Searching in Data Privacy & Cybersecurity · Search everything
702 changes Data Privacy & Cybersecurity
ICO Upholds Westminster Council's Refusal of Information Request
The UK's Information Commissioner's Office (ICO) has upheld Westminster City Council's decision to refuse an information request regarding electric charging units. The ICO found the Council was entitled to refuse the request under the 'manifestly unreasonable' exemption of the Environmental Information Regulations (EIR). No further steps are required from the Council.
ICO Decision Notice: Lambeth Council FOI Data Handling
The UK's Information Commissioner's Office (ICO) has upheld Freedom of Information (FOI) complaints against Lambeth Council for its handling of data requests. The Council is required to provide specific requested information in the format specified within 30 days.
ICO Upholds FOI Complaint Against Chapel St Leonards Council
The UK's Information Commissioner's Office (ICO) has upheld a Freedom of Information (FOI) complaint against Chapel St Leonards Parish Council. The ICO ruled that the council wrongly cited section 14 of the FOIA (vexatious requests) and must now issue a fresh response to the complainant's request regarding a gardening contract.
ICO Orders Nottingham University Hospitals NHS Trust to Disclose Data
The UK's Information Commissioner's Office (ICO) has ordered Nottingham University Hospitals NHS Trust to disclose nurse and midwife referral data to the Nursing and Midwifery Council. The trust must comply within 30 days, or face potential contempt of court proceedings.
ICO Decision: DWP Does Not Hold Benefit Claimant Savings Limit Information
The UK's Information Commissioner's Office (ICO) has issued a decision regarding a complaint against the Department for Work and Pensions (DWP). The ICO found that the DWP does not hold the requested information concerning benefit claimant savings limits and deductions, and no further action is required from the DWP.
ICO Decision Notice: UKHSA FOI Breach
The Information Commissioner's Office (ICO) has issued a decision notice finding that the UK Health Security Agency (UKHSA) breached Section 10 of the Freedom of Information Act (FOIA) by failing to respond to a request within the statutory 20 working days. UKHSA is required to provide a substantive response.
ICO Decision: Core Education Trust request vexatious
The UK's Information Commissioner's Office (ICO) has ruled that a request made to Core Education Trust was vexatious and therefore not subject to compliance. The decision means the Trust is not obliged to provide the requested information.
ICO Decision on Ministry of Defence FOI Complaint
The UK's Information Commissioner's Office (ICO) issued a decision regarding a Freedom of Information (FOI) complaint against the Ministry of Defence (MOD). The ICO found that the MOD was justified in withholding information related to Porton Down range usage under FOIA section 26(1)(b) (defence), as the public interest favoured maintaining the exemption.
ICO Decision on Home Office Migration Data FOI Request
The UK's Information Commissioner's Office (ICO) has upheld the Home Office's decision to neither confirm nor deny holding information regarding cooperation with Turkey on migration programmes, citing Section 27(4) of the Freedom of Information Act. The ICO found no further action is required from the Home Office.
ICO Decision on East Kent Hospitals FOI Complaint
The UK's Information Commissioner's Office (ICO) issued a decision regarding a complaint against East Kent Hospitals University NHS Foundation Trust concerning Freedom of Information (FOI) requests. The ICO partly upheld and partly dismissed aspects of the complaint, clarifying the Trust's obligations regarding staff governor information and meeting minutes.
Tools for Humanity GDPR Operations Update
The Spanish Data Protection Agency (AEPD) received an update from Tools for Humanity regarding their GDPR operations. The company is relaunching operations in Spain in February 2026 with a new rewards model and has consolidated its data controller role within the EU.
EDPB Reply to Civil Society on EU Spyware Abuse
The European Data Protection Board (EDPB) has issued a reply to a civil society open letter concerning recent spyware abuse cases within the EU. This notice addresses concerns raised by civil society regarding the implications of spyware on data protection and fundamental rights.
