
News

Current events, updates, and developments in data protection law


AI-generated imagery and protection of privacy: EDPB supports joint Global Privacy Assembly’s statement

Brussels, 23 February - EDPB Chair Anu Talus has signed a Joint Statement on AI-Generated Imagery and the Protection of Privacy on behalf of the EDPB. The statement, coordinated by the Global Privacy Assembly's (GPA) International Enforcement Cooperation Working Group (IEWG), represents the united position of 61 authorities across the world. This reflects the Board’s commitment to contributing to the global dialogue on data protection as outlined in the fourth pillar of its work programme 2026-2

DSB (Austria) - 2024-0.199.724

The DPA denied a complaint against a public body under Articles 9 and 77 GDPR, holding that publication of a data subject’s political donation did not violate the GDPR because the controller had a lawful basis.

EU adds ‘innovative solutions’ for migration into €200bn external fund

The term, however, still lacks a clear legal basis

ICO (UK) - Allay Claims Ltd

The controller claimed it relied on the soft opt-in in Regulation 22(3) of the Privacy and Electronic Communications Regulations 2003 (PECR), under which an organisation may send direct marketing emails to its own customers even if they did not specifically consent to them. However, only the organisation that collected the contact details can rely on the soft opt-in.

AEPD (Spain) - EXP202406574

The AEPD fined a political party €500 for publishing a proof of delivery on Facebook that showed a person’s name, ID number and signature without a legal basis under Article 6 GDPR.

SN - I NO 14/23

The Supreme Court upheld rules requiring legal counsels to keep a client register and to ensure confidentiality. It held that processing client data to check for conflicts of interest is lawful under Article 6(1)(c) GDPR because it fulfils a statutory duty.

VDAI (Lithuania) - Nr. 3R-219 (2.13-1.E)

The DPA partially upheld a complaint and issued a reprimand against a travel company for unlawful direct marketing, excessive collection of passport copies, inaccuracies in travel documents, lack of transparency, and an incomplete response to an access request.

AEPD (Spain) - EXP202406574

The AEPD fined a right-wing political party €500 for publishing a proof of delivery on Facebook that showed a person’s name, ID number and signature without a legal basis under Article 6 GDPR. Facts: VOX had sent a certified letter to a m

LG Kassel - 10 O 81/24

The data subject had a mobile contract with the controller, a telecommunications company, starting 17 April 2019. The contract included privacy notices stating that personal data about the initiation, execution and completion of the contract (“positive data”) could be sent to a credit scoring agency for credit scoring, under Articles 6(1)(b) and 6(1)(f) GDPR.

SN - I NO 14/23

The Supreme Court of Poland upheld rules requiring legal counsels to keep client data confidential and to maintain a client register. The Court held that the processing was lawful under Article 6(1)(c) GDPR as necessary to meet a legal obligation.

OLG Dresden - Az. 4 U 196/25

Oberlandesgericht Dresden (Higher Regional Court Dresden), Germany, case 4 U 196/25. Source: beck-aktuell, https://rsw.beck.de/aktuell/daily/

SN - I NO 14/23

In December 2022, the National Council of Legal Counsels (Poland) adopted regulations on the practice of legal counsels. The Minister of Justice challenged parts of the regulations, in particular § 5 and § 6. § 5 required persons cooperating with legal counsels to keep information confidential. § 6 required legal counsels to maintain a client register in order to identify conflicts of interest. The Minister argued that these rules violated Article 6

AEPD (Spain) - PS-00456-2025

The DPA upheld the complaint and found an infringement of Article 6(1) GDPR. It clarified that necessity for the performance of a contract must be interpreted strictly and covers only processing that is objectively necessary, not merely useful or convenient.

AEPD (Spain) - PS-00456-2025

The DPA fined a customer support provider €80,000 for transferring its employees’ private phone numbers to its business customer without a valid legal basis, in violation of Article 6(1) GDPR. Facts: MAJOREL SP SOLUTIONS, S.A. (the controller) entered into an

CNIL (France) - SAN-2025-017

The DPA found that, since the membership form contained no information on the transmission of members’ data to the social media platform, or even on targeted advertising, the consent was neither informed nor specific. It therefore found the processing unlawful, in violation of Article 6(1)(a) GDPR.

“Free” Surveillance Tech Still Comes at a High and Dangerous Cost

Surveillance technology vendors, federal agencies, and wealthy private donors have long helped provide local law enforcement “free” access to surveillance equipment that bypasses local oversight. The result is predictable: serious accountability gaps and data pipelines to other entities, including Immigration and Customs Enforcement (ICE), that expose millions of people to harm. The cost of “free” surveillance tools — like automated license plate readers (ALPRs), networked cameras, face recognit

DSB (Austria) - 2025-0.813.131

The DPA held that an event organiser’s use of a data subject’s email address, provided for a ticket purchase, to send a marketing email without consent, and its disclosure of that address to a large group of other recipients via an open CC field, violated the data subject’s right to secrecy.

