In this edition:
1. Sanctioning practices by the Romanian DPA:
-
- Banking company processes personal data without consent for an insurance policy
- Unsolicited marketing messages from an e-commerce website’s operator
- Cyber-attack on gambling operator generates GDPR infringements
- Surveillance cameras oriented towards the home of a natural person
- Controller says that e-mail address was deleted, despite the data subject still receiving feedback forms
- Cybersecurity operator sanctioned for programming error
2. Legislative updates:
-
- CNIL (French DPA) adopts an updated version of their guidelines from 2024 on mobile apps
- CNIL adopts recommendations on multifactor authentication
- AP (Dutch DPA) publishes guidelines on scraping by individuals and private organisations
- EDPB adopts guidelines 02/2025 on the processing of personal data through blockchain
- EDPB publishes 2024 activity report
3. Case law
