[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fY_dAdcam5NZ_hXSp5264lMPBxDBSR_FJU1HZT5swGi4":3},{"tableOfContents":4,"markDownContent":5,"htmlContent":6,"metaTitle":7,"metaDescription":8,"wordCount":9,"readTime":10,"title":11,"nbDownloads":12,"excerpt":13,"lang":14,"url":15,"intro":8,"featured":16,"state":17,"author":18,"authorId":19,"datePublication":23,"dateCreation":24,"dateUpdate":25,"mainCategory":26,"categories":42,"metaDatas":48,"imageUrl":49,"imageThumbUrls":50,"id":58},true,"Tired of general newsletters that skim over your real concerns? **Dastra Insights,** offers legal and regulatory monitoring **specifically designed for DPOs, lawyers, and privacy professionals**.\r\n\r\nEach month, we go beyond a simple recap: we select about ten decisions, news, or positions **that have a concrete impact on your missions and organizations**.\r\n\r\n🎯 **Targeted, useful monitoring grounded in the real-world realities of data protection and AI.**\r\n\r\nHere is our selection for **November 2025:**\r\n\r\n## Omnibus Project: the Commission paves the way for major simplification of the European Digital Framework\r\n\r\nOn **November 19, 2025**, the European Commission unveiled its initiative known as the **\"Digital Omnibus,\"** a comprehensive set of measures aimed at **simplifying and modernizing** the regulatory framework governing digital activities in Europe, from the **GDPR** to the **AI Act**, including the **ePrivacy Directive** and **cybersecurity** rules.The goal: to enhance **competitiveness**, reduce **administrative complexity**, and provide the **clarifications awaited** by professionals.\r\n\r\nAmong the proposed adjustments:\r\n\r\n- **Postponement of obligations under the AI Act** for high-risk systems (now scheduled for December 2027);\r\n\r\n- **Targeted modifications of the GDPR**;\r\n\r\n- **Simplification of cookie consent**;\r\n\r\n- Creation of a **one-stop shop** to centralize notifications of cybersecurity incidents.\r\n\r\nThis set of measures still needs to be reviewed by the **European Parliament** and the **Council**, but it already marks a turning point in the evolution of European digital law.\r\n\r\n> [For more information, click here.](https://ec.europa.eu/commission/presscorner/detail/en/ip_25_2718)\r\n\r\n## DMA and GDPR: Publication of Joint Guidelines by the Commission and EDPB\r\n\r\nThe **EDPB** and the **European Commission** have published their **first joint guidelines** to clarify the interplay between the **Digital Markets Act (DMA)** and the **GDPR**.Objective: to **simplify compliance**, enhance **application consistency**, and provide more **legal certainty** to *gatekeepers*, user companies, beneficiaries, and citizens.\r\n\r\nThe text reminds that the GDPR and DMA pursue complementary objectives:\r\n\r\n- the **GDPR** protects the **rights and freedoms** of individuals,\r\n\r\n- the **DMA** aims for **fairness and contestability** in digital markets.\r\n\r\nThe guidelines specifically explain:\r\n\r\n- how gatekeepers must apply the requirements for **specific choice** and **valid consent** (Art. 5(2) DMA) when they wish to combine or reuse personal data;\r\n\r\n- how to implement, in compliance with the GDPR, the obligations related to **data portability**, **access requests**, **distribution of third-party applications**, and the **interoperability** of messaging services.\r\n\r\n> 📅 **A public consultation is open until December 4, 2025.** Contributions will be published, and the final text will be jointly adopted by the EDPB and the Commission. > > Access the draft guidelines [here](https://www.edpb.europa.eu/system/files/2025-10/joint_com-edpb_gls_interplay_dma_gdpr_for_public_consultation_en.pdf).\r\n\r\n---\r\n\r\n## EDPB: Stakeholder Consultation on Anonymization and Pseudonymization\r\n\r\nThe EDPB is organizing a multi-stakeholder event dedicated to **anonymization and pseudonymization methods**, as several recent decisions (SRB vs EDPS, Meta) have undermined some common practices.The event aims to:\r\n\r\n- clarify the expectations of authorities,\r\n\r\n- identify genuinely reliable techniques,\r\n\r\n- prepare the update of the EDPB guidelines.\r\n\r\nAuthorities recognize the current tension between innovation, AI, and GDPR compliance, and seek to harmonize national approaches.\r\n\r\n> Access [here for the EDPB press release.](https://www.edpb.europa.eu/news/news/2025/anonymisation-and-pseudonymisation-take-part-stakeholder-event_en)\r\n\r\n## Adequacy Decision Brazil: EDPB Adopts Its Opinion\r\n\r\nOn **November 4, 2025**, the EDPB unanimously adopted its **opinion on the draft adequacy decision** presented by the European Commission for **Brazil**, in accordance with Article 45 of the GDPR.If adopted, this decision will allow European organizations to **transfer personal data to Brazil without additional guarantees**, as is the case with \"adequate\" countries.\r\n\r\nThe EDPB highlights:\r\n\r\n- the **strong convergence** between Brazilian law *LGPD* and the GDPR,\r\n\r\n- the consistency with the jurisprudence of the **CJEU**,\r\n\r\n- and the overall effectiveness of the guarantees provided under Brazilian law.\r\n\r\nHowever, the Committee invites the Commission to clarify and **monitor certain elements:** the obligation to conduct **Impact Assessments (AIPD)**; possible limits to **transparency**, related to commercial and industrial secrecy, and rules governing **subsequent transfers**.\r\n\r\nThe EDPB also notes that Brazilian law does not fully apply to processing carried out by public authorities for purposes of **national security** or **criminal prosecution**, but welcomes the fact that **partial application** is provided for criminal investigations and law enforcement, in accordance with Brazilian jurisprudence.