56 43 13 00, abaladi@gibsondunn.com)
Patrick Doris – London (+44 20 7071 4276, pdoris@gibsondunn.com)
Kai Gesing – Munich (+49 89 189 33-180, kgesing@gibsondunn.com)
Joel Harrison – London (+44 20 7071 4289, jharrison@gibsondunn.com)
Lore Leitner – London (+44 20 7071 4987, lleitner@gibsondunn.com)
Vera Lukic – Paris (+33 1 56 43 13 00, vlukic@gibsondunn.com)
Lars Petersen – Frankfurt/Riyadh (+49 69 247 411 525, lpetersen@gibsondunn.com)
Christian Riis-Madsen – Brussels (+32 2 554 72 05, criis@gibsondunn.com)
Robert Spano – London/Paris (+44 20 7071 4000, rspano@gibsondunn.com)

Asia:
Connell O’Neill – Hong Kong (+852 2214 3812, coneill@gibsondunn.com)
Jai S. Pathak – Singapore (+65 6507 3683, jpathak@gibsondunn.com)

© 2025 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

Europe

02/26/2025

European Parliament | Report | Algorithmic Discrimination

The European Parliament published a report on algorithmic discrimination under the AI Act and the GDPR.

The Parliament underlines the legal uncertainties regarding the interaction between the AI Act and the GDPR. Indeed, the AI Act allows processing of special categories of personal data to detect and correct bias, while the GDPR imposes stricter conditions on such data usage, potentially limiting AI bias mitigation efforts.

For further information: European Parliament Report

02/26/2025

Court of Justice of the European Union | Decision | Automated Decision-making System

The Court of Justice of the European Union (“CJEU”) ruled that when their data is used by automated decision-making systems, data subjects may require the controller to explain the procedure and principles actually applied when processing personal data to obtain a specific result.

The decision stems from a case filed by an Austrian customer who was denied a mobile phone contract on the basis of an automated decision-making system. The Court highlighted that, when asked by data subjects for explanations, the information should be provided in a “concise, transparent, intelligible and easily accessible form”. The decision also addresses the concept of trade secrets.

For further information: CJEU Decision

02/13/2025

Court of Justice of the European Union | Decision | Calculation of GDPR Fines

The Court of Justice of the European Union (“CJEU”) clarified the calculation of fines for undertakings (C-383/23).

The CJEU considers that the maximum amount of the fine that can be imposed on an undertaking must be determined “on the basis of a percentage of the undertaking’s total worldwide annual turnover in the preceding business year”.

For further information: CJEU Decision

02/04/2025

Cyber Solidarity Act | Entry Into Force | Highly Critical Sectors Concerned

On February 4, 2025, the Cyber Solidarity Act entered into force.

This regulation enhances the EU’s capacity to prepare for, detect, and respond to cybersecurity incidents. Entities operating in highly critical sectors or other critical sectors, as defined by Directive (EU) 2022/2555 (NIS 2), may be required to undergo “coordinated preparedness testing” to verify their compliance with minimum standards and expectations for critical services and infrastructure.

For further information: Commission Website and Cyber Solidarity Act

France

02/26/2025

CNIL | Work Program | Connected Vehicles

The French Supervisory Authority (“CNIL”) published the “compliance committee” work program for 2025 on connected vehicles and location data.

The committee’s work focuses on the use of location data from connected vehicles and will lead to the drafting of a recommendation, which will soon be published for public consultation. Because of the lack of legal certainty surrounding the use of dashcams and the associated privacy risks, the committee’s work program for 2025 is dedicated to the use of these devices by private individuals.

For further information: CNIL Press release [FR]

02/07/2025

French Supervisory Authority | Recommendations | Artificial Intelligence

On February 7, 2025, the French Supervisory Authority (“CNIL”) published two new recommendations on how AI should be used to comply with GDPR requirements.

The CNIL’s first recommendation focuses on data subject information and essentially provides that companies must ensure individuals are given sufficient information at the appropriate moment and that the processing of their data is entirely transparent. More specifically, it provides examples of information notices to be used in relation to web scraping or the development of general-purpose AI (GPAI) models. The second recommendation focuses on data subject rights and provides specific details on how companies can handle such requests, whether they apply to the training data or to the model more generally.

For further information: CNIL Recommendations on Right of information, and Data subjects’ rights [FR]

02/05/2025

French Supervisory Authority | GDPR | 2024 Report

The French Supervisory Authority (“CNIL”) has published a 2024 report on sanctions issued during the year.

The report provides that a total of 331 decisions were handed down, including 87 sanctions, for a total of 55,212,400 euros in fines, 180 formal notices and 64 reminders of legal obligations. The recurring breaches found usually concern commercial prospecting and health data.

For further information: CNIL Report [FR]

01/31/2025

French Supervisory Authority | GDPR | Access Right

On January 31, 2025, the French Supervisory Authority (“CNIL”) updated its guidance on employees’ right of access to their work-related data and emails.

In this update, the authority clarifies that if a request involves a very large number of emails (though it did not define what constitutes “very large”), the employer may first provide the employee with a summary table listing the relevant messages. This allows the employee to specify which content they wish to receive. However, given the lack of further clarification, it appears that if the employee does not specify the data they want, the employer remains obligated to provide all the requested data unless the employer identifies an actual risk to third-party rights. Moreover, the French Authority published a case-law summary regarding the GDPR access right.