ICO Response to MPs' Letter on Tattle Life
The UK's Information Commissioner's Office (ICO) has issued a response to a letter from MPs concerning the social media platform Tattle Life. The response clarifies the ICO's position and ongoing actions regarding data protection and online safety issues raised by the MPs.
ICO FOI Decision: Legal Advice on EU Withdrawal Bill
The ICO has issued a decision regarding a Freedom of Information request made to the Northern Ireland Office (NIO). The request sought legal advice on the EU Withdrawal Bill. The ICO determined that the advice is exempt from disclosure under FOIA section 42(1), upholding the NIO's decision not to release the information.
ICO Decision Notice: FOI 17 Upheld Against Public Authority
The UK's Information Commissioner's Office (ICO) has upheld a Freedom of Information (FOI) request against a public authority, finding it failed to complete public interest test considerations within a reasonable time. The authority must now provide a substantive response within 30 days.
ICO Decision Notice: BBC FOI Request on Spanish PM Title
The ICO has issued a decision notice regarding a BBC Freedom of Information (FOI) request concerning the Spanish Prime Minister's title. The ICO upheld the BBC's position that the information, if held, is for journalistic purposes and therefore exempt from FOIA.
ICO Decision on Ealing Council EIR and Personal Data
The UK's Information Commissioner's Office (ICO) issued a decision regarding Ealing Council's handling of an Environmental Information Regulations (EIR) request. The ICO found that the Council correctly withheld information under regulation 13 (third party personal data) and did not require further steps.
ICO Decision Notice: Cornwall Council EIR Complaints
The UK's Information Commissioner's Office (ICO) issued a decision notice regarding complaints against Cornwall Council concerning the Environmental Information Regulations (EIR). The ICO found that while the council disclosed all requested information, it failed to do so within the statutory timeframe and that its internal review was late.
ICO Decision Notice: Greater Manchester Police FOI Complaint
The ICO has upheld a Freedom of Information (FOI) complaint against Greater Manchester Police (GMP). GMP failed to respond to a request for information within the statutory timeframe and did not conduct adequate searches, breaching FOI Act sections 1(1) and 10(1). GMP is now required to disclose specific property-related information.
ICO Decision Notice: FOI 44 Not Upheld
The UK Information Commissioner's Office (ICO) issued a decision notice regarding FOI 44. The ICO found that the Valuation Office Agency (VOA) was entitled to withhold information concerning Council Tax banding changes under section 44(1)(a) of the Freedom of Information Act (FOIA). No further action is required by the VOA.
Spanish DPA Resolution on Procedure Termination
The Spanish Data Protection Agency (AEPD) has issued a resolution terminating procedure EXP202416460. This action signifies the closure of a specific enforcement or administrative process initiated by the agency.
EDPB Adopts 2026-2027 Work Programme for GDPR Compliance
The European Data Protection Board (EDPB) has adopted its work programme for 2026-2027, focusing on making GDPR compliance easier. Key initiatives include developing ready-to-use templates for organizations on legitimate interest assessments, records of processing activities, and privacy notices.
FTC Warns Apple CEO Over Alleged Bias in Apple News Content
The FTC has issued a warning letter to Apple CEO Tim Cook regarding alleged bias in Apple News content. The letter states that if Apple misrepresents its news service or violates its terms of service, it could be in violation of the FTC Act.
FTC Finalizes Order Against Adamas for No-Hire Agreements
The FTC has finalized a consent order against Adamas Amenity Services LLC, requiring the company to cease enforcing no-hire agreements. These agreements restricted building owners from hiring Adamas's employees without penalty, impacting wage and job growth for workers in New Jersey and New York City.
ICO Guidance: Data Protection Complaints Process
The UK's Information Commissioner's Office (ICO) has published new guidance detailing requirements for organisations to establish a data protection complaints process. These requirements, stemming from the Data (Use and Access) Act 2025, will become legally effective on June 19, 2026, but are presented as good practice in the interim.
