News

Corrected and added some links, removed duplicate in short summary. }}}} An DPA denied a complaint against a public body under Articles 9 and 77 GDPR, holding that publication of a data subject’s political donation did not violate the GDPR because the controller had a lawful basis.An DPA denied a complaint against a public body under [[Article 9 GDPR|Articles 9]] and [[Article 77 GDPR|77 GDPR]], holding that publication of a data subject’s political donation did not violate them because the cont

A study published by EDRi member Asociația pentru Tehnologie și Internet (ApTI) Romania analysed how the recommender algorithms on Facebook, Instagram and TikTok distributed political content, during the 2025 presidential election. The quantitative analysis identified cases in which these social media platforms did not comply with either national electoral laws, nor with EU Regulations, such as the Digital Service Act (DSA). The post How recommender algorithms threaten election integrity appeare

Facts }}}} The Supreme Court upheld rules requiring legal counsels to keep a client register and ensure confidentiality. It held that processing client data to check conflicts of interest is lawful under [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]] as it fulfills a statutory duty.The Supreme Court upheld rules requiring legal counsels to keep a client register and to ensure confidentiality. It held that keeping a client register is necessary to comply with the legal obligation to check for potenti

Facts }}}} The Supreme Court of Poland upheld rules requiring legal counsels to keep client data confidential and maintain a client register. The Court held processing was lawful under [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]] to meet legal obligations.The Supreme Court upheld rules requiring legal counsels to keep a client register and ensure confidentiality. It held that processing client data to check conflicts of interest is lawful under [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]] as it fulf

In the second part of our series on the dodgy digital security practices underlying advanced AI tools, we examine how LLMs threaten information integrity. The post Artificial Insecurity: threats to information integrity appeared first on Access Now.

The event will give the opportunity to the researchers, the University of Amsterdam and Eurecat – Centre Tecnològic de Catalunya, to showcase the results of their analyses, presenting the policy options that can inform future policy-making. The post Information Integrity & Wikipedia: How community-governed platforms can inform future policy-making. appeared first on European Digital Rights (EDRi).

In the first part of our blog series on the dodgy digital security practices underlying advanced AI tools, we unpack how LLMs can jeopardize the confidentiality of people’s data. The post Artificial Insecurity: how AI tools compromise confidentiality appeared first on Access Now.

A university lecturer (the complainant) has requested access to the content of evaluation reports from independent reviewers and letters of recommendation that were prepared during the doctoral promotion process, from the University of Cyprus (the responsible party). A university lecturer (the complainant) has requested access to the content of evaluation reports from independent reviewers and letters of recommendation that were prepared during the doctoral promotion process, from the University of Cyprus (the responsible party).

Facts: A university lecturer (the complainant) requested access to the content of evaluation reports from independent reviewers and letters of recommendation that were prepared during the promotion process, from the University of Cyprus (the responsible party). A university lecturer (the complainant) requested access to the content of evaluation reports from independent reviewers and letters of recommendation that were prepared during the promotion process, from the University.

An Assistant Professor (the data subject) requested access to the content of evaluation reports by independent reviewers and letters of recommendation prepared during the academic promotion procedure from the University of Cyprus (the controller).An Assistant Professor (the data subject) requested access to the content of evaluation reports by independent reviewers and letters of recommendation prepared during the academic promotion procedure from the University of Cyprus (the controller). The c

Een universitair docent (de betrokkene) heeft toegang gevraagd tot de inhoud van beoordelingsrapporten van onafhankelijke beoordelaars en aanbevelingsbrieven die zijn opgesteld tijdens het promotieproces, bij de Universiteit van Cyprus (de verantwoordelijke). Een universitair docent (de betrokkene) heeft toegang gevraagd tot de inhoud van beoordelingsrapporten van onafhankelijke beoordelaars en aanbevelingsbrieven die zijn opgesteld tijdens het promotieproces, bij de Universiteit van Cyprus (de verantwoordelijke).

Facts === Facts ====== Facts === An Assistant Professor (the data subject) requested access to the content of evaluation reports by independent reviewers and letters of recommendation prepared during the academic promotion procedure from the University of Cyprus (the controller).An assistant professor (the data subject) requested access to the content of evaluation reports by independent reviewers and letters of recommendation prepared during the academic promotion procedure from the University

Een Oostenrijks mediabedrijf (de verantwoordelijke) dat lokaal nieuws publiceerde, beheerde een website die persoonlijke gegevens van bezoekers verzamelde met behulp van cookies en een banner voor toestemming voor het gebruik van cookies. De cookies bevatten unieke identificatiecodes om bezoekers te volgen. In augustus 2021.

An Austrian media company (the responsible party) that published local news operated a website that collected personal data from visitors using cookies and a banner requesting consent for the use of cookies. These cookies contained unique identification codes to track visitors. This occurred in August 2021.