EFFecting Change: Get the Flock Out of Our City

Flock contracts have quietly spread to cities across the country. But Flock ALPRs (automated license plate readers) erode civil liberties from the moment they are installed. While officials claim these cameras keep neighborhoods safe, the evidence tells a different story. The data reveals how Flock has enabled surveillance of people seeking abortions, protesters exercising First Amendment rights, and communities targeted by discriminatory policing. This is exactly why cities are saying no. Fr

Garante per la protezione dei dati personali (Italy) - 10201989

The DPA imposed a fine of €400,000 on Verisure Italy, a provider of alarm systems, for unlawful marketing communications. The controller lacked a valid legal basis for marketing to both former and prospective clients, failed to properly inform data subjects, applied excessive or indeterminate retention periods, and responded late to data subject rights requests.

CNIL (France) - SAN-2025-015

The dispute related to the processor’s responsibility for implementing adequate security measures under Article 32 GDPR. The DPA’s reasoning addressed the fairness of the procedure and the allocation of responsibilities.

CNIL (France) - SAN-2025-014

The DPA fined a processor €1 million for failing to delete users’ personal data, for processing it for purposes contrary to the contract, and for failing to keep a record of its processing activities.


SO Warszawa - C 310/23

The controller did not respond adequately, providing unclear information or referring the data subject to third parties. As a result, the data subject lodged a complaint with the DPA. The DPA issued a final decision warning the controller for violating Article 6(1) and Article 5(1)

AEPD (Spain) - EXP202500113

The DPA fined a bank €500,000 after a courier lost a customer’s documents. It held that the bank had failed to ensure adequate security and proper supervision of its processor under Article 32 GDPR.

OLG Frankfurt am Main - 6 U 81/23

The Court awarded €100 in non-material damages for the storage and processing of cookies without the data subject’s consent. Although the infringement was minor and the data subject suffered no loss of control over his data, the court held that the feeling of being monitored constituted non-material damage.

Opć. sud Zadar - K-648/2025-2

A court sentenced an individual to a suspended six-month prison sentence for unlawfully accessing company systems and using the personal data of 334 clients without consent, in violation of the national Criminal Code and Article 6(1) GDPR.

CNIL (France) - SAN-2025-014

Firstly, the DPA found that the processor should have deleted the users’ data at the end of its contractual relationship with the controller; by failing to do so, it violated Article 28(3)(g) GDPR.


VDAI (Lithuania) - Decision No. 3R-1700

The DPA held that a gambling operator lawfully transferred data to a processor for sending invitations to sporting events, since engaging a processor does not require a separate legal basis. However, it found that the controller breached its transparency obligations by not informing the data subject about the categories of data recipients.

AEPD (Spain) - EXP202306073

The DPA fined a telecommunications provider €300,000 for unlawfully changing a mobile line’s ownership and issuing a duplicate SIM card to a third party impersonating the customer (a SIM swap fraud). According to the DPA, the provider failed to properly verify the customer’s identity, in breach of Article 6 GDPR.

DSB (Austria) - 2025-0.276.820

The DPA fined a media company €6,820 for negligently failing, after all of its appeals had been rejected, to implement a binding order under Article 58(2)(d) GDPR requiring it to add a visually equivalent option to reject cookies to its cookie banner.

DSB (Austria) - 2025-0.276.820

The DSB held that the controller had failed to comply with a binding order issued under Article 58(2)(d) GDPR, which empowers supervisory authorities to order controllers to bring their processing into compliance with the GDPR. The order had required the controller to modify its website cookie banner so that users could refuse consent as easily as they could give it.

BGH - I ZR 97/25

The Federal Court of Justice held that the maximum storage period for data about an already settled payment default held by a private credit agency is not limited by the national deletion rules for the public debtor register, and that GDPR codes of conduct may guide the balancing of interests under Article 6(1)(f) GDPR.

OGH - 6Ob189/24y

The Austrian Supreme Court held that Meta must give its users full access to all of their personal data, including sources, recipients and purposes; a merely exemplary list is insufficient. It further held that personalised advertising and the processing of (sensitive) personal data from third-party websites require the data subject’s consent.

US Rijeka - Us I-199/2025-9

A court annulled the DPA’s dismissal of a GDPR complaint, holding that the DPA is required to investigate a data subject’s complaint and issue a decision on the merits. It ordered the DPA to decide within 60 days on the alleged unlawful disclosure of the data subject’s personal data.

