Live Blog

The Dutch Data Protection Authority (AP) has fined International Card Services B.V. (ICS) 150,000 euros for not conducting a required Data Protection Impact Assessment (DPIA), as mandated by the General Data Protection Regulation (GDPR). DPIAs are crucial for organizations to systematically identify and mitigate privacy risks associated with processing personal data.The CNIL investigated Amazon France after press articles were published on the practices implemented by Amazon France and after receiving numerous complaints from employees.

In December 2023, the Court of Justice of the European Union (CJEU) ruled on the matter of data controller liability for processing activities carried out by its processor. In case C-683/21, the Court stated that there are limits to this. In other words, the controller-processor relationship is not by itself sufficient, if:

On 20 July 2021, the European Commission adopted a proposal for an anti-money laundering (AML) legislative package that has a major impact on financial institutions. This package aims to harmonize the existing AML legal framework in the European Union and to increase the effectiveness of the fight against money laundering and terrorist financing. In May 2022, the European Data Protection Board (EDPB) raised concerns about the proposed legislation. Specifically, the proposed AML package contains a Regulation for the prevention of money laundering and terrorist financing for the financial sectors (the Proposed Regulation) which appears to contradict with the GDPR on several counts and poses challenges for financial institutions in terms of data protection and GDPR compliance. On the one hand, you have a regulation which compels financial institutions to collect vast amounts of (special) personal data on a person in the name of combatting money-laundering and terrorist financing, while on the other hand, the GDPR compels those same institutions to collect as little personal data as possible. This blog aims to assess what the implications of the opinion of the EDPB are and what steps you can take as a financial institution to comply with seemingly contradictory legal obligations.

Since the introduction of the European Artificial Intelligence Act (“AI Act”) in March this year, guidance and recommendations by various Data Protection Authorities (“DPAs”) has been published. The most recent recommendations of the French Data Protection Authority (“CNIL”) are no different.