703 changes Data Privacy & Cybersecurity
Data Protection Authority Fines iHUNT TECHNOLOGY for Privacy Violations
The National Supervisory Authority for Personal Data Processing in Romania has fined S.C. iHUNT TECHNOLOGY IMPORT-EXPORT SA 20,000 lei for violating data protection laws regarding cookie consent. The investigation found that the company stored non-essential cookies without user consent.
National Supervisory Authority Fines Lenjeria Magică SRL for Data Processing Violation
The National Supervisory Authority for Personal Data Processing in Romania has fined Lenjeria Magică SRL 15,000 lei for violating data processing laws related to website cookies. The company stored non-essential cookies without explicit user consent, breaching provisions of Law no. 506/2004 and Regulation (EU) 2016/679.
GDPR Sanction for Roumasport S.R.L.
The National Supervisory Authority for Personal Data Processing in Romania has sanctioned Roumasport S.R.L. with a fine of 10,000 euros for violating GDPR provisions related to data security. The investigation followed a personal data security breach due to unauthorized access following cyberattacks.
GDPR Sanction for Ordonul Asistenților Medicali Neamț
The National Supervisory Authority for Personal Data Processing in Romania sanctioned Ordonul Asistenților Medicali Generaliști, Moașelor și Asistenților Medicali din România – Filiala Neamț for GDPR violations. The entity received a fine of 2,000 euros and two reprimands for issues related to video surveillance and data subject information.
Garante Monitors 'Family in Woods' Case, Recalls Child Protection
The Italian Data Protection Authority (Garante) is monitoring the "family in woods" case and has issued a press release reminding media outlets of their obligations regarding child protection and data privacy. The Garante urges caution in disseminating information that could identify minors.
Italian Privacy Authority Fines Intesa Sanpaolo €17.6 Million
The Italian Privacy Authority has fined Intesa Sanpaolo €17.6 million for unlawfully processing the data of approximately 2.4 million customers. The fine stems from the transfer of customer data to its wholly-owned subsidiary, Isybank, as part of a corporate operation.
Garante Privacy Fines Acea Energia €2 Million for Unauthorized Contracts
The Italian data protection authority (Garante privacy) has fined Acea Energia S.p.A. €2 million for significant violations of personal data protection laws. The company was found to have used inaccurate customer data to activate over 1,200 unsolicited energy contracts through door-to-door agents.
Italian DPA Newsletter: Aldilapp Fine, Camera Rules, Delegation Platform, AI Concerns
The Italian Data Protection Authority (Garante) issued a newsletter on March 9, 2026, detailing several key actions. It includes a fine against Aldilapp for digital cemetery services, new rules for non-compliant cameras, approval for a delegation management platform, and global data protection authorities' concerns about AI-generated intimate content.
Garante Privacy Orders Amazon to Stop Worker Surveillance
The Italian Data Protection Authority (Garante privacy) has ordered Amazon Italia Logistica to immediately stop its worker surveillance system. The authority found that Amazon collected sensitive information on employees, including health conditions, union activities, and personal/family life, violating data protection regulations.
PIPEDA Investigation into Google Search Compliance
The Office of the Privacy Commissioner of Canada (OPC) has concluded its investigation into Google's search engine compliance with PIPEDA. The investigation found that Google's accuracy obligations do not extend to the underlying content of linked articles, but it must ensure personal information in search results is accurate.
Loblaw PC Optimum Data Retention Investigated Under PIPEDA
The Office of the Privacy Commissioner of Canada has concluded an investigation into Loblaw Companies Ltd.'s retention of PC Optimum loyalty program member data. The findings highlight the importance of ensuring anonymized data cannot be re-identified and that personal information is destroyed or anonymized when no longer necessary.
Staples Canada ULC Investigated for Privacy Practices on Resold Devices
The Office of the Privacy Commissioner of Canada investigated Staples Canada ULC regarding its Openbox program for resold electronic devices. The investigation found deficiencies in data wiping procedures and employee training, leading to recommendations for Staples to improve its practices within nine months.
Joint Investigation of TikTok by Canadian Privacy Commissioners
Canadian privacy commissioners have concluded a joint investigation into TikTok's collection, use, and disclosure of personal information, particularly concerning children. The findings address appropriate purposes for data handling and the validity of user consent for ad targeting and content personalization.
Accessible Deletion Mechanism for Data Brokers
The California Privacy Protection Agency has finalized regulations establishing an Accessible Deletion Mechanism (DROP) for data brokers, effective January 1, 2026. This system allows consumers to request the deletion of their personal information from registered data brokers through a single request to the agency.
California Adopts CCPA Regulations on Risk Assessments and Cybersecurity
The California Privacy Protection Agency has adopted final regulations updating the CCPA. These regulations implement requirements for risk assessments, annual cybersecurity audits, and consumers' rights regarding automated decision-making technology, effective January 1, 2026.
CPPA Seeks Comments on Reducing Privacy Rights Friction
The California Privacy Protection Agency (CPPA) is seeking preliminary comments on potential regulatory changes to reduce friction in how consumers exercise their privacy rights. The comment period is open from March 6, 2026, until April 6, 2026.