\r\n\r\n> The draft is now to be examined by the Committee of Member States before final adoption. > > Fore more information, click [here.](https://www.edpb.europa.eu/news/news/2025/draft-adequacy-decision-brazil-edpb-adopts-opinion_en)\r\n\r\n## United Kingdom: ICO Consults on Its New Investigation and Enforcement Approach\r\n\r\nThe ICO has opened a **public consultation** on its future guidance governing the procedures it applies when it suspects a violation of the **UK GDPR** or the **Data Protection Act 2018**.\r\n\r\nThe text also specifies how the ICO will use its **new powers** granted by the *Data (Use and Access) Act 2025*, allowing it to demand responses and reports from organizations.\r\n\r\nThe draft notably addresses:\r\n\r\n- Criteria for initiating an investigation;\r\n\r\n- The course of an investigation;\r\n\r\n- Possible decisions (warning, reprimand, fine, injunction);\r\n\r\n- Conditions for reaching an amicable settlement with reduced penalties.\r\n\r\n> 📅 **Consultation open until January 23, 2026, [accessible via this link.](https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/2025/10/ico-consultation-on-data-protection-enforcement-procedural-guidance/)**\r\n\r\n## Direct Marketing: CJEU Clarifies the Applicable Legal Basis\r\n\r\nIn its ruling **Inteligo Media SA of November 13, 2025**, the CJEU provides a significant clarification regarding **direct marketing via email**. Until now, organizations systematically associated these practices with a **GDPR legal basis** (Article 6), generally either consent or legitimate interest.\r\n\r\nThe Court now rules that **Article 13(2) of the ePrivacy Directive (2002/58)** — transposed in France to **L.34-5 CPCE** — constitutes **in itself a sufficient legal basis** to regulate electronic marketing, without the need to refer to Article 6 of the GDPR.\r\n\r\n**In practice:**\r\n\r\n- **Consent** remains valid and usable;\r\n\r\n- However, data controllers will need to **explicitly explain** that the legal basis derives from Article 13(2) ePrivacy (and its national transposition);\r\n\r\n- An update of registers, notices, and marketing policies may be required to reflect this clarification.\r\n\r\n> A decision likely to lead to practical adjustments in marketing compliance efforts.\r\n>\r\n> [Access the ruling here.](https://eur-lex.europa.eu/legal-content/FR/SUM/?uri=CELEX:62023CJ0654)\r\n\r\n---\r\n\r\n## Capita: Data Breach Affecting 6 Million People\r\n\r\nThe ICO has imposed a fine of **£14 million** on Capita, following a **cyberattack in 2023** that resulted in the theft of data from **6.6 million people** (pension records, HR data, customer information, and sometimes sensitive or financial data).\r\n\r\nThe investigation concludes several serious shortcomings:\r\n\r\n- **Lack of sufficient technical and organizational measures**, leaving systems vulnerable.\r\n\r\n- **Failure to manage security alerts**: a critical report was ignored for **58 hours**, allowing the attacker to gain administrator permissions and exfiltrate nearly one terabyte of data.\r\n\r\n- **Lack of penetration testing**: some systems had only been tested upon commissioning.\r\n\r\n- **Failure to prevent lateral movements** in the network, despite several prior internal alerts.\r\n\r\nThe ICO reminds that **cybersecurity is an essential element of digital trust** and that no organization, even large ones, is exempt from its obligations.\r\n\r\nFor your information, initially, the authority considered a fine of **£45M**, which was reduced after corrective measures were taken, Capita’s cooperation, and an amicable settlement. Capita acknowledged its responsibility and accepted the sanction.\r\n\r\n> Click [here for more information.](https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/10/capita-fined-14m-for-data-breach-affecting-over-6m-people/)\r\n\r\n---\r\n\r\n## CNIL: €750,000 Fine Against Condé Nast Publications for Cookie Rule Violations\r\n\r\nThe CNIL has sanctioned **Condé Nast Publications** (publisher of *Vanity Fair*) with a **€750,000** fine for several ongoing violations of Article 82 of the French Data Protection Act regarding **cookies and trackers**.\r\n\r\nAfter an initial complaint filed in 2019 by the association NOYB, a formal notice in 2021, and a closure in 2022, the CNIL conducted **new inspections in 2023 and 2025** showing that the website [*vanityfair.fr*](http://vanityfair.fr) was still non-compliant.\r\n\r\n**The main violations identified:**\r\n\r\n- **Placement of cookies subject to consent before any choice**: cookies were installed upon arrival on the site, without prior consent.\r\n\r\n- **Insufficient information**: some cookies were presented as \"strictly necessary\" without clear explanation of their actual purposes.\r\n\r\n- **Impossibility to effectively refuse or withdraw consent**: even after clicking \"Reject All\" or withdrawing consent, cookies subject to consent continued to be placed or read.\r\n\r\nThe sanction takes into account: the existence of a **previous formal notice**, the **number of affected users**, and the repetition of the violations despite exchanges with the CNIL.\r\n\r\nA strong reminder to publishers: cookie compliance requires **effective implementation**, continuous **monitoring**, and genuinely functional **refusal mechanisms**.\r\n\r\n> For more information, click [here](https://www.cnil.fr/en/cookies-placed-without-consent-company-publishes-website-vanityfairfr-fined-750000-euros). \r\n\r\n## CNIL: Launch of the 2025 National Survey \"DPO and AI\"\r\n\r\nThe CNIL is launching a large-scale survey aimed at better understanding the **role of DPOs in the context of AI usage** in French organizations.The rise of AI is disrupting data processing practices. However, the CNIL seeks to answer the following questions:\r\n\r\n- What role does the DPO play in this new reality? How far does their scope of intervention extend?