Data Protection

CJEU Judgment: Online Marketplace Operator as Data Controller

The Court of Justice of the European Union ruled in Case C-492/23 that an online marketplace operator is a data controller under GDPR. The operator must identify and verify sensitive data in advertisements before publication and obtain explicit consent.

GDPR Sanction for Ordonul Asistenților Medicali Neamț

The National Supervisory Authority for Personal Data Processing in Romania sanctioned Ordonul Asistenților Medicali Generaliști, Moașelor și Asistenților Medicali din România – Filiala Neamț for GDPR violations. The entity received a fine of 2,000 euros and two reprimands for issues related to video surveillance and data subject information.

National Supervisory Authority Fines Lenjeria Magică SRL for Data Processing Violation

The National Supervisory Authority for Personal Data Processing in Romania has fined Lenjeria Magică SRL 15,000 lei for violating data processing laws related to website cookies. The company stored non-essential cookies without explicit user consent, breaching provisions of Law no. 506/2004 and Regulation (EU) 2016/679.

GDPR Sanction for Roumasport S.R.L.

The National Supervisory Authority for Personal Data Processing in Romania has sanctioned Roumasport S.R.L. with a fine of 10,000 euros for violating GDPR provisions related to data security. The investigation followed a personal data security breach due to unauthorized access following cyberattacks.

Italian DPA Newsletter: Aldilapp Fine, Camera Rules, Delegation Platform, AI Concerns

The Italian Data Protection Authority (Garante) issued a newsletter on March 9, 2026, detailing several key actions. It includes a fine against Aldilapp for digital cemetery services, new rules for non-compliant cameras, approval for a delegation management platform, and global data protection authorities' concerns about AI-generated intimate content.

Garante Privacy Fines Acea Energia €2 Million for Unauthorized Contracts

The Italian Garante privacy has fined Acea Energia spa €2 million for significant violations of personal data protection laws. The company was found to have used inaccurate customer data to activate over 1,200 unsolicited energy contracts through door-to-door agents.

Garante Monitors 'Family in Woods' Case, Recalls Child Protection

The Italian Data Protection Authority (Garante) is monitoring the "family in woods" case and has issued a press release reminding media outlets of their obligations regarding child protection and data privacy. The Garante urges caution in disseminating information that could identify minors.

Italian Privacy Authority Fines Intesa Sanpaolo €17.6 Million

The Italian Privacy Authority has fined Intesa Sanpaolo €17.6 million for unlawfully processing the data of approximately 2.4 million customers. The fine stems from the transfer of customer data to its wholly-owned subsidiary, Isybank, as part of a corporate operation.

Garante Privacy Orders Amazon to Stop Worker Surveillance

The Italian Data Protection Authority (Garante privacy) has ordered Amazon Italia Logistica to immediately stop its worker surveillance system. The authority found that Amazon collected sensitive information on employees, including health conditions, union activities, and personal/family life, violating data protection regulations.

GDPR Rights Procedure Resolution Against CaixaBank Payments

The Spanish Data Protection Agency (AEPD) has issued a resolution regarding a GDPR rights procedure against CaixaBank Payments & Consumer. The case involves a consumer's complaint about inclusion in a debt collection file without proper notification or justification of debt assignment.