CPPA Seeks Comments on Opt-out Preference Signals Rulemaking
The California Privacy Protection Agency (CPPA) is seeking preliminary public comments on potential rulemaking regarding Opt-out Preference Signals (OOPS). The agency is gathering information to explore whether regulatory changes are necessary to reduce friction in exercising privacy rights. Comments are due by April 6, 2026.
Data Broker Registration Fee Regulations
The California Privacy Protection Agency (CPPA) is now responsible for the state's data broker registry, effective January 1, 2024. Data brokers must pay an annual registration fee, which the CPPA may adjust. Final regulations for the fee structure have been published for 2024, 2025, and 2026 registrations.
South Korea Overhauls PIPA with 10% Turnover Fines and CEO Accountability
South Korea has significantly amended its Personal Information Protection Act (PIPA), introducing fines up to 10% of total turnover and assigning direct supervisory liability to CEOs. These changes, effective September 11, 2026, aim to strengthen deterrence and promote proactive data protection investment.
AI Training Compliance Guidance Post-SRB Ruling
This guidance analyzes the impact of the EU Court of Justice's Single Resolution Board ruling on AI training compliance for engineers. It outlines two pathways for compliance, emphasizing engineering choices in defining identifiability and data protection.
EU AI Act Omnibus: New Compliance Deadlines and Deepfake Ban
Members of the European Parliament have reached a preliminary agreement on amendments to the EU AI Act, including extended compliance deadlines for high-risk systems and a ban on non-consensual deepfakes. The agreement aims to provide legal certainty and allow more time for technical standards and guidance development.
US House Committee Advances KIDS Act and Other Online Safety Bills
The U.S. House Committee on Energy and Commerce advanced the KIDS Act, Sammy's Law, and the App Store Accountability Act to a full House vote. These bills aim to enhance children's online safety by addressing issues like dangerous content, age verification, and app store policies.
Maine Privacy Bill Advances, Oregon AI Chatbot Bill Clears Legislature
Maine's legislature has advanced a comprehensive privacy bill, the Maine Online Data Privacy Act, through both chambers. Oregon's Senate Bill 1546, an AI chatbot safety bill, has also cleared its state legislature and is heading to the governor. Both bills represent significant state-level regulatory developments.
AEPD Resolution on GDPR Rights Procedure
The Spanish Data Protection Agency (AEPD) has issued a resolution regarding a GDPR rights procedure. The resolution addresses a complaint where a data subject exercised their right of access, and the data controller failed to provide a legally established response within the stipulated timeframe. The AEPD admitted the claim for processing.
GDPR Rights Procedure Resolution Against CaixaBank Payments
The Spanish Data Protection Agency (AEPD) has issued a resolution regarding a GDPR rights procedure against CaixaBank Payments & Consumer. The case involves a consumer's complaint about inclusion in a debt collection file without proper notification or justification of debt assignment.
EDPB Letter to EC on US Entry Privacy Implications
The European Data Protection Board (EDPB) has sent a letter to the European Commission expressing concerns regarding the privacy implications of recent US legislative developments affecting entry conditions for EEA citizens. The letter highlights potential risks to data protection and fundamental rights.
EDPB-EDPS Opinion on Biotech Act Privacy Implications
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have issued a joint opinion on the privacy implications of the proposed European Biotech Act. The opinion provides guidance on the GDPR compliance aspects of the proposed legislation.
ICO Open Letter to Tech Firms on Age Checks and Child Data Protection
The UK's Information Commissioner's Office (ICO) has issued an open letter to social media and video-sharing platforms, urging them to strengthen age assurance measures to prevent underage children from accessing services. The ICO expects platforms to move beyond self-declaration and utilize available technology to enforce minimum age requirements.
ICO Fines Police Scotland £66,000 for Data Mishandling
The ICO has fined Police Scotland £66,000 and issued a reprimand for serious data mishandling. Failures included excessive mobile phone data extraction and unlawful disclosure of sensitive personal information to a third party, violating UK GDPR and the Data Protection Act 2018.
Pyramid Global Hospitality Data Breach Notification
Pyramid Global Hospitality is notifying current and former employees of a data breach discovered on September 30, 2025, impacting personal information. The company is offering credit monitoring and identity restoration services and has notified relevant state regulators and federal law enforcement.
Data Breach Notification for CommonSpirit Health and Pinnacle Holdings
Washington State's Office of the Attorney General has been notified of a data breach impacting CommonSpirit Health, reported by vendor Northgauge Healthcare Advisors. The breach occurred at Pinnacle Holdings, a vendor to Northgauge, and may have exposed personal information of Washington residents.
Lakeside Pediatrics Data Breach Notification
Lakeside Pediatric & Adolescent Medicine PLLC is notifying 1,314 Washingtonians of a data security incident that occurred on or about November 1, 2024. An unauthorized party accessed their systems, potentially exposing personal information. The company is offering credit monitoring services.
Drivestream Data Breach Notification
Drivestream, Inc. is notifying Washington residents of a data breach that occurred between December 4 and 9, 2024. An unauthorized actor accessed systems and potentially exfiltrated sensitive personal information, affecting 505 Washington residents. Drivestream is offering credit monitoring services.
