DPC Inquiry into TikTok Data Transfers to China

The Irish Data Protection Commission (DPC) has opened an inquiry into TikTok Technology Limited regarding the transfer of EEA users' personal data to servers in China. This follows TikTok's admission that limited data was stored in China, contrary to previous evidence provided to the DPC.

Data Protection Commission Opens Inquiry into Children's Health Ireland

The Data Protection Commission (DPC) has opened a formal inquiry into Children's Health Ireland (CHI) concerning the security of children's health records at Tallaght University Hospital. The inquiry follows protected disclosures and a breach notification, and will examine CHI's GDPR compliance regarding physical data security.

CJEU Rules Pre-Ticked Checkboxes Invalid for Cookie Consent

The European Court of Justice (CJEU) ruled that pre-ticked checkboxes are invalid for obtaining cookie consent. This decision, welcomed by data protection authorities, clarifies that active user behavior is required for valid consent regarding data processing.

Bundestag Strengthens Data Protection Authority

The German Bundestag's Budget Committee has allocated an additional 67 posts to the Federal Commissioner for Data Protection and Freedom of Information (BfDI) for the upcoming year. This funding aims to enhance supervision of security authorities, support new digitalization tasks in the health sector, and improve international cooperation.

BfDI Fines 1&1 Telecom EUR 9.55M and Rapidata EUR 10k under GDPR

Germany's Federal Commissioner for Data Protection and Freedom of Information (BfDI) has fined 1&1 Telecom GmbH EUR 9.55 million for insufficient technical and organizational measures to protect customer data and Rapidata GmbH EUR 10,000 for failing to appoint a data protection officer. These actions underscore the enforcement of GDPR provisions.

EDPB Agrees on GDPR Evaluation and Suggests Cooperation Improvements

The European Data Protection Board (EDPB) has agreed to contribute to the European Commission's evaluation of the GDPR. The EDPB suggests improvements in cooperation between data protection authorities and revisions to standard contractual clauses for data transfers.

ECJ Invalidates Privacy Shield, Impacts International Data Transfers

The European Court of Justice (ECJ) has declared the EU-US Privacy Shield invalid, impacting international data transfers. The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) stated that companies and authorities can no longer rely on the Privacy Shield for data exchange with the USA, requiring special safeguards and adherence to fundamental rights.

France Travail fined €5 million for data security breach

The CNIL has fined FRANCE TRAVAIL (formerly Pôle Emploi) €5 million for failing to implement adequate security measures to protect job seeker data, following a hack in early 2024. The fine addresses inadequate technical and organizational measures, including weak authentication and logging.

CNIL Work Programme 2026-2028 on Data Economy

The CNIL has published its work programme for 2026-2028, focusing on understanding data-related business models and measuring the economic impact of its decisions. The programme aims to deepen expertise in data protection's economic implications and contribute to public debate on the data economy.

CNIL Annual Report: 2025 Fines and Sanctions

The CNIL reported imposing €486.8 million in fines and 83 sanctions in 2025, primarily for violations related to cookies, employee monitoring, and data security. The report details 143 compliance orders and 31 reminders of legal obligations issued during the year.