For further information: CNIL Guidance and Case-law Summary [FR]

Germany

02/14/2025

German Supervisory Authorities | Investigation | AI and Privacy

On February 14, 2025, several German Data Protection Supervisory Authorities announced a coordinated investigation into an AI provider.

Several German state data protection supervisory authorities, including those of Rhineland-Palatinate, Baden-Württemberg, Thuringia, Saxony-Anhalt, Hesse, Bremen, and Berlin, initiated coordinated investigations into the AI provider. This collaborative effort aims to ensure compliance with Article 27(1) of the General Data Protection Regulation (GDPR), which requires companies not established in the European Union to appoint a representative within the EU. The effort underscores the impact of GDPR enforcement on AI development. In addition to this investigation, the Lower Saxony Supervisory Authority (“LfD Niedersachsen”) published a statement on February 21, 2025, drawing attention to the risks associated with the use of the Chinese AI-powered chatbot. The LfD Niedersachsen pointed out in particular that, according to the privacy policy of the company providing the chatbot, user inputs, including uploaded documents, are recorded, transmitted, stored and analyzed without any restriction.

For more information: Website of the Baden Württemberg Supervisory Authority [DE] and Website of the Lower Saxony Supervisory Authority [DE]

02/12/2025

Bremen Supervisory Authority | Recommendation | AI and Privacy

On February 12, 2025, the Data Protection Authority of Bremen (LfD Bremen) provided recommendations on the use of AI applications from providers outside the European Union that have not appointed a legal representative in the EU.

In order to ensure compliance with data protection regulations and mitigate the risks associated with AI applications, the LfD Bremen recommends selecting AI providers that demonstrate transparency and provide documentation confirming GDPR compliance. Before installing AI models, the user should ensure that no personal data can leak, for example by using a secure IT environment. According to the LfD Bremen, the input of personal or confidential data into online interfaces should be avoided unless effective protective measures are in place. Users, especially workers, should be made aware of the risks involved, and AI competence, as required under Article 4 of the AI Act since February 2, 2025, should be ensured. If the AI provider is based outside the EU, it should appoint a representative under Article 27 GDPR to facilitate the enforcement of data subjects’ rights; failure to do so can result in fines under Article 83(4) GDPR.

For more information: Website of the Bremen Supervisory Authority [DE]

01/29/2025

German Federal Administrative Court | Judgement | Advertisement

On January 29, 2025, the German Federal Administrative Court (BVerwG) ruled on the interplay of data processing under Article 6(1)(f) GDPR and consent for advertisement necessary under German competition law.

The BVerwG ruled that processing the contact data of dental practices taken from publicly accessible sources for the purpose of telephone advertising without at least presumed consent is impermissible. The court held that merely obtaining contact details from publicly accessible directories to conduct phone advertising does not constitute a legitimate interest under Article 6(1)(f) GDPR unless there is at least implied consent from the data subjects under Section 7(2) No. 1 UWG. Consequently, the company’s appeal was denied, as the interest in data processing for phone advertising did not outweigh the privacy protection guaranteed by the GDPR and national law. The court confirmed that the prohibition on such data processing remains justified under the current legal framework, given its alignment with the need to protect individuals’ privacy from unsolicited advertising.

For more information: Official Court Website [DE]

Sweden

02/18/2025

Swedish Supervisory Authority | GDPR Guidance | Impact Assessment

On February 18, 2025, the Swedish Supervisory Authority (“IMY”) published a guidance on impact assessments.

The guidance consists of a practical guide and an annex with legal interpretative support.

For further information: IMY Website [SV] and Guidance for Impact Assessment [SV]

02/04/2025

Stockholm Administrative Court | Fine | Cookies

In February 2025, the Stockholm Administrative Court upheld a SEK 13 million (approx. €1.16M) fine against a media company for failure to comply with the principle of lawfulness provided under the GDPR.

The company was relying on legitimate interests for the processing of personal data collected via cookies. Such data was combined with purchase history and third-party data for creating profiles, including for marketing purposes. The court ruled that legitimate interest cannot serve as a legal basis and therefore upheld the administrative fine imposed by the Swedish Supervisory Authority (“IMY”). In its decision, the IMY stated that pursuant to Article 5(3) of the ePrivacy Directive, consent was required for the collection of data via cookies. This is the first publicly known case in Sweden where IMY explicitly referenced Article 5(3) of the ePrivacy Directive in its reasoning for a GDPR fine.

For further information: Stockholm Administrative Court Website [SV]

Switzerland

02/03/2025

Federal Data Protection and Information Commissioner | Guidelines | Cookies

The Swiss Supervisory Authority (“FDPIC”) published its guidelines on data processing using cookies and similar technologies.

The FDPIC describes the data protection requirements controllers must abide by when using cookies and similar technologies.

For further information: FDPIC Website

United Kingdom

02/22/2025

Information Commissioner’s Office | Report | Technologies

The Information Commissioner’s Office (“ICO”) published its 2025 Tech Horizons report.

The ICO’s Tech Horizons report examines emerging technologies and the regulatory challenges they face from a privacy perspective. This third edition of the report focuses on four technologies: connected transport; quantum sensing and imaging; digital diagnosis, therapeutics and healthcare infrastructure; and synthetic media and its identification and detection.

For further information: ICO Website

02/10/2025

Information Commissioner’s Office | Response | Data (Use and Access) Bill

The Information Commissioner’s Office (“ICO”) published its updated response to the Data (Use and Access) (DUA) Bill.

The ICO welcomed the recent changes introduced to the Bill and expressed its position on some of the recent amendments, including those related to the protection of children’s data and the expansion of the soft opt-in in direct marketing to cover charities.

