On June 19, 2025, the French Data Protection Authority (“CNIL”) published two recommendations for AI developers. The first recommendation covers reliance on the GDPR’s legitimate interest legal basis for developing an AI model. It provides examples of legitimate interests that can justify the use of personal data for AI development. The second recommendation discusses measures to implement when collecting personal data through “web scraping.” It provides a list of measures that, if followed, will ensure compliance with the GDPR’s accountability principle.Continue Reading CNIL Publishes Recommendations on Legitimate Interest as a Legal Basis for AI Training
Legal Basis
CJEU Finds Customers’ Title Is Not Necessary Data For The Purchase Of A Train Ticket
By Kristof Van Quathem & Alix Bertrand on
On January 9, 2025, the Court of Justice of the European Union (“CJEU”) issued a decision on the GDPR’s lawfulness and data minimization principles.
The case arose after a French association (“Mousse”) complained to the French Supervisory Authority (“CNIL”) about the fact that France’s main train company SNCF requires customers to indicate their title and gender identity by ticking either “Sir” or “Madam” when purchasing a train ticket online. Mousse considered that such a mandatory requirement could not be justified under the “contractual performance” or “legitimate interests” legal bases set out in Article 6 GDPR, and infringed the GDPR’s principles of lawfulness, data minimization and transparency.
The CNIL dismissed the complaint, and Mousse appealed the CNIL’s decision before the French Administrative Supreme Court (“Conseil d’Etat”), which stayed the proceedings to refer some questions to the CJEU.Continue Reading CJEU Finds Customers’ Title Is Not Necessary Data For The Purchase Of A Train Ticket
Austrian Supervisory Authority Issues Decision on the Collection of Personal Data by Credit Referencing Agency
Posted in European Union
On March 24, 2023, the Austrian Supervisory Authority (“Austrian SA”) held that a credit referencing agency (“Agency”) breached the GDPR by unlawfully processing personal data obtained from a third party in order to process it to conduct credit assessments. It decided that the Agency breached the GDPR’s principle of lawfulness because it did not have a valid legal basis to process the personal data. This case will be relevant for organizations assessing their lawful basis for processing personal data.Continue Reading Austrian Supervisory Authority Issues Decision on the Collection of Personal Data by Credit Referencing Agency
Brazil’s ANPD Launches Public Consultation on the Processing of Minors’ Personal Data
Posted in Children's Privacy, Data Privacy
On September 8, 2022, the Brazilian Data Protection Authority (“ANPD”) launched a public consultation on the processing of minors’ personal data (encompassing children under 12-years-old and adolescents between the ages of 12- and 18-years-old). The consultation will conclude on October 7, 2022. According to the ANPD, the purpose of the consultation is to resolve divergent interpretations among public authorities, academics, privacy professionals, and representatives of civil society regarding the Brazilian Data Protection Law’s (“LGPD”) provision on the processing of minors’ personal data (Article 14). The Authority will use the feedback it receives to draw up guidelines on the topic and, possibly, amend the LGPD.Continue Reading Brazil’s ANPD Launches Public Consultation on the Processing of Minors’ Personal Data
ICO Issues COVID-19 Guidance for Employers
By Dan Cooper on
Posted in COVID-19
On May 11, 2020, the UK Information Commissioner’s Office (“ICO”) published guidance on how employers should handle data in the event they choose to test their employees for COVID-19.
The guidance provides a clear reminder that employers must comply with both the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 (“DPA”), and that health data, in particular, attracts additional protections.
Continue Reading ICO Issues COVID-19 Guidance for Employers
COVID-19, Scientific Research and the GDPR – Some Basic Principles
By Dan Cooper & Kristof Van Quathem on
As scientists work around the clock to gain insights into the Corona virus and how to fight it, public and private-sector stakeholders are in discussions to promote the rapid exchange of scientific data. During these discussions, the GDPR acronym inevitably rears its head and casts doubt over what is lawful.
Continue Reading COVID-19, Scientific Research and the GDPR – Some Basic Principles
French Supervisory Authority Publishes Guidance for Website and App Developers
On January 27, 2020, the French Supervisory Authority (“CNIL”) issued a guidance for developers of websites and applications which sets out the main principles of the General Data Protection Regulation (“GDPR”), expounds on their application in the online environment, and gives practical tips to help developers respect users’ privacy when deploying websites and apps.
The guidance consists of 17 recommendations, each covering a key principle supported by additional advice and examples. Below, we list all 17 of these recommendations and provide a brief summary of the CNIL’s advice related to each.Continue Reading French Supervisory Authority Publishes Guidance for Website and App Developers
Real Estate Company Fined € 14.5 Million in Germany for Violating GDPR Principle of Privacy By Design
By Lars Lensdorf on
Posted in EU Data Protection, European Union
On October 30, 2019, the supervisory authority (“SA”) of Berlin issued a € 14.5 million fine against the real estate company Deutsche Wohnen SE for storing personal data of tenants without a legal basis (Art. 6 GDPR) and for not implementing the GDPR principle of privacy by design (Art. 5…
Continue Reading Real Estate Company Fined € 14.5 Million in Germany for Violating GDPR Principle of Privacy By Design
European Data Protection Board Issues Opinion on U.S. CLOUD Act
By Kristof Van Quathem & Nicholas Shepherd on
On July 10, 2019, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) issued a joint assessment of the impact of the U.S. Clarifying Overseas Use of Data Act (“CLOUD Act”) on the legal framework for the protection of personal data in the EU.
The EDPB is an independent body composed of representatives from the EU Member States’ Supervisory Authorities for data protection, the national bodies enforcing EU data protection law, such as the General Data Protection Regulation (“GDPR”). The EDPS is a separate European body whose primary role is to ensure that European institutions respect data protection law. Though separate bodies, the EDPB and EDPS (hereafter “the institutions”) work jointly on some matters. Opinions issued by the institutions are not legally binding, but may be influential and are indicative of the stance of European privacy regulators regarding certain issues.
The institutions note that the extraterritorial effect of the CLOUD Act could result in service providers being “susceptible to facing a conflict of laws between US law and the GDPR and other applicable EU or national law of the Member States.”Continue Reading European Data Protection Board Issues Opinion on U.S. CLOUD Act
EDPB Begins Consultation on New Guidelines on Use of the “Performance of a Contract” GDPR Legal Basis by Online Services
By Inside Privacy on
On 9 April 2019, the European Data Protection Board (“EDPB”) adopted new guidelines “on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects.”
In general, the GDPR requires that processing of personal data be justified under a legal…
Continue Reading EDPB Begins Consultation on New Guidelines on Use of the “Performance of a Contract” GDPR Legal Basis by Online Services