Organisations are increasingly turning to AI-enabled tools throughout the recruitment lifecycle, from CV filtering and suitability scoring to online assessments and behavioural analysis. These tools can offer real advantages, including faster hiring processes and the potential to reduce human bias that inevitably exists in traditional recruitment. However, their use often creates a tension with data
Continue Reading UK: ICO Report on Automated Decision-Making in Recruitment
Summary
On 19 March 2026, the Court of Justice of the European Union (CJEU) handed down its judgment in Case C-526/24, Brillen Rottler, clarifying that a data subject’s first request for access to personal data under Article 15 of the General Data Protection Regulation (GDPR) may be refused as “excessive”.
Continue Reading EU: CJEU Rules That a Single DSAR Can Be Refused as Abusive
On 5 February 2026, the main changes to data protection legislation in Part 5 of the Data (Use and Access) Act 2025 (“DUAA“) came into force.
The DUAA was passed and received Royal Assent on 19 June 2025. Although some of the DUUA provisions came into force automatically, many of the reforms
Continue Reading UK: Commencement of the data protection provisions in the Data (Use and Access) Act
Over the last decade, the EU has launched an unprecedented constellation of laws: GDPR, the AI Act, the Data Act, NIS2, the Cyber Resilience Act, DORA, DSA, DMA, eIDAS 2.0 and more. Together – under the ‘Digital Decade’ banner – they aim to form a powerful framework to protect fundamental rights, promote trustworthy technology and
Continue Reading EU: Digital Autofocus – Will Europe’s Digital Omnibus bring clarity to Regulation?
In its judgment of May 13, 2025 (case number VI ZR 186/22), the German Federal Court of Justice (Bundesgerichtshof – “BGH”) continued its case law on the compensability of non-material damages under Article 82 GDPR, in particular with regard to whether the mere loss of control over personal data was sufficient for a
Continue Reading Germany: Further Judgment on Non-Material Damages for Loss of Control over Personal Data
The Irish Supreme Court, on 24 July 2025, issued a landmark decision offering greater clarity on non-material damages in the context of privacy claims under the General Data Protection Regulation (GDPR). The judgment in Dillon v Irish Life Assurance plc[1] (Dillon) marks a significant development for both individuals seeking compensation
Continue Reading Ireland: GDPR, PIAB, and the Personal Injury Puzzle – The Irish Supreme Court Decides
The Italian Data Protection Authority (Garante) has fined a company EUR 420,000 for violating privacy laws in the workplace. The decision focuses on the employer’s use of content from Facebook, WhatsApp, and Messenger— shared from the employee’s personal accounts—for disciplinary purposes.
This ruling will have serious repercussions for any employer operating in Italy, especially those
Continue Reading Italy: Garante issues fine for use of employee’s private chats in disciplinary actions
A recent and far-reaching decision by the Italian Data Protection Authority (Garante) has significantly altered the rules governing marketing privacy consent in Italy, introducing a potential obligation to adopt a double opt-in mechanism for collecting consent, that exceeds the requirements in other EU countries.
Why This Case Matters: A Shift in Privacy Consent
Continue Reading Italy: Marketing Privacy Consent – Is Double Opt-In Now Mandatory?
On 17th June 2025, the Spanish Data Protection Authority (“AEPD”) published guidance in relation to Royal Decree 933/2021, which regulates document registration and information obligations relating to accommodation and motor vehicle rental activities (“Royal Decree“). In particular, the AEPD has clarified that the Royal Decree does not authorise requests for copies
Continue Reading Spain: AEPD Guidance – Important Update on Royal Decree 933/2021
On 14 May 2025, the Brussels Court of Appeal (Market Court) delivered the long-awaited judgement in the case concerning the Transparency & Consent Framework (“TCF”) (case no. 2022/AR/292). The Court largely upheld the findings of the Belgian Data Protection Authority (“Belgian DPA”), concluding that the TCF’s use of the Transparency and Consent
Continue Reading EU: Brussels Court of Appeal rules on IAB Europe and the TC String – Implications for GDPR Compliance