For further information: ICO Website

02/06/2025

Information Commissioner’s Office | Guidance | Employment Practices and Data Protection

On February 5, 2025, the Information Commissioner’s Office (“ICO”) issued new guidance for employers on the management of employment records.

The guidance addresses key questions employers may encounter in relation to the collection, retention and use of employment records, including: which lawful bases might apply to employment records, when employers can share workers’ personal data with other people or organizations, and how employers can handle sickness and injury records.

For further information: ICO Guidance

The following Gibson Dunn lawyers prepared this update: Partners: Ahmed Baladi, Vera Lukic, Joel Harrison, and Kai Gesing; Associates: Thomas Baculard, Billur Cinar, Hermine Hubert, and Christoph Jacob.

Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Privacy, Cybersecurity & Data Innovation practice groups:

Privacy, Cybersecurity, and Data Innovation:

United States:
Abbey A. Barrera – San Francisco (+1 415.393.8262, abarrera@gibsondunn.com)
Ashlie Beringer – Palo Alto (+1 650.849.5327, aberinger@gibsondunn.com)
Ryan T. Bergsieker – Denver (+1 303.298.5774, rbergsieker@gibsondunn.com)
Keith Enright – Palo Alto (+1 650.849.5386, kenright@gibsondunn.com)
Gustav W. Eyler – Washington, D.C. (+1 202.955.8610, geyler@gibsondunn.com)
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650.849.5203, cgaedt-sheckter@gibsondunn.com)
Svetlana S. Gans – Washington, D.C. (+1 202.955.8657, sgans@gibsondunn.com)
Lauren R. Goldman – New York (+1 212.351.2375, lgoldman@gibsondunn.com)
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, shandler@gibsondunn.com)
Natalie J. Hausknecht – Denver (+1 303.298.5783, nhausknecht@gibsondunn.com)
Jane C. Horvath – Washington, D.C. (+1 202.955.8505, jhorvath@gibsondunn.com)
Martie Kutscher Clark – Palo Alto (+1 650.849.5348, mkutscherclark@gibsondunn.com)
Kristin A. Linsley – San Francisco (+1 415.393.8395, klinsley@gibsondunn.com)
Timothy W. Loose – Los Angeles (+1 213.229.7746, tloose@gibsondunn.com)
Vivek Mohan – Palo Alto (+1 650.849.5345, vmohan@gibsondunn.com)
Rosemarie T. Ring – San Francisco (+1 415.393.8247, rring@gibsondunn.com)
Ashley Rogers – Dallas (+1 214.698.3316, arogers@gibsondunn.com)
Sophie C. Rohnke – Dallas (+1 214.698.3344, srohnke@gibsondunn.com)
Eric D. Vandevelde – Los Angeles (+1 213.229.7186, evandevelde@gibsondunn.com)
Benjamin B. Wagner – Palo Alto (+1 650.849.5395, bwagner@gibsondunn.com)
Frances A. Waldmann – Los Angeles (+1 213.229.7914, fwaldmann@gibsondunn.com)
Debra Wong Yang – Los Angeles (+1 213.229.7472, dwongyang@gibsondunn.com)

Europe:
Ahmed Baladi – Paris (+33 1 56 43 13 00, abaladi@gibsondunn.com)
Patrick Doris – London (+44 20 7071 4276, pdoris@gibsondunn.com)
Kai Gesing – Munich (+49 89 189 33-180, kgesing@gibsondunn.com)
Joel Harrison – London (+44 20 7071 4289, jharrison@gibsondunn.com)
Lore Leitner – London (+44 20 7071 4987, lleitner@gibsondunn.com)
Vera Lukic – Paris (+33 1 56 43 13 00, vlukic@gibsondunn.com)
Lars Petersen – Frankfurt/Riyadh (+49 69 247 411 525, lpetersen@gibsondunn.com)
Christian Riis-Madsen – Brussels (+32 2 554 72 05, criis@gibsondunn.com)
Robert Spano – London/Paris (+44 20 7071 4000, rspano@gibsondunn.com)

Asia:
Connell O’Neill – Hong Kong (+852 2214 3812, coneill@gibsondunn.com)
Jai S. Pathak – Singapore (+65 6507 3683, jpathak@gibsondunn.com)

© 2025 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

Europe

01/20/2025

European Data Protection Board | Case Digest & Report | Right of Access

The European Data Protection Board (“EDPB”) has published a “One-Stop-Shop case digest on right of access” and a report on the “Implementation of the right of access by controllers”.

On January 16, 2025, the EDPB published a case digest that provides examples of the exercise of the right of access in different contexts and analyzes, in this respect, national Supervisory Authorities’ (SAs) decisions under the one-stop-shop mechanism. In addition, on January 20, 2025, the EDPB released a report on the “Implementation of the right of access by controllers”. The report aggregates the findings of the SAs on the level of compliance of organizations with Article 15 of the GDPR, following a survey they conducted among 1,185 controllers from different sectors.

For more information: EDPB Website (Case Digest) and EDPB Website (Report)

01/17/2025

European Data Protection Board | Guidelines | Pseudonymization

The European Data Protection Board (“EDPB”) has published new guidelines on pseudonymization.

The guidelines aim to clarify in particular the definition of pseudonymization, its objectives and benefits. They also provide guidance on the technical and organizational measures to be implemented to ensure its effectiveness, as well as examples of how pseudonymization is applied in real-world scenarios. The guidelines are under public consultation until February 28, 2025.