\r\n- What challenges do they face daily?\r\n- What tools and training do they need?\r\n\r\nTo answer these questions, the CNIL opens a national survey targeting DPOs, whether they operate in the public or private sector. Its position is as follows: while the DPO must be associated with any use of personal data, they are not necessarily the lead on compliance with the Artificial Intelligence Regulation (RIA), which involves other specific competencies.However, the RIA presents a major opportunity: its principles (risk-based approach, responsibility, transparency, and protection of fundamental rights) build upon those of the GDPR. DPOs thus have a strong foundation to guide their organizations toward compliant and responsible AI.\r\n\r\n> 🔗 DPOs, your opinion matters: participate in the survey [before December 15, 2025 here](https://www.cnil.fr/fr/dpo-a-lheure-de-lia-lancement-enquete-2025)\r\n\r\n---\r\n\r\n## Hungary: Adoption of a National AI Law\r\n\r\nHungary becomes one of the first member states to adopt a **national law on artificial intelligence**, complementing the AI Act.The law introduces:\r\n\r\n- sector-specific obligations,\r\n\r\n- strengthened transparency requirements,\r\n\r\n- new administrative penalties.  It illustrates a growing trend towards **complementary nationalization** of AI rules in Europe.\r\n\r\n> [Access the law here.](https://cdn.kormany.hu/uploads/document/c/c0/c0d/c0dfdbd37cfa520ae37361a168d244c85e7295af.pdf)\r\n\r\n## AI and CJEU: A New Preliminary Question Before the CJEU\r\n\r\nThe CJEU is seized with a new case (C-245/25) regarding the use, by an expert witness, of AI-assisted accident simulation software. The central question: does this type of tool fall under **high-risk AI systems** as defined by the **AI Act**?\r\n\r\nThe case arises from a road accident. The designated expert used the software *Virtual Crash 4.0*, designed for the American market, which one party contests. They argue that the tool wasn't suitable and that an expert report must detail all the calculations conducted, which the expert couldn't provide, merely claiming to have \"verified\" the results.\r\n\r\nThe Bulgarian court then decided to refer to the CJEU, invoking notably:\r\n\r\n- the principle of **explainability**,\r\n\r\n- the requirement for understanding decision-making processes,\r\n\r\n- the potential impact on the **right to a fair trial** (Art. 19 TEU).\r\n\r\nThe questions posed concern:\r\n\r\n- the qualification of the software as **high-risk AI** (Annex III, point 8, AI Act),\r\n\r\n- the scope of **Article 86 AI Act** regarding the right to an explanation,\r\n\r\n- the possibility for a court to rely on a report based solely on an algorithmic result simply \"validated\" by the expert.\r\n\r\n> It remains to be seen whether the CJEU will address all these questions… [More details here!](https://curia.europa.eu/juris/showPdf.jsf?text=2024%252F1689&docid=306404&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=9524520)\r\n\r\n## The European Commission Launches a Code of Practice on Marking AI-Generated Content\r\n\r\nThe European Commission has announced the creation of a working group tasked with developing a **code of practice** for the **marking and labeling of AI-generated content**.Objective: to ensure a **clear identification** of synthetic content, including deepfakes, to enhance the transparency mandated by the AI Act.The code will cover:\r\n\r\n- marking formats (watermarks, metadata, visual warnings),\r\n\r\n- obligations for generative AI providers,\r\n\r\n- technical measures ensuring the reliability of marking.\r\n\r\nThis future code, to be developed over a period of seven months by independent **experts** under the coordination of the **EU AI Office**, will be a **voluntary tool** for providers and users of generative AI systems.\r\n\r\n> A first version is expected in early 2026. The Commission's press release is [accessible here.](https://digital-strategy.ec.europa.eu/en/news/commission-launches-work-code-practice-marking-and-labelling-ai-generated-content)\r\n\r\n---\r\n\r\n## Data Act: Draft Model Contract Clauses\r\n\r\nThe European Commission has published the recommendation on **new non-binding model contractual clauses** intended to facilitate the implementation of the **Data Act**, particularly for **SMEs**.These models, freely usable and adaptable, aim to assist organizations in structuring their data-sharing and cloud service contracts.\r\n\r\n### **Model Contractual Terms (MCT) – Mandatory Data Sharing**\r\n\r\nThree sets of MCT have been developed to cover relationships where **data sharing is mandatory** (chapters II and III of the Data Act):\r\n\r\n1. **MCT Holder ↔ User**: access, use, and sharing of data generated by a connected product or associated service.\r\n\r\n2. **MCT User ↔ Recipient**: conditions of use of data by the recipient chosen by the user.\r\n\r\n3. **MCT Holder ↔ Recipient**: terms of sharing and possible financial compensation.\r\n\r\nA fourth model addresses **voluntary data sharing** between businesses, in compliance with the rules of Chapter IV on **abusive clauses**.\r\n\r\n### **Standard Contractual Clauses (SCC) – Cloud Services (Chapter VI)**\r\n\r\nThree SCC translate the obligations related to **switching between providers**:\r\n\r\n- **Switching & Exit**: conditions for changing service provider.\r\n\r\n- **Termination**: applicable provisions at the end of the contract.