New American Funding Data Breach Notification
New American Funding has notified the Washington Attorney General's office of a data breach affecting 699 state residents. The incident, which occurred at a service provider, may have exposed personal information including names, addresses, and Social Security numbers. Affected individuals are being notified and offered credit monitoring services.
Brown Advisory Security Incident and Data Breach Notification
Brown Advisory reported a security incident on January 21, 2026, involving unauthorized access to certain systems by a threat actor. Personal data, including names, contact information, and sensitive identification details, may have been accessed. The company is offering 24 months of free identity protection services from Experian.
Insightin Health Data Breach Notification
Insightin Health is notifying Washington residents and regulators of a data breach affecting 11,740 individuals due to a cyberattack exploiting a zero-day vulnerability. The breach, which occurred in September 2025, potentially exposed names, dates of birth, medical, and health insurance information. Insightin is offering 12 months of free credit monitoring services.
GDPR Resolution: School Used Health Data Without Consent
The Spanish Data Protection Agency (AEPD) initiated a sanctioning procedure against HOLY MARY CATHOLIC SCHOOL, S.L. for allegedly using student health data without proper consent. The procedure was initiated following a complaint filed on April 24, 2024, regarding the use of 'Google Workspace for Education' and its potential access to non-educational content.
GDPR Resolution: No Fine for DILCAR Gestión S.L.
The Spanish Data Protection Agency (AEPD) has closed an investigation into DILCAR Gestión S.L. regarding the misuse of municipal resources for private business, which involved personal client data. No fine was imposed on the company.
ICO Decision on Isle of Wight Council Planning Complaints
The UK's Information Commissioner's Office (ICO) issued a decision regarding Isle of Wight Council's handling of planning complaint information requests. The ICO found the council was entitled to withhold some information but had breached regulations in its initial handling of the request under FOIA.
ICO Decision: University entitled to withhold student data
The UK's Information Commissioner's Office (ICO) issued a decision finding that Ulster University was entitled to withhold student enrolment data under commercial interests provisions of the Freedom of Information Act. The complainant's request was not upheld, and no further steps are required.
ICO Decision Notice: Cabinet Office FOI Exemptions for Saudi Visit
The ICO has issued a decision notice regarding the Cabinet Office's use of FOI exemptions for information related to a visit to Saudi Arabia. The ICO found that while some exemptions were valid, others were not, and ordered the disclosure of specified information.
ICO Decision Notice: Manchester City Council FOI Breach
The ICO found Manchester City Council breached FOI laws by failing to disclose all requested information and conduct adequate searches. The Council must now conduct fresh searches and disclose specific emails related to the rescheduling of an event.
ICO Decision on Cabinet Office FOI Exemptions
The UK's Information Commissioner's Office (ICO) issued a decision regarding the Cabinet Office's use of FOI exemptions. The ICO found that the Cabinet Office was entitled to rely on sections 36(2)(b)(i) and (c) of the FOIA to withhold certain information related to interactions with BlackRock.
Dartford Council Ordered to Reply to EIR Request
The ICO has ordered Dartford Borough Council to respond to an Environmental Information Request (EIR) that was not answered within the statutory 20-working-day period. The council must now provide the complainant with a response within 30 calendar days.
ICO Decision Notice: FOI Complaint Against London Borough of Croydon
The UK's Information Commissioner's Office (ICO) has upheld a Freedom of Information (FOI) complaint against the London Borough of Croydon. The authority failed to respond to a request within the statutory 20 working days. The ICO has ordered the council to respond within 30 calendar days.
ICO Decision Notice: Lambeth Failed FOI Request
The UK's Information Commissioner's Office (ICO) has issued a decision notice upholding a complaint against the London Borough of Lambeth for failing to respond to a Freedom of Information (FOI) request within the statutory 20-day period. The ICO requires Lambeth to respond to the complainant within 30 calendar days.
Ofcom - Vexatious FOI Request Regarding Channel 4 Chairs
The ICO has decided that Ofcom was entitled to refuse a request for information about Channel 4's former and interim Chairs, deeming the request vexatious under FOI law. No further action is required by Ofcom.
ICO Decision: Royal Air Force Museum Failed to Respond to FOI Request
The UK's Information Commissioner's Office (ICO) issued a decision notice against the Royal Air Force Museum for failing to respond to a Freedom of Information (FOI) request within the statutory 20 working days. The ICO requires the museum to respond within 30 calendar days.
ICO Decision on Home Office FOI Request - EU Border Checks
The UK's Information Commissioner's Office (ICO) issued a decision regarding a Freedom of Information request made to the Home Office concerning the Entry/Exit System (EES). The ICO found that the Home Office was justified in withholding information related to potential queue lengths and delays under section 35(1)(a) of the FOI Act.
ICO Upholds EIR 5(2) Against London Borough of Bromley
The UK's Information Commissioner's Office (ICO) has upheld an Environmental Information Regulations (EIR) 5(2) decision against the London Borough of Bromley. The authority failed to respond to a request within the statutory 20 working days. The ICO has ordered Bromley to respond within 30 calendar days.