
Data protection digest 1-15 Sep 2025: The Data Act is fully applicable, “bossware” takes over workspaces

The Data Act

As of 12 September, the Data Act has become directly applicable in the EU. It offers harmonised rules on fair access to and use of data. The new rules cover manufacturers, users, data holders, data recipients, public sector bodies, and data processing services. It is designed to empower users, both consumers and businesses, by giving them greater control over the data generated by their connected devices (and related services), such as cars, smart TVs, industrial machinery and much more:

  • Ensures that connected devices on the EU market are designed to allow data sharing
  • Gives consumers the possibility to choose more services, without having to rely on the manufacturer of the device
  • Provides business users in industries like manufacturing or agriculture access to data about the performance of industrial equipment, opening up opportunities to enhance efficiency and optimise operations
  • Allows consumers to easily transfer data and switch between cloud providers
  • Prohibits unfair contracts that could prevent data-sharing

The Data Act does not exclude or replace the GDPR

On the contrary, it is fully compliant with data protection rules. For example, where the user is not the data subject whose data is being requested, personal data can only be made available if there is a valid legal basis (e.g., consent). This is an important consideration, as co-generated data often contains both personal and non-personal data, which may be difficult to separate. Additionally, the Data Act includes a non-exhaustive list of measures to remedy situations where a third party or user has unlawfully accessed or used data. The infringing party will be obliged to cease production of the product in question, destroy the data it has unlawfully obtained, or pay compensation.


The Act also includes requirements for international transfers of non-personal data. Data processing service providers are required to adopt technical, legal, and organisational measures to prevent international transfers of, or governmental access to, non-personal data where this would breach national or EU law. Furthermore, the Act includes protections for trade secrets and trade secret holders, aimed at preventing data breaches or data transfers to jurisdictions that don’t provide sufficient data protection, and at preventing other entities from accessing the data to reverse-engineer the services of their competitors.

Data subject rights under the Data Act

The Hamburg data protection authority explains that, from electronic toothbrushes to wind turbines, many consumer goods and machines send sensor data to their manufacturers via the internet. Starting September 12, consumers will benefit from new access rights to the data of such connected devices, as the Data Act allows both users of these devices and third parties to request it. This is provided that the eligibility requirements under the Data Act are met, data protection law does not conflict, and trade secrets are protected.

If the data to be transmitted is personal, European law appoints data protection authorities to supervise compliance with the provisions of the Data Act. This task follows directly from Art. 37(3) of the Data Act and covers: a) accessing personal data from the manufacturer; b) changing the provider of data processing services (so-called cloud switching); c) protection of confidentiality through technical and organisational measures at the receiving body; and d) transparency obligations. The data protection authorities can now enforce these rights by issuing orders. Violations can sometimes be punished with fines. Alternatively, claims can be pursued independently through civil law. Any natural or legal person can file a complaint.

EU-US Data Privacy Framework maintained

On 3 September, the CJEU ruled on a case in which a French politician had brought an action against the Commission seeking annulment of the adequacy decision for the EU-US Data Privacy Framework. According to the complainant, the newly established appeal body in the US, the Data Protection Review Court (DPRC), was not independent, and American legislation did not ensure adequate guarantees for data subjects in connection with the mass collection of personal data by the intelligence services.

The Court found no basis for concluding that the DPRC was not independent at the time of the decision. In this context, the Court recalled the Commission’s obligation to continuously monitor developments in the US and to act if changes in the legal framework might lead to a lower level of protection. With regard to the activities of the intelligence services, the Court also found that US legislation at the time of its adoption ensured a level of protection of personal data that was essentially equivalent to that existing within the EU.

On that basis, the court dismissed the lawsuit in its entirety.

Digital Services Act

The EU General Court, meanwhile, has ruled that the Commission failed to properly adopt the method it used to assess very large online platforms’ user bases under the Digital Services Act (DSA). As a result, the supervisory fees the Commission imposed on the largest platforms (Facebook, Instagram, TikTok and others), as calculated by reference to their user bases, were invalid (however, the effects of the annulled decisions are provisionally maintained). The Commission now has 12 months to rectify the situation.