EDPB Work Programme 2026-2027
The European Data Protection Board (EDPB) has published its Work Programme for 2026-2027. This document outlines the EDPB's priorities and planned activities for the upcoming two-year period, focusing on data protection and GDPR compliance across the EU.
EDPB Report on GDPR Compliance Templates Consultation
The European Data Protection Board (EDPB) has published a report on its public consultation regarding helpful templates for organizations to facilitate GDPR compliance. This report summarizes the feedback received from stakeholders on potential template needs.
AEPD Resolution on Data Protection Access Right Procedure
The Spanish Data Protection Agency (AEPD) issued a resolution regarding a data protection rights procedure, specifically concerning the right of access. The resolution details the process followed after a complaint was filed and notes that the data controller ultimately provided the requested response.
AEPD Resolution: Simyo Denied Voice Recording Access
The Spanish Data Protection Agency (AEPD) issued a resolution against Simyo (Orange España Virtual, S.L.) for denying a consumer's right of access to voice recordings related to a SIM swap. Simyo initially conditioned access on a judicial order, which is not required by law, but later provided the recordings after the complaint.
AEPD resolves identity theft data use complaint against TELFY TELECOM
The Spanish Data Protection Agency (AEPD) has resolved a complaint against TELFY TELECOM for alleged misuse of personal data in an identity theft case. The company failed to respond to a data access request from a customer who was a victim of identity theft, leading to a formal resolution by the AEPD.
ICO Enforcement: Eight Guilty in Nuisance Call Investigation
The UK's Information Commissioner's Office (ICO) announced further convictions in its largest nuisance call investigation, bringing the total prosecuted to 10 individuals. The investigation involved the unlawful accessing and sale of personal data from garages and claims management companies.
EDPB Work Programme 2026-2027
The European Data Protection Board (EDPB) has adopted its work programme for 2026-2027, focusing on enhancing harmonisation, promoting compliance with GDPR, and strengthening enforcement cooperation. The programme outlines key initiatives including new guidelines on AI, consent, and anonymisation, alongside efforts to simplify GDPR compliance for stakeholders.
FTC Sends $103,420 in Refunds to Consumers for Deceptive Marketing
The FTC is sending over $40,700 in refunds to 578 consumers who purchased deceptively marketed products from Golden Sunrise Nutraceutical between July 2017 and July 2020. The refunds stem from a court order against the company and its director for making false health claims.
EDPB-EDPS Joint Opinion on Digital Omnibus Legislative Proposal
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have issued a joint opinion on the Digital Omnibus legislative proposal. This opinion provides their assessment and recommendations on the proposed legislation, which impacts data protection and privacy within the EU.
Belgian DPA Orders Diocese to Delete Baptized Person's Data
The Belgian Data Protection Authority (DPA) has ordered the diocese of Ghent to delete a baptized person's data from the baptismal register. The DPA ruled that the church's legitimate interest in retaining the data does not override the individual's right to erasure under GDPR when they expressly wish to leave the church.
CJEU Rules on IAB EUROPE Case, Belgian DPA Fine
The Court of Justice of the European Union (CJEU) ruled that a structured character string capturing user preferences is personal data and that IAB EUROPE can be considered a joint controller. This decision impacts the Belgian DPA's prior €250,000 fine against IAB EUROPE.
Market Court confirms €250,000 DPA fine in IAB Europe case
The Market Court has confirmed a €250,000 fine imposed by the Belgian Data Protection Authority on IAB Europe. While the original decision was annulled on procedural grounds, the court upheld the reasoning that IAB Europe acts as a joint data controller for user preferences within its Transparency and Consent Framework.
Market Court refers FATCA data transfer questions to CJEU
The Belgian Market Court has referred 13 preliminary questions to the Court of Justice of the European Union (CJEU) regarding the FATCA agreement and data transfers to the US. This action seeks clarification on the compatibility of the agreement with EU data protection laws, including GDPR and Directive 95/46/EC.