For more information: EDPB Website

01/17/2025

European Data Protection Board | Position Paper | Competition law

The European Data Protection Board (“EDPB”) has published a position paper regarding the interplay between data protection and competition law.

The EDPB recognizes that data protection and competition law have different legal frameworks but carry nonetheless many commonalities, such as the protection of individuals and their decision making. It stresses the importance of the cooperation between the data protection and competition authorities, and of a better understanding of related concepts in both areas, in order to improve consistency and efficiency.

For more information: EDPB Website

01/17/2025

European Commission | Regulation | Digital Operational Resilience Act

The Digital Operational Resilience Act (“DORA”) is applicable as of January 17, 2025.

As a reminder, the DORA lays down new requirements for the security of network and information systems in the financial sector.

For more information: Official Journal of the EU

01/15/2025

European Data Protection Supervisor | Concept Note | Digital Clearinghouse

The European Data Protection Supervisor (“EDPS”) published a concept note proposing the creation of the Digital Clearinghouse (“DCH”) 2.0.

The DCH was conceived by the EDPS as a voluntary network to promote coherent enforcement of EU legislation in the digital sector. With the DCH 2.0, the EDPS suggests turning this initiative into a forum with a permanent secretariat in order to identify cross-regulatory areas and allow interested authorities to exchange views and coordinate their efforts.

For more information: EDPS website

01/09/2025

Court of Justice of the European Union | Judgment | Concepts of a ‘Request’ and ‘Excessive Requests’

On January 9, 2025, the Court of Justice of the European Union (“CJEU”) provided clarifications on the concepts of a ‘request’ and ‘excessive requests’ as part of a preliminary question referred by the Austrian Supervisory Authority.

The CJEU held that (i) the notion of “request” under Article 57(4) of the GDPR should be understood as including complaints lodged; (ii) the concept of “excessiveness” must be interpreted restrictively and the authority must demonstrate that the excessiveness of the requests stems from the applicant’s abusive intent, and (iii) when faced with excessive requests, the authorities may choose between charging reasonable fees and refusing to act on the requests.

For more information: Curia

01/09/2025

Court of Justice of the European Union | Judgment | Title and Gender Identity

On January 9, 2025, the CJEU published its judgment in Case C‑394/23 ruling that a customer’s gender identity was not necessary for the purchase of a rail transport ticket.

The CJEU clarified that the processing of personal data is only lawful if necessary for fulfilling a contract or for legitimate interest purposes. It ruled that personalizing commercial communications based on presumed gender identity, determined by a customer’s civil title, is not necessary, as it is not essential for a rail transport contract and could risk discrimination based on gender identity.

For more information: Curia

France

01/31/2025

French Supervisory Authority | Guidelines | Transfer Impact Assessment

The French Supervisory Authority (“CNIL”) published the final version of its guidelines on Transfer Impact Assessments (“TIA”) to help organizations comply with the GDPR when transferring data to third countries.

The CNIL’s guidelines outline a methodology for evaluating the adequacy of protection in third countries, assessing potential legal and practical risks, and implementing supplementary measures where necessary.

For more information: CNIL Website

01/28/2025

French Supervisory Authority | Guidelines | Data Breach

The French Supervisory Authority (“CNIL”) published guidelines on personal data security.

In 2024, the CNIL saw a 20% increase in data breaches compared to the previous year. It has issued guidelines to help organizations prevent and manage data breaches, with cybersecurity being one of its priorities for 2025-2028.

For more information: CNIL Website [FR]

01/23/2025

French Supervisory Authority | GDPR | Publicly Available Databases

On January 23, 2025, the French Supervisory Authority (CNIL) published an article on its website outlining the necessary checks for controllers when using publicly available or third-party databases.

Data controllers must ensure that the database complies with the GDPR and other relevant regulations, such as information system security and intellectual property rights. Key considerations include whether the data was processed with the consent of the individuals and if the processing is based on legitimate legal grounds, especially for sensitive data or data related to criminal offenses. Additionally, the CNIL recommends formalizing the relationship with the data provider through a contract.

For further information: CNIL Website [FR]

01/16/2025

French Supervisory Authority | Action Plan | Children, AI, cybersecurity and digital

The French Supervisory Authority (“CNIL”) published its strategic action plan for 2025 to 2028.

The CNIL will focus on four main priorities: AI, children’s online privacy, cybersecurity, and daily digital use (mobile applications and digital identity). The CNIL plans to diversify its support for organizations and strengthen its dialogue with stakeholders in these areas.

For more information: CNIL Website [FR]

Germany

01/15/2025

Higher Regional Court of Karlsruhe | Judgement | Right of Erasure

On January 15, 2025, the Higher Regional Court of Karlsruhe (OLG Karlsruhe) ruled on the right to erasure and the possibility to retain personal data for the use in future legal disputes.

The OLG Karlsruhe ruled that companies cannot indefinitely store personal data for potential future claims if the underlying incident has already been subject to legal proceedings. The court held that once data is no longer necessary for the purpose it was collected, it must be deleted. Even if future claims are possible, there must be more than just a theoretical possibility that these claims are pursued to justify continued data storage under Article 17(3)(e) GDPR and to deny the right to erasure. The decision emphasized that the mere abstract possibility of future claims is not sufficient for data retention.

For more information: Official Court Website [DE]

Italy

01/31/2025

Italian Supervisory Authority | Temporary Ban | Chatbot

The Italian Supervisory Authority (“Garante”) imposed a temporary ban on an AI-powered chatbot service.

