Gibson Dunn | Europe | Data Protection – May 2025
Client Alert | June 16, 2025
Europe
28/05/2025
European Data Protection Board | Agenda | GDPR Simplification
The European Data Protection Board (EDPB) has published the agenda of its 106th plenary session, including discussions on a request for a joint opinion with the European Data Protection Supervisor (EDPS) on the European Commission’s draft proposal for the simplification of record-keeping obligations under Article 30(5) of the GDPR.
This follows a letter addressed by the EDPB and the EDPS to the European Commission on the upcoming proposal, expressing preliminary support for the proposed simplification. However, the EDPB and EDPS asked the Commission to better assess the impact on affected organizations and to ensure a fair balance between data protection and business interests.
For more information: Agenda of the 106th EDPB Meeting, Joint Letter
19/05/2025
European Digital Rights | Open Letter | Reopening of GDPR
The European Digital Rights (“EDRi”) and 107 other civil society organisations published an open letter calling on the European Commission not to reopen the GDPR.
The EDRi expresses concerns about ongoing efforts to reopen the GDPR, considering that this could make the regulation more vulnerable to broader deregulatory demands. It also points to the geopolitical context and the influence of foreign commercial and political actors on the EU digital regulatory landscape.
For more information: EDRi Website
16/05/2025
European Data Protection Board | Letter | In-Car Video Cameras and Dashcams
The European Data Protection Board (“EDPB”) published a letter in response to an inquiry from a member of the European Parliament outlining concerns on the growing use of in-car video cameras and dashcams.
The EDPB recalled that it has already issued relevant guidelines, in particular guidelines on processing of personal data through video devices, which are complemented by guidance and communication adopted by national data protection authorities.
For more information: EDPB Website
16/05/2025
European Supervisory Authorities | DORA | Registers of Information
The European Supervisory Authorities (“ESAs”) updated the Observations from reporting of Registers of Information (“ROI”) under the Digital Operational Resilience Act (DORA).
Originally published on April 16, 2025, the observations provide an overview of common issues identified in the reporting of the ROI and provide explanations of the most common errors.
For more information: EBA Website
07/05/2025
European Commission | Formal Requests | NIS 2 Directive
The European Commission has issued formal requests to 19 Member States to fully transpose the NIS2 Directive into national law.
As a reminder, the deadline for transposition was October 17, 2024. Member States – such as France, Germany, the Netherlands – now have two months to take the necessary measures. Failure to comply may result in referral to the Court of Justice of the European Union.
For more information: European Commission Website
06/05/2025
European Data Protection Board | Opinion | UK Adequacy Decisions
The European Data Protection Board (“EDPB”) adopted an opinion on the European Commission’s proposal to extend the validity of the UK adequacy decisions under the GDPR and the Law Enforcement Directive, which will expire on June 27, 2025.
The EDPB opinion acknowledges the need for an extension due to the ongoing data protection reform in the UK. However, it does not address the level of protection in the UK, which will be evaluated by the EDPB if new draft adequacy decisions are proposed.
For more information: EDPB Website
Denmark
15/05/2025
Danish Supervisory Authority | Guidance | Cookies
The Danish Supervisory Authority (“Datatilsynet”) and the Danish Agency for Digital Government have issued joint guidelines on cookies and similar technologies.
The guidelines are intended to help website and app providers comply with both the Danish Cookie Order and the GDPR. They clarify consent requirements, highlight common compliance pitfalls, and provide practical recommendations for implementing compliant practices.
For more information: Datatilsynet Website [DA]
France
22/05/2025
French Supervisory Authority | Fines | Simplified Procedure
The French Supervisory Authority (“CNIL”) announced ten new sanctions issued under its simplified procedure, totaling €104,000.
The majority of the cases involved employee monitoring, specifically through video surveillance and the geolocation of company vehicles. The CNIL found various breaches, including failure to comply with the principles of data minimization and storage limitation. In one instance, a company was fined for insufficient password policy and poor management of access rights to its video surveillance system.