\r\n\r\n- **Security & Business Continuity**: obligations in case of incidents and guarantees during migration.\r\n\r\n> The **next step is to translate and publish the MCT and SCC** in all EU languages, which should take three to four months.\r\n>\r\n> Access [here for the Commission's press release.](https://digital-strategy.ec.europa.eu/en/library/draft-recommendation-non-binding-model-contractual-terms-data-access-and-use-and-non-binding)","\u003Cp>Tired of general newsletters that skim over your real concerns? \u003Cstrong>Dastra Insights,\u003C/strong> offers legal and regulatory monitoring \u003Cstrong>specifically designed for DPOs, lawyers, and privacy professionals\u003C/strong>.\u003C/p>\r\n\u003Cp>Each month, we go beyond a simple recap: we select about ten decisions, news, or positions \u003Cstrong>that have a concrete impact on your missions and organizations\u003C/strong>.\u003C/p>\r\n\u003Cp>🎯 \u003Cstrong>Targeted, useful monitoring grounded in the real-world realities of data protection and AI.\u003C/strong>\u003C/p>\r\n\u003Cp>Here is our selection for \u003Cstrong>November 2025:\u003C/strong>\u003C/p>\r\n\u003Ch2 id=\"omnibus-project-the-commission-paves-the-way-for-major-simplification-of-the-european-digital-framework\">Omnibus Project: the Commission paves the way for major simplification of the European Digital Framework\u003C/h2>\r\n\u003Cp>On \u003Cstrong>November 19, 2025\u003C/strong>, the European Commission unveiled its initiative known as the \u003Cstrong>\"Digital Omnibus,\"\u003C/strong> a comprehensive set of measures aimed at \u003Cstrong>simplifying and modernizing\u003C/strong> the regulatory framework governing digital activities in Europe, from the \u003Cstrong>GDPR\u003C/strong> to the \u003Cstrong>AI Act\u003C/strong>, including the \u003Cstrong>ePrivacy Directive\u003C/strong> and \u003Cstrong>cybersecurity\u003C/strong> rules.\u003Cbr />\r\n\u003Cbr />\r\nThe goal: to enhance \u003Cstrong>competitiveness\u003C/strong>, reduce \u003Cstrong>administrative complexity\u003C/strong>, and provide the \u003Cstrong>clarifications awaited\u003C/strong> by professionals.\u003C/p>\r\n\u003Cp>Among the proposed adjustments:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>\u003Cstrong>Postponement of obligations under the AI Act\u003C/strong> for high-risk systems (now scheduled for December 2027);\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Targeted modifications of the GDPR\u003C/strong>;\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Simplification of cookie consent\u003C/strong>;\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Creation of a \u003Cstrong>one-stop shop\u003C/strong> to centralize notifications of cybersecurity incidents.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>This set of measures still needs to be reviewed by the \u003Cstrong>European Parliament\u003C/strong> and the \u003Cstrong>Council\u003C/strong>, but it already marks a turning point in the evolution of European digital law.\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>\u003Ca href=\"https://ec.europa.eu/commission/presscorner/detail/en/ip_25_2718\" rel=\"nofollow\">For more information, click here.\u003C/a>\u003C/p>\r\n\u003C/blockquote>\r\n\u003Ch2 id=\"dma-and-gdpr-publication-of-joint-guidelines-by-the-commission-and-edpb\">DMA and GDPR: Publication of Joint Guidelines by the Commission and EDPB\u003C/h2>\r\n\u003Cp>The \u003Cstrong>EDPB\u003C/strong> and the \u003Cstrong>European Commission\u003C/strong> have published their \u003Cstrong>first joint guidelines\u003C/strong> to clarify the interplay between the \u003Cstrong>Digital Markets Act (DMA)\u003C/strong> and the \u003Cstrong>GDPR\u003C/strong>.\u003Cbr />\r\n\u003Cbr />\r\nObjective: to \u003Cstrong>simplify compliance\u003C/strong>, enhance \u003Cstrong>application consistency\u003C/strong>, and provide more \u003Cstrong>legal certainty\u003C/strong> to \u003Cem>gatekeepers\u003C/em>, user companies, beneficiaries, and citizens.\u003C/p>\r\n\u003Cp>The text reminds that the GDPR and DMA pursue complementary objectives:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>the \u003Cstrong>GDPR\u003C/strong> protects the \u003Cstrong>rights and freedoms\u003C/strong> of individuals,\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>the \u003Cstrong>DMA\u003C/strong> aims for \u003Cstrong>fairness and contestability\u003C/strong> in digital markets.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>The guidelines specifically explain:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>how gatekeepers must apply the requirements for \u003Cstrong>specific choice\u003C/strong> and \u003Cstrong>valid consent\u003C/strong> (Art. 5(2) DMA) when they wish to combine or reuse personal data;\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>how to implement, in compliance with the GDPR, the obligations related to \u003Cstrong>data portability\u003C/strong>, \u003Cstrong>access requests\u003C/strong>, \u003Cstrong>distribution of third-party applications\u003C/strong>, and the \u003Cstrong>interoperability\u003C/strong> of messaging services.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Cblockquote>\r\n\u003Cp>📅 \u003Cstrong>A public consultation is open until December 4, 2025.\u003C/strong> Contributions will be published, and the final text will be jointly adopted by the EDPB and the Commission. \u003Cbr />\r\n\u003Cbr />\r\nAccess the draft guidelines \u003Ca href=\"https://www.edpb.europa.eu/system/files/2025-10/joint_com-edpb_gls_interplay_dma_gdpr_for_public_consultation_en.pdf\" rel=\"nofollow\">here\u003C/a>.