
Audit Logs

Logging and auditing of processing activities

Tags: audit log, logging, audit trail, monitoring

Overview

21 sources · Feb 20, 2026

Legal Framework

Audit obligations in EU data protection law operate across the GDPR and the AI Act. Under Article 30 GDPR, controllers and processors must maintain records of processing activities (ROPA) that enable reconstruction of data flows, forming the foundational audit trail for accountability. Article 5(2) reinforces this by requiring controllers to be able to demonstrate compliance with the processing principles. Article 32 does not name logging explicitly, but its requirements of ongoing confidentiality, integrity and availability, of the ability to restore availability of and access to personal data after an incident, and of regular testing of the measures taken cannot be met or evidenced without access and modification logging. Article 33 presupposes breach detection: a controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, and must describe its nature, including the categories and approximate numbers of data subjects and records concerned, which is only possible if audit mechanisms record who accessed what, and when.

For high-risk AI systems, the AI Act adds complementary logging obligations. Article 12 requires such systems to technically allow the automatic recording of events (logs) over their lifetime, and Article 19 requires providers to keep the logs their systems generate. Recital 81 ties post-market monitoring and robust documentation into the provider's quality management system, and Recitals 55 and 57 explain why critical infrastructure and employment contexts are classified as high-risk, entailing monitoring that can trace system performance and decision logic. Where such a system processes personal data, these provisions intersect with the GDPR, creating a dual obligation to maintain logs that demonstrate both data protection compliance and AI system conformity.

Key Developments

The CJEU in Worten-Equipamentos para o Lar SA v ACT (C-342/12, 2013), decided under Directive 95/46/EC, the predecessor of the GDPR, held that an employer's working time records are personal data and that national law may require the employer to keep them available for immediate consultation by the authority responsible for monitoring working conditions, but only insofar as that is necessary for the authority to perform its tasks. The legal basis at issue was the employer's legal obligation (then Article 7(c) of the Directive, now Article 6(1)(c) GDPR). Read with that necessity condition, the judgment sets a proportionality ceiling on both the scope of workplace audit logs and the access privileges attached to them: access is justified by a legitimate monitoring mandate, not by a general management interest.

Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (Schrems II, C-311/18) affirmed that supervisory authorities have comprehensive powers to check whether a transfer of personal data to a third country complies with the GDPR, implying that controllers must keep records sufficient to demonstrate the validity of the transfer mechanisms they rely on under Chapter V GDPR.

Enforcement practice confirms these standards. The Finnish DPA's Yliopiston Apteekin decision (€1.1 million fine) penalised web analytics and monitoring tools deployed in a way that let their non-EU providers access personal data, with no assurance that the tools respected data minimisation. The lesson for logging is that every tracking or telemetry stream is itself processing: it needs the legal basis actually claimed for it, a minimisation screen, and, where the tool's provider sits outside the EU, a valid transfer mechanism.

Practical Guidance

  • Maintain granular Article 30 records capturing processing purposes, data categories, recipients and third-country transfers, detailed enough to satisfy the supervisory audit powers affirmed in Schrems II
  • Treat audit logs as personal data in their own right: restrict read access to personnel with an explicit compliance or security monitoring mandate (the necessity test applied in Worten), and do not extend that access to general operational staff
  • Implement Article 32 security logs that record, for each access to or modification of personal data, the actor, action, record, timestamp and source address, and protect their integrity; configure them so that a breach can be detected and its scope reconstructed within the Article 33 notification window (Vastaamo shows the consequence of logging that cannot establish even the date of an intrusion or the network addresses used)
  • For high-risk AI systems in employment or critical infrastructure contexts, maintain integrated audit trails covering both personal data processing and AI decision pathways, satisfying the AI Act's logging and quality management requirements alongside GDPR accountability
  • Apply a necessity screen to every logging, analytics and tracking mechanism: collect only what the stated legal basis requires, and check which providers can read the data, since excessive collection exposed to non-EU providers triggered enforcement in Yliopiston Apteekin
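One way to implement the Article 32 access log the bullets above describe, shown as an added example that is not part of the original page and not code from any of the authorities cited. It assumes an in-memory log, placeholder keys for the hash chain and for pseudonymisation, and constructed sample events; the record identifiers, user names and IP addresses are made up. Each entry captures actor, action, record, timestamp, legal basis and source address; the entries are chained with an HMAC so edits, deletions or reordering are detectable; the data-subject identifier is stored only as a keyed pseudonym; and two query functions answer the questions a breach investigation and a Worten-style access review actually ask.

```python
import hashlib
import hmac
import json

# Placeholder keys for this example (assumption). In a real deployment the chain key
# lives in a KMS/HSM that log writers cannot read, and the pseudonymisation salt is
# stored apart from the log, so the log alone neither reveals identities nor can be forged.
CHAIN_KEY = b"example-only-chain-key"
SUBJECT_SALT = b"example-only-subject-salt"
GENESIS = "0" * 64  # MAC "of" the non-existent entry before the first one


def pseudonymise(subject_id: str) -> str:
    """Keyed hash of the data-subject identifier: the log stays searchable per subject
    without storing the raw identifier. This is still personal data under Art. 4(5) GDPR."""
    return hmac.new(SUBJECT_SALT, subject_id.encode(), hashlib.sha256).hexdigest()[:16]


def _mac(prev_mac: str, entry: dict) -> str:
    """HMAC over the previous entry's MAC plus this entry's canonical JSON form."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hmac.new(CHAIN_KEY, (prev_mac + payload).encode(), hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only, hash-chained access log. Each entry's MAC covers the previous MAC,
    so editing, deleting or reordering any entry breaks verification from that point."""

    def __init__(self):
        self.entries = []

    def record(self, ts, actor, action, record_id, subject_id, purpose, legal_basis, source_ip):
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "ts": ts,                    # ISO 8601 UTC string, e.g. "2026-02-20T10:15:00Z"
            "actor": actor,
            "action": action,            # "read" | "update" | "delete" | "export"
            "record_id": record_id,
            "subject": pseudonymise(subject_id),
            "purpose": purpose,
            "legal_basis": legal_basis,  # e.g. "Art. 6(1)(b) GDPR"
            "source_ip": source_ip,
        }
        entry["mac"] = _mac(prev, entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> int:
        """Return -1 if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "mac"}
            if e["seq"] != i or not hmac.compare_digest(_mac(prev, body), e["mac"]):
                return i
            prev = e["mac"]
        return -1

    def accesses_to(self, subject_id, start, end):
        """Who touched this subject's data in [start, end]? The Art. 33(3) scoping question.
        Timestamps are fixed-format ISO strings, so string comparison orders them correctly."""
        pseudo = pseudonymise(subject_id)
        return [e for e in self.entries if e["subject"] == pseudo and start <= e["ts"] <= end]

    def out_of_mandate(self, mandated_actors):
        """Entries written by actors outside the set with a documented access mandate."""
        return [e for e in self.entries if e["actor"] not in mandated_actors]


def build_sample_log() -> AuditLog:
    """Constructed sample events (not real data): two legitimate accesses and one
    late-night export by an account with no stated purpose or legal basis."""
    log = AuditLog()
    log.record("2026-02-20T09:00:00Z", "dpo.kim", "read", "rec-1001", "subj-42",
               "dsar-response", "Art. 6(1)(c) GDPR", "10.0.0.5")
    log.record("2026-02-20T09:30:00Z", "app-svc", "update", "rec-1001", "subj-42",
               "order-fulfilment", "Art. 6(1)(b) GDPR", "10.0.1.9")
    log.record("2026-02-20T23:45:00Z", "contractor.x", "export", "rec-1001", "subj-42",
               "unspecified", "none", "203.0.113.77")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify() == -1)
    print("morning accesses to subj-42:",
          len(log.accesses_to("subj-42", "2026-02-20T09:00:00Z", "2026-02-20T12:00:00Z")))
    print("actors outside mandate:",
          [e["actor"] for e in log.out_of_mandate({"dpo.kim", "app-svc"})])
    log.entries[1]["actor"] = "someone-else"   # simulate after-the-fact tampering
    print("first bad entry after tampering:", log.verify())
```

The chain detects modification, deletion and reordering of earlier entries, but not silent truncation at the tail: the newest MAC must be anchored somewhere the log writer cannot change (write-once storage, a separate signer, or a periodically published head). Because the pseudonymised subject field is still personal data, the log itself falls under the access restriction in the Worten bullet above.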

Laws (68)


Case Law (35)


No destruction of personal data in the RvdK file, but compensation for third-party access during the period in which the data should already have been deleted

Rechtbank (District Court)

GDPR (AVG). Request by the claimant for destruction of all personal data the RvdK has processed about him. The RvdK has not made it sufficiently plausible that third parties did not see, or could not have seen, the data that should already have been destroyed. Given the contents of the file, it moreover cannot be ruled out that these data were in fact accessible to third parties. The claimant has substantiated the alleged damage sufficiently. Right to compensation. Appeal well-founded.

WS v European Commission

General Court EU

This case concerns WS, who, when taking part in selection procedures for EU contract and temporary staff, created an EPSO account in the Talent system and, after succeeding in a procedure, was also entered in the recruitment portal. WS subsequently made several GDPR-style requests on the basis of a...

XH v European Commission

CJEU

Concerns an appeal against T-613/21. On appeal it is argued that the General Court treated the professional context as a reason not to regard the data as personal data, but according to the CJEU this is incorrect. The fact that the information was processed in a work-related context is not a...

Rechtbank Rotterdam

Rechtbank Rotterdam

This judgment concerns the referral back of four cases by the Administrative Jurisdiction Division of the Council of State (the Division). In two of the cases named in the Division's judgment the court had failed to give a ruling, and in two other cases the Division reached a different conclusion than the court. The court therefore rules, partly for the first time and partly anew, in four cases. These cases originally bore case numbers ROT 18/6136, ROT 18/6137, ROT 19/3464 and ROT 20/1173 and after referral received case numbers ROT 22/5719, ROT 22/5717, ROT 22/5718 and ROT 22/5720 respectively. In this judgment the court concludes that in one case it lacks jurisdiction, because the applicant did not make clear which decision to be taken the appeal for failure to decide in time relates to. In another case the appeal is unfounded, because the objection was rightly declared inadmissible for lack of a primary decision. The third and fourth cases belong together. According to the court, the appeal in the third case must be converted into an appeal for failure to decide in time, and the decision of the municipal executive of 6 August 2019 constitutes (the completion of) the decision on the objection. That decision can stand, and the appeal for failure to decide in time is inadmissible because the interest in the proceedings has lapsed. The applicant is, however, awarded compensation because the court exceeded the reasonable time limit. The judgment further contains decisions on the refund and reimbursement of court fees.

Rechtbank Overijssel

Rechtbank Overijssel

The Municipality launched a tender for the provision of youth (welfare) work in the Municipality. The claimant and one other provider submitted bids. The Municipality awarded the contract to the other bidder, and the claimant challenges that award in this case. According to the claimant, the Municipality's assessment committee was not objective and the Municipality made errors in assessing its bid; that assessment was, in the claimant's view, not in accordance with the tender specifications and/or evidently factually incorrect. The preliminary relief judge dismisses the claims of [the claimant] because the assessment committee acted sufficiently objectively and the errors alleged by the claimant did not occur. The award decision is sound and transparently reasoned. These decisions are explained below.

Claim for access to a medical file held by a company doctor. Article 7:456 of the Dutch Civil Code (BW) applied by analogy to medical supervision even though the WGBO does not apply.

Rechtbank (District Court)

Summary proceedings. Claim for provision of a medical file in the context of supervision by a company doctor. Article 7:456 BW applied by analogy.

Access to a son's patient file granted to the father after the child's death.

Rechtbank (District Court)

Without the patient's consent, a hospital may not give an external expert access to a patient file. Decisive for whether particular data or documents belong to the medical file is the nature of the data, in particular whether the data serve good care. The duty to keep a file under Article 7:454(1) BW does not mean that the same data must be included in the medical file more than once. Because of the 'safe reporting' scheme of Article 9(6) Wkkgz, a calamity report does not form part of the patient file. A DIM report (internal incident report) does belong to the medical file, insofar as it concerns the notes on the nature and circumstances of the reported incident, the time at which the incident took place and the names of those involved in it. Because the patient gave his father permission to inspect his medical file and to receive a copy of it, the father may, under Article 7:458a(1), opening words and (a), BW, claim in his own right against the hospital access to and a copy of data from that file. It does not follow from that right that the hospital must grant an expert appointed by the father access to the hospital's electronic system.

Rechtbank Noord-Holland

Rechtbank Noord-Holland

Petition procedure. Request under the GDPR (AVG). Request to have data erased at Veilig Thuis rejected.

College van Beroep voor het bedrijfsleven (Trade and Industry Appeals Tribunal)

College van Beroep voor het bedrijfsleven

Anti-Money Laundering and Anti-Terrorist Financing Act (Wwft). DNB imposed a fine on a trust office for failing to report an unusual transaction. The Tribunal dismisses the trust office's appeal against the fine as unfounded. The Tribunal finds that at the time of the transaction the trust office did not have sufficient information to assume that it was an ordinary transaction that it did not need to report. DNB's appeal against the reduction applied by the district court for exceeding the reasonable time limit succeeds. The Tribunal sets aside the district court's judgment insofar as it reduced the fine below EUR 72,500. The trust office's appeal against the publication decisions also succeeds. The Tribunal rules that DNB must decide anew on the objections that the trust office and its parent company had lodged against the publication decisions.

In short:

Rechtbank (District Court)

Juvenile criminal law. Several violent offences within a short period. Doxing. Imposition of a liberty-restricting measure.

CASE OF IVAN KARPENKO v. UKRAINE (No. 2)

ECHR

This case concerns a prisoner who complained about unlawful monitoring of his correspondence with the court (para. 44). The parties disputed the facts: the applicant claimed that he had handed over a sealed envelope, while the prison administration claimed that...

Doxing

Rechtbank (District Court)

The accused committed six serious criminal offences, all directed against (the family of) the same victim. Over a period of around four months he stalked his ex-partner and repeatedly threatened her and her mother with death. In addition, the accused distributed photos and videos of a sexual nature as well as personal data (doxing) of the victim on social media and in chat groups. All these offences originate in the (approaching) end of the victim's relationship with the accused. The reports drawn up on the accused show that the offences are to be attributed to him with diminished responsibility. The court will refrain from imposing a wholly unconditional prison sentence, because the psychiatrist and the probation service consider treatment, supervision and special conditions necessary. Prison sentence of 12 months, of which 4 months suspended, and imposition of a measure under Article 38v (area and contact ban).

Criminal stalking by seeking frequent, almost daily contact via e-mail, Instagram and Facebook over a period of two months

Gerechtshof (Court of Appeal)

Stalking was proven. The judgment contains: - reasoning on the evidence concerning intent, the frequency and nature of the messages sent by the accused and the infringement of privacy; - reasoning for the TBS measure (detention under a hospital order) imposed on an accused who did not cooperate with the behavioural assessment; - reasoning for the measure imposed under Article 38z of the Dutch Criminal Code.

Deutsche Wohnen SE v Staatsanwaltschaft Berlin

C-807/21 (Deutsche Wohnen)

Fines can be imposed directly on legal persons without identifying responsible natural person.

Meta Platforms and Others v Bundeskartellamt

C-601/21 (Meta Platforms (Bundeskartellamt))

Competition authorities can assess GDPR compliance in context of competition law proceedings.

Meta Platforms v noyb

C-252/21 (Meta Platforms (noyb))

GDPR consent requirements and lead supervisory authority mechanism.

Rechtbank Midden-Nederland - data subject rights - C/16/501697 / HA RK 20-117

Rechtbank Midden-Nederland - European civil law

Request for access granted. The respondent applied the balancing of interests incorrectly.

Privacy International v Secretary of State

C-623/17 (Privacy International)

General and indiscriminate transmission of traffic data to security agencies incompatible with EU law.

Data Protection Commissioner v. Facebook Ireland Ltd, and Maximillian Schrems

Schrems II

“the national supervisory authorities are responsible for monitoring compliance with the EU rules concerning the protection of natural persons with regard to the processing of personal data. Each of those authorities is therefore vested with the power to check whether a transfer of personal data from its own Member State to a third country complies with the requirements laid down in that regulation” / “The exercise of that responsibility is of particular importance where personal data is tra

Data Protection Commissioner v Facebook Ireland and Maximillian Schrems

C-311/18 (Schrems II)

Invalidated Privacy Shield adequacy decision and upheld validity of Standard Contractual Clauses with additional safeguards required.

Guidance (38)



Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR


Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement

Guidelines on the use of facial recognition technology in the area of law enforcement

More and more law enforcement authorities (LEAs) apply or intend to apply facial recognition technology (FRT). It may be used to authenticate or to identify a person and can be applied on videos (e.g. CCTV) or photographs. It may be used for various purposes, including to search for persons in police watch lists or to monitor a person's movements in the public space. FRT is built on the processing of biometric data , therefore, it encompasses the processing of special categories ...

Guidelines 9/2022 on personal data breach notification under GDPR

Guidelines on personal data breach notification under GDPR

Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679

Guidelines on codes of conduct and monitoring bodies

Guidelines 3/2019 on processing of personal data through video devices

Guidelines on processing of personal data through video devices

Guidelines 10/2020 on restrictions under Article 23 GDPR

Guidelines on restrictions under Article 23 GDPR


Guidelines on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR

The GDPR does not provide for a legal definition of the notion 'transfer of personal data to a third country or to an international organisation'. Therefore, the EDPB provides these guidelines to clarify the scenarios to which it considers that the requirements of Chapter V should be applied and, to that end, it has identified three cumulative criteria to qualify a processing operation as a transfer: - 1) A controller or a processor ('exporter') is subject to the GDPR for the given processing. -...


Guidelines on the accreditation of certification bodies

Guidelines 02/2022 on the application of Article 60 GDPR

Guidelines on the application of Article 60 GDPR

With the introduction of the GDPR, the concept of the one-stop shop was established as one of the main innovations. In cross-border processing cases, the supervisory authority in the Member State of the controller's or processor's main establishment is the authority leading the enforcement of the GDPR for the respective cross-border processing activities, in cooperation with all the authorities which may face the effects of the processing activities at stake: be it through the establishments ...

Guidelines 04/2022 on the calculation of administrative fines under the GDPR

Guidelines on the calculation of administrative fines under the GDPR

The European Data Protection Board (EDPB) has adopted these guidelines to harmonise the methodology supervisory authorities use when calculating the amount of a fine. These Guidelines complement the previously adopted Guidelines on the application and setting of administrative fines for the purpose of the Regulation 2016/679 (WP253), which focus on the circumstances in which to impose a fine. The calculation of the amount of the fine is at the discretion of the supervisory authority, ...

Guidelines 07/2020 on the concepts of controller and processor in the GDPR

Guidelines on the concepts of controller and processor in the GDPR

The concepts of controller, joint controller and processor play a crucial role in the application of the General Data Protection Regulation 2016/679 (GDPR), since they determine who shall be responsible for compliance with different data protection rules, and how data subjects can exercise their rights in practice. The precise meaning of these concepts and the criteria for their correct interpretation must be sufficiently clear and consistent throughout the European Economic Area (EEA). The conc...

Guidelines 8/2020 on the targeting of social media users

Guidelines on the targeting of social media users

Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)

Guidelines on the territorial scope of the GDPR

Guidelines 01/2021

Guidelines on Examples regarding Personal Data Breach Notification

Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation

Guidelines on certification and identifying certification criteria


Guidelines on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies

Guidelines 05/2020 on consent under Regulation 2016/679

Guidelines on consent

Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0 Adopted on 20 October 2020

Guidelines on data protection by design and by default

Enforcement (38)


Yliopiston Apteekin: Non-compliance with general data processing principles

€1,100,000 fine - Deputy Data Protection Ombudsman

The Finnish DPA has imposed a fine of EUR 1,100,000 on Yliopiston Apteekin. The controller, who runs an online pharmacy, used various web analytics and monitoring tools. These tools were implemented in a way that allowed the providers, who are based outside the EU, to access personal data. The controller also failed to ensure that the tools complied with the principle of data minimisation.


Hospital: Insufficient technical and organisational measures to ensure information security

€20,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) imposed a fine of EUR 20,000 on a hospital for failing to implement adequate technical and organizational measures to protect personal data in line with Art. 32 (1) (b) and (d), and Art. 32 (2) GDPR. Following a cyberattack, it was revealed that over a period of seven days, at least 3 GB of personal data had been unlawfully copied from the system. The attacker allegedly gained access through social engineering and a VPN connection, exploited an outdated operating system,

Company: Insufficient legal basis for data processing

€80,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed a fine of EUR 80,000 on a company. The company was responsible for monitoring parking lots at several supermarkets and a hospital. However, it accessed personal data – in particular license plate numbers and owner information – from the Croatian Ministry of the Interior's (MUP) vehicle registry without a valid legal basis. Access was gained via a web service that the company had secured the right to use in certain areas on the basis of a concession. However, t

Real estate company: Non-compliance with general data processing principles

€40,000 fine - French Data Protection Authority (CNIL)

The French DPA imposed a fine of EUR 40,000 on a real estate company for inappropriately monitoring its employees. A software program recorded “periods of inactivity” and regularly took screenshots of the computers of employees working from home. The program automatically detected when an employee made no keyboard or mouse movements for a period of 3 to 15 minutes. In addition, the employees in the offices were continuously filmed. These measures were deemed disproportionate and were considered

Stockholm School Board: Non-compliance with general data processing principles

€70,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has fined the Stockholm School Board EUR 70,000 for excessive video surveillance in a school. A school had installed extensive video surveillance due to past problems with incendiary crimes. During its investigation, the DPA found that there were about 50 fixed cameras in the school monitoring hallways, stairwells and corridors in conjunction with doors, toilets and student lockers. Surveillance was taking place 24/7 with image recording. The DPA concluded that video surveillance

Municipality of Modica: Non-compliance with general data processing principles

€45,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 45,000 on the municipality of Modica for monitoring waste disposal sites with CCTV without providing sufficient information to citizens. During its investigation, the DPA also found that the municipality had not properly regulated the processing with the companies responsible for the CCTV management. The municipality also failed to appoint a data protection officer and stored the recorded images excessively.

Ew Business Machines S.p.A.: Non-compliance with general data processing principles

€20,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 20,000 on Ew Business Machines S.p.A. The controller had installed a video surveillance system that not only recorded images in real time, but also made audio recordings, capturing employees. Both the company's legal representative and their family had access to these recordings via a smartphone. During its investigation, the DPA found that the employees were not adequately informed about the additional audio monitoring. In addition, the company used an

REGENCY COMPANY SRL: Non-compliance with general data processing principles

€3,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 3,000 on REGENCY COMPANY SRL. The controller had installed video surveillance cameras in its premises for the purpose of monitoring access of people and security of premises and property. However, this allowed it to monitor its employees extensively. In the course of its investigation, the DPA found that the video surveillance was partly carried out without the consent of the employees and that the purposes underlying the surveillance could also be achi

Tehnoplus Industry SRL: Non-compliance with general data processing principles

€5,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 5,000 on Tehnoplus Industry SRL. An employee of the company had filed a complaint with the DPA because the controller had installed a GPS system in their company vehicle for the purpose of monitoring the vehicle without providing them with sufficient information about such installation. During its investigation, the DPA also found that the controller was processing the GPS data outside working hours and for purposes other than originally intended. The D

Lazio Region: Insufficient legal basis for data processing

€100,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined Lazio Region EUR 100,000. A trade union had filed a complaint with the DPA alleging that the Region had monitored the e-mail accounts of employees of the Region's legal department. The Region had initiated such monitoring on suspicion of possible disclosure of information protected by official secrecy to third parties. The Region stored and analyzed the employees' data for 180 days. The data included not only information related to work, but also personal data of the da

Senseonics Inc.: Non-compliance with general data processing principles

€45,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 45,000 on Senseonics Inc. The company had reported a data breach to the DPA pursuant to Art. 33 GDPR, involving an employee accidentally sending an information campaign by email to a large number of recipients in an open distribution list. This made it possible for all recipients to view the email addresses of the other recipients. The recipients of the e-mails were diabetic patients, making it possible to obtain information about the health status of th

Amiu S.p.A.: Insufficient legal basis for data processing

€200,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 200,000 on Amiu S.p.A. The company operates the waste collection service for the city of Taranto and acted as a processor for this service. The company had installed several video surveillance cameras for the purpose of monitoring illegal waste disposal. The DPA found that Amiu had posted some images from the cameras on Facebook, showing individuals sufficiently visible making it possible to identify them. During its investigation, the DPA found that Am

Brussels Airport Zaventem: Insufficient legal basis for data processing

€200,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has fined Brussels Airport Zaventem EUR 200,000. The DPA had launched an investigation against the airport following media reports about temperature monitoring of persons at the airport. Due to the Covid-19 pandemic the airport used thermal imaging cameras to filter out people with body temperatures above 38 degrees. Those filtered out were then required to answer questions about possible coronavirus symptoms. The DPA particularly noted that the airport did not have a valid legal

Brussels Airport Charleroi: Insufficient legal basis for data processing

€100,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has fined Brussels Airport Charleroi EUR 100,000. The DPA had launched an investigation against the airport following media reports about temperature monitoring of persons at the airport. Due to the Covid-19 pandemic the airport used thermal imaging cameras to filter out people with body temperatures above 38 degrees. Those filtered out were then required to answer questions about possible coronavirus symptoms. The DPA particularly noted that the airport did not have a valid lega

Employer: Insufficient fulfilment of data subjects rights

€2,000 fine - Hellenic Data Protection Authority (HDPA)

The Hellenic DPA has imposed a fine of EUR 2,000 on an employer. An employee had filed a complaint due to the employer's failure to comply with the employee's right to object. The employee had objected to continuous monitoring of his online courses offered via zoom. However, the employer had continued the monitoring. In addition, the DPA found that the employer could not provide a sufficient legal basis for processing the data.

Company: Non-compliance with general data processing principles

Data Protection Authority of Bremen

The DPA of Bremen has imposed a five-digit fine on a company. The controller had unlawfully used GPS software in its company vehicles, allowing unrestricted monitoring of its employees over a long period of time. The DPA found that such extensive monitoring was not necessary and therefore unlawful.

Psykoterapiakeskus Vastaamo: Non-compliance with general data processing principles

€608,000 fine - Deputy Data Protection Ombudsman

The Finnish DPA has fined Vastaamo psychotherapy center EUR 608,000. In September 2020, the psychotherapy center reported an attack on its patient database to the DPA. An unauthorized third party had gained access to Vastaamo's medical database on at least two occasions, in December 2018 and March 2019. The attacker had also siphoned off data and left a ransom note on the servers. Due to insufficient logging, neither the exact date of the breach nor the network addresses used by the attacker cou

Østre Toten municipality: Insufficient technical and organisational measures to ensure information security

€412,000 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA has fined Østre Toten municipality EUR 412,000. The municipality suffered a cyberattack in January 2021, as a result of which the municipality's data was encrypted as well as backups were deleted. A larger amount of data was later published on the dark web. Approximately 30,000 documents were affected by the attack. The documents contained, among other things, information on ethnic origin, political opinion, religious beliefs, union memberships, sexual orientation, health statu

Bocconi University: Non-compliance with general data processing principles

€200,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA (Garante) has imposed a fine of EUR 200,000 on Bocconi University. A student had filed a complaint with the DPA about possible GDPR violations related to the use of a monitoring system during written exams. In the context of the emergency situation triggered by the Covid-19 pandemic, the university had equipped itself with the remote monitoring software Respondus provided by the American company Respondus Inc. to ensure the normal running of the exams, since it was not possible t

News (41)


UODO (Poland) - DKN.5131.4.2025

English Summary: The DPA fined the Polish national postal operator €232,000 for appointing a DPO with a conflict of interest. The DPO concurrently served as Security Director and representative of the controller, effectively monitoring their own decisions regarding the means of data processing.

EFF Joins Internet Advocates Calling on the Iranian Government to Restore Full Internet Connectivity

Earlier this month, Iran’s internet connectivity faced one of its most severe disruptions in recent years with a near-total shutdown from the global internet and major restrictions on mobile access. EFF joined architects, operators, and stewards of the global internet infrastructure in calling upon authorities in Iran to immediately restore full and unfiltered internet access. We further call upon the international technical community to remain vigilant in monitoring connectivity and to support

In short:

EU News

'This briefing analyses the establishment of the European Anti-Money Laundering Authority (AMLA) as a cornerstone of the EU’s 2024 Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) legislative reform. As AMLA formally began its operations in the summer of 2025, a key question ...


The "policy situation" surrounding Transaction Monitoring Netherlands.

Government

A partial grant of a request under the Open Government Act (Woo) (Ministry of Finance) regarding the "policy situation" surrounding Transaction Monitoring Netherlands (TMNL).


Article 41 GDPR

(a) Demonstrated independence and expertise. It is clear from Article 41(1) GDPR that the body must have an "appropriate level of expertise" in the subject matter the code of conduct aims to ensure effective compliance with. This is also a requirement of the process specified in Article 41(2)(a) GDPR, according to which the monitoring entity "may be ac


Article 40 GDPR

Commentary: CoC are a voluntary accountability tool providing specific data protection rules for categories of controllers and processors. In other words, a CoC can provide a rule book for a group of controllers and processors describing what a GDPR-compliant processing operation looks like in the specific processing situation (EDPB, 'Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679', 4 June 2019 (Version 2.0), margin number 7, available at https://ww

Article 41 GDPR

Legal Text: Commentary. Article 41 GDPR complements Article 40 GDPR by providing that compliance with any approved code of conduct must be monitored by an accredited body with the appropriate level of expertise in the sector covered by the code. Although the Data Protection Directive 95/46/EC (DPD) included a provision on codes of conduct (Article 27(1) DPD), this did not include any information on how compliance with such codes should be monitored. Accordingly, i

Article 40 GDPR

(1) Encouragement of CoC. EDPB Guidelines: * EDPB, 'Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679', 4 June 2019 (Version 2.0), available at https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201901_v2.0_codesofconduct_en.pdf, and * E

Article 40 GDPR

(3) Controllers and Processors not Subject to the Territorial Scope of the GDPR. The focus on a particular sector is supposed to allow for a cost-effective way to achieve data protection compliance by taking into account all the specific characteristics of processing carried out in that sector, with particular emphasis on the needs of micro, small and medium enterprises (EDPB, 'Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679', 4 June 2019 (Version

States Tried to Censor Kids Online. Courts, and EFF, Mostly Stopped Them: 2025 in Review

Lawmakers in at least a dozen states believe that they can pass laws blocking young people from social media or require them to get their parents’ permission before logging on. Fortunately, nearly every trial court to review these laws has ruled that they are unconstitutional. It’s not just courts telling these lawmakers they are wrong. EFF has spent the past year filing friend-of-the-court briefs in courts across the country explaining how these laws violate young people’s First Amendment right


EFF investigations reveal abuse of surveillance by Flock Safety: a look back at 2025.

Throughout 2025, EFF conducted groundbreaking research into Flock Safety's automated license plate recognition (ALPR) system, uncovering a system designed to enable mass surveillance and vulnerable to serious abuse. Our research led to investigations at the state and federal levels, resulted in significant legal challenges, and exposed a dangerous expansion into voice recognition technology. We documented how Flock's surveillance infrastructure allowed law enforcement to track protestors exercising their right to...

From "chat monitoring" to solutions that truly protect children and their privacy.

This article highlights alternatives that are evidence-based and strengthen the safety of children, while simultaneously protecting encryption and fundamental rights. It advocates for better enforcement, more targeted tools, and meaningful support for services that focus on child protection, rather than broad surveillance measures. The article "Beyond 'Chat Control': Towards solutions that truly protect children and privacy" originally appeared on European Digital Rights (EDRi).


Support the EDPB’s work as an expert

Brussels, 28 November - The EDPB launched a call for expressions of interest to establish a new reserve list for the Support Pool of Experts (SPE) programme. The objective is to set up a reserve list of legal and technical experts. The legal expertise sought includes a wide range of fields, such as data protection, policy monitoring, technology, cybersecurity, competition, healthcare, online intermediary services and content moderation. As for the technical expertise, the relevant areas include IT a
