Data protection digest 3-17 Nov 2025: Consumer loan checks can reveal people’s lifestyle data 

Consumer loan checks

Consumer loan checks can reveal people’s lifestyles. The Dutch Data Protection Authority (AP) concluded this after reviewing a bill concerning consumer loans. It believes that lenders can assess a person’s ability to meet payment obligations with less information about them: it is unlikely that all the information in a bank statement, including sender, recipient, or description, is always necessary.

The bill introduces stricter rules for consumer loans under 200 euros (services like “buy now, pay later,” credit cards, and bank overdrafts). For these relatively small loans, the borrower’s ability to pay on time will also be checked, as will the risk of default. People who use such loans will also be registered with the Credit Registration Office. The AP emphasises that the new rules need to be further developed for better data control and minimisation.

EU Digital Omnibus package latest

The privacy advocacy group NOYB warns that the so-called Digital Omnibus, which is being prepared by the European Commission, brings fast-track deregulation, including a ‘massive’ reform of the GDPR and ePrivacy legislation. According to the leaked internal proposals, the Commission envisages changes to core elements of the GDPR such as the definition of personal data, consent requirements, and data subjects’ rights, as well as weaker protections for special categories of data. In parallel, AI companies could also benefit from easier access to Europeans’ personal data through reliance on the ‘legitimate interests’ legal basis for processing.

ETIAS and data protection

As the clock ticks down to the launch of a new EU large-scale border management system, the European Travel Information and Authorisation System (ETIAS), in autumn 2026, momentum is building to prepare it for entry into operation and to ensure its compliance with data protection laws. The EDPS follows the implementation of ETIAS closely. To help mitigate the risks, legislators have established an ETIAS Fundamental Rights Guidance Board (EFRGB).

Composed of representatives of the EDPS, EDPB, EU Fundamental Rights Agency, Frontex Fundamental Rights Office and Frontex Consultative Forum, the EFRGB is mandated to issue guidance on the fundamental rights impacts of processing ETIAS applications. A critical concern for individuals required to apply for an ETIAS is ensuring access to an effective judicial remedy. For instance, refusal of a travel authorisation could result from a data processing error.

Brazil draft adequacy decision

The EDPB also adopted an opinion regarding the European Commission draft implementing decision on Brazil’s adequacy. The General Data Protection Law in Brazil, LGPD, together with Presidential decrees and binding regulations issued by Brazil’s Data Protection Authority, ANPD, establish requirements, including in relation to the principles, data subject rights, transfers, oversight and redress, closely aligned with the GDPR and case law of the CJEU. At the same time, the EDPB invites the Commission to clarify further how certain exemptions and specific limitations of data subject rights in the LGPD correspond to the adequate level of data protection regarding:

  • national security purposes relating to the collection and sharing of data between the public entities within the Brazilian intelligence systems
  • personal data processing for criminal law enforcement purposes
  • rights of information and access to the data 
  • accountability principle and the requirements for the data protection impact assessment

More legal updates

NIS2 implementation in Germany: On 13 November, the law implementing the European Network and Information Systems (NIS) 2 Directive passed in the German Bundestag. The directive raises the cybersecurity requirements for certain companies and for the federal administration. The Federal Office for Information Security (BSI) occupies a key position in both areas: it will become the supervisory authority for the companies affected by the directive and, in the role of Chief Information Security Officer (CISO), it will be the central body for the cybersecurity of the federal administration.

Affected companies must register with the BSI, report significant security incidents, and implement technical and organisational risk management measures. The law also amends the BSI Act, which previously covered approximately 4,500 entities in the economic area: operators of critical infrastructure, providers of digital services, and companies of particular public interest. With the entry into force of NIS2, this scope is expanded to include the categories of “important institutions” and “particularly important institutions,” meaning that the BSI will supervise approximately 29,500 institutions in the future.