The EDPB has recently adopted guidance on the interaction between the Digital Services Act and the GDPR. The DSA aims to complement the rules of the GDPR to ensure the highest level of protection of fundamental rights in the digital space. It applies to online intermediary services, such as search engines and platforms. There are several provisions in the DSA which relate to the GDPR:

  • Notice-and-action systems that help individuals or entities report illegal content
  • Recommender systems used by online platforms to automatically present specific content to the users of the platform, with a certain relative order or prominence
  • The provisions to ensure a high level of privacy, safety, and security of minors and to prohibit profile-based advertising using their data
  • Transparency of advertising by online platforms
  • Prohibition of profiling-based advertising using special categories of data

Pseudonymisation

In another ruling, of 4 September, the CJEU addressed various issues relating to personal data and pseudonymisation in connection with the transfer of such data to third parties.

The case concerned the obligation incumbent on controllers to inform data subjects, at the time of data collection, of the recipients or categories of recipients to whom their personal data are to be disclosed. Because that obligation rests on the controller at the moment of collection, the identifiability of the data subject in such a case must be assessed from the perspective of the controller and not from that of the recipient.

More from supervisory authorities

Brazil draft adequacy decision: On 4 September, the European Commission launched the process towards the adoption of a data protection adequacy decision with Brazil. The Commission has determined that Brazil ensures an adequate level of data protection, comparable to that of the EU. Once adopted, the decision would allow for free data flows for businesses, public authorities, and research projects between the EU and Brazil, one of the widest scopes possible for a data adequacy decision under the GDPR. The Brazilian authorities have also initiated a process to adopt an equivalent decision to allow for Brazilian data to flow freely to the EU.

Windows IT security guide for organisations: The German Federal Office for Information Security (BSI) provided recommendations for the secure configuration of Microsoft Office products for the Microsoft Windows operating system (in German). These recommendations were developed specifically for medium-sized to large organisations that manage their endpoints using Group Policies in an Active Directory environment. However, other experienced IT users can also apply the Group Policies locally. Implementing these policies offers the advantage of a wider range of configuration options compared to configuring them via the user interface. These recommendations are available for the Office applications Microsoft Access, Microsoft Excel, Microsoft Outlook, Microsoft PowerPoint, Microsoft Visio, and Microsoft Word.

Cybersecurity for teenagers: The BSI also published a comprehensive package to teach basic cybersecurity skills. It aims to support teachers and other educational professionals in raising young people’s awareness of digital risks at an early stage and teaching them how to use digital media safely. The media package includes educationally prepared worksheets, interactive activities, and background information for teachers and parents. It covers three topics: smartphone and app security, cybercrime methods, and account protection.


Personal recordings

Can recordings obtained for personal use be used for other purposes? The Latvian data protection regulator explains that such a recording is usually made without informing other people about it. In cases where the recording is intended to be used only for one’s own needs, without passing it on to others, the GDPR does not apply. However, before making a recording, you should consider whether it is restricted by any other rules. For example, if the recording is made at a school event, you should make sure that the institution’s internal rules of procedure do not set any restrictions on the use of technical devices and the making of recordings.

Over time, a person who has a recording made for personal purposes may want to use this information for other purposes. For example, it can serve as evidence in resolving a dispute or in detecting an offence. In that case the GDPR applies, in particular when choosing the legal basis for processing and complying with the fundamental principles of processing, including ensuring that the rights of the people seen and heard in the recordings are respected.

Right to erasure

The EDPB launched a coordinated action earlier this year to examine how organisations handle the right to erasure (requests from individuals to have their personal data erased by the organisation). The Swedish Data Protection Authority IMY is now reporting its findings. Of the 20 Swedish businesses surveyed, most have received few requests from individuals who want their data deleted, despite handling large amounts of personal data. Among the problems and challenges that IMY has identified are: a) lack of or inadequate internal routines and processes, b) uncertainty about deletion in backups, and c) difficulty verifying the identity of the person who wants their data deleted. IMY has identified examples of best practice for handling data deletion requests, such as:

  • Create clear and updated procedures, control documents and checklists that specify who does what, how the assessment is carried out and what criteria apply for deletion
  • Offer multiple channels to submit a deletion request, such as email, phone, web form, or physical visits
  • Verify the individual’s identity only in cases of reasonable uncertainty
  • Always provide a clear justification with reference to relevant provisions when rejecting a request

Google and Shein cookie fines

The French regulator CNIL fined Google 325 million euros and Shein 150 million euros, in particular for non-compliance with the rules on online trackers. The checks revealed that Google displayed, between the emails present in the ‘Promotions’ and ‘Social networks’ tabs of Gmail, advertisements in the form of emails. In the case of Shein, the CNIL noted that several trackers, particularly for advertising purposes, were deposited as soon as users arrived on the site, even before they had interacted with the information banner to express a choice.

