Data protection digest 3 May 2026: 10 years on, the GDPR continues to support the digital market, legal certainty and enforcement

10 years after the GDPR was adopted

The GDPR, which replaced the outdated EU Data Protection Directive 95/46/EC, aimed to respond to changes in Internet technology, an increase in cross-border data flows, and globalisation, which posed new challenges to the protection of personal data. In addition to supporting the digital market, legal certainty and uniform and strong enforcement of rules were also legislative goals. 

Due to its technological neutrality and risk-based approach, the GDPR has proven suitable for providing a high level of protection for personal data in any new challenging environment, in line with the Charter of Fundamental Rights and the Treaty on the Functioning of the European Union. 

Today, the GDPR is part of a broader and evolving European digital framework, alongside the Digital Services Act, the Digital Markets Act, and the AI Act. 

However, due to competitiveness challenges facing the EU, in 2025, the Commission published its proposal to simplify digital rules and encourage innovation (the so-called Digital Omnibus package), which also aims to amend the GDPR text. The coming year will be about discussing and adopting these changes.

Main developments

Europrivacy certification updated: In April, the EDPB approved updated criteria for the Europrivacy certification mechanism and also approved its use as a tool for international transfers of personal data. The certification will be extended to cover operators outside the EU that are nonetheless subject to the GDPR, namely organisations that offer products or services to people in Europe or that process personal data to monitor their behaviour.

UK Storage and Access Technology: The UK Information Commissioner published the finalised guidance on Storage and Access Technologies (SATs), alongside an update on its online tracking strategy. The guidance, which covers how the Privacy and Electronic Communications Regulations and the GDPR apply to cookies, tracking pixels, device fingerprinting and similar technologies, also incorporates updates following consultations and changes introduced by the new Data Use and Access Act.

New EU Anti-Corruption Directive: On 21 April, the EU approved the first Anti‑Corruption Directive, a long‑awaited framework to harmonise anti‑corruption rules across the union. EU countries have two years to transpose the Directive into national law and three years to adopt comprehensive national anti‑corruption strategies. 

For organisations, this would mean implementing anti-corruption programmes and whistleblowing tools, including a record retention and archiving system for documents and information and automated reporting to ensure an audit trail. Such programmes must comply with data protection and privacy standards.

Real-time video surveillance falls under the GDPR

The Latvian data protection authority explains that, when conducting video surveillance, organisations not only record and store video footage, viewing it when necessary, but may choose to view the camera footage in real time. In cases where cameras capture a person in sufficient resolution, and this image is transmitted to a monitor where an employee watches it, personal data is processed. It is not important whether this image is stored for a longer period of time. It is sufficient that the employee, using automated means, views and interprets it.

The data controller must assess whether such surveillance is lawful and proportionate, and whether the same purpose can be achieved by means that are less intrusive to people's privacy. Finally, choosing not to store the live images that were watched would significantly reduce privacy and data security risks in the future.

More official guidance

Agentic AI services deployment: Australian digital regulators offer new joint guidance that provides mitigations for careful adoption of agentic AI services. Agentic AI can automate repetitive, well-defined and low-risk tasks. However, these additional opportunities come with additional risks. Like other AI services, agentic AI can be misused or misappropriated, leading to productivity losses, service disruption, privacy breaches or cybersecurity incidents. 

Organisations should adopt agentic AI systems carefully by deploying them incrementally and limiting them to low-risk tasks. Agentic AI deployments need to enforce strict privilege controls, continuous monitoring, strong identity management, human oversight and alignment with existing cybersecurity frameworks. 

Cloud services sovereignty criteria: The German Federal Office for Information Security (BSI) explains that, alongside financial and state-sponsored cybercrime and conflicts, a new type of threat is increasingly coming into focus for societies: cyber dominance. This is the ability of manufacturers of digital products to maintain permanent access to their customers' systems and data. This especially affects cloud services. To that end, BSI has presented a new framework for action that makes the sovereignty characteristics of cloud services transparent (available in German).

Automated decision-making guidelines

The Dutch data protection authority AP is developing guidelines on the explanations organisations must provide in relation to automated decision-making based on the processing of people's personal data. To ensure these tools are well aligned with practice, the AP is inviting companies, organisations, experts and stakeholders to provide their input on:

  • why explanation is important;
  • the difference between general and specific explanations;
  • the underlying logic of a decision;
  • the comprehensibility of the explanation;
  • the balancing of interests;
  • governance and ‘explainability-by-design’.