NIS upgrade in the UK: In parallel, on 12 November, the Cyber Security and Resilience Bill was introduced to the UK Parliament. The Bill will update the NIS Regulations from 2018 by expanding the regulatory scope to a broader range of essential and digital service providers, including online marketplaces, cloud computing services, and search engines, as well as managed service providers (e.g., data centres will be designated as essential services). It also places the Secretary of State in charge of maintaining consistency of implementation across sectors.

AI solutions legal basis

At the request of the Danish Agency for Higher Education and Science, the Danish Data Protection Agency has assessed whether the agency has the authority to develop and operate an AI solution that will function as support in the assessment of applications for disability allowance. The Danish Data Protection Authority assessed that the processing of personal data that takes place during the development and operation of an AI solution can, as a rule, be carried out based on what is necessary for reasons of substantial public interest – GDPR Art. 9(2)(g).

However, this requires a so-called supplementary national legal basis. In relation to the duty to inform citizens whose historical cases are included in the training dataset, the Danish Agency for Higher Education and Science has, among other things, pointed out:

  • There is a large number of citizens (approx. 3,000).
  • It would be resource-intensive to inform citizens individually.
  • The processing of personal data is limited.
  • The purpose of the processing is to improve case processing time.
  • The processing is not assessed to have direct consequences for citizens.

GDPR ready-to-use templates

The EDPB invites experts to participate in a public consultation aimed at proposing practical templates to help organisations comply with their obligations under the GDPR. The EDPB has identified the need to develop standardised tools that could serve as guidance for both controllers and processors. The public consultation aims to find out which types of templates would be most beneficial in practice, for instance:

  • privacy notice,
  • records of processing activities,
  • data protection impact assessment,
  • notification of a personal data breach.

The public consultation is open from November 5 to December 3, 2025. Experts, organisations, and individuals can submit their suggestions through the EDPB’s consultation page.

More from supervisory authorities

Australia child privacy updates: From 10 December, platforms like Facebook, Instagram, Snapchat, TikTok, YouTube, X, Threads, Reddit and Kick must take reasonable steps to prevent under-16s from holding accounts on their services. Failure to do so will expose these platforms to fines of up to 49.5 million dollars. These services currently meet the criteria for under 16 restrictions as specified in the Social Media Minimum Age legislation, in particular the key requirement that their “sole or significant purpose is to enable online social interaction”.

Health data warehouses (EDS): The CNIL’s Digital Innovation Laboratory (LINC) has published a map of health data warehouses in France. An EDS, explains the CNIL, is a database built up over a long period of time and intended to be reused mainly for steering (management, control and administration of the activity) and research, studies and evaluations in the field of health. They can be set up by both public (such as a public healthcare institution) and private entities (such as a data broker or a startup), provided that they comply with the applicable legal framework.

AI risk assessment: The EDPS has published a new guidance document to help data controllers carry out data protection risk assessments when developing, acquiring and deploying AI systems. Although the new guidelines are aimed at EU institutions, organisations in both the public and private sectors that use or plan to adopt AI systems can use them as a valuable starting point. The guidance focuses on the risk of non-compliance regarding fairness, accuracy, data minimisation, security and certain data subjects’ rights. The list of risks and countermeasures is not exhaustive, but reflects some of the most pressing issues that controllers must address when procuring, developing and deploying AI systems.

In other news

Cyber attack mitigation tools: The Dutch AP has issued recommendations for a strong data processing agreement in the event of a cyber attack. Organisations that collaborate with service providers must enter into a data processing agreement covering the sharing and use of personal data. This agreement sets out terms, for example, on security and on roles and responsibilities in the event of incidents such as data breaches. To limit the damage from cyber attacks, organisations can:

  • Make agreements as concrete as possible
  • Maintain control over the entire supply chain
  • Give more priority to drafting and maintaining data processing agreements

In short, the regulator advises, negotiate agreements carefully and promptly, and review agreements and appendices regularly to ensure they remain relevant in practice. Employee awareness and knowledge of the GDPR play a crucial role in this.