\u003C/p>\r\n\u003C/blockquote>\r\n\u003Chr />\r\n\u003Ch2 id=\"edpb-stakeholder-consultation-on-anonymization-and-pseudonymization\">EDPB: Stakeholder Consultation on Anonymization and Pseudonymization\u003C/h2>\r\n\u003Cp>The EDPB is organizing a multi-stakeholder event dedicated to \u003Cstrong>anonymization and pseudonymization methods\u003C/strong>, as several recent decisions (SRB vs EDPS, Meta) have undermined some common practices.\u003Cbr />\r\n\u003Cbr />\r\nThe event aims to:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>clarify the expectations of authorities,\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>identify genuinely reliable techniques,\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>prepare the update of the EDPB guidelines.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>Authorities recognize the current tension between innovation, AI, and GDPR compliance, and seek to harmonize national approaches.\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>Access \u003Ca href=\"https://www.edpb.europa.eu/news/news/2025/anonymisation-and-pseudonymisation-take-part-stakeholder-event_en\" rel=\"nofollow\">here for the EDPB press release.\u003C/a>\u003C/p>\r\n\u003C/blockquote>\r\n\u003Ch2 id=\"adequacy-decision-brazil-edpb-adopts-its-opinion\">Adequacy Decision Brazil: EDPB Adopts Its Opinion\u003C/h2>\r\n\u003Cp>On \u003Cstrong>November 4, 2025\u003C/strong>, the EDPB unanimously adopted its \u003Cstrong>opinion on the draft adequacy decision\u003C/strong> presented by the European Commission for \u003Cstrong>Brazil\u003C/strong>, in accordance with Article 45 of the GDPR.\u003Cbr />\r\n\u003Cbr />\r\nIf adopted, this decision will allow European organizations to \u003Cstrong>transfer personal data to Brazil without additional guarantees\u003C/strong>, as is the case with \"adequate\" countries.\u003C/p>\r\n\u003Cp>The EDPB highlights:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>the \u003Cstrong>strong convergence\u003C/strong> between Brazilian law \u003Cem>LGPD\u003C/em> and the GDPR,\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>the consistency with the jurisprudence of the \u003Cstrong>CJEU\u003C/strong>,\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>and the overall effectiveness of the guarantees provided under Brazilian law.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>However, the Committee invites the Commission to clarify and \u003Cstrong>monitor certain elements:\u003C/strong> the obligation to conduct \u003Cstrong>Impact Assessments (AIPD)\u003C/strong>; possible limits to \u003Cstrong>transparency\u003C/strong>, related to commercial and industrial secrecy, and rules governing \u003Cstrong>subsequent transfers\u003C/strong>.\u003C/p>\r\n\u003Cp>The EDPB also notes that Brazilian law does not fully apply to processing carried out by public authorities for purposes of \u003Cstrong>national security\u003C/strong> or \u003Cstrong>criminal prosecution\u003C/strong>, but welcomes the fact that \u003Cstrong>partial application\u003C/strong> is provided for criminal investigations and law enforcement, in accordance with Brazilian jurisprudence.\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>The draft is now to be examined by the Committee of Member States before final adoption. \u003Cbr />\r\n\u003Cbr />\r\nFore more information, click \u003Ca href=\"https://www.edpb.europa.eu/news/news/2025/draft-adequacy-decision-brazil-edpb-adopts-opinion_en\" rel=\"nofollow\">here.\u003C/a>\u003C/p>\r\n\u003C/blockquote>\r\n\u003Ch2 id=\"united-kingdom-ico-consults-on-its-new-investigation-and-enforcement-approach\">United Kingdom: ICO Consults on Its New Investigation and Enforcement Approach\u003C/h2>\r\n\u003Cp>The ICO has opened a \u003Cstrong>public consultation\u003C/strong> on its future guidance governing the procedures it applies when it suspects a violation of the \u003Cstrong>UK GDPR\u003C/strong> or the \u003Cstrong>Data Protection Act 2018\u003C/strong>.\u003C/p>\r\n\u003Cp>The text also specifies how the ICO will use its \u003Cstrong>new powers\u003C/strong> granted by the \u003Cem>Data (Use and Access) Act 2025\u003C/em>, allowing it to demand responses and reports from organizations.\u003C/p>\r\n\u003Cp>The draft notably addresses:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>Criteria for initiating an investigation;\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>The course of an investigation;\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Possible decisions (warning, reprimand, fine, injunction);\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Conditions for reaching an amicable settlement with reduced penalties.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Cblockquote>\r\n\u003Cp>📅 \u003Cstrong>Consultation open until January 23, 2026, \u003Ca href=\"https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/2025/10/ico-consultation-on-data-protection-enforcement-procedural-guidance/\" rel=\"nofollow\">accessible via this link.\u003C/a>\u003C/strong>\u003C/p>\r\n\u003C/blockquote>\r\n\u003Ch2 id=\"direct-marketing-cjeu-clarifies-the-applicable-legal-basis\">Direct Marketing: CJEU Clarifies the Applicable Legal Basis\u003C/h2>\r\n\u003Cp>In its ruling \u003Cstrong>Inteligo Media SA of November 13, 2025\u003C/strong>, the CJEU provides a significant clarification regarding \u003Cstrong>direct marketing via email\u003C/strong>. \u003Cbr />\r\n\u003Cbr />\r\nUntil now, organizations systematically associated these practices with a \u003Cstrong>GDPR legal basis\u003C/strong> (Article 6), generally either consent or legitimate interest.\u003C/p>\r\n\u003Cp>The Court now rules that \u003Cstrong>Article 13(2) of the ePrivacy Directive (2002/58)\u003C/strong> — transposed in France to \u003Cstrong>L.34-5 CPCE\u003C/strong> — constitutes \u003Cstrong>in itself a sufficient legal basis\u003C/strong> to regulate electronic marketing, without the need to refer to Article 6 of the GDPR.