Risk Assessment
Personal data protection should be the cornerstone of risk assessments for organisations. The Polish regulator UODO came to this conclusion after investigating a ransom attack in a children’s clinical hospital in Białystok. Access to IT systems was blocked, which resulted in a breach of confidentiality and availability of personal data of approximately 2,000 employees, including the possibility of obtaining unauthorized access to them. In the circumstances of this case, the risk assessment was conducted on the basis of a flawed procedure – from the perspective of the hospital as an organisation, and not from the perspective of protecting data subjects.
The documents that were supposed to prove that a risk analysis had been conducted were inconsistent and full of ambiguities. The hospital did not indicate which processes it was analysing, nor did it link those processes to the identified threats, vulnerabilities and the final risk rating. When explaining which technical measures it used to secure its IT systems, the controller referred to an audit conducted for compliance with the national cybersecurity act. However, that act focuses primarily on ensuring the safe and uninterrupted provision of services, and not – as the GDPR does – on protecting the rights and freedoms of natural persons.
The hospital did not implement an appropriate procedure for performing and documenting recovery tests, and did not apply appropriate security measures to the backup copies it created, which may have contributed to the hospital being unable to fully restore the data lost as a result of the attack.
Other legal developments
From 19 June, the Data Use and Access Act 2025 (DUAA) amends, but does not replace, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR), to promote innovation (eg, commercial scientific research, automated decision-making) and economic growth. Whilst it still protects people and their rights, the DUAA simplifies personal data usage in the following ways:
- New ‘recognised legitimate interests’ lawful basis of data processing (from public safety to direct marketing)
- Assumption of compatibility for some data reuses
- ‘Soft opt-in’ (eg, for charities)
- More flexible requirements on cookies
- Reasonable and proportionate subject access requests, etc.
At the same time, if you provide an online service that is likely to be used by children, the DUAA explicitly requires you to take their needs into account. The data subject complaints must also be facilitated by offering electronic complaint forms and respecting the 30-day legal time frame for acknowledgement and response. The changes will be phased in between June 2025 and June 2026. More summaries of changes can be found here and here.
GDPR enforcement ease: The Council of the European Union and the Parliament have reached a deal to make cross-border GDPR enforcement work better for citizens. Once adopted, the regulation will speed up the process of handling cross-border GDPR complaints, and any follow-up investigations. The co-legislators agreed on an overall investigation deadline of 15 months, which can be extended by 12 months for the most complex cases. The early resolution mechanism will allow data protection authorities to resolve a case before triggering the standard procedures for handling a cross-border complaint. This may be the case where the company or organisation in question has addressed the infringement and where the complainant has not objected to the early resolution of the complaint.
AI and web scraping
The GDPR, in many cases, applies to AI models trained on personal data, due to their memorisation capabilities. To that end, a French CNIL guide specifies the conditions for using legitimate interest in the development of AI in the case of web scraping. In line with the opinion adopted by the EDPB in December 2024, the CNIL considers that the development of AI systems does not systematically require the consent of individuals. Legitimate interest is a possible legal basis for the development of AI systems, subject to strong safeguards.
The guide offers examples of concrete safeguards adapted to the different types of AI systems: exclusion of certain data from collection, increased transparency, facilitation of the exercise of data subject rights, etc. For example, the reuse of future conversations of users with a chatbot for the improvement of the AI model can be based on legitimate interest provided that certain strong guarantees are put in place: information for individuals, right to object, restriction of processing towards pseudonymised/anonymised data, etc.
More from supervisory authorities worldwide
COPPA update: In the US, the amended Children’s Online Privacy Protection Rule took effect on 23 June. It includes a new definition for a mixed audience website or online service that is intended to provide greater clarity regarding an existing sub-category of child-directed services. The amendments also modify operators’ obligations concerning direct and online notices; information security, deletion, and retention protocols; annual assessment, disclosure, and reporting requirements. It also adopts rules related to parental consent requirements, methods of obtaining verifiable parental consent, and exceptions.
Biometric identifiers vs biometric data: The JDSupra legal blog explains the differences between the two categories specified in the Colorado Privacy Act, which went into effect on July 1. Biometric identifiers are data generated by the technological processing, measurement, or analysis of a consumer’s biological, physical, or behavioral characteristics which can be processed for identification. Biometric data is the subset of biometric identifiers which are used, or intended to be used, for identification purposes. It does not include digital or physical photographs, audio or voice recordings, or any data generated from a digital or physical photograph or an audio or video recording, unless any of these are used for identification purposes. Both categories can be considered sensitive data and can require a privacy notice and consent.
Child data: Also in the US, New York’s Child Data Protection Act (NYCDPA) went into effect on June 20. The Office of the Attorney General issued practical guidance in advance concerning the application of the NYCDPA to minors’ data alongside the federal COPPA Rules; operator responsibilities concerning user-provided age flags; requirements for schools, school districts, and their third-party contractors; parental requests for products and services, etc. The guidance refers to any website, online service, online application, mobile application, or connected device directed at minors.
DeepSeek AI
Germany’s data protection commissioner has asked Apple and Google to remove Chinese AI startup DeepSeek from their app stores in the country due to concerns about data protection, Reuters reports. According to its privacy policy, DeepSeek stores numerous pieces of personal data, such as requests to its AI or uploaded files, on computers in China. The commissioner took the decision after asking DeepSeek in May to meet the requirements for non-EU data transfers or else voluntarily withdraw its app. DeepSeek did not comply with this request. Across Europe the authorities have also been evaluating the app, but while Italy has completely blocked it on app stores, the UK government said that the use of DeepSeek remains a personal choice for members of the public.
In other news
Data access requests: The Swiss FDPIC concluded its investigation into Cembra Money Bank AG. After receiving complaints, the privacy regulator contacted Cembra with a view to a low-threshold intervention. Cembra replied that due to staff shortages, responses to requests for information were delayed. The company was reminded of the legal deadline for responding to requests for information within 30 days. The regulator also ordered the bank to provide all persons who had previously received only a standardised response to their requests with the actual information on their personal processed data.
Telemarketing and data subject rights: An organisation must provide the most important information about the processing of personal data immediately, during the first direct marketing call, if it obtained the person’s contact details from a source other than the person themselves, states the Finnish data protection authority. If a person submits a request to delete their data to customer service, the request cannot be left unprocessed merely because it was not submitted to the data protection officer.
The organisation must ensure that the request is forwarded to the party that handles it. The same applies to objections to direct marketing: if a person wants to prohibit direct marketing during a call, the request cannot be deflected by simply giving instructions on how to prohibit it.
Unjust dismissal
The Italian regulator Garante fined Autostrade per l’Italia Spa 420,000 euros for having unlawfully processed the personal data of an employee, which was then used to justify her dismissal. The authority’s intervention followed the complaint of the worker who had reported the use, by the company, of content extracted from her Facebook profile and private chats on Messenger and WhatsApp to justify the disciplinary proceedings against her. The content used also included excerpts of comments and photo descriptions in quotation marks.
The investigations revealed that the content had been used by the employer without a valid legal basis, through screenshots provided by some colleagues and a third party, present among the employee’s “friends” on Facebook and active in her private conversations on Messenger and WhatsApp. Furthermore, the communications concerned opinions and exchanges that took place in contexts outside the employment relationship, not relevant for the purposes of assessing professional suitability.
AI prohibited practices in the gaming sector
The Maltese data protection authority IDPC warns that AI systems used for player profiling, personalised gaming experiences and monetisation are not only subject to Art. 22 of the GDPR, which restricts automated decisions that carry legal or similarly significant implications for individuals, but are also addressed by the AI Act, under which they may be high-risk or even qualify as prohibited practices. Manipulative AI deploys subliminal or deceptive techniques with the object of distorting player behaviour by impairing their ability to make an informed decision, causing them to take a decision they would otherwise not have taken (eg, AI-powered algorithms that regulate emotion-triggered loot boxes which distort player behaviour).
Other prohibited techniques in the gaming sector are exploitation of vulnerabilities and social scoring.
In case you missed it
Video integration into websites: Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI) has carried out an automated website check for the first time and identified violations in the integration of YouTube videos on federal websites. YouTube videos can be used by public authorities and others on their websites in compliance with data protection regulations. However, this becomes problematic when videos are embedded directly.
When the website is accessed, the user’s browser automatically connects to YouTube servers and transmits, among other things, IP addresses. This data transfer takes place without the user’s prior consent and thus violates the Telecommunications Digital Services Data Protection Act (TDDDG). For implementing video integration in compliance with data protection regulations, the BfDI offers two other options:
- Self-hosting is the gold standard: Videos are hosted on your own servers and embedded on the website. This ensures complete control over data processing and user interactions.
- Two-click solutions: Users must actively click on a preview image before the connection to YouTube is established. (With this option, an equivalent alternative without a third-party provider should always be offered).
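The two options above differ in when, if ever, the visitor's browser contacts YouTube. The following is an added example (not code from the BfDI or from this digest) in plain JavaScript that shows the two-click pattern as string-generating functions, plus a small heuristic checker of the kind an automated website check might run over server-rendered HTML to flag direct embeds. The placeholder markup references only a self-hosted preview image (the path `/static/preview.jpg` and the 11-character video id `abcdefghijk` are constructed values), so rendering it sends nothing to YouTube; the real iframe is built only after the click. Host names and the video-id format are assumptions based on common knowledge of YouTube embed URLs, not anything the BfDI publishes.

```javascript
// Added example: two-click YouTube embed helpers and a direct-embed checker.
// String-based so it runs under Node for testing; attachTwoClick() is the
// browser-side glue and assumes a DOM is present.

// Hosts whose presence in a src/href means the browser will contact YouTube
// (or its image CDN) as soon as the page renders. Assumed list, extend as needed.
const YOUTUBE_HOST_SUFFIXES = ['youtube.com', 'youtube-nocookie.com', 'youtu.be', 'ytimg.com'];

// YouTube video ids are 11 characters from [A-Za-z0-9_-]. Rejecting anything
// else keeps an untrusted id from breaking out of the attribute or URL.
const VIDEO_ID_RE = /^[A-Za-z0-9_-]{11}$/;

function assertVideoId(id) {
  if (!VIDEO_ID_RE.test(id)) throw new Error(`invalid YouTube video id: ${id}`);
  return id;
}

// Minimal HTML escaping for attribute and text contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Click 1 not yet happened: placeholder with a self-hosted preview image.
// Contains no YouTube URL, so rendering it causes no third-party request.
function buildPlaceholder(videoId, previewSrc, title) {
  assertVideoId(videoId);
  return `<div class="yt-consent" data-video-id="${videoId}">` +
    `<img src="${escapeHtml(previewSrc)}" alt="${escapeHtml(title)}">` +
    `<button type="button">Load video (data will be sent to YouTube)</button>` +
    `</div>`;
}

// After the user clicked: the real player. Only now does the browser connect.
function buildPlayer(videoId) {
  assertVideoId(videoId);
  return `<iframe src="https://www.youtube.com/embed/${videoId}" ` +
    `allow="fullscreen" referrerpolicy="strict-origin-when-cross-origin"></iframe>`;
}

// Browser glue (assumes a DOM): swap the placeholder for the iframe on click.
function attachTwoClick(container) {
  container.querySelector('button').addEventListener('click', () => {
    container.outerHTML = buildPlayer(container.dataset.videoId);
  });
}

function isYoutubeHost(hostname) {
  const h = hostname.toLowerCase();
  return YOUTUBE_HOST_SUFFIXES.some(s => h === s || h.endsWith('.' + s));
}

// Heuristic checker: find tags whose src/href would make the browser contact
// YouTube on page load. Relative URLs resolve against a dummy origin and are
// therefore never flagged. Regex-based, so it is a screening aid, not a parser.
function findDirectYoutubeLoads(html) {
  const tagRe = /<(iframe|script|img|link|source|embed|video)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  const hits = [];
  for (const m of html.matchAll(tagRe)) {
    let url;
    try { url = new URL(m[2], 'https://self.invalid/'); } catch { continue; }
    if (isYoutubeHost(url.hostname)) hits.push({ tag: m[1].toLowerCase(), url: url.href });
  }
  return hits;
}

module.exports = { buildPlaceholder, buildPlayer, attachTwoClick, findDirectYoutubeLoads };
```

Running `findDirectYoutubeLoads` over a page's rendered HTML returns an empty list for the placeholder form and one hit per directly embedded player, which is the distinction the BfDI check turns on. Self-hosting the video file removes the YouTube hosts from the page entirely, so the checker also stays silent for that option.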