This follows a request for information addressed by the Garante to the companies providing the chatbot service. According to the Garante, the responses communicated by the companies were not satisfactory. In addition to the limitation order on the processing of Italian users’ data, the Garante opened an investigation.

For more information: Garante Website

Spain

01/14/2025

Spanish Council of Ministers | Transposition | NIS 2 Directive

The Spanish Council of Ministers approved the Draft Law on Coordination and Governance of Cybersecurity, transposing the NIS 2 Directive.

The Draft Law specifies the public and private entities that fall under the scope of the NIS 2 Directive as well as their obligations in terms of cybersecurity (such as incident notification). It also designates several national supervisory authorities for enforcement purposes, and creates the National Cybersecurity Centre, which will be the sole point of contact with the European Union and be in charge of intersectoral and cross-border cooperation.

For more information: Ministry of Interior Website [ES]

United Kingdom

01/23/2025

UK Supervisory Authority | Online Tracking | 2025 Strategy

The UK Supervisory Authority (“ICO”) has introduced its 2025 online tracking strategy.

The strategy aims to ensure that individuals have control over tracking in the context of online advertising. The ICO’s plan of action includes publishing guidelines on subjects such as ‘consent or pay’ models and the Internet of Things, and engaging with different actors (website publishers, consent management platforms, app developers, connected TV manufacturers) to promote and ensure compliance with the law. The ICO will also investigate data management platforms connecting advertisers and publishers.

For more information: ICO Website


The following Gibson Dunn lawyers prepared this update: Partners: Ahmed Baladi, Vera Lukic, and Kai Gesing; Associates: Thomas Baculard, Billur Cinar, Hermine Hubert, and Christoph Jacob.


Personal Data | Cybersecurity | Data Innovation

Europe

03/14/2023 – European Union Agency for Cybersecurity | Report | Cybersecurity of AI and Standardisation

On 14 March 2023, the European Union Agency for Cybersecurity published a report on Cybersecurity of AI and Standardisation.

The objective of the report is to provide an overview of standards (existing, being drafted, under consideration and planned) related to cybersecurity of artificial intelligence, assess their scope and identify gaps in standardisation.

For further information: ENISA Website


03/14/2023 – European Parliament | Regulation | Data Act

On 14 March 2023, the European Parliament adopted the draft Data Act.

The Data Act aims to boost innovation by removing barriers obstructing access by consumers and businesses to data.

For further information: European Parliament Website


02/28/2023 – European Data Protection Board | Opinion | EU-US Data Privacy Framework

On 28 February 2023, the European Data Protection Board adopted its opinion on the draft adequacy decision regarding the EU-US Data Privacy Framework.

The European Data Protection Board welcomes substantial improvements such as the introduction of requirements embodying the principles of necessity and proportionality for US intelligence gathering of data and the new redress mechanism for EU data subjects. At the same time, it expresses concerns and requests clarifications on several points.

For further information: EDPB Website


02/24/2023 – European Data Protection Board | Guidelines | Transfers, Certification and Dark Patterns

On 24 February 2023, the European Data Protection Board published the final version of three sets of guidelines.

Following public consultation, the European Data Protection Board has adopted three sets of guidelines in their final version: the Guidelines on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V GDPR; the Guidelines on certification as a tool for transfers; and the Guidelines on deceptive design patterns in social media platform interfaces.

For further information: EDPB Website


02/15/2023 – European Commission | Decision | Whistleblowing

On 15 February 2023, the European Commission announced its decision to refer eight Member States to the Court of Justice of the European Union for failing to transpose Directive (EU) 2019/1937 on the Protection of Persons who Report Breaches of Union Law by 17 December 2021.

The relevant Member States are the Czech Republic, Germany, Estonia, Spain, Italy, Luxembourg, Hungary, and Poland.

For further information: European Commission Website


01/18/2023 – European Data Protection Board | Report | Cookie Banner Taskforce 

On 18 January 2023, the European Data Protection Board adopted its final report of the cookie banner task force.

The French Supervisory Authority and its European counterparts adopted the report summarizing the conclusions of the task force in charge of coordinating the answers to the questions on cookie banners raised by the complaints of the None Of Your Business Association. The main points of attention discussed concern the modalities of accepting and refusing the storage of cookies and the design of banners.

For further information: EDPB Website


01/16/2023 – European Union | Regulation | Digital Operational Resilience Act 

The Digital Operational Resilience Act (“DORA”) entered into force on 16 January 2023.

The DORA aims to ensure that financial-sector information and communication technology (“ICT”) systems can withstand security threats and that third-party ICT providers are monitored.

For further information: Official Journal Website


01/12/2023 – Court of Justice of the European Union | Decision | Right of access

On 12 January 2023, the Court of Justice of the European Union ruled that everyone has the right to know to whom their personal data has been disclosed.

The data subject’s right of access to personal data under the GDPR entails, where those data have been or will be disclosed to recipients, an obligation on the part of the controller to provide the data subject with the actual identity of those recipients, unless it is impossible to identify those recipients or the controller demonstrates that the data subject’s requests for access are manifestly unfounded or excessive within the meaning of the GDPR, in which cases the controller may indicate to the data subject only the categories of recipient in question.

For further information: Press Release


Austria

02/01/2023 – Austrian Parliament | National Council | Whistleblowing 

On 1 February 2023, Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law (“the Whistleblowing Directive”) was implemented by the Austrian National Council.

