Data Economy, Privacy and Cybersecurity Newsletter - April 2025

In this newsletter, we offer the latest updates on everything related to the data economy (technology law, technological innovations, artificial intelligence, digital law, e-Commerce), privacy (data protection and related fundamental rights), and cybersecurity (information security and the protection of the networks and systems that process it). We cover the most recent rulings from relevant authorities and agencies, key court decisions, and the most important news in this field.
The European Commission continues unpacking the Artificial Intelligence Act: definition of artificial intelligence system and the general-purpose AI code of practice
Alejandro Padín
On February 6, the European Commission published guidelines to help the various operators in the artificial intelligence environment determine whether they are dealing with an artificial intelligence system within the meaning of Regulation (EU) 2024/1689 on artificial intelligence. Additionally, on March 11, it published the third draft of the general-purpose AI code of practice. In the following article, we unpack the key points of both documents.
Data protection authorities’ decisions
- AEPD fines an insurance company €5 million for leaking the data of millions of customers
- A streaming platform has been fined €4.75 million for not properly informing about the processing of data
- Polish data protection supervisory authority imposes a €928,498.06 fine on a bank for failing to inform its customers of a personal data breach
- CNIL imposes a €40,000 fine on a company in the real estate sector for carrying out excessive monitoring of its employees
- Telecommunications company fined twice for infringing article 5.1 f) and article 32 GDPR due to a security breach
- Two entities fined for publishing images of minors online without their consent
- Finnish supervisory authority imposes €2.4 million fine on a postal service company for breach of article 5 and article 6.1 GDPR
- According to the AEPD, the use of encrypted biometric templates for attendance control constitutes a processing of biometric data
- CNIL imposes €50 million fine on telephone operator for displaying covert advertising without proper consent
- Double sanction in relation to video surveillance for installing a system that captures images on a public thoroughfare without administrative authorization and without providing the mandatory information
- A media outlet has been fined €10,000 for publishing an individual's name
- Italian data protection authority fines OpenAI €15 million for collecting personal data to train ChatGPT
- Confirmation of a €200,000 fine on a telecommunications company for making a duplicate SIM card requested by a person who was not the owner of the line
- Vacation rental property owner sanctioned for unlawfully obtaining images of guests' ID cards
- A cardboard packaging company has been sanctioned for two GDPR infringements
- A team’s club has been fined €200,000 for infringing article 5.1 c) GDPR by installing a facial recognition system for access to its stadium
- A securities brokerage firm is asked to comply with the right of access requested by the complainant
- Catalan data protection authority fines a health care services company €30,000 for accessing medical records
Judgments
- The EU General Court reaffirms the EDPB's ability to require additional investigations where preliminary decisions by a lead supervisory authority do not adequately address relevant aspects of a case
- The exception to the obligation to inform the data subject applies to all personal data that the controller has not obtained directly
- Supreme Court permits an appeal on public authorities’ duties of transparency in the use of computer programs
- Confirmation of sanction against CSIC for publishing incorrectly anonymized information online
- Member states can lay down more specific rules to ensure the protection of rights and freedoms, but without circumventing the obligations under other GDPR provisions
- The collection of data regarding titles such as "Mr" or "Mrs" cannot be covered by the legal basis for the performance of a contract
- CJEU limits the denial of claims on the ground of excess in data access requests
News update
- Approval of new list of unwanted advertising validated by the AEPD: Stop Advertising List
- Italian data protection authority (GARANTE) orders blocking of DeepSeek in Italy
- European Commission publishes guidelines on practices prohibited by the Artificial Intelligence Act
- Catalan data protection authority (APDCAT) unveils a groundbreaking model in Europe for developing AI solutions respectful of fundamental rights
- Chile adopts new Personal Data Law
- Royal Decree 1154/2024, of November 19, 2024 on the issuing of provisional passports and laissez passer secure travel documents
- AEPD supports the storage of data in hospitality records, but suggests safeguarding copies to guests
- EDPB clarifies rules on the exchange of data with third-country authorities and approves EU data protection seal certification
- EDPB submits a letter to the European Commission on the review of its eleven adequacy decisions adopted under Directive 95/46/EC (December 6, 2024)
- EDPS reprimands the European Commission for use of targeted ads on X
- EDPB adopts an opinion on use of personal data for development and deployment of AI models
- Noyb sues TikTok, Shein and Xiaomi for unlawful transfer of data from Europeans to China
- A European action analyses implementation of the right of access by controllers
- EDPB publishes Opinion 01/2025 on the draft decision of the French supervisory authority regarding the Controller Binding Corporate Rules of the Coface Group
- Chilean National Cybersecurity Agency starts operating and Daniel Álvarez Valenzuela is appointed as director
- Mexico: The new Federal Law on the Protection of Personal Data in Possession of Private Parties introduces concepts such as the privacy notice and eliminates the INAI
