It is a short overview of the guideline by the German Federal Office for Information Security (BSI) and French Agence nationale de la sécurité des systèmes d‘information Secrétariat général de la défense et de la sécurité nationale.

On 19 June 2025 new legislation - Data Use and Access Act - received a Royal Assent and brings changes to the DPA Act 2018, UK GDPR and PECR.

Tracking pixels are tiny, invisible images embedded in emails that report when and where messages are opened. Although they deliver useful insights for email campaigns, they also handle personal data and must comply with privacy rules such as the GDPR.

This is the practical guide which will help e-commerce business to follow the rules and protect privacy of its clients.

In March 2025, the California Privacy Protection Agency (CPPA) issued its enforcement decision under the California Consumer Privacy Act (CCPA) against American Honda Motor Co., Inc. The order followed an investigation that identified four major areas where Honda’s practices failed to comply with the CCPA and cost more than $600,000.

In a recent ruling, the Court of Justice of the European Union (CJEU) addressed the right of access to information in cases of automated decision-making and profiling under the GDPR. The case, CK v Magistrat der Stadt Wien and Dun & Bradstreet Austria GmbH (Case C-203/22), examined the extent to which individuals are entitled to receive meaningful information about the logic behind automated decision-making processes, as well as the balance between transparency and the protection of trade secrets.

This case study examines ILVA A/S v. Danish Public Prosecutor, a CJEU ruling that clarifies whether GDPR fines should be based on the revenue of an individual company or its entire corporate group. The case is significant because it aligns GDPR enforcement with EU competition law principles and could increase the financial penalties for subsidiaries of multinational groups.

The digitalization of services has led to increasingly complex interactions between data protection law and business practices. At the core of Mousse v. CNIL & SNCF Connect, the Court of Justice of the European Union (CJEU) was asked to determine whether a company can require customers to select a gendered title (“Mr.” or “Ms.”) when purchasing travel tickets.

We continue the exploration of direct marketing around the EU. This article describes the regulatory framework governing direct marketing in Denmark, Sweden and Norway.