A media company in Austria (the controller), which was publishing local news, operated a website which collected personal data from visitors using cookies and a cookie consent banner. Cookies included unique identifiers for tracking visitors. A media company in Austria (the controller), which was publishing local news, operated a website which collected personal data from visitors using cookies and a cookie consent banner. Cookies included unique identifiers for tracking visitors. In August 2021

}}}} Een Oostenrijks mediabedrijf is door de Autoriteit voor Gegevensbescherming een boete van 6.820 euro opgelegd, omdat het nalatig was bij het implementeren van een bindende aanwijzing om het cookiebanner op zijn website te wijzigen. Hierdoor werden de opties voor toestemming van gebruikers vertraagd, ondanks dat alle bezwaren werden afgewezen. De Autoriteit voor Gegevensbescherming heeft een mediabedrijf een boete van 6.820 euro opgelegd omdat het cookiebanner niet was aangepast om te voldoen aan de wetgeving, en er geen visueel gelijkwaardige optie was om cookies te weigeren. De Autoriteit had eerder aan het bedrijf opgedragen dit te doen, in overeenstemming met artikel 58(2)(d) van de AVG.

}}}} An Austrian media company was fined €6,820 by the Data Protection Authority for negligently failing to implement a binding order to modify its website’s cookie banner, delaying user consent options despite all appeals being rejected.The DPA fined a media company €6,820 for failing to bring its cookie banner into compliance by implementing a visually equivalent option to reject cookies. The DPA previously ordered the controller to do so in accordance with Article 58(2)(d) GDPR. == English Su

An Austrian media company has been fined €6,820 by the Data Protection Authority because it failed to implement a binding instruction to modify the cookie banner on its website. This resulted in delays in providing users with consent options, despite all objections being rejected. The Data Protection Authority imposed a fine of €6,820 on the media company because the cookie banner had not been adjusted to comply with the law, and there was no visually equivalent option for users to reject cookies. The Authority had previously instructed the company to do so, in accordance with Article 58(2)(d) of the GDPR.

Een mediabedrijf in Oostenrijk (de verantwoordelijke) dat lokaal nieuws publiceerde, beheerde een website die persoonlijke gegevens van bezoekers verzamelde met behulp van cookies en een banner voor toestemming voor het gebruik van cookies. De cookies bevatten unieke identificatienummers om bezoekers te volgen. Een mediabedrijf in Oostenrijk (de verantwoordelijke) dat lokaal nieuws publiceerde, beheerde een website die persoonlijke gegevens van bezoekers verzamelde met behulp van cookies en een banner voor toestemming voor het gebruik van cookies. De cookies bevatten unieke identificatienummers om bezoekers te volgen. In augustus 2021.

A media company in Austria (the controller), which was publishing local news, operated a website which collected personal data from visitors using cookies and a cookie consent banner. Cookies included unique identifiers for tracking visitors. A media company in Austria (the controller), which was publishing local news, operated a website which collected personal data from visitors using cookies and a cookie consent banner. Cookies included unique identifiers for tracking visitors. In August 2021

Powered by EDRi member Metamorphosis, e-Society.mk brings together top experts & decision makers to discuss the future of the e-society. The post e-Society.mk 2025: Integrity at the core of digital transformation appeared first on European Digital Rights (EDRi).

Aangestuurd door Metamorphosis, een lid van EDRi, brengt e-Society.mk topexperts en beslissingsmakers samen om de toekomst van de digitale samenleving te bespreken. Het artikel "e-Society.mk 2025: Integriteit als kern van de digitale transformatie" verscheen oorspronkelijk op European Digital Rights (EDRi).

Driven by Metamorphosis, a member of EDRi, e-Society.mk brings together leading experts and decision-makers to discuss the future of the digital society. The article "e-Society.mk 2025: Integrity as the core of digital transformation" originally appeared on European Digital Rights (EDRi).

On November 19th, the European Commission published two so-called "omnibus" proposals: one revising key aspects of the General Data Protection Regulation (GDPR) and the ePrivacy rules, along with other data-related laws, and the other an amendment to the AI Act. This article focuses on the first proposal. It explains how the proposed changes could weaken fundamental rights related to data protection and the confidentiality of communications, and why the combined effect risks undermining long-standing safeguards for individuals within the EU.