For further information: Austrian Parliament Website


Belgium

02/15/2023 – House of Representatives | Legislation | Whistleblowing 

On 15 February 2023, the Whistleblowing law for the private sector, which partially transposes the Whistleblowing Directive, entered into force.

For further information: Whistleblowing Law


Bulgaria

01/27/2023 – Bulgarian National Assembly | Legislation | Whistleblowing 

On 27 January 2023, the Bulgarian National Assembly (“CPDP”) adopted the Whistleblower Protection and Public Disclosure Act (“PWIPDA”) transposing the Whistleblowing Directive.

For further information: CPDP Website [BG]


Czech Republic

03/07/2023 – Czech Supervisory Authority | FAQ | Cookies

On 7 March 2023, the Czech Supervisory Authority (“UOOU”) published an FAQ on cookie banners and consent.

For further information: UOOU Website [CZ]


Denmark

02/20/2023 – Danish Supervisory Authority | Decision | Cookie Walls 

The Danish Supervisory Authority issued two decisions regarding the use of cookie walls on websites and published general guidelines for the use of such consent solutions.

The Danish Supervisory Authority generally found that a method whereby the website visitor can access the content of a website in exchange for either giving consent to the processing of his or her personal data or paying an access fee meets the requirements of the data protection rules for a valid consent.

For further information: Danish DPA Website [DK]


01/20/2023 – Danish Supervisory Authority | Guidelines | Storage and Consent 

On 20 January 2023, the Danish Supervisory Authority prepared guidance dealing with the storage of personal data for the purpose of being able to demonstrate compliance with the data protection rules on consent.

For further information: Danish DPA Website [DK]


Finland

02/17/2023 – Finnish Supervisory Authority | Sanction | GDPR Violation 

On 17 February 2023, the Finnish Supervisory Authority issued an administrative fine of €440,000 against a company for failing to comply with the authority’s order to rectify its practices.

In particular, the authority stated that the company failed to erase inaccurate payment default entries saved into the credit information register due to inadequate practices. The authority stresses that the processing of payment default information has a significant impact on the rights and freedoms of individuals.

For further information: Finnish DPA Website


France

03/28/2023 – French Supervisory Authority | Sanction | Geolocation Data

On 28 March 2023, the French Supervisory Authority (“CNIL”) announced that it imposed a fine of €125,000 on a scooter rental company because it geolocated its customers almost permanently.

The CNIL noted a failure to comply with several obligations, namely to ensure data minimization, to provide a contractual framework for the processing operations carried out by a processor, and to inform the user and obtain his or her consent before writing and reading information on his or her personal device.

For further information: CNIL Website


03/15/2023 – French Supervisory Authority | Investigation | Smart Cameras

On 15 March 2023, the French Supervisory Authority (“CNIL”) announced setting “smart” cameras, mobile apps, bank and medical records as priority topics for investigations in 2023.

The CNIL carries out investigations on the basis of complaints received and current events, but also on annual priority topics. In 2023, it will focus on the use of “smart” cameras by public actors, the use of the personal credit repayment incident file, the management of health files, and mobile apps.

For further information: CNIL Website


02/09/2023 – French Supervisory Authority | Guidance | Data Governance Act

On 9 February 2023, the French Supervisory Authority (“CNIL”) published a guidance on the economic challenges of implementing the Data Governance Act.

For further information: CNIL Website


01/26/2023 – French Supervisory Authority | Statement | Artificial Intelligence

On 26 January 2023, the French Supervisory Authority (“CNIL”) announced creating an Artificial Intelligence (“AI”) Department and starting to work on learning databases.

The CNIL is creating an AI Department to strengthen its expertise on these systems and its understanding of the risks to privacy while preparing for the implementation of the European regulation on AI. In addition, the CNIL has announced that it will propose initial recommendations on machine learning databases.

For further information: CNIL Website


01/24/2023 – Ministry of Home Affairs | Legislation | Cyberattack Risk Insurance

On 24 January 2023, the French Parliament adopted the LOPMI Act that authorizes the insurability of “cyber-ransoms” paid by victims, subject to the prompt filing of a complaint.

For further information: LOPMI


01/04/2023 – French Supervisory Authority | Sanction | Consent 

On 4 January 2023, the French Supervisory Authority (“CNIL”) imposed an administrative fine of €8 million on a technology company because it did not collect the consent of French users before depositing and/or writing identifiers used for advertising purposes on their terminals.

The CNIL found that the advertising targeting settings were pre-checked by default. Moreover, the user had to perform a large number of actions in order to deactivate this setting.

The CNIL explained the amount of the fine by the scope of the processing, the number of people concerned in France, the profits the company made from advertising revenues indirectly generated from data collected by these identifiers, and the fact that the company has since reached compliance.

For further information: CNIL Website


01/17/2023 – French Supervisory Authority | Sanction | Consent

On 17 January 2023, the French Supervisory Authority (“CNIL”) imposed a €3 million fine on a company which publishes video games for smartphones.

The company was using an essentially technical identifier for advertising purposes without the user’s consent.

For further information: CNIL Website


Germany

03/22/2023 – Supervisory Authorities | Opinion | “Pure Subscription Models”

The Conference of the Independent Data Protection Authorities of Germany (DSK) adopted an opinion on so-called “pure subscription models” on websites.

The opinion assesses pure (no-tracking) subscription models and alternative free consent-based tracking models and provides criteria to assess these alternative access instruments on websites.