Misleading cookie banners: The AP also reports that three-quarters of websites modified misleading cookie banners after an investigation was launched on more than 200 websites in the Netherlands starting in April. The AP is now taking enforcement action against organisations that haven’t updated their cookie banners. The easiest way to respect this is to not use tracking software. In that case, a cookie banner isn’t necessary. Where organisations do use tracking software, they must adhere strictly to the rules and inform visitors honestly and clearly.

Biometric processing

In New Zealand, the Privacy Commissioner has issued a Biometric Processing Privacy Code that creates specific privacy rules for agencies (businesses and organisations) using biometric technologies to collect and process biometric information. The Code, which is now law made under the Privacy Act, will help ensure that agencies implementing biometric technologies do so safely and in a way that is proportionate. Guidance has also been developed to support the Code.

Direct marketing and free-of-charge services

On 13 November, the CJEU released its ruling in Inteligo Media SA v ANSPDCP (the Romanian data protection regulator) (C-654/23), concerning a media website that provided information about new legislation in Romania, the Bird&Bird law blog reports. Six articles per month could be viewed completely free of charge. Users could also subscribe for free to an additional two articles and a daily newsletter, or pay for unlimited access and a fuller newsletter. ANSPDCP claimed that Inteligo could only process subscriber registration details and deliver the free newsletter if it had consent, which it did not.

Inteligo argued it was covered by the soft opt-in exception. The ePrivacy Directive does require organisations to obtain consent before sending direct marketing emails, but there is an exception: where the organisation obtains the subscriber’s contact details in the context of the sale of a product or service, and the direct marketing is for that organisation’s own similar products or services. The top EU court concluded that the free subscription did constitute a sale: a sale requires goods or services provided in exchange for remuneration. However, that remuneration may be indirect, where the particular customer does not have to pay and the cost is instead covered by the premium version of the subscription.

Telecommunications multimillion fine

Following ex officio proceedings, the Croatian data protection agency imposed an administrative fine on a telecommunications operator, in its capacity as controller, for the total amount of 4.5 million euros for violations of the GDPR. The infringements concerned the transfer of personal data to third countries without a valid transfer instrument and without transparent information to data subjects, the processing of copies of employees’ identity cards and certificates of no criminal proceedings without a legal basis, as well as the failure to carry out appropriate prior checks of a processor.

Customer service fine

The EDPB sums up a recent enforcement case in Italy, in which a customer who had been the victim of fraud contacted their bank to obtain recordings of calls made to customer service, which would be useful in contesting a transfer of approximately 10,000 euros and reconstructing what had happened. Having received no satisfactory response, they complained to the privacy regulator, the Garante. Only after the authority had opened proceedings did the bank provide the recordings, by which time the 30-day deadline set by the GDPR had already passed. The Garante imposed an administrative fine of 100,000 euros, taking into account the bank’s turnover, its cooperation during the investigation and the absence of previous infringements.

In case you missed it

Children’s data lifecycle: Privacy International states that in England’s schools, children are tracked from birth through a vast, opaque network of digital systems that turn education into a lifelong exercise in data collection and surveillance. Children’s data in education is collected from the day they are born until they are 25 years old:

  • during pre-school, with personal data submitted by legal guardians during the school admissions process 
  • every child is assigned a unique pupil record and a unique pupil number that stays with them forever
  • the student’s educational setting gets added to the record, which includes its religious character and location, etc.

The next layer of data added to those records is created by school staff – absence and attendance records, assessments, etc. Separately, children’s data can be generated and collected by the EdTech tools used by staff. Some schools use a broad range of tools, such as behaviour tracking apps, which can take the form of scores but also of more complex profiles and predictions in relation to a child. Further personal data is collected and added to the National Pupil Database (NPD), and is kept indefinitely. 

Agentic AI explained: The JD Supra law blog outlines the rise of “agentic AI”. Unlike traditional AI systems, which are designed to perform specific, narrowly defined tasks (generating text or images or analysing inputs) and rely on human input and oversight, agentic AI systems can complete far more complex, multi-step tasks autonomously and make context-dependent decisions. The emergence of these systems could transform a wide range of industries and business functions, including: a) consumer-facing systems, b) customer support, c) internal operations, and d) sales and marketing.
