Garrigues

Data Economy, Privacy and Cybersecurity Newsletter - April 2026

In this newsletter, we offer the latest updates on everything related to the data economy (technology law, technological innovations, artificial intelligence, digital law, e-Commerce), privacy (data protection and related fundamental rights), and cybersecurity (information security and the protection of the networks and systems that process it). We cover the most recent rulings from relevant authorities and agencies, key court decisions, and the most important news in this field.

The Supreme Court defines the scope of ‘processing’ and requires compliance with the GDPR from the moment personal data is requested 

Álvaro Blanco and Javier Enebral 

The Supreme Court issues a landmark ruling laying down case law in relation to the GDPR: a mere request for personal data constitutes data ‘processing’ for the purposes of the GDPR. The judgment stems from a cassation appeal brought by the AEPD, with Garrigues acting as legal counsel.

Evolution of personal data rules in Peru: Implementation of the new regulations, administrative action and legislation forecasts

Franco Muschi and Mariana Ubidia 

Data protection rules have evolved at a particularly vigorous pace over recent years in Peru, fueled by a strengthened regulatory framework (driven by the entry into force of the new Regulations for the Data Protection Law) and increasingly active and technical oversight by the Peruvian data protection authority. These measures are aimed at consolidating and modernizing the protection system, by reaffirming the constitutional protection afforded to personal data in Peru. The result has been a regulatory environment that requires public and private entities to process data more responsibly and with greater security, in alignment with current international standards.

News update

  • Joint opinion of the European Data Protection Board and European Data Protection Supervisor on proposal for a Digital Omnibus Regulation for simplification of the European regulatory framework
  • Spanish government approves preliminary bill for new Organic Law on the right to honor, personal and family privacy, and own image
  • Public consultation on the implementation regulations for the legal framework on cybersecurity in Portugal
  • AEPD publishes guide on use of third-party images in artificial intelligence systems and the related risks
  • General Council of the Spanish Judiciary approves a direction on the use of artificial intelligence by judges
  • The Transparency and Data Protection Board for Andalucía analyzes an AI system for recruitment
  • European Data Protection Board warns European Commission that new proposals to modify the ESTA system entail collection of a disproportionate amount of data from European travelers
  • EDPB publishes results of public consultation on templates to facilitate organizations’ compliance with the GDPR
  • First regulations approved on use of AI in the Spanish parliament
  • European Commission opens two proceedings to assist Google in complying with interoperability and data-sharing obligations under the Digital Markets Act
  • European Data Protection Board and European Data Protection Supervisor issue joint opinion on the proposal for a European Biotech Act
  • European Union and Brazil adopt mutual adequacy decisions allowing personal data to flow freely
  • European Commission designates WhatsApp as a very large online platform under the Digital Services Act
  • South Korea launches the world’s first comprehensive AI regulations 

Decisions 

  • AEPD fines an energy company due to shortcomings in its customer identity verification protocol
  • Healthcare facility fined for deleting a CD containing MRI scans provided by a patient
  • AEPD imposes €500,000 fine on a bank due to the loss of a customer’s documentation
  • CNIL levies €42 million fine on a telecommunications group due to a security breach
  • Penalty imposed on energy supplier for cross-referencing the personal data of two customers
  • AEPD imposes fine on mobile phone company due to identity theft for a telephone line subscriber
  • AEPD reiterates that employees’ personal cell phones cannot be used as an authentication tool in the workplace
  • Potential changes to AEPD’s criteria regarding the use of biometric technologies
  • Penalty for the loss of medical records in a public place
  • Hotel fined for unlawful disclosure of customers’ personal data
  • Dental practice fined for recording video and audio inside the clinic
  • Healthcare union and its foundation fined for a data breach and lack of transparency regarding their shared responsibility
  • AEPD fines telecoms operator for sending customer login credentials in a plain-text email
  • AEPD fines online lending company for requiring customers to submit a photo with their ID to process a loan cancellation
  • AEPD upholds a complaint against the Balearic Islands Health Service over failure to comply with a citizen’s right of access
  • AEPD fines a courier company for unauthorized subprocessing in the processing chain
  • Healthcare provider mistakenly sends personal data of assisted reproduction patients to other service users
  • Fine imposed for unlawful processing of biometric data and excessive retention of personal data
  • AEPD fines company for unlawful processing of personal data by one of its sales representatives
  • Fine resulting from a security incident

Judgments 

  • CJEU rules on national legislation regarding the processing of biometric data
  • WhatsApp Ireland’s appeal against the binding decision of the European Data Protection Board is admissible
  • Annulment of several fines imposed by the AEPD on an insurance company for sending commercial communications to generic email addresses
  • National High Court upholds the dismissal of a complaint concerning the loss of a medical report, finding the events to be time-barred
  • Fine overturned on member of labor union staff committee for forwarding corporate emails to recipients outside the committee
  • A debt collection company does not violate the right to honor if it evidences a prior request for payment before including data on a delinquency file
  • Supreme Court overturns violation of right to honor on the ground of inclusion in a credit risk file of data relating to a tax debt obtained from an official gazette  
  • Supreme Court recalls key issues in relation to the inclusion of data in credit reporting systems
  • Fine for unlawful processing of data related to a credit card debt overturned, although the court upheld the fine for violation of the right of access
  • Confirmation of lawfulness of personal data processing for the ASNEF credit risk register
  • Worker's data protection right held to be violated after her name and pay details were disclosed in a dismissal letter sent to her partner