For further information: DSK Website [DE]


03/15/2023 – Supervisory Authorities | BfDI | Activity Report

The Federal Commissioner for Data Protection and Freedom of Information (BfDI), Ulrich Kelber, has presented the BfDI’s Activity Report for 2022.

For further information: BfDI [DE]


03/15/2023 – Supervisory Authorities | Activity Reports

The Commissioners for Data Protection and Freedom of Information of Baden-Württemberg, Hamburg and Schleswig Holstein have presented their activity reports on the year 2022.

The activity reports cover various data protection and information freedom topics. For example in Schleswig-Holstein data breaches remained frequent while the number of complaints dropped, with video surveillance being the main cause of complaints. The reports emphasize the need to proactively address risks such as artificial intelligence and data sharing.

For further information: ULD Website [DE] and LfDI-BW Website [DE] and HmbBfDI Website [DE]


03/01/2023 – Supervisory Authorities | Opinion | EU-US Privacy Framework

The Hamburg Supervisory Authority (on 1 March 2023) and the German Federal Supervisory Authority (on 28 February 2023) both issued an opinion on the draft adequacy decision on the EU-US Data Privacy Framework.

For further information: Bundestag Website [DE] and BfDI [DE]


02/13/2023 – German Competition Authority | Decision | US Data Transfers

On 13 February 2023 the German Competition Authority (“BKartA”) issued a ruling on data transfers under the GDPR.

In particular, the authority ruled that a company relying on a German subsidiary of a US parent company as a data processor cannot be excluded from a contract bid due to possible violations of the GDPR.

For further information: BKartA Website [DE]


02/09/2023 – ArbG Oldenburg | Decision | Claim for Damages

On 9 February 2023, the Oldenburg Labor Court ordered a company to pay a former employee damages in the amount of 10,000 euros under Article 82 of the GDPR for failing to comply with an information request under Article 15(1) of the GDPR, without establishing any additional (immaterial) harm.

In the opinion of the court the violation of the GDPR itself already resulted in immaterial harm to be compensated; according to the court, no additional proof of harm was required.


Italy

03/30/2023 – Italian Supervisory Authority | Temporary limitation | AI Chatbot 

The Italian Supervisory Authority (“Garante”) imposed an immediate temporary limitation on the processing of Italian users’ data by a US-based company developing and managing an AI chatbot.

The Garante opened a probe over a suspected breach of GDPR. The authority alleged “the absence of any legal basis that justifies the massive collection and storage of personal data in order to ‘train’ the algorithms underlying the operation of the platform”. The authority also accused the company of failing to check the age of its users.

For further information: Garante Website [IT]


03/09/2023 – Council of Ministers | Legislation | Whistleblowing

On 9 March 2023, the Italian Council of Ministers approved the whistleblowing legislative decree.

The Council of Ministers announced, on 9 March 2023, the approval, after final review, of the legislative decree to transpose into Italian law the Whistleblowing Directive.

For further information: Governo Italiano Website [IT]


02/21/2023 – Italian Supervisory Authority | Sanction | Marketing Practices 

The Italian Supervisory Authority (“Garante”) announced, on 21 February 2023, that it issued, on 15 December 2022, a €4.9 million fine against an energy company for various non-compliances with the GDPR, including unlawful marketing practices.

For further information: Garante Website [IT]


02/03/2023 – Italian Supervisory Authority | Temporary limitation | AI Chatbot

The Italian Supervisory Authority (“Garante”) issued an order on an AI chatbot noting that tests performed identified risks for minors and vulnerable individuals.

The US-based developer was ordered to terminate processing of data relating to Italian users and to inform the Garante within 20 days on any measures taken to implement its orders.

For further information: Garante Website


Ireland

02/27/2023 – Irish Supervisory Authority | Sanction | Security

On 27 February 2023, the Irish Supervisory Authority (“DPC”) imposed a fine of €750,000 on a banking company for inadequate data security measures.

The inquiry was initiated after the notification to the DPC of a series of 10 data breaches. In this context, the DPC found that the technical and organizational measures in place at the time were not sufficient to ensure the security of the personal data processed.

For further information: DPC Website


02/23/2023 – Irish Supervisory Authority | Sanction | Security

On 23 February 2023, the Irish Supervisory Authority (“DPC”) imposed a €460,000 fine against a health care provider.

The DPC initiated an enquiry after receiving a personal data breach notification related to a ransomware attack affecting patient data (70,000 people). The DPC considered that the health care provider failed to ensure that the personal data were processed in a manner that ensured appropriate security.

For further information: DPC Website


01/16/2023 – Irish Supervisory Authority | Sanction | CCTV

On 16 January 2023, the Irish Supervisory Authority (“DPC”) imposed on a company a €50,000 fine and a temporary ban on the processing of personal data with CCTV cameras for violations of the GDPR.

For further information: DPC Website


Netherlands

02/22/2023 – Dutch Supervisory Authority | Statement | Camera Settings

The Dutch Supervisory Authority (“AP”) published a statement on changes made by a car manufacturer in the settings of the built-in security cameras of its cars, following an investigation of these cameras by the AP.

For instance, the car may still take camera images, but only when the user activates that function.

For further information: AP Website [NL]


02/18/2023 – House for Whistleblowers | Legislation | Whistleblowing

On 18 February 2023, the House for Whistleblowers announced the entry into force of the Whistleblower Protection Act.

