New adequacy decision for Brazil
The EU Commission adopted an adequacy decision for Brazil in its implementing decision of 26 January 2026. This means that personal data can
CNIL imposes fine of €3.5 million: Failure to conduct a DPIA can be costly
France’s data protection authority, CNIL, fined a company €3.5 million for, among other things, failing to conduct a data protection impact assessment (DPIA). What
Improper use of data by a processor: CNIL imposes million-euro fine
In December 2025, the French data protection authority CNIL imposed a fine of €1 million on Mobius Solutions, an IT service provider
Google reCAPTCHA: New GDPR responsibility
From 2 April 2026, Google will take on a new GDPR role for reCAPTCHA. Instead of acting as a controller, Google will act as
Berlin Administrative Court: businesses must provide information to data protection authorities
In a recent ruling, the Berlin Administrative Court strengthened the investigative powers of the data protection supervisory authorities. The plaintiff was a
Joint controllership in practice: Tracking providers are liable for missing cookie consents
Since the ECJ’s “Fashion ID” ruling in 2019, it has been clear that a website operator is a joint data controller with
How Privacy Certifications Drive Business Success
We’re proud to share that ZTE, one of our long-term clients and global leader in the Information and Communication Technology industry, has
NIS-2: The registration period has started
On January 6, 2026, the BSI portal for registering companies affected by NIS-2 was activated.Therefore, if you have not already done so,
EU “Omnibus” could mean a paradigm shift for cookie consent
In an earlier client update, we reported on the possible effects of the EU’s planned “Omnibus” reform. Of particular relevance is the
Digital Omnibus: Overview of proposed changes to the GDPR
With the Digital Omnibus, European legislators are planning important changes to the GDPR. Below is a brief overview of the current proposal