Garrigues

Data Economy, Privacy and Cybersecurity Newsletter - June 2025

In this newsletter, we offer the latest updates on everything related to the data economy (technology law, technological innovations, artificial intelligence, digital law, e-Commerce), privacy (data protection and related fundamental rights), and cybersecurity (information security and the protection of the networks and systems that process it). We cover the most recent rulings from relevant authorities and agencies, key court decisions, and the most important news in this field.

Proposal by the European Commission to amend the GDPR: a critical review and practical suggestions

Alejandro Padín

The European Commission has recently presented a proposal to amend the GDPR with a view to reducing the bureaucratic burden on small and medium-sized companies. The main measure that has been introduced is to expand the exceptions to the obligation to keep a Record of Processing Activities (“RoPA”). Although the intention behind the amendment is positive, the approach taken has been criticized because it fails to bear in mind the essence of compliance with the Regulation. We analyze what this implies (not necessarily an improvement for small and medium-sized companies) and propose various alternatives to facilitate compliance with the GDPR.

Data protection authorities’ decisions

  • The AEPD imposes a penalty in the case of SIM swapping
  • La Liga sanctioned with a million euros due to processing of biometric data
  • The AEPD fines a mutual society 600,000 euros for a security breach that affected nearly 3,400 people
  • The right to be forgotten is denied with respect to publicly accessible information linked to public employment
  • A company is sanctioned for using employees’ personal WhatsApp accounts for work purposes
  • Double penalty totaling 3,500,000 euros imposed on a bank for not ensuring the security of its clients’ personal data
  • A fine of 500,000 euros is imposed for the failure to inform the data controller of the identity of the entities to which services were intended to be outsourced
  • A bank is fined for failing to implement the appropriate measures to ensure the confidentiality of personal data
  • A financial institution is fined 2,000,000 euros for demanding a client’s consent to the processing of their data as a requirement to open a bank account
  • The Irish supervisory authority for data protection fines TikTok 530,000,000 euros for making unlawful international transfers
  • The AEPD sanctions the Ministry for the Ecological Transition and the Demographic Challenge (MTERD)
  • The AEPD sanctions the General Council of Notaries (CGN) for requiring and storing a copy of the Spanish national I.D. card of registrants in the Notarial Citizen Portal
  • Pharmacy fined 16,000 euros for three infringements of the GDPR
  • Sanctioned for improperly complying with the travelers' registration obligation
  • The Polish Data Protection Authority issues a €132,000 fine because the DPO of a company did not fully exercise his independence and did not include profiling in the RoPA or in the DPIA
  • The AEPD imposes a fine of 10,000 euros on a cosmetics brand for infringement of article 22.2 of the LSSI 

Judgments

  • The CJEU supports the determination of penalties under the GDPR based on the concept of 'undertaking' as used in competition law
  • The CJEU rules on the extent of the data subject's right of access and the logic employed in the adoption of automated decisions
  • The CJEU recognizes the right to rectification of data regarding a person’s gender without proof of gender reassignment surgery being required
  • The CJEU's Advocate General issues an opinion on case C-654/23 concerning the relationship between the GDPR and the ePrivacy Directive
  • The Supreme Court of Extremadura declares justified the dismissal of a security guard who disclosed personal data in a WhatsApp group
  • The National Appellate Court confirms a fine of 40,000 euros imposed on a finance company for processing without legal grounds the data of a victim of identity theft
  • The National Appellate Court recognizes the right of access to personal data blocked in delinquency files
  • A bank and a file management company are found guilty of unlawful intrusion on a consumer’s right to honor
  • A court in Murcia orders the wiping of delinquency files after granting a debtor exoneration from liability
  • The CJEU clarifies that the advertising of payment arrangements constitutes a promotional offer which is protected by the E-Commerce Directive
  • The Belgian Market Court confirms the penalty imposed on IAB Europe and its position as joint controller in the management of the 'Transparency & Consent Framework'
  • The National Appellate Court rules on the multi-million-euro penalty imposed by the AEPD on a bank in 2021

News update

  • Reforms in the field of personal data protection in Latam and the effects thereof on labor relations
  • Lorenzo Cotino Hueso and Francisco Pérez Bes take office as president and vice president respectively of the AEPD
  • The AEPD participates in a European coordinated action to analyze the application of the right to erasure
  • Green light for the draft AI bill in Spain
  • Cataluña initiates an AI-based pilot scheme to help in the drafting of court judgments
  • The Government approves the draft Law for the Protection of Minors in the digital environment
  • The Information Commissioner’s Office (ICO) publishes its guide on anonymization and pseudonymization
  • The European Union publishes a draft regulation on regulatory technical standards for subcontracting pursuant to the Digital Operational Resilience Act (DORA)
  • 23andMe files for bankruptcy following a security incident in 2023
  • EDPD publishes a report on the risks involved in large language models and the mitigation measures available
  • Publication of the European guidelines on processing of personal data through blockchain technologies
  • The EDPS publishes an opinion on the extension of the adequacy decision for the United Kingdom