For more information: CNIL Website [FR]
06/05/2025
French Supervisory Authority | Guidance | Augmented Cameras at Self-checkouts
The French Supervisory Authority (“CNIL”) published guidance on the use of augmented cameras at self-checkouts.
The CNIL explains how augmented cameras function, and clarifies that the data processed cannot be considered anonymous since individuals can be re-identified. In addition, it considers that legitimate interest is a possible legal basis, provided that the use of such cameras is necessary for the intended purpose and does not disproportionately infringe on individuals’ rights.
For more information: CNIL Website [FR]
05/05/2025
French Council of State | CJEU Referral | Consent and Direct Marketing
A French media and entertainment company has appealed to the French Council of State (“Conseil d’Etat”) to annul a fine of €60,000 imposed by the French Supervisory Authority (“CNIL”) for conducting marketing campaigns without valid consent.
In 2023, the CNIL found that the company had run marketing campaigns using personal data obtained from internet service providers, which had collected such data via consent forms referring vaguely to “partners” without naming them. The CNIL concluded the company processed this data without obtaining informed consent, which the company challenged before the Conseil d’Etat. To resolve the dispute, the Council has referred to the Court of Justice of the European Union the question of whether a data subject’s consent – given to a primary collector for use by unnamed “partners” – constitutes valid consent, or whether each recipient, if not identified at the time of collection, must obtain separate consent before using the data for marketing purposes.
For more information: Conseil d’Etat Website [FR]
02/05/2025
French Parliament | Transposition | Representative Actions Directive
France has transposed the EU Directive 2020/1828 on representative actions for the protection of collective interests of consumers through Law No. 2025-391 of 30 April 2025, published in the Official Journal on May 2, 2025.
The new framework strengthens consumers’ ability to seek collective redress by establishing a unified regime for representative actions, replacing the previous sector-specific approach.
For further information: Official Journal [FR]
Germany
20/05/2025
Federal Commissioner for Data Protection and Freedom of Information | AI Questionnaire
The Federal Commissioner for Data Protection and Freedom of Information (BfDI) has published a questionnaire providing guidance on the data protection-compliant implementation of AI.
The questionnaire is intended to help controllers assess data protection-related topics when implementing AI systems. It includes core questions companies should evaluate when operating AI systems, including the legal basis for data processing, the differentiation between controller and processor, and general compliance with the principles relating to the processing of personal data.
For more information: BfDI Website [DE]
20/05/2025
Hesse and Brandenburg Supervisory Authorities | Annual Activity Reports
The Hesse and Brandenburg supervisory authorities (HBDI and LDA) published their annual activity reports.
The reports include assessments of the lawfulness of advertising practices, in particular the practice of web shops sending electronic reminders asking consumers whether they would like to finish their purchase. When visitors to a web shop select one or more goods, start the ordering process (including entering their e-mail address), then cancel the order and leave the web shop without concluding a purchase, advertising (such as a reminder about their purchase) may only be sent to these persons under certain conditions. The HBDI concludes that such an electronic reminder constitutes advertising and is generally only permitted with express consent within the meaning of Article 6(1)(a) GDPR in conjunction with Section 7 of the Federal Act against Unfair Competition (UWG).
For more information: HBDI Website [DE]
19/03/2025
Administrative Court of Hannover | Judgement | Cookie Banners
In a recently published decision, the Administrative Court of Hannover (VG Hannover) stated again that a cookie consent banner must contain the option to reject all cookies.
According to the court, websites must include a clearly visible “Reject All” button on the first level of cookie consent banners if they offer an “Accept All” option, reinforcing users’ data protection rights. The court found that manipulative banner designs using misleading labels, and hiding key information, violate the GDPR and the Telecommunications-Digital Services Data Protection Act (TDDDG).