Also, when a user visiting the “shein.com” site clicked on the “Refuse all” button in the banner, or when they decided to withdraw consent to the placement of trackers on their terminal, new trackers were nevertheless deposited.

Toymaker fine

America’s FTC just settled with Apitor Technology, a Chinese toymaker, over allegations that the company violated the Children’s Online Privacy Protection Rule (COPPA). Apitor develops, markets, and distributes robot toys for kids ages 6-14. To program the robots, users need to download Apitor’s free companion app. It incorporated a third party’s software development kit (SDK), enabling app functionalities like push notifications and usage tracking. The SDK allowed the third party to collect geolocation data from children playing with the robot toys using an Android device. Under COPPA, companies providing online services directed at children must notify parents if they’re collecting, using, or disclosing personal information from juveniles. They also have to get parents’ verified consent to do so, even if a third party is the one collecting the data on the company’s behalf.

Online banking authentication

In Finland, the data protection agency has imposed a penalty of 1.8 million euros on S-Bank for neglecting information security in online banking authentication. Due to a software error in the authentication service in 2022, it was possible to log in to online banking and online services using strong authentication with another customer’s credentials. The agency investigated the data breach based on a notification made by S-Bank in 2022. The bank had implemented a new login functionality in S-mobile.

The bank had not tested the new software sufficiently before implementing it, and it had not identified vulnerabilities before the functionality was implemented. It also did not respond adequately to customer complaints about irregularities in online banking logins. A security vulnerability had been exploitable for more than three months. It affected a significant portion of the bank’s customers. Misuse of bank codes caused financial damage to customers. S-Bank has announced that it has compensated customers for direct losses.

In other news

Disney: Another settlement by the FTC, this time with Disney, alleges that it failed to properly designate its YouTube videos as directed to children. When Disney uploaded videos to YouTube, its policy was to set the audience at the channel level, rather than checking the audience for each video. As a result, some child-directed videos were incorrectly designated as “not made for kids.” Personal information of children viewing these videos was collected and used for targeted advertising without parental notice or consent, as required under COPPA. Kids were also exposed to YouTube features not meant for kids: autoplay to other “not made for kids” videos and access to unrestricted public comments.

Recruitment agency: The North Rhine-Westphalia data protection commissioner imposed a fine of over 35,000 euros on a Düsseldorf-based recruitment agency which had not only consistently ignored the data protection rights of job seekers, but also requests from the regulator. The focus was on requests from employees asking whether and which data the company had processed about them. Some of the individuals also demanded that their data be deleted.

Health data: In Estonia, Allium UPI, the company that manages the Apotheka loyalty program, received a fine of 3 million euros for failing to protect customer data and using insufficient security measures. The company’s reckless attitude towards its customers’ data put the privacy of more than 750,000 people, including children and other vulnerable groups, at risk. A security incident occurred in the information system of the Apotheka loyalty program in early 2024.

The leaked files contained personal data and purchase history of those who joined the Apotheka customer program between 2014 and 2020: purchased medicines, health measurement services, and other sensitive pharmacy products, such as pregnancy and ovulation tests, hearing aid accessories, blood pressure supplements, intimate hygiene products, and medications for skin problems.

In case you missed it

Football fans face recognition in Denmark: The Danish Data Protection Authority has granted permission for the clubs in the Super League (season 2025/2026) to use automatic facial recognition during football matches, in order to support the enforcement of the rules on club quarantines. The permits for the Super League clubs state, among other things, that the processing must comply with the rules on the preparation of an impact assessment: it must be carried out before the processing begins.

Bossware in the UK: A third of UK companies use “bossware” to track employees’ activities, according to an article in the Guardian. One in seven employers are monitoring or evaluating screen activity, and private organisations are the most likely to implement in-work surveillance, according to a UK-wide poll. The fact that about one-third of managers said their companies watch employees’ internet activity on company-owned devices is, however, likely an underestimate, because the same percentage stated they had no idea what tracking their companies do. Preventing insider threats, protecting sensitive data, and identifying productivity declines are the goals of many monitoring systems.