\u003C/p>\r\n\u003Cp>\u003Cstrong>In practice:\u003C/strong>\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>\u003Cstrong>Consent\u003C/strong> remains valid and usable;\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>However, data controllers will need to \u003Cstrong>explicitly explain\u003C/strong> that the legal basis derives from Article 13(2) ePrivacy (and its national transposition);\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>An update of registers, notices, and marketing policies may be required to reflect this clarification.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Cblockquote>\r\n\u003Cp>A decision likely to lead to practical adjustments in marketing compliance efforts.\u003C/p>\r\n\u003Cp>\u003Ca href=\"https://eur-lex.europa.eu/legal-content/FR/SUM/?uri=CELEX:62023CJ0654\" rel=\"nofollow\">Access the ruling here.\u003C/a>\u003C/p>\r\n\u003C/blockquote>\r\n\u003Chr />\r\n\u003Ch2 id=\"capita-data-breach-affecting-6-million-people\">Capita: Data Breach Affecting 6 Million People\u003C/h2>\r\n\u003Cp>The ICO has imposed a fine of \u003Cstrong>£14 million\u003C/strong> on Capita, following a \u003Cstrong>cyberattack in 2023\u003C/strong> that resulted in the theft of data from \u003Cstrong>6.6 million people\u003C/strong> (pension records, HR data, customer information, and sometimes sensitive or financial data).\u003C/p>\r\n\u003Cp>The investigation concludes several serious shortcomings:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>\u003Cstrong>Lack of sufficient technical and organizational measures\u003C/strong>, leaving systems vulnerable.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Failure to manage security alerts\u003C/strong>: a critical report was ignored for \u003Cstrong>58 hours\u003C/strong>, allowing the attacker to gain administrator permissions and exfiltrate nearly one terabyte of data.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Lack of penetration testing\u003C/strong>: some systems had only been tested upon commissioning.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Failure to prevent lateral movements\u003C/strong> in the network, despite several prior internal alerts.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>The ICO reminds that \u003Cstrong>cybersecurity is an essential element of digital trust\u003C/strong> and that no organization, even large ones, is exempt from its obligations.\u003C/p>\r\n\u003Cp>For your information, initially, the authority considered a fine of \u003Cstrong>£45M\u003C/strong>, which was reduced after corrective measures were taken, Capita’s cooperation, and an amicable settlement. Capita acknowledged its responsibility and accepted the sanction.\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>Click \u003Ca href=\"https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/10/capita-fined-14m-for-data-breach-affecting-over-6m-people/\" rel=\"nofollow\">here for more information.\u003C/a>\u003C/p>\r\n\u003C/blockquote>\r\n\u003Chr />\r\n\u003Ch2 id=\"cnil-750000-fine-against-conde-nast-publications-for-cookie-rule-violations\">CNIL: €750,000 Fine Against Condé Nast Publications for Cookie Rule Violations\u003C/h2>\r\n\u003Cp>The CNIL has sanctioned \u003Cstrong>Condé Nast Publications\u003C/strong> (publisher of \u003Cem>Vanity Fair\u003C/em>) with a \u003Cstrong>€750,000\u003C/strong> fine for several ongoing violations of Article 82 of the French Data Protection Act regarding \u003Cstrong>cookies and trackers\u003C/strong>.\u003C/p>\r\n\u003Cp>After an initial complaint filed in 2019 by the association NOYB, a formal notice in 2021, and a closure in 2022, the CNIL conducted \u003Cstrong>new inspections in 2023 and 2025\u003C/strong> showing that the website \u003Ca href=\"http://vanityfair.fr\" rel=\"nofollow\">\u003Cem>vanityfair.fr\u003C/em>\u003C/a> was still non-compliant.\u003C/p>\r\n\u003Cp>\u003Cstrong>The main violations identified:\u003C/strong>\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>\u003Cstrong>Placement of cookies subject to consent before any choice\u003C/strong>: cookies were installed upon arrival on the site, without prior consent.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Insufficient information\u003C/strong>: some cookies were presented as \"strictly necessary\" without clear explanation of their actual purposes.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Impossibility to effectively refuse or withdraw consent\u003C/strong>: even after clicking \"Reject All\" or withdrawing consent, cookies subject to consent continued to be placed or read.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>The sanction takes into account: the existence of a \u003Cstrong>previous formal notice\u003C/strong>, the \u003Cstrong>number of affected users\u003C/strong>, and the repetition of the violations despite exchanges with the CNIL.\u003C/p>\r\n\u003Cp>A strong reminder to publishers: cookie compliance requires \u003Cstrong>effective implementation\u003C/strong>, continuous \u003Cstrong>monitoring\u003C/strong>, and genuinely functional \u003Cstrong>refusal mechanisms\u003C/strong>.\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>For more information, click \u003Ca href=\"https://www.cnil.fr/en/cookies-placed-without-consent-company-publishes-website-vanityfairfr-fined-750000-euros\" rel=\"nofollow\">here\u003C/a>.\u003C/p>\r\n\u003C/blockquote>\r\n\u003Ch2 id=\"cnil-launch-of-the-2025-national-survey-dpo-and-ai\">CNIL: Launch of the 2025 National Survey \"DPO and AI\"\u003C/h2>\r\n\u003Cp>The CNIL is launching a large-scale survey aimed at better understanding the \u003Cstrong>role of DPOs in the context of AI usage\u003C/strong> in French organizations.