
DastraNews: what happened in Privacy & AI in August?

Leïla Sayssa
1 September 2025·7 minutes read time

Tired of general newsletters that skim over your real concerns? DastraNews offers legal and regulatory monitoring specifically designed for DPOs, lawyers, and privacy professionals.

Each month, we go beyond a simple recap: we select about ten decisions, news, or positions that have a concrete impact on your missions and organizations.

🎯 Targeted, useful monitoring grounded in the real-world realities of data protection and AI.

Here is our selection for August 2025:


Luxembourg – Publication of guidelines on AI Literacy by the CNPD

On August 2, 2025, the National Commission for Data Protection (CNPD) released guidance regarding Article 4 of Regulation (EU) 2024/1689 on artificial intelligence (AI Act). This article requires all individuals involved in the operation or use of AI systems to have a sufficient level of AI Literacy.

The CNPD emphasizes a proportional approach: training must be tailored to the experience level of employees, the risks posed by the systems to individuals, and the supervision mechanisms that are in place.

Effective since February 2, 2025, this requirement represents a major challenge for employers, who must ensure that their teams possess appropriate skills to use and supervise AI in a professional context. This requirement adds to other AI Act obligations, such as the prohibition of AI systems posing unacceptable risks.

👉 Read the CNPD article here.

👉 For more information, read our article here on AI Literacy and Shadow AI.

The Law Commission of the United Kingdom has released a major discussion paper on the question of the legal personality of AI systems. This report analyzes the unique characteristics of AI, including its autonomy, adaptability, and evolving learning modes, to assess whether these systems could eventually be recognized with a specific form of legal personality.

The study explores two scenarios: on one hand, granting legal personality to directly attribute rights and obligations to certain AI systems; on the other hand, maintaining the current framework, where responsibilities continue to rest exclusively with the natural or legal persons who design, deploy, or operate these technologies.

The Commission stresses the need for legal evolution that matches the pace of technological innovation, while warning against the risks of a status quo that could create blurred areas of responsibility in cases of harm caused by AI. The paper invites stakeholders (lawyers, businesses, public institutions) to contribute to this foundational debate for the future of law.

👉 Read the full report of the Law Commission

The European Commission publishes the list of signatories of the GPAI Code of Conduct

The European Commission has unveiled the complete list of companies that have adhered to the EU Code of Good Practice for Generative Artificial Intelligence, also known as the Code of Practices for General-Purpose AI (GPAI).

This voluntary code, developed through a multistakeholder process with independent experts, serves as a practical tool to assist the industry in complying with the obligations of the AI Regulation (AI Act) applicable to GPAI model suppliers. Published on July 10, 2025, it is accompanied by the Commission's guidelines on several key concepts related to these models.

The Commission and the AI Council have confirmed that this code constitutes an adequate instrument for voluntary compliance. By signing it, model suppliers can more easily demonstrate their adherence to the AI Act while benefiting from reduced administrative burdens and enhanced legal certainty.

👉 Check the complete list of signatories here

AI Act: What changes on August 2, 2025

As of August 2, 2025, several essential provisions of Regulation (EU) 2024/1689, the Regulation on Artificial Intelligence (AI Act), came into force and are now legally binding. These provisions include:

  • Governance rules, namely governance at the Union level and the competent national authorities; and

  • Obligations concerning general-purpose AI models.

Germany – Update of BfDI guidelines

The Federal Commissioner for Data Protection (BfDI) has published a new version of its guidelines.

This document provides a comprehensive analysis of the relationship between the GDPR and the BDSG, details the legal bases for processing, recalls data protection principles, the obligations of the DPO, and the rights of data subjects, and illustrates each of these points with practical examples.

👉 Check the guidelines here

United Kingdom – ICO consultations on the Data Use and Access Act (DUAA)

Following the entry into force of the Data Use and Access Act 2025 (DUAA), the Information Commissioner’s Office (ICO) has opened a series of public consultations intended to prepare the publication of final guidelines.

The first consultation addresses the introduction of a new legal basis, "acknowledged legitimate interest," as well as processing complaints related to data protection from organizations.

The ICO invites the stakeholders concerned to submit substantive contributions to inform the development of clear and operational rules.

CNIL sanction procedure: a constitutional turning point

On August 8, 2025, the Constitutional Council issued a major ruling (QPC n° 2025-1154) that modifies the sanction procedure before the CNIL. This evolution directly affects data controllers and their processors.

Until now, implicated entities could submit written comments or be heard, but without being informed of their right to remain silent. In practice, responding could lead to self-incrimination.

Citing Article 9 of the Declaration of Rights of 1789, the Council ruled that the right to silence, recognized in criminal matters, should also apply to administrative sanctions of a punitive nature, such as the fines imposed by the CNIL. The failure to inform about this right was deemed unconstitutional.

The repeal of the relevant provisions is postponed to October 1, 2026. However, from now on, the CNIL must explicitly notify implicated companies of their right to silence. Sanctions imposed before August 8, 2025, remain final.

This decision aligns CNIL sanctions more closely with criminal logic and requires companies to adopt a defensive approach in their interactions with the regulator.

👉 Check out the decision here.

Spain – €200,000 fine for violating the principle of data accuracy

The Spanish data protection authority (AEPD) imposed a fine of €200,000 on ENDESA ENERGÍA, S.A.U., a subsidiary of the ENDESA group, for a serious breach of the principle of data accuracy under Article 5.1(d) of the GDPR.

The case originated from a complaint filed in May 2023, after an individual had their electricity and gas contracts terminated without consent. The investigation revealed that the company mistakenly assigned the complainant's universal supply point codes (CUPS) to a third party due to a data entry error during a change of ownership. This mix-up, which was not verified before execution, led to the improper suspension of services.

In addition to the financial penalty, the AEPD ordered the company to implement enhanced procedures within six months to ensure the reliability of data processing during supplier or ownership changes. Failure to comply with this requirement could lead to further administrative violations.

👉 Check out the sanction here