For more information: LfD Website [DE]
Italy
19/05/2025
Italian Supervisory Authority | Fine | AI Chatbot
The Italian Supervisory Authority (“Garante”) fined a company operating an AI-powered chatbot €5 million for multiple GDPR violations.
The Garante found that the company had not identified a valid legal basis for processing, failed to provide sufficient information in its privacy policy, and did not implement effective age verification mechanisms.
For more information: Garante Website
07/05/2025
Italian Supervisory Authority | Fine | Telemarketing
The Italian Supervisory Authority (“Garante”) imposed a €3 million fine on a gas and electricity provider and €850,000 on other companies for unlawful telemarketing practices.
The Garante noted that the companies operated within a network for procuring energy supply contracts. It concluded that they made promotional phone calls without individuals’ consent and did not implement adequate security measures to ensure that such activities complied with data protection regulations.
For more information: Garante Website [IT]
05/05/2025
Italian Supervisory Authority | Public Consultation | Consent or Pay Model
The Italian Supervisory Authority (“Garante”) launched a public consultation to assess the lawfulness of the “Consent or Pay” model.
As a reminder, the “Consent or Pay” model requires users either to consent to the processing of their personal data or to agree to a paid subscription in order to access online content, services or features. The consultation more specifically focuses on newspaper publishers. Stakeholders can contribute until June 28, 2025.
For more information: Garante Website [IT]
Spain
26/05/2025
Spanish Supervisory Authority | Annual Report | 2024
The Spanish Supervisory Authority (“AEPD”) published its 2024 annual report.
The AEPD received 18,855 complaints in 2024, primarily concerning video surveillance, online services, commerce, transport and hospitality. The authority issued 281 resolutions, which included administrative fines totaling over €35.5 million. Data breaches accounted for 37% of the total fines (€13.18 million).
For more information: AEPD Website [ES]
07/05/2025
Spanish Supervisory Authority | FAQs | Chatbot
The Spanish Supervisory Authority (“AEPD”) has implemented a virtual assistant on its website to facilitate the quick resolution of common questions related to data protection and privacy.
According to the AEPD, the chatbot handles more than 3,000 questions per month and maintains a user satisfaction rate of nearly 80%.
For more information: AEPD Website [ES]
Sweden
19/05/2025
Swedish Supervisory Authority | Guidance | Customer Data Sharing Between Banks
The Swedish Supervisory Authority (“IMY”) published a report on the sharing of customer data between banks in order to combat money laundering, terrorist financing and fraud.
The report was prepared in collaboration with Swedish banks as part of IMY’s regulatory sandbox initiative. The IMY highlights the need for a legislative change to enable effective data sharing in the sector.
For more information: IMY Website [SW]
United Kingdom
19/05/2025
National Cyber Security Centre | Guidance | Cybersecurity for Organizations
The National Cyber Security Centre (“NCSC”) has released “Top Tips for Staff”, an e-learning package to help organizations address common cybersecurity challenges.
The training covers essential topics such as using strong passwords, securing devices, recognizing phishing attempts, and reporting security incidents. It is particularly aimed at supporting SMEs, charities and the voluntary sector.
For more information: NCSC Website
13/05/2025
Information Commissioner’s Office | Consultation | Encryption
The Information Commissioner’s Office (“ICO”) has opened a consultation on its draft updated guidance on encryption.
The draft guidance focuses on the relationship between encryption and data protection and concentrates on data storage and data transfer as the primary use cases for encryption. The consultation remains open until June 24, 2025.
For more information: ICO Website
07/05/2025
National Cyber Security Centre | Code of Practice | Software Security
The National Cyber Security Centre (“NCSC”) and the Department for Science, Innovation and Technology (“DSIT”) have published the Software Security Code of Practice, a voluntary framework for technology providers.
The code establishes a baseline for cybersecurity expectations across the software industry. It provides a framework to help organizations to measure their progress and includes practical guidance for software vendors.
