Data Privacy Updates (April 2025)

5 June 2025

WH Partners

We are a law firm with a strong focus on assisting businesses fuelling the digital economy and not only in the territories we operate in. We have offices in Malta, Italy, Romania, and we operate Czech, Polish and UAE desks, as well as having a worldwide network of correspondent firms. We have a well-established practice advising clients on (in no particular order) fintech, gaming & gambling, corporate, M&A, tax, dispute resolution, corporate finance, intellectual property, data privacy and personal data processing, consumer protection & advertising, real estate, employment & immigration matters, sports, technology & media, competition & state aid. Our firm and several of our lawyers are highly ranked by Chambers & Partners, Legal 500, IFLR1000 and Who’s Who Legal.

SANCTIONING PRACTICES

ANSPDCP (Romanian DPA)

FACTS

A natural person filed a complaint after the bank processed his personal data, without consent, under a natural disaster insurance policy, through a third-party insurance company. The policy was issued by mistake, even though the person had paid off the real estate loan previously contracted with the bank.

WHAT SHOULD YOU DO?

  • Ensure that written GDPR compliance procedures are in place, as well as regular training of those who process personal data on behalf of the controller.
  • Ensure that each processing of personal data is based on a clear legal basis (consent, performance of a contract, legal obligation, etc.). Avoid automatic or "inertia" processing of data for ancillary services (e.g. insurance) when the main contractual relationship has ended.

  • Unsolicited marketing messages from an e-commerce website's operator – controller fined EUR 15000

FACTS

After an investigation, the DPA found that the controller had processed the petitioner's phone number to send SMS messages about offers without consent, and had also managed access and deletion requests inadequately.

WHAT SHOULD YOU DO?

FACTS

The controller notified a cyberattack, and the DPA's investigation found that data held in the controller's IT systems had been accessed. More specifically, the third party accessed the data of the controller's employees.

WHAT SHOULD YOU DO?

  • It is essential to implement, but especially to periodically check and test the effectiveness of the technical and organisational measures that protect personal data. A seemingly robust security system can have exploitable vulnerabilities if it is not constantly assessed and updated.
  • Employee data is just as sensitive as customer data. Cyberattacks do not discriminate, and the disclosure of employee data can have serious legal and reputational consequences. Ensure confidentiality, integrity and availability measures, and apply GDPR principles uniformly across all categories of data.

  • Surveillance cameras oriented towards the home of a natural person – controller fined EUR 1000

FACTS

A natural person complained that the controller had installed a surveillance camera facing the entrance to his home without his consent, and that the controller's response to his request was not sent within the statutory time limit.

WHAT SHOULD YOU DO?

  • There is a legal obligation to respond within 30 days to requests regarding the exercise of GDPR rights (deletion, objection, access, etc.). Failure to provide an adequate response, or ignoring such a request, may result in penalties, even if the processing of the data appears justified.
  • Video surveillance that captures images of other people's property without their consent is unlawful data processing. Make sure that the orientation of the cameras, the information displayed and the legal basis comply with the GDPR. Use information signs and avoid capturing private areas (e.g. access doors, neighbouring yards).

  • Controller says that e-mail address was deleted, despite the data subject still receiving feedback forms – controller fined EUR 10000

FACTS

An individual complained that he was still receiving feedback forms from the controller, although the controller had confirmed several times that the email addresses associated with his account had been deleted. In addition, the controller's third-party collaborators could still use these email addresses.

WHAT SHOULD YOU DO?

  • A confirmation sent to the customer is not sufficient if, in reality, the data has not been effectively deleted or remains accessible to collaborators. When a request for deletion is granted, it must be implemented immediately and completely, without undue delay and with the notification of all relevant parties.
  • Responses to GDPR rights requests must be clear, understandable and transparent, not ambiguous or vague. Lack of clarity in communication amounts to a violation of Article 12 of the GDPR and can lead to sanctions even if the answer seems formally correct. Staff training is essential to avoid these mistakes.

  • Cybersecurity operator sanctioned for programming error – controller fined EUR 10000

FACTS

The controller notified a data breach, and the DPA's investigation showed that a programming or implementation error regarding the security of emails led to the disclosure of a significant number of customers' personal data.

WHAT SHOULD YOU DO?

  • Before deployment, any update that affects the processing of personal data must be verified through clear testing and validation procedures to prevent accidental disclosures.
  • The implementation of technical measures is not sufficient if there are no regular evaluations of their effectiveness. Organisations must be able to demonstrate that the measures taken continuously ensure the confidentiality, integrity and resilience of their systems. Include these checks in your internal audit plans.

LEGISLATIVE UPDATES

Although the changes are not significant and the update is mainly intended to improve transparency, the French authority's main recommendations are the following:

  • CNIL stresses the importance of clearly defining the roles of each actor involved in the development and distribution of mobile applications — including publishers, developers, software development kit providers, operating system providers and app stores. This clarification is essential to ensure compliance with the GDPR and avoid legal ambiguities.
  • Apps must obtain users' consent for data processing that is not strictly necessary for the operation of the app, such as for advertising or analytics. The CNIL insists that this consent be granted freely, specifically, informed and without constraints, and that users have the possibility to withdraw it as easily as they have granted it.
  • SDK providers must ensure that their tools comply with data protection principles from the design phase. The CNIL recommends that SDKs collect only the necessary data, provide transparency about the processing carried out and allow application publishers to respect user rights.
  • GDPR compliance does not stop when the app is launched. The CNIL recommends the implementation of continuous processes for evaluating and updating data protection measures, including periodic audits, updates of privacy policies and effective management of user requests regarding their rights.

  • CNIL (French DPA) adopts recommendations on multifactor authentication

The recommendations aim to give users assurance about the security of data processing, and also to encourage integrating MFA into digital services from the design stage, through the following ideas:

  • The CNIL emphasises that multi-factor authentication must be implemented according to the risks associated with each system or service. It is essential to carry out a risk analysis to determine whether MFA is appropriate, thus avoiding its excessive use in low-risk contexts, which could lead to user fatigue and a decrease in the effectiveness of the measure.
  • Before implementing MFA, it is crucial to establish a GDPR-compliant legal basis. MFA can be considered either a security measure related to other data processing, or a data processing itself, with a specific purpose of securing access. The choice of legal basis (legitimate interest, legal obligation, etc.) must be justified and properly documented.
  • The CNIL recommends using at least two of the following three categories of authentication factors:
    • something that the user knows (e.g. a password);
    • something that the user owns (e.g. a hardware token or authenticator app);
    • something that the user is (e.g. a fingerprint).
  • It is important to note that certain methods, such as sending codes via SMS or email, are not considered secure enough to be used as authentication factors in MFA.
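The "two of three categories" rule and the exclusion of SMS and e-mail codes can be expressed as a policy check in code. The following is an added illustration, not CNIL text or any product's implementation: it verifies a password (knowledge) and a TOTP code from an authenticator app (possession) and succeeds only when the verified factors span at least two distinct categories. The category and method labels, the `Account` layout and the demo credentials are all assumptions constructed for the example; the TOTP secret is the RFC 6238 test-vector secret so the code value is reproducible.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import List, Set, Tuple

TOTP_STEP_SECONDS = 30
# The three factor categories the CNIL recommendation lists.
ACCEPTED_CATEGORIES = {"knowledge", "possession", "inherence"}
# Code delivery channels the recommendation does not consider strong enough
# to count as a factor (labels assumed for this example).
REJECTED_METHODS = {"sms_code", "email_code"}


@dataclass(frozen=True)
class Factor:
    category: str  # "knowledge", "possession" or "inherence"
    method: str    # "password", "totp", "sms_code", ...
    value: str     # what the user presented


@dataclass
class Account:
    password_salt: bytes
    password_hash: bytes
    totp_secret: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is kept modest so the example runs fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the 30-second time step."""
    return hotp(secret, unix_time // TOTP_STEP_SECONDS, digits)


def verify_factor(account: Account, factor: Factor, now: int) -> bool:
    if factor.method == "password":
        return hmac.compare_digest(
            hash_password(factor.value, account.password_salt), account.password_hash)
    if factor.method == "totp":
        # Accept the current step and one step either side to tolerate clock drift.
        return any(hmac.compare_digest(factor.value, totp(account.totp_secret, now + d))
                   for d in (-TOTP_STEP_SECONDS, 0, TOTP_STEP_SECONDS))
    # Biometric ("inherence") checks would be delegated to a platform authenticator;
    # they are not modelled here, so any other method fails closed.
    return False


def authenticate(account: Account, factors: List[Factor], now: int) -> Tuple[bool, Set[str]]:
    """Succeed only if the verified factors span at least two distinct categories."""
    verified: Set[str] = set()
    for f in factors:
        if f.method in REJECTED_METHODS or f.category not in ACCEPTED_CATEGORIES:
            continue  # presented, but does not count toward MFA
        if verify_factor(account, f, now):
            verified.add(f.category)
    return len(verified) >= 2, verified


def make_demo_account() -> Account:
    # Constructed credentials for the example only.
    salt = b"example-salt-16b"
    return Account(salt, hash_password("correct horse battery staple", salt),
                   b"12345678901234567890")


if __name__ == "__main__":
    acct = make_demo_account()
    now = 59  # fixed timestamp so the TOTP value is reproducible
    good = [Factor("knowledge", "password", "correct horse battery staple"),
            Factor("possession", "totp", totp(acct.totp_secret, now))]
    with_sms = [Factor("knowledge", "password", "correct horse battery staple"),
                Factor("possession", "sms_code", "123456")]
    print(authenticate(acct, good, now))      # (True, {'knowledge', 'possession'})
    print(authenticate(acct, with_sms, now))  # (False, {'knowledge'})
```

Two points are worth noting in the design: factors are counted by category rather than by number, so two knowledge factors would still fail; and an SMS code is silently dropped from the count rather than rejected outright, which leaves room for using it as a notification channel without letting it satisfy the MFA requirement.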

  • AP (Dutch DPA) publishes Guidelines on scraping by individuals and private organisations

The AP analyses the phenomenon of scraping in detail and its lawfulness under the GDPR. Scraping is the automated collection of information from the internet. It differs from simple web crawling in that the information is stored in a database and can be used for AI training, but also for large-scale monitoring.

  • If the scraping involves personal data — which is almost always the case — then the processing is subject to GDPR rules. Even the automatic collection of data from public websites (including social networks or reviews) requires a legal basis, most often "legitimate interest".
  • Scraping can unintentionally lead to the collection of sensitive data (e.g. religion, health) or criminal-offence data. Such data are protected by Articles 9 and 10 of the GDPR and, in most cases, cannot be lawfully processed by private organisations.
  • Before using scraping, a complete analysis of how the data will be collected, stored, and used must be done. Measures such as pseudonymisation, respect for robots.txt files and limiting internal access to data are essential to reduce the risks of breaches of data subjects' rights.

  • EDPB adopts Guidelines 02/2025 on the processing of personal data through blockchain

  • The storage of personal data on blockchain is discouraged – due to the immutable and transparent nature of blockchain, the EDPB recommends that personal data should not be stored directly "on-chain", but through mechanisms such as "off-chain" storage, hashes or cryptographic commitments, which allow some control over the data (e.g., its subsequent deletion or anonymisation).
  • Assessment and justification of the use of blockchain – before implementation, controllers must demonstrate that the use of blockchain is necessary and proportionate to the purpose of the processing and that there are no less intrusive alternatives to the rights of data subjects.
  • Difficulties in ensuring the rights of data subjects – due to the immutable nature of blockchain, rights such as deletion, rectification or opposition can become impossible to enforce if adequate technical measures are not provided for at the design stage of the system.
  • The importance of data protection by design and by default (Art. 25 GDPR) – technical and organisational measures must be implemented to ensure, by design, compliance with data protection principles, including data minimisation, storage limitation and confidentiality.
  • Obligation to carry out a DPIA (Data Protection Impact Assessment) – if the blockchain is used in a context that involves high risks to the rights and freedoms of individuals, a DPIA is mandatory that includes the assessment of the technical architecture, security measures, international transfers and network governance.
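To make the first and third points concrete, the following added example (written for this page, not EDPB or any blockchain project's code) contrasts the discouraged pattern of putting a bare hash of personal data on-chain with a salted commitment whose opening material lives off-chain. A plain list stands in for the immutable ledger, the `Controller` class and its method names are assumptions, and the e-mail address is a constructed sample. The point it shows is that a bare hash of a low-entropy value is still personal data, since anyone who can guess the value can confirm the match, whereas deleting the off-chain salt and data leaves the on-chain commitment unopenable, which is what makes later erasure effective.

```python
import hashlib
import secrets
from typing import Dict, List, Tuple


def naive_hash(personal_data: bytes) -> str:
    """The discouraged pattern: a bare hash of the data written on-chain.

    For low-entropy inputs (an e-mail address, a phone number) anyone who can
    guess the input recomputes the hash and confirms the match, so the value
    stays personal data and cannot be 'deleted' from an immutable ledger."""
    return hashlib.sha256(personal_data).hexdigest()


def commit(personal_data: bytes, salt: bytes) -> str:
    """Hash-based commitment H(salt || data) with a 32-byte random salt.

    Without the salt the commitment can be neither opened nor brute-forced;
    deleting the off-chain salt is what makes erasure effective."""
    return hashlib.sha256(salt + personal_data).hexdigest()


class OnChainLedger:
    """Stand-in for the immutable ledger: append-only, no deletion API."""

    def __init__(self) -> None:
        self._entries: List[str] = []

    def append(self, commitment: str) -> int:
        self._entries.append(commitment)
        return len(self._entries) - 1  # the position serves as the reference

    def get(self, index: int) -> str:
        return self._entries[index]

    def __len__(self) -> int:
        return len(self._entries)


class Controller:
    """Keeps personal data and salts off-chain, where they can be deleted."""

    def __init__(self, ledger: OnChainLedger) -> None:
        self.ledger = ledger
        self._off_chain: Dict[int, Tuple[bytes, bytes]] = {}

    def record(self, personal_data: bytes) -> int:
        salt = secrets.token_bytes(32)
        index = self.ledger.append(commit(personal_data, salt))
        self._off_chain[index] = (personal_data, salt)
        return index

    def verify(self, index: int) -> bool:
        """Open the commitment; only possible while the off-chain record exists."""
        entry = self._off_chain.get(index)
        if entry is None:
            return False
        data, salt = entry
        return commit(data, salt) == self.ledger.get(index)

    def erase(self, index: int) -> None:
        """Erasure request: delete data and salt off-chain; the ledger is untouched."""
        self._off_chain.pop(index, None)


def guess_matches(ledger_value: str, guess: bytes) -> bool:
    """What any ledger observer can do: hash a guessed value and compare."""
    return naive_hash(guess) == ledger_value


def demo() -> dict:
    email = b"data.subject@example.com"  # constructed sample, not a real subject
    naive = naive_hash(email)            # discouraged on-chain pattern

    ledger = OnChainLedger()
    ctrl = Controller(ledger)
    idx = ctrl.record(email)
    verified_before = ctrl.verify(idx)
    ctrl.erase(idx)
    return {
        "naive_reversible": guess_matches(naive, email),
        "commit_reversible": guess_matches(ledger.get(idx), email),
        "verified_before_erase": verified_before,
        "verified_after_erase": ctrl.verify(idx),
        "ledger_len_after_erase": len(ledger),
        "plaintext_on_chain": email.decode() in ledger.get(idx),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ledger length is unchanged after erasure, which is the honest picture: the commitment itself is never removed. Whether the remaining 64-character string still counts as personal data is exactly the question a DPIA for such a system has to answer, and the answer depends on the salt being random, kept off-chain and destroyed together with the data.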

  • EDPB publishes 2024 Activity Report

  • The EDPB Strategy 2024–2027 focuses on four key pillars: harmonisation and compliance, a common law enforcement culture, technological challenges (in particular AI) and strengthening the EDPB's global role. It reflects the commitment to adapt data protection to the new digital and regulatory realities.
  • The EDPB issued important opinions in 2024, including on "Consent or Pay" models, the use of facial recognition at airports, and the use of personal data in training AI models, clarifying the limits of valid consent and the legality of legitimate interest in these contexts.
  • The EDPB has strengthened cross-border cooperation between national authorities, in particular through coordinated enforcement actions on the right of access (Art. 15 GDPR), demonstrating a model of uniform application of the regulation across the EU.

CASE LAW

FACTS

In the context of a request to lift the banking secrecy of magistrates and their families, the court has the obligation to thoroughly verify the request from a data protection perspective, including: (i) the status of the court as a possible "controller" or "supervisory authority" within the meaning of the GDPR, (ii) the obligation to verify the existence of data security safeguards, in particular after previous serious incidents of unlawful disclosure, and (iii) the obligation to carry out a substantive review of the merits of the claim, not just a formal one, in order to ensure the effectiveness of the provisions of Article 79 of the GDPR and Article 47 of the Charter of Fundamental Rights.

JUDGMENT

  • Does Article 2 of the GDPR apply to the disclosure to a court of the bank details of magistrates and their families, in the context of the verification of asset declarations?
    • Yes, such disclosure constitutes the processing of personal data within the meaning of Article 4(2) GDPR and falls within the material scope of the regulation. The fact that the processing concerns judges or activities related to their functions does not exclude the applicability of the GDPR, and the exception in Article 2(2)(a) on national security must be interpreted strictly.
  • Can a court be considered a 'controller' within the meaning of Article 4(7) of the GDPR when it authorises the disclosure of bank details relating to magistrates and their families?
    • No, the court that only authorises access to the data, without establishing the purposes and means of the processing, does not have the status of controller. This capacity lies with the body that initiates the request and determines the purpose of the processing – in this case, the Judicial Inspectorate.
  • Is Article 51 of the GDPR to be interpreted as meaning that a court competent to authorise the disclosure of personal data to another judicial body constitutes a supervisory authority within the meaning of that article?
    • A national court authorising the disclosure of personal data is not a 'supervisory authority' within the meaning of Article 51 of the GDPR if it has not been appointed by the Member State to monitor the application of the Regulation and does not exercise the powers provided for in Article 58 of the GDPR.
  • Is the court authorising the disclosure of personal data obliged to verify ex officio compliance with the GDPR rules on data security, when it is known that the requesting authority has previously committed breaches?
    • No, in the absence of an express national legal provision, the court is not obliged to carry out an ex officio review. However, in order to ensure the effectiveness of the right to a remedy guaranteed by Article 79 of the GDPR and Article 47 of the Charter, data subjects must be sufficiently informed to be able to exercise their rights, including to object to processing.

FACTS

L.H. lodged a request with the Ministry of Health for information concerning the identification of persons who had signed contracts for the purchase of COVID-19 screening tests concluded by that ministry. That ministry partially granted L.H.'s request and sent him the certificates relating to those tests, redacting the information relating to the natural persons who had signed those certificates on behalf of the legal persons, for GDPR reasons. L.H. brought an action for annulment of the Ministry of Health's decision to disclose before the Městský soud v Praze (Prague City Court, Czech Republic) in so far as it redacted that information.

JUDGMENT

  • Does the disclosure of the first name, surname, signature, and contact details of a natural person representing a legal entity constitute processing of personal data, even if the sole purpose is to identify that person as the legal representative?
    • Yes, such information qualifies as personal data under Article 4(1) of the GDPR, and its disclosure constitutes processing under Article 4(2), regardless of the professional context or the fact that the sole purpose is the identification of the legal representative.
  • Do Article 6(1)(c) and (e) of the GDPR preclude national case-law that requires a public authority to inform and consult the data subject before disclosing official documents containing personal data?
    • No, such national case-law is not precluded. Informing and consulting the data subject helps ensure lawful and transparent processing. However, authorities cannot systematically refuse disclosure solely on the grounds that consulting the data subject is impractical, as this would undermine the balance required by Article 86 GDPR between public access and data protection.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