Garante Privacy Fines Nursery, Approves IT-Wallet, CEREBRO, AI in Schools
The Italian Garante Privacy has fined a nursery school €10,000 for privacy violations related to children's photos and video surveillance. The authority also approved the experimentation of IT-Wallet, the use of CEREBRO for asset investigations, and issued guidelines for AI in schools.
GDPR Fines and Guidance on AI, Healthcare, and Public Transparency
The Italian Data Protection Authority (Garante privacy) issued a newsletter detailing several enforcement actions and guidance. Fines were issued to a bank (€100,000) and a municipality for transparency violations, and a hospital (€80,000) for improper access to patient health records. Global data protection authorities also affirmed that data protection fully applies to AI.
Hospital Fined €70k for Data Breach; FAQs on Public Tender Data Published
The Italian Data Protection Authority (Garante privacy) has fined a company managing a hospital €70,000 for the unauthorized disposal of a patient's tissue sample and failure to notify a data breach. The newsletter also announced new FAQs on data processing and transparency in public tenders.
Garante Privacy Fines Verisure Italia and Aimag for GDPR Violations
The Italian Data Protection Authority (Garante Privacy) has fined Verisure Italia €400,000 for unlawful marketing practices and Aimag for inadequate security measures. Both companies are ordered to cease unlawful data processing and comply with GDPR.
GDPR Fines for Employee Monitoring and Email Privacy
The Italian DPA has issued a €120,000 fine to an agricultural seed company for unlawfully monitoring employee driving habits via company vehicles. The newsletter also covers GDPR implications for accessing a dismissed employee's email and new tools against telemarketing.
IMY Fines Trygg-Hansa SEK 35 Million for Data Exposure
The Swedish Authority for Privacy Protection (IMY) has issued an administrative fine of SEK 35 million against Trygg-Hansa. This action follows a data exposure incident where information for 650,000 customers was accessible to unauthorized persons via the internet for over two years.
Administrative Fine for Data Collection Without Security
The Swedish Privacy Protection Authority (IMY) has issued an administrative fine of SEK 100,000 against the Equality Ombudsman (DO) for insufficient security measures during personal data collection via a web form. The incident led to the inadvertent disclosure of approximately 500 tips and complaints.
GDPR Breach Fines for SL Group Companies
The Swedish Authority for Privacy Protection (IMY) has issued administrative fines of SEK 75,000 each to Aktiebolaget Storstockholms Lokaltrafik (SL) and Waxholms Ã…ngfartygs AB (WÃ…AB). The fines were imposed for processing personal data related to employee sobriety tests in breach of the GDPR, specifically regarding excessive data storage and handling of potentially sensitive health data.
Apoteket and Apohem Fined for GDPR Violations
The Swedish Authority for Privacy Protection (IMY) has fined Apoteket AB SEK 37 million and Apohem AB SEK 8 million for GDPR violations. The companies improperly transferred sensitive personal data to Meta via the Meta Pixel tool, failing to implement adequate protective measures.
Sportadmin Fined SEK 6 Million for GDPR Data Leak
The Swedish Authority for Privacy Protection (IMY) has imposed an administrative fine of SEK 6 million on Sportadmin following a data leak that exposed personal data of over 2.1 million individuals. The authority found that Sportadmin did not maintain an appropriate level of security to protect the data, violating GDPR Article 32.
AEPD Resolves GDPR Breach: 492 Individuals' Data Published
The Spanish Data Protection Agency (AEPD) has initiated a sanctioning procedure against the ConsejerÃa de Hacienda y Administración Pública of the Junta de Extremadura for publishing the personal data (name, surname, and DNI) of 492 individuals on its website. The data was published without consent as part of a public employment selection process and has been accessible since September 2019.
Spanish DPA Resolution on Data Rights Claim
The Spanish Data Protection Agency (AEPD) has issued a resolution regarding a data rights claim (EXP202517310). The claimant exercised their right of access, and after initial non-compliance, the respondent has now demonstrated that the right was attended to and a response was provided.