For more information: NCSC Website
02/05/2025
Information Commissioner’s Office & National Cyber Security Centre | Statement | Cyber Incidents Impacting Retailers
The Information Commissioner’s Office (“ICO”) and the National Cyber Security Centre (“NCSC”) have issued statements on recent cyber incidents impacting retailers.
The ICO confirmed that it has received reports from impacted retailers and sent enquiries to these organizations. Meanwhile, the NCSC stated that it is working closely with them to provide support and mitigate the impact of the incidents.
For more information: ICO Website and NCSC Website
Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Privacy, Cybersecurity & Data Innovation practice group:
Privacy, Cybersecurity, and Data Innovation:
United States:
Abbey A. Barrera – San Francisco (+1 415.393.8262, abarrera@gibsondunn.com)
Ashlie Beringer – Palo Alto (+1 650.849.5327, aberinger@gibsondunn.com)
Ryan T. Bergsieker – Denver (+1 303.298.5774, rbergsieker@gibsondunn.com)
Keith Enright – Palo Alto (+1 650.849.5386, kenright@gibsondunn.com)
Gustav W. Eyler – Washington, D.C. (+1 202.955.8610, geyler@gibsondunn.com)
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650.849.5203, cgaedt-sheckter@gibsondunn.com)
Svetlana S. Gans – Washington, D.C. (+1 202.955.8657, sgans@gibsondunn.com)
Lauren R. Goldman – New York (+1 212.351.2375, lgoldman@gibsondunn.com)
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, shandler@gibsondunn.com)
Natalie J. Hausknecht – Denver (+1 303.298.5783, nhausknecht@gibsondunn.com)
Jane C. Horvath – Washington, D.C. (+1 202.955.8505, jhorvath@gibsondunn.com)
Martie Kutscher Clark – Palo Alto (+1 650.849.5348, mkutscherclark@gibsondunn.com)
Kristin A. Linsley – San Francisco (+1 415.393.8395, klinsley@gibsondunn.com)
Timothy W. Loose – Los Angeles (+1 213.229.7746, tloose@gibsondunn.com)
Vivek Mohan – Palo Alto (+1 650.849.5345, vmohan@gibsondunn.com)
Rosemarie T. Ring – San Francisco (+1 415.393.8247, rring@gibsondunn.com)
Ashley Rogers – Dallas (+1 214.698.3316, arogers@gibsondunn.com)
Sophie C. Rohnke – Dallas (+1 214.698.3344, srohnke@gibsondunn.com)
Eric D. Vandevelde – Los Angeles (+1 213.229.7186, evandevelde@gibsondunn.com)
Benjamin B. Wagner – Palo Alto (+1 650.849.5395, bwagner@gibsondunn.com)
Frances A. Waldmann – Los Angeles (+1 213.229.7914, fwaldmann@gibsondunn.com)
Debra Wong Yang – Los Angeles (+1 213.229.7472, dwongyang@gibsondunn.com)
Europe:
Ahmed Baladi – Paris (+33 1 56 43 13 00, abaladi@gibsondunn.com)
Patrick Doris – London (+44 20 7071 4276, pdoris@gibsondunn.com)
Kai Gesing – Munich (+49 89 189 33-180, kgesing@gibsondunn.com)
Joel Harrison – London (+44 20 7071 4289, jharrison@gibsondunn.com)
Lore Leitner – London (+44 20 7071 4987, lleitner@gibsondunn.com)
Vera Lukic – Paris (+33 1 56 43 13 00, vlukic@gibsondunn.com)
Lars Petersen – Frankfurt/Riyadh (+49 69 247 411 525, lpetersen@gibsondunn.com)
Christian Riis-Madsen – Brussels (+32 2 554 72 05, criis@gibsondunn.com)
Robert Spano – London/Paris (+44 20 7071 4000, rspano@gibsondunn.com)
Asia:
Connell O’Neill – Hong Kong (+852 2214 3812, coneill@gibsondunn.com)
Jai S. Pathak – Singapore (+65 6507 3683, jpathak@gibsondunn.com)
© 2025 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.