The UK Information Commissioner, in parallel, published research results on automated decision-making (ADM) in employment offers. ADM can benefit both candidates and employers by improving the efficiency of the hiring process, helping to handle high volumes of applications consistently and quickly. However, it can also pose risks to candidates if not used lawfully, such as unfair or biased decisions. If organisations wish to use ADM in recruitment processes, they are expected to:

  • Test regularly for biased outputs and take steps to mitigate this.
  • Ask developers about their own bias testing when procuring tools, and consider monthly bias reviews.
  • Be transparent with job seekers if ADM is being used and explain how it works.
  • Tell candidates how to exercise their right to challenge a decision and request a human review if they believe it is incorrect.  

DPO activity report

Prepared by the French regulator CNIL, the model activity report for the data protection officer contributes to the management of GDPR compliance. The report template (drafted in French) makes it possible for a DPO to present to top management, at least once a year:

  • an independent overview of activities, opinions and recommendations;
  • key data protection indicators: number of requests to exercise rights and response times, number of data breaches, templates of documents produced, etc.

This model can be adapted to your organisation's needs (size, resources, nature of activities, volume and sensitivity of processing, internal reporting practices, etc.) and can, if necessary, distinguish processing carried out as a data controller from actions carried out as a processor.

Retail Trade Code of Conduct

Finally, the French CNIL offers the first national code of conduct that helps French retailers in the clothing and footwear sector commit to the protection of their customers. It translates the requirements of the GDPR into concrete terms and strengthens data protection in sales and distribution, both in-store and online. Under the GDPR a code of conduct is binding on those who adhere to it: members must comply with the rules written in the code and accept that a third party, other than the CNIL, monitors its proper application.

It should be noted that only brands and stores whose decision-making centre is located in France or those that constitute a French establishment of international groups can adhere to this code. 

In other news

Hospital data breaches survey: The Data Protection Commissioner in North Rhine-Westphalia surveyed 33 hospitals about their data breach management. In addition to positive developments, potential shortcomings were also identified. For example, 12 of the surveyed institutions stated that not a single data breach was reported to them in 2023 and 2024. However, over such a long time, human and technical errors are practically impossible to rule out, states the regulator.

The study revealed that hospitals are relatively unaffected by cyberattacks compared to the total number of data breaches reported in the state. This is likely due to the high IT security standards that hospitals have already implemented, partly due to other regulatory requirements. The most common data breaches involved misdirected data transmissions and other unauthorised disclosures, of which the affected individuals were informed promptly in most of the cases.

Banking services multimillion fine: The Italian Garante has fined Poste Italiane and Postepay over 12.5 million euros. The investigation was initiated following numerous complaints received since 2024, focused on the operating methods of the BancoPosta and Postepay apps. These apps required users to authorise the monitoring of a series of data contained on mobile devices, including installed and running applications, in order to identify any malicious software. According to the companies, this processing was necessary to ensure the security of transactions and comply with payment services regulations. 

The regulator, however, found that the method entailed an excessively invasive interference in the private sphere of users, as these device checks were not strictly necessary for fraud prevention. There were also deficiencies in the information provided to users, the absence of an adequate data protection impact assessment (DPIA), the failure to adopt adequate security measures and appropriate data retention policies, and irregularities in the designation of the data controller.

Medical record access court case

The Spanish High Court of Justice of Castilla-La Mancha rejected the appeal of a nurse who unlawfully accessed her sister‑in‑law’s medical record, holding that unauthorised access to health data constitutes a criminal offence in itself, even without further disclosure. The case concerned a nurse who, in 2017, accessed the clinical record of her sister‑in‑law, related to an anxiety consultation, linked to a divorce. 

The access lasted for 13 minutes using hospital credentials, without consent, medical necessity, or justification. The court also rejected arguments that the prosecution had to prove the exact medical documents accessed or any additional malicious intent. The court confirmed the sentence imposed by the first court of about 15 months imprisonment, absolute disqualification for three years, and 1000 euros in damages to the victim. 

And Finally

Self-driving cars pilot in the UK: The Government presented the self-driving vehicle pilot scheme, which permits the operation of autonomous vehicles (AVs) on public roads without a human driver. The pilot scheme also extends to autonomous taxis, private hire vehicles and bus services that carry paying passengers. The detailed framework is still under development, but safety, cyber security and data protection will be central to it, with pilot operators required to meet exacting standards in these respects, as a JD Supra analysis sums up.
