Data protection function in a group of companies
The Latvian data protection authority DVI explains that many Latvian companies are part of international business groups whose parent companies are located in other EU countries or outside Latvia. In such cases, the question often arises whether each company in the group needs its own DPO or whether it is possible to use one specialist for the entire group.
According to the GDPR, a group of companies can appoint a single data protection officer, provided that each company can easily contact them. This means that in a situation where a Latvian company is part of an international group, the DPO appointed by the parent company can also be used, ensuring effective communication and support. In international corporate groups, a centralised data protection function helps:
- Ensure a unified approach to personal data protection;
- Use resources more efficiently;
- Promote the application of uniform requirements across all group companies.
The DPO acts as an independent advisor, monitor and contact point between the company and the supervisory authority. They assist, advise and monitor, but do not make final decisions on behalf of the company. The involvement of the DPO does not reduce the company’s own responsibility for the decisions taken to ensure that data processing is secure, lawful and compliant with the GDPR. In essence, the functions and tasks are the same for the group of companies, but the challenges in practice are certainly greater.
Main developments

Social media ban for UK children: By next spring, minors under 16 will be prohibited from using TikTok, Instagram, Facebook, X, YouTube, Snapchat, Threads, and others in Britain. Australia became the first nation to do so in December, and Britain now follows. The decisions came due to the absence of an adequate legal basis for child data processing, a lack of adequate age assurance measures in place, and a broader regulatory framework that requires online services to incorporate higher protection for children.
Meta, YouTube and Snapchat say a ban stopping children using their platforms will drive them to ‘less safe services’.
Breach Notification template in the EU: The European Data Protection Board adopted a common personal data breach notification form at its last plenary session. The template will help ensure that notifications contain the information required by Art. 33 GDPR, making it easier for organisations to submit a timely notification and facilitating the responsible data protection authority’s assessment of the case. The template provides predefined options and further guidance on how to fill in the fields. This will help save time and costs, particularly for smaller organisations lacking dedicated Data Protection Officers or legal resources.
The template will be subject to public consultation until 5 August.
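As an added illustration of what "complete and timely" means for a notification, the following Python check is written for this digest and is not the EDPB template or any authority's tool. It validates a draft against the minimum content listed in Art. 33(3) GDPR (nature of the breach with categories and approximate numbers of data subjects and records, contact point, likely consequences, measures taken) and against the 72-hour window of Art. 33(1), under which a later notification must state the reasons for the delay. The field names and the two sample drafts are this example's own assumptions.

```python
from datetime import datetime, timedelta, timezone

# Minimum content of a breach notification under Art. 33(3) GDPR.
# The key names are assumptions of this example, not the EDPB template's fields.
REQUIRED_FIELDS = {
    "nature_of_breach": "Art. 33(3)(a) nature of the breach",
    "data_subject_categories": "Art. 33(3)(a) categories of data subjects",
    "approx_data_subjects": "Art. 33(3)(a) approximate number of data subjects",
    "approx_records": "Art. 33(3)(a) approximate number of records",
    "contact_point": "Art. 33(3)(b) DPO or other contact point",
    "likely_consequences": "Art. 33(3)(c) likely consequences",
    "measures_taken": "Art. 33(3)(d) measures taken or proposed",
}
NOTIFICATION_WINDOW = timedelta(hours=72)  # Art. 33(1)


def missing_fields(notification: dict) -> list:
    """Return the Art. 33(3) items that are absent or empty in the draft."""
    return [desc for key, desc in REQUIRED_FIELDS.items() if not notification.get(key)]


def notification_deadline(aware_at: datetime) -> datetime:
    """72 hours after the controller became aware of the breach."""
    return aware_at + NOTIFICATION_WINDOW


def check_notification(notification: dict, submitted_at: datetime) -> list:
    """Return a list of problems; an empty list means the draft is complete and timely."""
    problems = ["missing: " + desc for desc in missing_fields(notification)]
    late = submitted_at > notification_deadline(notification["aware_at"])
    if late and not notification.get("reasons_for_delay"):
        problems.append("late: submitted after 72h without reasons for the delay (Art. 33(1))")
    return problems


# Constructed sample drafts (fictional incidents, not from the page).
AWARE = datetime(2025, 7, 1, 9, 0, tzinfo=timezone.utc)
ON_TIME_SUBMISSION = AWARE + timedelta(hours=24)
LATE_SUBMISSION = AWARE + timedelta(hours=80)

COMPLETE_DRAFT = {
    "aware_at": AWARE,
    "nature_of_breach": "Customer table exported to the wrong recipient",
    "data_subject_categories": ["customers"],
    "approx_data_subjects": 1200,
    "approx_records": 1200,
    "contact_point": "dpo@example.com",
    "likely_consequences": "Exposure of names and e-mail addresses; phishing risk",
    "measures_taken": "Recipient confirmed deletion; export permissions tightened",
}

# Lacks the record count and likely consequences, and has an empty contact point.
INCOMPLETE_DRAFT = {
    "aware_at": AWARE,
    "nature_of_breach": "Laptop with unencrypted HR files stolen",
    "data_subject_categories": ["employees"],
    "approx_data_subjects": 80,
    "contact_point": "",
    "measures_taken": "Device reported; remote wipe attempted",
}

if __name__ == "__main__":
    for name, draft in (("complete", COMPLETE_DRAFT), ("incomplete", INCOMPLETE_DRAFT)):
        print(name, check_notification(draft, LATE_SUBMISSION) or "ok")
```

A draft that passes this check still needs the human judgement the template cannot supply (what the likely consequences actually are), but the check catches the omissions that most often force a follow-up request from the authority.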
More official guidance

Security gaps “on your desktop”: The biggest security risks for online businesses lie not in complex hacking techniques, but in human choices and simple omissions, explains the Estonian data protection regulator’s recent analysis. If a website is hosted by a reputable service provider, it is assumed that everything is fine. In fact, this is one of the most common misconceptions. The service provider is responsible for the platform, but the content, passwords, users and software are the customer’s own.
For instance, the most dangerous thing with passwords is not hacking, but when they are stolen from a computer with malware. Another problem is shared user accounts. In a growing company, one user is often shared between several people, which makes a later investigation almost impossible. The simplest and most effective protection measures are: strong and unique passwords, a password manager, two-factor authentication, individual user accounts, software updates, working backups, and an informed choice of service provider.
Smart device industry: The UK Information Commissioner publishes guidance on consumer Internet of Things (IoT) products and services, setting out clear expectations for manufacturers and developers on how to use people’s personal information responsibly. Found in 70% of UK households, smart TVs can collect a large amount of data and use this information to serve targeted advertising – but this must be done transparently and with genuine consent. The expectations include:
- Built-in protective settings
- Data collection limited to what is strictly necessary
- Real, specific, and freely given consent via a clear opt-in and easy withdrawal
- Genuine transparency in information notices
- A prior Data Protection Impact Assessment
- Ongoing security (regular updates, encryption, and multifactor authentication throughout the product’s lifetime)
Clinical research streamlined in France

Hogan Lovells’ analysis explains the application of the new French Economic Simplification Act in the clinical research area. It aims to bring the French framework into line with advancements that have already been made at the EU level. While adjusting the regulatory framework to new research models, such as decentralised clinical trials, studies involving the international transfer of human biological materials, and the expanding use of health data for research purposes, it seeks to remove some procedural rigidities.
In other news
“Pay or Ok” legal challenge: The Norwegian Consumer Council and the data protection organisation NOYB have filed a complaint with the Norwegian Data Protection Authority against Schibsted (media house). Schibsted has introduced a “consent or pay” model on several of its platforms, which means that readers of VG, Aftenposten, Bergens Tidende and Stavanger Aftenblad, among others, must make a choice – either consent to tracking and behavioural marketing, or pay a monthly amount to opt out. The complainants argue, among other things, that consent to tracking cannot be considered voluntary and valid when the alternative is to pay.
Customer data storage and tracking fines: In Finland, the Supreme Administrative Court has upheld the data protection authority’s decision regarding the operations of Verkkokauppa.com. In 2024, the sanctions board imposed a fine of 856,000 euros on the company, which had not specified how long the customer account information of its online store customers would be stored. Customer data was stored until the customer themselves requested the data to be deleted. At the same time, making online purchases was not possible without creating a customer account, which had led to data on individual online purchases being stored longer than necessary.
Another court finding in Finland validated the data protection regulator’s 2025 decision over Yliopiston Apteekki’s (online pharmacy) use of Google and Meta tracking technology. The court largely upheld the findings about the online pharmacy’s data protection flaws, but questioned whether a 1.1 million euro fine could be levied at all. The University of Helsinki owns the online pharmacy and, as a public sector entity, is excluded from monetary fines. However, the service participates in the same competitive market as private entities and processes highly sensitive personal data related to health.
Holiday reservations hack
Slovenia’s Information Commissioner warns everyone who has open reservations for accommodation in Slovenia, Croatia or elsewhere in the region: following a hack into the information system of a Croatian online reservation system provider, which is used by many accommodation establishments in the region, guests are receiving fake messages through which the attackers want to obtain their payment card details. Do not click on links in suspicious messages and do not enter your payment card details anywhere!
You can recognise a fake message by the fact that it mentions your actual reservation, requests reconfirmation or additional payment, contains a link to enter data, and urges you to take quick action. When receiving such a message, do not click on the links or enter any data! Check the authenticity of the claim directly with the accommodation provider, preferably by phone. Anyone who has already entered card details should immediately inform their bank.
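The four tell-tale features the Commissioner lists (a reference to your real reservation, a request for reconfirmation or extra payment, a link where data is to be entered, and pressure to act quickly) can be turned into a simple screening aid for a help desk or a mailbox rule. The Python below is an added example written for this digest, not a tool of the Commissioner or of any reservation provider; the regular expressions, the scoring thresholds and the two sample messages are this example's own assumptions and are tuned to English text. Its output is always the same advice the warning gives: do not enter data, and confirm with the accommodation provider directly.

```python
import re

# One pattern per indicator named in the Commissioner's warning.
# Patterns are assumptions of this example and cover English wording only.
INDICATORS = {
    # the word reservation/booking followed within 60 chars by a reference code
    "mentions_reservation": r"\b(?:reservation|booking)\b.{0,60}?(?:\b(?:no|number|ref)\b\.?\s*|#\s*)[A-Z0-9-]{4,}",
    "asks_reconfirmation_or_payment": r"\b(?:re-?confirm|reconfirmation|additional payment|verify your (?:card|payment)|card details)\b",
    "link_to_enter_data": r"https?://[^\s]+",
    "urges_quick_action": r"\b(?:within \d+ hours?|immediately|urgent(?:ly)?|will be cancell?ed|as soon as possible)\b",
}
_FLAGS = re.IGNORECASE | re.DOTALL


def matched_indicators(message: str) -> list:
    """Names of the indicators present in the message, in INDICATORS order."""
    return [name for name, pattern in INDICATORS.items() if re.search(pattern, message, _FLAGS)]


def assess(message: str) -> dict:
    """Score a guest message; the advice never changes, only its urgency."""
    hits = matched_indicators(message)
    if len(hits) >= 3:
        verdict = "likely fraud: enter no data, phone the accommodation provider"
    elif hits:
        verdict = "suspicious: confirm with the accommodation provider before acting"
    else:
        verdict = "no indicators: still confirm any unexpected payment request with the provider"
    return {"indicators": hits, "verdict": verdict}


# Constructed sample messages (fictional; the domain is a reserved example name).
FAKE_MESSAGE = (
    "Dear guest, your reservation No. 48213977 at Villa Example requires reconfirmation. "
    "Please verify your card details within 24 hours at https://booking-verify.example/confirm "
    "or the reservation will be cancelled."
)
GENUINE_MESSAGE = (
    "Hi, this is the host at Villa Example. Check-in starts at 15:00; "
    "the key box code will be sent on the day of arrival. Looking forward to your stay!"
)

if __name__ == "__main__":
    for msg in (FAKE_MESSAGE, GENUINE_MESSAGE):
        print(assess(msg))
```

Because the attackers in this case hold real reservation data, the first indicator alone proves nothing about authenticity; it is the combination with a payment request, a link and time pressure that the check weighs, which is why a genuine host message with no such elements scores zero.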
And Finally

23andMe data breach compensation: The bankruptcy plan for the genetics-testing business 23andMe agreed to pay plaintiffs a total of 46.75 million dollars to settle litigation stemming from a 2023 data breach. The breach lasted about five months and affected nearly half of the 14.1 million customers. After declaring bankruptcy in 2025 and selling the majority of its assets, 23andMe (now Chrome Holding Co.) was sold back to co-founder Anne Wojcicki. California made an unsuccessful attempt to stop the transaction. It then filed a lawsuit against Chrome Holding for failing to safeguard the genetic and personal data of its clients.
AI Coding tools: Privacy International tested AI coding assistants by tasking an experienced developer with building a Matrix server, a messaging client, a health app, and a blogging site, finding that each project was riddled with hidden flaws ranging from broken cryptography and insecure data handling to misleading outputs. Key findings were:
- AI coding tools enable rapid software creation without deep expertise, but obscure how the code actually works.
- The generated code is often flawed, insecure, or outdated despite claims of completeness.
- AI systems prioritise appearing correct, frequently misrepresenting functionality and avoiding genuine fixes.
- Privacy and security risks are significant, especially for sensitive data and users unable to audit the output.