Publications

Garrigues

ELIGE TU PAÍS / ESCOLHA O SEU PAÍS / CHOOSE YOUR COUNTRY / WYBIERZ SWÓJ KRAJ / 选择您的国家

Data Economy, Privacy and Cybersecurity Newsletter - November 2025

In this newsletter, we offer the latest updates on everything related to the data economy (technology law, technological innovations, artificial intelligence, digital law, e-Commerce), privacy (data protection and related fundamental rights), and cybersecurity (information security and the protection of the networks and systems that process it). We cover the most recent rulings from relevant authorities and agencies, key court decisions, and the most important news in this field.

Is pseudonymized data personal data? Key points following the European Court of Justice's judgment in the EDPSv SRB case

Ignacio Suárez

The judgment delivered by the European Court of Justice (CJEU) on September 4, 2025 in the EDPS v SRB case (case C 413/23 P) is an important landmark in the field of data protection, because it deals with the concept of “personal data” which is at the heart of the practice.

KEEP READING

Comparison of the transposition of NIS II by Portugal with that planned in Spain

Manuel Liberal and Luisa Cyrne

In July 2025, the Portuguese government resumed the process of transposing Directive (EU) 2022/2555 (NIS2) by presenting Bill no 7/XVII/1 Below we compare this transposition with the Spanish bill, examining the areas of application that are subject and exempt in each case, as well as the planned penalty system.

KEEP READING

Data protection authorities’ decisions

  • Local council fined for sending proof of payment of a fine to an outdated address
  • Dismissal of appeal by a telecommunications company against a penalty for fraudulent duplication of SIM cards
  • Chain of shopping malls fined for several personal data breaches and security measures
  • Fine imposed on gas and electricity company for fraudulent agreements for services
  • Electricity retail company fined €200,000 for entering a customer on an overdue payments file before notification of the request for payment was returned
  • Telecommunications company in Germany fined for supervision and security failures
  • AEPD concludes that the right to data portability does not apply in a state education context, but upholds a complaint for untimely response
  • Employee fined €300 for a breach consisting of processing personal data without any legal basis
  • AEPD dismisses complaint regarding the installation of a digital peephole viewer, and does not find a data protection breach
  • Finnish pharmaceutical company fined €1.1 million for deficiencies in the protection of data at its online store
  • Private party fined for installing cameras positioned towards a neighbor’s dwelling
  • Logistics company fined €100.000 for requesting a criminal record certificate and excessive personal data in recruitment processes
  • Entity fined €32,000 for disclosing a worker’s medical data to a third party
  • Entity fined €180.000 for breaching a final decision by the AEPD
  • AEPD endorses storage of personal data by a processor after the end of the engagement
  • AEPD finds that, to comply with article 28 GDPR, it is not sufficient to mention in the DPA that the data will be deleted or returned when the processing has ended
  • French supervisory authority fines Google and Shein for installing cookies and similar technology without consent
  • AEPD does not endorse use of employee photographs for working time monitoring
  • Football club fined for security breach caused by ransomware attack
  • AEPD fines technology company for transfer of personal data to third parties without having sufficient legal basis
  • Travel company fined for violating data minimization principle
  • Polish Data Protection Authority imposes separate fines on controller and processor for negligence in risk analysis and in adoption of security measures 

KEEP READING

Judgments

  • The National Appellate Court upholds a penalty imposed by the AEPD for processing without a legitimate basis due to the publication of lists with the names and surnames of civil service candidates
  • Galicia High Court examines use of algorithms in selection processes and confirms labor union discrimination by a port authority
  • The Supreme Court of Chile orders a telecommunications company to provide indemnification to a customer due to the breach of personal data
  • Latombe case: The GCEU validates the EU-US international transfer scheme
  • The National Appellate Court considers that requests for access to personal data must be sent to the channels set up for this purpose and not to generic addresses
  • The CJEU analyzes the possibility of disclosing employee data from a company to its parent company to test software and declares the use of real data without a legal basis to be unlawful
  • The courts admit the use of video surveillance images as evidence in criminal proceedings
  • A judgment clarifies that consent by the data subject does not replace judicial authorization when it comes to providing evidence in the context of legal proceedings
  • CNPD opinion on the online broadcasting of local authority meetings

KEEP READING

News update

  • The EU Data Act has been applicable since September 12, 2025
  • The European Commission publishes a decision concluding that Apple and Meta are in breach of the Digital Markets Regulation and imposes fines of €500 million and €200 million, respectively
  • The EDPB publishes the Helsinki Statement and announces new measures to simplify and reinforce the application of the GDPR
  • Chile: Implementation Commission for the new Data Protection Law publishes three reports
  • The EDPB adopts guidelines 3/2025 on the interaction between the DSA and the GDPR
  • AEPD Annual Report 2024: main results and trends
  • The European Commission has published a report on the implementation of the EU Global Health Strategy
  • Joint report published by the AEPD and the European Data Protection Supervisor (EDPS) on the privacy implications of the use of federated learning in artificial intelligence
  • The European Data Protection Board (EDPB) publishes the final version of Guidelines 02/2024 on article 48 GDPR
  • Council and European Parliament reach deal to make cross-border GDPR enforcement work better for citizens
  • AEPD analyzes whether it is mandatory for an artificial intelligence system used in automated commercial communications to understand and implement privacy policies
  • The AEPD responds to a prior consultation regarding the use of biometrics for access control at Civil Guard facilities
  • European Commission publishes guideline on the obligations of general-purpose AI models
  • The EDPB issues a statement on the non-binding model contractual terms of the Data Act
  • The EDPB contributes to the European Banking Authority (EBA) public consultation on draft regulatory technical standards (RTS) on anti-money laundering and countering the financing of terrorism (AML/CFT)
  • The AEPD and the Brazilian Data Protection Authority expand their institutional collaboration
  • Researchers from the European Commission's Joint Research Centre publish an article on 'AI Benchmarks'
  • The UK Information Commissioner's Office (ICO) publishes an article on how to ensure effective anonymization of personal data 

KEEP READING

Data Protection, Europe, Spain, European Union, LatAm, Chile, Portugal

Find a publication

Date of publication

News search engine