The Italian Data Protection Authority (the Garante) has issued its first GDPR fine for, among other breaches, unlawful retention of metadata from employees’ emails and web browsing activities. The decision applies, for the first time, the Garante’s highly discussed guidelines of 2024 on the use of metadata in workplace email systems.

The Processing

Continue Reading Italy: The Garante Issues First GDPR Fine Over Employees Email Metadata Privacy Breach

The European Commission has published its proposal for a new regulation simplifying the EU General Data Protection Regulation (“GDPR”) requirements for small mid-cap enterprises (“the Proposal“). The Proposal forms part of the European Commission’s Omnibus IV Simplification Package and comes after the European Data Protection Board (“EDPB”) and the

Continue Reading Europe: European Commission publishes proposal for simplification of the GDPR

In a decision on immaterial damages under Article 82 of the EU General Data Protection Regulation (GDPR), the Higher Regional Court of Dresden, Germany (case number 4 U 940/24), set out important monitoring and auditing obligations of controllers with respect to their processors.  

The controller (defendant) operates an online music

Continue Reading Germany: Monitoring and auditing obligations of controllers with respect to their processors

The seventh annual edition of DLA Piper’s GDPR Fines and Data Breach Survey has revealed another significant year in data privacy enforcement, with an aggregate total of EUR1.2 billion (USD1.26 billion/GBP996 million) in fines issued across Europe in 2024.

Ireland once again remains the preeminent enforcer issuing EUR3.5 billion (USD3.7 billion/GBP2.91 billion) in fines since

Continue Reading EU: DLA Piper GDPR Fines and Data Breach Survey: January 2025

If employers and works councils agree on ‘more specific rules’ in a works agreement regarding the processing of employees’ personal data in the employment context (Art. 88 (1) GDPR), these must take into account the general data protection principles, including the lawfulness of processing (Art. 5, Art. 6 and Art. 9 GDPR), according to the

Continue Reading Germany: Works agreements cannot legitimate inadmissible data processing.

In its judgement of November 18, 2024 (case number VI ZR 10/24) the German Federal Court of Justice (Bundesgerichtshof – “BGH”) clarified key legal issues regarding claims for damages under Article 82 GDPR in the event of a mere loss of control of personal data in the Facebook scraping complex. This blog

Continue Reading Germany: Update: Judgment on Non-Material Damages for Loss of Control over Personal Data

On 20 November 2024, the EU Cyber Resilience Act (CRA) was published in the Official Journal of the EU, kicking off the phased implementation of the CRA obligations.

What is the CRA?

The CRA is a harmonising EU regulation, the first of its kind focusing on safeguarding consumers and businesses from cybersecurity threats. 

Continue Reading EU: Cyber Resilience Act published in EU Official Journal

On November 18, 2024, the German Federal Court of Justice (Bundesgerichtshof – “BGH”) made a (to date unpublished) judgment under the case number VI ZR 10/24 regarding claims for non-material damages pursuant to Art. 82 GDPR, due to the loss of control over personal data.

The judgment is based on a personal

Continue Reading Germany: Judgment on Non-Material Damages for Loss of Control over Personal Data

This is Part 3 in a series of articles on the European Health Data Space (“EHDS“).  Part 1, which provides a general overview of the EHDS, is available here. Part 2, which deals with the requirements on the manufacturers of EHR-Systems under the EHDS, is available here.

This article provides an

Continue Reading EU: EHDS – Access to health data for secondary use under the European Health Data Space

The European Data Protection Board (“EDPB“) adopted an opinion on 7 October 2024, providing guidance for data controllers relying on processors (and sub-processors) under the GDPR. The two key themes are:

  1. supply chain mapping;
  2. verifying compliance with flow-down obligations.

For many financial institutions, the emphasis on these obligations should not come as a

Continue Reading EU: Engaging vendors in the financial sector: EDPB clarifications mean more mapping and management