On 19 November, the European Commission has published two Omnibus proposals: one that rewrites key parts of the General Data Protection Regulation (GDPR) and ePrivacy rules, along with other data-related laws, and another that amends the AI Act. This article focuses on the first proposal. It explains how the changes would weaken core rights to data protection and the confidentiality of communications, and why the combined effect risks reshaping long-standing safeguards for people in the EU. The

Op 19 november heeft de Europese Commissie twee zogenaamde "omnibus"-voorstellen gepubliceerd: het ene herziening van belangrijke onderdelen van de Algemene Verordening Gegevensbescherming (AVG) en de ePrivacy-regels, samen met andere wetten met betrekking tot gegevens, en het andere een amendement op de AI-wet. Dit artikel richt zich op het eerste voorstel. Het legt uit hoe de voorgestelde wijzigingen fundamentele rechten op gegevensbescherming en de vertrouwelijkheid van communicatie zouden verzwakken, en waarom het gecombineerde effect het risico loopt om lang bestaande beschermingsmaatregelen voor mensen in de EU te veranderen.

Legislation.

A bill has been submitted to amend the Law on DNA testing for convicted individuals and the Code of Criminal Procedure, concerning the introduction of precautionary collection of cell samples and several other changes related to DNA testing. Documents 1 through 4 have been published, including appendices.

Government.

Three recommendations from the Dutch Authority for the Financial Markets (Autoriteit Financiële Markten - AP) combined: (regarding the handling of data breaches; a task to improve the privacy organization of the Tax Authority; and exemption from the obligation of tax confidentiality in cases of suspected violations of tax integrity under Article 67, paragraph 3, of the Act on Financial Supervision).

Government

Drie AP adviezen gebundeld (inzake afhandelen datalekken; Opdracht ter verbetering van de privacyorganisatie van de Belastingdienst; en Ontheffing fiscale geheimhoudingsplicht in gevallen van vermoedelijke fiscale integriteitsschending op grond van artikel 67, derde lid van de Awr)

> Read through the most interesting developments at the intersection of human rights and technology from the Netherlands. This is the second update in this series.

> Personal data protection and whistleblowing are two different topics — different regulations with different purposes, scope and requirements. But, in fact, they are closer than they seem, especially for practical reasons. Both data protection governance and whistleblowing systems are often exercised by the same unit —  the compliance department — or even by the same person. This solution offers several advantages, but also some problematic points that need to be highligh

De GDPR-risicoanalyse is bedoeld om controllers en verwerkers te helpen bij het identificeren van de risicofactoren voor de rechten en vrijheden van de betrokkenen, wiens gegevens worden verwerkt. Het doel is om een eerste inschatting te maken van het inherente risico, inclusief de noodzaak om een Privacy Impact Assessment (DIA) uit te voeren, en om het resterende risico te schatten als maatregelen en beveiligingsmechanismen worden gebruikt om specifieke risicofactoren te verminderen.

> GDPR RISK ASSESSMENT is intended to assist controllers and processors to identify the risk factors for the rights and freedoms of data subjects whose data are present in the processing, to make an initial assessment of the intrinsic risk, including the need to perform a DPIA, and to estimate the residual risk if measures and safeguards are used to mitigate the specific risk factors.

The Danish Data Protection Agency has looked into the tool Google Analytics and its settings, and the terms under which the tool is provided. On the basis of this review, the Danish Data Protection Agency concludes that the tool cannot, without more, be used lawfully. Lawful use requires the implementation of supplementary measures in addition to the settings provided by Google.

De Deense Autoriteit voor Persoonsgegevens heeft onderzoek gedaan naar het instrument Google Analytics en de bijbehorende instellingen, evenals de voorwaarden waaronder het instrument wordt aangeboden. Op basis van dit onderzoek concludeert de Deense Autoriteit voor Persoonsgegevens dat het instrument, zonder aanvullende maatregelen, niet op een wettelijke manier kan worden gebruikt. Wettelijk gebruik vereist de implementatie van aanvullende maatregelen, naast de instellingen die door Google worden aangeboden.

De Europese Toezichthouder op de Bescherming van Persoonsgegevens heeft Europol opgedragen om persoonlijke gegevens over te dragen aan de Nederlandse activist Frank van der Linde. Dit besluit is het resultaat van een onderzoek van twee jaar naar de manier waarop Europol de persoonlijke gegevens van Van der Linde bewaart en verwerkt.

The European Data Protection Supervisor ordered Europol to hand over personal data to Dutch activist Frank van der Linde. The decision is the result of a two-year investigation into Europol's possession and storage of van der Linde's personal data.

The new data governance regulation sets out the conditions for the reuse of certain government data. In addition, the regulation provides a notification and oversight framework for the provision of data mediation services. Furthermore, the regulation contains a framework for the voluntary registration of entities that collect and process data made available for altruistic purposes. The rules will apply from September 2023.

> DeFine is a translation into a calculator of part of the methodology proposed by the European Data Protection Board to calculate GDPR fines (see EDPB, Guidelines 04/2022 on the calculation of administrative fines under the GDPR, 12 May 2022, available online; it was subject to a public consultation until 27 June 2022).