\u003Cbr />\r\n\u003Cbr />\r\nThe rise of AI is disrupting data processing practices. However, the CNIL seeks to answer the following questions:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>What role does the DPO play in this new reality? How far does their scope of intervention extend?\u003C/li>\r\n\u003Cli>What challenges do they face daily?\u003C/li>\r\n\u003Cli>What tools and training do they need?\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>To answer these questions, the CNIL opens a national survey targeting DPOs, whether they operate in the public or private sector. \u003Cbr />\r\n\u003Cbr />\r\nIts position is as follows: while the DPO must be associated with any use of personal data, they are not necessarily the lead on compliance with the Artificial Intelligence Regulation (RIA), which involves other specific competencies.\u003Cbr />\r\n\u003Cbr />\r\nHowever, the RIA presents a major opportunity: its principles (risk-based approach, responsibility, transparency, and protection of fundamental rights) build upon those of the GDPR. DPOs thus have a strong foundation to guide their organizations toward compliant and responsible AI.\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>🔗 DPOs, your opinion matters: participate in the survey \u003Ca href=\"https://www.cnil.fr/fr/dpo-a-lheure-de-lia-lancement-enquete-2025\" rel=\"nofollow\">before December 15, 2025 here\u003C/a>\u003C/p>\r\n\u003C/blockquote>\r\n\u003Chr />\r\n\u003Ch2 id=\"hungary-adoption-of-a-national-ai-law\">Hungary: Adoption of a National AI Law\u003C/h2>\r\n\u003Cp>Hungary becomes one of the first member states to adopt a \u003Cstrong>national law on artificial intelligence\u003C/strong>, complementing the AI Act.\u003Cbr />\r\n\u003Cbr />\r\nThe law introduces:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>sector-specific obligations,\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>strengthened transparency requirements,\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>new administrative penalties.\u003Cbr />\r\nIt illustrates a growing trend towards \u003Cstrong>complementary nationalization\u003C/strong> of AI rules in Europe.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Cblockquote>\r\n\u003Cp>\u003Ca href=\"https://cdn.kormany.hu/uploads/document/c/c0/c0d/c0dfdbd37cfa520ae37361a168d244c85e7295af.pdf\" rel=\"nofollow\">Access the law here.\u003C/a>\u003C/p>\r\n\u003C/blockquote>\r\n\u003Ch2 id=\"ai-and-cjeu-a-new-preliminary-question-before-the-cjeu\">AI and CJEU: A New Preliminary Question Before the CJEU\u003C/h2>\r\n\u003Cp>The CJEU is seized with a new case (C-245/25) regarding the use, by an expert witness, of AI-assisted accident simulation software. The central question: does this type of tool fall under \u003Cstrong>high-risk AI systems\u003C/strong> as defined by the \u003Cstrong>AI Act\u003C/strong>?\u003C/p>\r\n\u003Cp>The case arises from a road accident. The designated expert used the software \u003Cem>Virtual Crash 4.0\u003C/em>, designed for the American market, which one party contests. They argue that the tool wasn't suitable and that an expert report must detail all the calculations conducted, which the expert couldn't provide, merely claiming to have \"verified\" the results.\u003C/p>\r\n\u003Cp>The Bulgarian court then decided to refer to the CJEU, invoking notably:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>the principle of \u003Cstrong>explainability\u003C/strong>,\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>the requirement for understanding decision-making processes,\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>the potential impact on the \u003Cstrong>right to a fair trial\u003C/strong> (Art. 19 TEU).\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>The questions posed concern:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>the qualification of the software as \u003Cstrong>high-risk AI\u003C/strong> (Annex III, point 8, AI Act),\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>the scope of \u003Cstrong>Article 86 AI Act\u003C/strong> regarding the right to an explanation,\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>the possibility for a court to rely on a report based solely on an algorithmic result simply \"validated\" by the expert.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Cblockquote>\r\n\u003Cp>It remains to be seen whether the CJEU will address all these questions… \u003Ca href=\"https://curia.europa.eu/juris/showPdf.jsf?text=2024%252F1689&docid=306404&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=9524520\" rel=\"nofollow\">More details here!\u003C/a>\u003C/p>\r\n\u003C/blockquote>\r\n\u003Ch2 id=\"the-european-commission-launches-a-code-of-practice-on-marking-ai-generated-content\">The European Commission Launches a Code of Practice on Marking AI-Generated Content\u003C/h2>\r\n\u003Cp>The European Commission has announced the creation of a working group tasked with developing a \u003Cstrong>code of practice\u003C/strong> for the \u003Cstrong>marking and labeling of AI-generated content\u003C/strong>.\u003Cbr />\r\nObjective: to ensure a \u003Cstrong>clear identification\u003C/strong> of synthetic content, including deepfakes, to enhance the transparency mandated by the AI Act.\u003Cbr />\r\n\u003Cbr />\r\nThe code will cover:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>marking formats (watermarks, metadata, visual warnings),\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>obligations for generative AI providers,\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>technical measures ensuring the reliability of marking.