USR - Us I-755/2025-8

Finally, the court reiterated that consent was not required because Article 6 GDPR offers alternative lawful bases for processing; since Article 6(1)(f) was satisfied, the absence of consent was irrelevant. Concluding that AZOP had applied the law correctly and that the interference with the data subject’s privacy was proportionate, the court upheld the decision and dismissed the data subject’s claim and costs.

USR - Us I-755/2025-8

A court held that a television broadcaster lawfully published a video containing personal data about a public company board member, since the information served the public interest; the publication complied with Article 6 GDPR and outweighed the right to erasure.

DSB (Austria) - 2025-0.276.820

A media company in Austria (the controller), which published local news, operated a website that collected personal data from visitors using cookies and a cookie consent banner. The cookies included unique identifiers for tracking visitors.

USR - Us I-755/2025-8

A court held that a television broadcaster lawfully published a video concerning the resignation of a public company’s board member, together with their personal data, because the information served the public interest; the publication complied with Article 6 GDPR and outweighed the right to erasure.

The Homeland Security Spending Trail: How to Follow the Money Through U.S. Government Databases

This guide was co-written by Andrew Zuker with support from the Heinrich Boell Foundation. The U.S. government publishes volumes of detailed data on the money it spends, but searching through it and finding information can be challenging. Complex search functions and poor user interfaces on government reporting sites can hamper an investigation, as can inconsistent company profiles and complex corporate ownership structures. This week, EFF and the Heinrich Boell Foundation released an update to

AEPD (Spain) - EXP202306073

Published 5 January 2026; fine corrected to €300,000. The DPA fined a telecommunications provider €300,000 for unlawfully changing a mobile line’s ownership and issuing a duplicate SIM card without proper identity verification, in breach of Article 6 GDPR, following a SIM swap fraud.


EDPB gives recommendations to make online shopping more respectful of users’ privacy, discusses the Digital Omnibus proposal and appoints new Deputy Chair

Brussels, 4 December - During its latest plenary, the EDPB adopted recommendations on the legal basis for requiring the creation of user accounts on e-commerce websites. In addition, the Board had a preliminary discussion on the Digital Omnibus proposal and appointed the new EDPB Deputy Chair. Internet users visit e-commerce websites for a variety of reasons, including making online purchases, taking advantage of promotions, or simply browsing products. When interacting with these websites, they

noyb win: Conde Nast fined €750,000 for placing cookies without consent

The French DPA has fined the Vanity Fair publisher Condé Nast €750,000.

Legacy Switches: A Proposal to Protect Privacy, Security, Competition, and the Environment from the Internet of Things

Georgetown University Law Center researchers propose that every IoT device manufacturer build a switch into their devices that disables any smart feature that contributes to security or privacy risks. This will render a smart thermostat just a thermostat and a smart doorbell just a doorbell, and will disable microphones, sensors, and wireless connectivity. Any user should find it easy to use and easy to verify whether the switch has been toggled.

Health data and use of cookies: DOCTISSIMO fined €380,000

Background information Following a complaint by the PRIVACY INTERNATIONAL association, the CNIL carried out four investigations into DOCTISSIMO. The doctissimo.fr website mainly offers articles, tests, quizzes and discussion forums related to health and well-being for the general public. During its investigations, the CNIL noted several infringements, in particular concerning the duration of data retention, the collection of health data via online tests, the security of data as well as the wayco

Procurement dispute: estoppel allowed

> Procurement. Claim for damages against contracting authority. Reliance on estoppel succeeds. Plaintiff did not challenge the award decision in interlocutory proceedings within 20 days. Pursuant to the tender conditions, she thereby also forfeited her right to damages. Applying this sunset clause here is not unreasonable or disproportionate. (Machine translated)

Artificial intelligence: the action plan of the CNIL

In brief: the CNIL has been working for several years to anticipate and respond to the issues raised by AI. In 2023, it will extend its action on augmented cameras and intends to expand its work to generative AI, large language models and derived applications (especially chatbots). Its action plan is structured around four strands: understanding the functioning of AI systems and their impact on people; enabling and guiding the development of privacy-friendly AI; federate and

"Overijssel court rejects municipality's claim in cyber attack case"

> On December 1, 2020, a cyber attack took place at the municipality, encrypting and making inaccessible the municipality's network and backup systems and deleting many virtual servers. The municipality holds the company responsible for this. The court rejected the municipality's claim. There is no evidence that the company failed to meet its contractual obligations ni... (Machine translated)

Facial recognition: the CNIL decided to impose an overdue penalty payment on Clearview AI

Background information CLEARVIEW AI collects photographs from a wide range of websites, including social networks, and sells access to its database of images of people through a search engine in which an individual can be searched using a photograph. The company offers this service to law enforcement authorities. Facial recognition technology is used to query the search engine and find an individual based on its photograph. In a decision of 17 October 2022, the restricted committee – the CNIL bo