For further information: AP Website [NL]


Norway

03/01/2023 – Norwegian Supervisory Authority | Preliminary conclusion | Analytics Tool

On 1 March 2023, the Norwegian Supervisory Authority (“Datatilsynet”) published its preliminary conclusion in a case concerning the use of the analytics tool of a US-based company, finding that the use of this tool is not in line with the GDPR.

For further information: Datatilsynet Website [NO]


02/06/2023 – Norwegian Supervisory Authority | Sanction | GDPR Violation

On 6 February 2023, the Norwegian Supervisory Authority (“Datatilsynet”) fined a company operating fitness centers NOK 10 million (approximately €912,940) for various GDPR violations (e.g., lawfulness of processing, transparency and data subjects’ rights).

For further information: Datatilsynet Website [NO]


Portugal

01/27/2023 – Portuguese Supervisory Authority | Guidelines | Security Measures

The Portuguese Supervisory Authority (“CNPD”) published guidelines on security measures in order to minimize consequences in case of attacks on information systems.

Given the increase in cyberattacks on information systems, these guidelines aim to inform controllers and processors about their legal obligations and list the organizational and technical measures that organizations must consider.

For further information: Press release [PT]


Romania

03/28/2023 – President of Romania | Legislation | Whistleblowing

Law No. 67/2023, which amends Article 6(2) of Law No. 361/2022 on the protection of whistleblowers in the public interest, was published in the Official Gazette on 28 March 2023 and entered into force on 31 March 2023.

For further information: CDEP Website [RO]


Spain

03/16/2023 – Spanish Supervisory Authority | Sanction | Data Minimization

The Spanish Supervisory Authority (“AEPD”) published, on 16 March 2023, its decision in which it imposed a fine of €100,000 on a telecommunications company for violation of the data minimization principle.

For further information: AEPD Website [ES]


03/15/2023 – Spanish Supervisory Authority | Sanction | GDPR Violation

The Spanish Supervisory Authority (“AEPD”) fined a bank €100,000 for violation of the GDPR.

In particular, the bank used the information provided by the claimant and her child to open several accounts in the name of the child without consent and while it was not necessary for the services requested.

For further information: AEPD Website [ES]


03/15/2023 – Spanish Supervisory Authority | Sanction | Data Portability

The Spanish Supervisory Authority (“AEPD”) published, on 15 March 2023, a decision in which it imposed a fine of €136,000 on a telecommunications company for completing a data portability request without ensuring the security of the personal data of the client.

For further information: AEPD Website [ES]


03/13/2023 – Spanish Senate | Legislation | Whistleblowing

The Spanish Law 2/2023 implementing the EU Whistleblower Directive was published in the Official Gazette on 20 February 2023 and entered into force on 13 March 2023.

For further information: BOE Website [ES]


United Kingdom

03/28/2023 – UK Supervisory Authority | Guidance | Direct Marketing

On 28 March 2023, the UK Supervisory Authority (“ICO”) issued guidance to businesses operating in regulated private sectors (e.g., finance, communications or utilities) on direct marketing and regulatory communications.

The guidance aims to help businesses identify when a regulatory communication message might count as direct marketing. If the message is direct marketing, it also covers what businesses need to do to comply with data protection and ePrivacy law.

For further information: ICO Website


03/16/2023 – UK Supervisory Authority | Sanction | GDPR Violations

The UK Supervisory Authority (“ICO”) reached an agreement with a retailer to reduce the monetary penalty notice issued for breaching the GDPR from £1,350,000 to £250,000.

The ICO found that the company was making assumptions about customers’ medical conditions, based on their purchase history, in order to sell them further health-related products. The processing involved special category data, and the ICO concluded that it had been conducted without a lawful basis. The retailer appealed the decision, which led to an agreement to reduce the monetary penalty notice, taking into account that the retailer has stopped the unlawful processing.

For further information: ICO Website


03/15/2023 – UK Supervisory Authority | Guidelines | AI and Data Protection

The UK Supervisory Authority (“ICO”) announced on 15 March 2023 that it had updated its guidance on artificial intelligence (“AI”) and data protection.

The ICO indicates that the changes respond to requests from UK industry to clarify requirements for fairness in AI.

For further information: ICO Website


03/13/2023 – UK Supervisory Authority | Guidance | Data Protection by Default

The UK Supervisory Authority (“ICO”) has produced new guidance to help user experience designers, product managers and software engineers embed data protection into their products and services by default.

The guidance looks at key privacy considerations for each stage of product design, from kick-off to post-launch. It includes both examples of good practice and practical steps that organisations can take to comply with data protection law when designing websites, apps or other technology products and services.

For further information: ICO Website


03/08/2023 – UK Government | Legislation | Cookies

The government re-introduced new laws on 8 March 2023 aiming to cut down paperwork for businesses and reduce unnecessary cookie pop-ups.

The Data Protection and Digital Information Bill was first introduced last summer and paused in September 2022 so that ministers could engage in a co-design process with business leaders and data experts. According to the government, this was to ensure that the new regime built on the UK’s high standards for data protection and privacy and sought to preserve data adequacy while moving away from the “one-size-fits-all” approach of the European Union’s GDPR.

For further information: UK Government Website


02/16/2023 – UK Supervisory Authority | Guidance | Protection of Children

The UK Supervisory Authority (“ICO”) issued a series of recommendations to game developers to ensure the protection of children and compliance with data protection laws.

For further information: ICO Website


This newsletter has been prepared by the EU Privacy team of Gibson Dunn. For further information, you may contact us by email:

© 2023 Gibson, Dunn & Crutcher LLP

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice. Please note, prior results do not guarantee a similar outcome.