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>This future code, to be developed over a period of seven months by independent \u003Cstrong>experts\u003C/strong> under the coordination of the \u003Cstrong>EU AI Office\u003C/strong>, will be a \u003Cstrong>voluntary tool\u003C/strong> for providers and users of generative AI systems.\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>A first version is expected in early 2026. The Commission's press release is \u003Ca href=\"https://digital-strategy.ec.europa.eu/en/news/commission-launches-work-code-practice-marking-and-labelling-ai-generated-content\" rel=\"nofollow\">accessible here.\u003C/a>\u003C/p>\r\n\u003C/blockquote>\r\n\u003Chr />\r\n\u003Ch2 id=\"data-act-draft-model-contract-clauses\">Data Act: Draft Model Contract Clauses\u003C/h2>\r\n\u003Cp>The European Commission has published the recommendation on \u003Cstrong>new non-binding model contractual clauses\u003C/strong> intended to facilitate the implementation of the \u003Cstrong>Data Act\u003C/strong>, particularly for \u003Cstrong>SMEs\u003C/strong>.\u003Cbr />\r\n\u003Cbr />\r\nThese models, freely usable and adaptable, aim to assist organizations in structuring their data-sharing and cloud service contracts.\u003C/p>\r\n\u003Ch3 id=\"model-contractual-terms-mct-mandatory-data-sharing\">\u003Cstrong>Model Contractual Terms (MCT) – Mandatory Data Sharing\u003C/strong>\u003C/h3>\r\n\u003Cp>Three sets of MCT have been developed to cover relationships where \u003Cstrong>data sharing is mandatory\u003C/strong> (chapters II and III of the Data Act):\u003C/p>\r\n\u003Col>\r\n\u003Cli>\u003Cp>\u003Cstrong>MCT Holder ↔ User\u003C/strong>: access, use, and sharing of data generated by a connected product or associated service.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>MCT User ↔ Recipient\u003C/strong>: conditions of use of data by the recipient chosen by the user.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>MCT Holder ↔ Recipient\u003C/strong>: terms of sharing and possible financial compensation.\u003C/p>\r\n\u003C/li>\r\n\u003C/ol>\r\n\u003Cp>A fourth model addresses \u003Cstrong>voluntary data sharing\u003C/strong> between businesses, in compliance with the rules of Chapter IV on \u003Cstrong>abusive clauses\u003C/strong>.\u003C/p>\r\n\u003Ch3 id=\"standard-contractual-clauses-scc-cloud-services-chapter-vi\">\u003Cstrong>Standard Contractual Clauses (SCC) – Cloud Services (Chapter VI)\u003C/strong>\u003C/h3>\r\n\u003Cp>Three SCC translate the obligations related to \u003Cstrong>switching between providers\u003C/strong>:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>\u003Cstrong>Switching & Exit\u003C/strong>: conditions for changing service provider.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Termination\u003C/strong>: applicable provisions at the end of the contract.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Security & Business Continuity\u003C/strong>: obligations in case of incidents and guarantees during migration.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Cblockquote>\r\n\u003Cp>The \u003Cstrong>next step is to translate and publish the MCT and SCC\u003C/strong> in all EU languages, which should take three to four months.\u003C/p>\r\n\u003Cp>Access \u003Ca href=\"https://digital-strategy.ec.europa.eu/en/library/draft-recommendation-non-binding-model-contractual-terms-data-access-and-use-and-non-binding\" rel=\"nofollow\">here for the Commission's press release.\u003C/a>\u003C/p>\r\n\u003C/blockquote>\r\n","Dastra Insights: what happened in Privacy & AI in November? ","Privacy & AI insights from the Dastra hub: actionable updates for pros who work daily in the field.",2302,13,"Dastra Insights: What happened in Privacy & AI in November? ",0,null,"en","dastra-insights-what-happened-in-november",false,"Published",{"id":19,"displayName":20,"avatarUrl":21,"bio":13,"blogUrl":13,"color":13,"userId":19,"creationDate":22},20352,"Leïla Sayssa","https://static.dastra.eu/tenant-3/avatar/20352/TDYeY3C8Rz1lLE/dpo-avatar-h01-150.png","2025-03-03T11:08:22","2025-12-02T11:16:00","2025-12-02T11:16:06.0738356","2025-12-09T09:13:16.6213088",{"id":27,"name":28,"description":29,"url":30,"color":31,"parentId":13,"count":13,"imageUrl":13,"parent":13,"order":12,"translations":32},2,"Blog","A list of curated articles provided by the community","blog","#28449a",[33,36,39],{"lang":34,"name":28,"description":35},"fr","Une liste d'articles rédigés par la communauté",{"lang":37,"name":28,"description":38},"es","Una lista de artículos escritos por la comunidad",{"lang":40,"name":28,"description":41},"de","Eine Liste von Artikeln, die von der Community verfasst wurden",[43],{"id":27,"name":28,"description":29,"url":30,"color":31,"parentId":13,"count":13,"imageUrl":13,"parent":13,"order":12,"translations":44},[45,46,47],{"lang":34,"name":28,"description":35},{"lang":37,"name":28,"description":38},{"lang":40,"name":28,"description":41},[],"https://static.dastra.eu/content/e2031cff-bc35-46d3-8978-d393470b97d4/dastractu-original.jpg",[51,52,53,54,55,56,57],"https://static.dastra.eu/content/e2031cff-bc35-46d3-8978-d393470b97d4/dastractu-1000.webp","https://static.dastra.eu/content/e2031cff-bc35-46d3-8978-d393470b97d4/dastractu.webp","https://static.dastra.eu/content/e2031cff-bc35-46d3-8978-d393470b97d4/dastractu-1500.webp","https://static.dastra.eu/content/e2031cff-bc35-46d3-8978-d393470b97d4/dastractu-800.webp","https://static.dastra.eu/content/e2031cff-bc35-46d3-8978-d393470b97d4/dastractu-600.webp","https://static.dastra.eu/content/e2031cff-bc35-46d3-8978-d393470b97d4/dastractu-300.webp","https://static.dastra.eu/content/e2031cff-bc35-46d3-8978-d393470b97d4/dastractu-100.webp",59767]