The Dutch Data Protection Authority (“AP”) has imposed a fine of €2.7 million on Experian Nederland B.V. (“Experian”) for breaches of the General Data Protection Regulation (“GDPR”).

This fine comes after Experian filed an objection against the AP’s initial decision and imposition of a fine in December 2023 (the value of

Continue Reading Dutch DPA fines Experian €2.7m for breaches of the GDPR

The EU General Court has dismissed a French MEP’s challenge to the EU-U.S. Data Privacy Framework (“DPF”) for the transfer of personal data between the European Union (“EU”) and the United States (“U.S.”). While the decision is welcome news to organisations relying on the DPF for transfers underpinning their

Continue Reading EU-U.S. Data Privacy Framework Survives First Challenge

In its judgment of May 13, 2025 (case number VI ZR 186/22), the German Federal Court of Justice (Bundesgerichtshof – “BGH”) continued its case law on the compensability of non-material damages under Article 82 GDPR, in particular with regard to whether the mere loss of control over personal data was sufficient for a

Continue Reading Germany: Further Judgment on Non-Material Damages for Loss of Control over Personal Data

On June 26, 2025, the European Union Agency for Cybersecurity (ENISA) published two sets of guidelines to help businesses ensure their organizational compliance with the NIS2 Directive.

The aim of the guidelines is to support companies in understanding how legal requirements translate into operational activities, particularly regarding (i) roles and skills for professionals within essential

Continue Reading EU: ENISA Guidelines on Compliance with NIS 2 Directive Published

The Italian Data Protection Authority’s recent decision provided guidance on the true meaning of personal data anonymization and on the crucial distinction that the DPO acts as a monitor, not an executor. In a world driven by AI and public surveillance, both concepts are more relevant than ever.

On April 10, 2025, the Garante issued a

Continue Reading ITALY: Personal data anonymization and the risk of the DPO being an executor

The Italian Data Protection Authority (Garante) has fined a company EUR 420,000 for violating privacy laws in the workplace. The decision focuses on the employer’s use of content from Facebook, WhatsApp, and Messenger, shared from the employee’s personal accounts, for disciplinary purposes.

This ruling will have serious repercussions for any employer operating in Italy, especially those

Continue Reading Italy: Garante issues fine for use of employee’s private chats in disciplinary actions

A recent and far-reaching decision by the Italian Data Protection Authority (Garante) has significantly altered the rules governing marketing privacy consent in Italy, introducing a potential obligation to adopt a double opt-in mechanism for collecting consent, an obligation that exceeds the requirements in other EU countries.

Why This Case Matters: A Shift in Privacy Consent

Continue Reading Italy: Marketing Privacy Consent – Is Double Opt-In Now Mandatory?

The Spanish Data Protection Authority (“AEPD”) has published its 2024 annual report, which includes the AEPD’s awareness-raising activities; the collaboration and inspection activities of the Spanish authorities; relevant reports and procedures published during 2024; and an analysis of regulatory trends and key privacy challenges for the coming months. The annual report’s key elements

Continue Reading Spain: Spanish Data Protection Authority Publishes Annual Report

The potential criminalization of activities associated with ransomware cyberattacks, including ransom payments by victims, has long been an unresolved issue. This concern has now led Italy to introduce a groundbreaking legislative proposal aimed at enhancing cybersecurity and mitigating threats posed by digital extortionists.

Recognizing ransomware cyberattacks not merely as economic disturbances but as

Continue Reading Italy: Ransomware and Crime – A Proposal to Tackle Cyber Extortion in Italy

On 17th June 2025, the Spanish Data Protection Authority (“AEPD”) published guidance in relation to Royal Decree 933/2021, which regulates document registration and information obligations relating to accommodation and motor vehicle rental activities (“Royal Decree”). In particular, the AEPD has clarified that the Royal Decree does not authorise requests for copies

Continue Reading Spain: AEPD Guidance – Important Update on Royal Decree 933/2021