[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f8K0Cng02mmr0zuo0wSjVg5YZmfp2SqE4JKkY_sT9Xk4":3},{"tableOfContents":4,"markDownContent":5,"htmlContent":6,"metaTitle":7,"metaDescription":8,"wordCount":9,"readTime":10,"title":7,"nbDownloads":11,"excerpt":12,"lang":13,"url":14,"intro":8,"featured":15,"state":16,"author":17,"authorId":18,"datePublication":22,"dateCreation":23,"dateUpdate":24,"mainCategory":25,"categories":41,"metaDatas":89,"imageUrl":90,"imageThumbUrls":91,"id":99},true,"Tired of general newsletters that skim over your real concerns? **DastraNews** offers legal and regulatory monitoring **specifically designed for DPOs, lawyers, and privacy professionals**.\r\n\r\nEach month, we go beyond a simple recap: we select about ten decisions, news, or positions **that have a concrete impact on your missions and organizations**.\r\n\r\n🎯 **Targeted, useful, and grounded data protection monitoring.**\r\n\r\nHere is our selection for **April 2025**:\r\n\r\n## It's pouring reports!\r\n\r\nApril 2025 brought **real regulatory excitement** in data protection: **several authorities have published their annual reports**, each providing valuable insights into the priorities, trends, and future developments of the GDPR and data governance in Europe.\r\n\r\n### 📄 2024 Annual Report - CNIL (France)\r\n\r\nFrance’s data protection authority, the CNIL, has published its 2024 report with a clear twofold observation: a steady rise in complaints and a sharper focus on inspections in several sensitive sectors.\r\n\r\n**Key highlights:**\r\n\r\n- **Significant rise in sanctions**: 331 corrective measures were imposed, including 87 sanctions totalling over €55 million in fines.\r\n\r\n- **5,629 personal data breaches** were notified, marking a 20% increase from 2023.\r\n\r\n- **Artificial Intelligence**: 12 practical guidance sheets published (9 finalized) to support the development of AI systems respectful of personal data.\r\n\r\n- **17,772 complaints received**—a 
record—with 49% related to telecoms, the web, and social media, followed by commerce (19%) and employment (13%).\r\n\r\n🔗 Read the summary: [Summary of the 2024 Annual Report – CNIL](https://www.cnil.fr/en/annual-report-2024#:~:text=The%20CNIL%20is%20publishing%20its,in%20protecting%20everyone's%20personal%20data.)  \r\n🔗 Access the full report: [2024 Annual Report – CNIL](https://www.cnil.fr/sites/cnil/files/2025-04/rapport_annuel_2024.pdf)\r\n\r\n---\r\n\r\n### 📄 2024 Annual Report - European Data Protection Board (EDPB)\r\n\r\nThe EDPB’s report highlights its coordinated efforts to ensure consistent application of the GDPR across the EU.\r\n\r\n**Key takeaways**:\r\n\r\n- **EDPB opinions (Article 64(2) GDPR)**: The board adopted eight important opinions, including those on the \"consent or payment\" model used by major online platforms or training AI models with personal data.\r\n- **Guidelines**: Publication of four new guidelines, including data processing based on legitimate interest (Article 6(1)(f) GDPR) or data transfers to authorities in third countries (Article 48 GDPR).\r\n- **Strengthening cooperation and application of the GDPR:**\r\n  - **Coordinated actions**: Launch of the third coordinated action focusing on the right of access to data, identifying disparities in how organizations respond to access requests.\r\n  - **ChatGPT Taskforce**: Creation of a task force to examine data processing related to ChatGPT, in the absence of a main establishment of the company in the EU.\r\n  - **Support for national authorities**: The Expert Pool has strengthened the capabilities of data protection authorities, particularly on complex topics such as AI and consent mechanisms.\r\n\r\n🔗 Read the summary: [Executive Summary – EDPB 2024 Report](https://www.edpb.europa.eu/system/files/2025-04/edpb-ar-2024-executive-summary-en.pdf)  \r\n🔗 Read the full report: [EDPB 2024 Report](https://www.edpb.europa.eu/system/files/2025-04/edpb-annual-report-2024_en.pdf)\r\n\r\n👩‍🚀 **Dastra's little 
extra:** Check out our article on the EDPB’s opinion [\"Purely Commercial Interest and the GDPR: A Legitimate Interest? Yes, But...!\"](https://www.dastra.eu/en/article/legitimate-interests-and-purely-commercial-objective/59061)\r\n\r\n---\r\n\r\n### 📄 2024 Annual Report - European Data Protection Supervisor (EDPS)\r\n\r\nThe **European Data Protection Supervisor (EDPS)**, the guardian of data protection within EU institutions, also released its **2024 review**.\r\n\r\n**Key points**:\r\n\r\n- **Enhanced internal oversight**, including audits of EU institutions’ IT systems — from public websites to large-scale systems like Schengen and visa databases.\r\n\r\n- **Focus on AI**: Creation of an AI Correspondents Network within EU institutions under the forthcoming AI legislation.\r\n\r\n- **Investigations into data protection violations**, such as the European Commission’s use of Microsoft tools.\r\n\r\n- **Policy advice**: Provided guidance to EU lawmakers on upcoming regulations with significant privacy implications.\r\n\r\n🔗 Read the executive summary: [Executive Summary – EDPS 2024 Report](https://www.edps.europa.eu/system/files/2025-04/2024-EDPS_Executive-Summary_EN.pdf)  \r\n🔗 Read the full report: [EDPS 2024 Report](https://www.edpb.europa.eu/system/files/2025-04/edpb-annual-report-2024_en.pdf)\r\n\r\n**➔ One thing is clear from all these reports: regulatory oversight is now more focused and coordinated. For companies, anticipating risks and structuring their compliance approach has become a strategic necessity.**\r\n\r\n## **The CNIL publishes its European & International strategy for 2025-2028**\r\n\r\nThe CNIL has published its **European and international strategy for 2025–2028**, with the objective of enhancing **France’s influence in global data protection discourse** and anticipating emerging technological and regulatory challenges.\r\n\r\nThis strategy is structured around **three strategic priorities**:\r\n\r\n1. 
**Reinforcing the effectiveness of European cooperation mechanisms**, in order to ensure robust protection of personal data within the evolving digital regulatory landscape.\r\n\r\n2. **Promoting high-level international standards** in data protection, while encouraging responsible innovation and facilitating secure data flows.\r\n\r\n3. **Consolidating the CNIL’s role as a European and international authority**, by advocating a governance model that reconciles technological advancement with the safeguarding of fundamental rights.\r\n\r\nIn parallel, the CNIL affirms its commitment to **supporting French organisations** as they navigate their evolving international obligations, and to maintaining vigilance in the face of risks stemming from the **extraterritorial application of foreign laws**.\r\n\r\n🔗 For further details: [Strategy 2025-2028 – CNIL](https://www.cnil.fr/en/cnil-publishes-its-european-and-international-strategy-2025-2028)\r\n\r\n## The EDPB publishes its recommendations on Blockchain and data protection\r\n\r\nOn **April 8, 2025**, the **European Data Protection Board (EDPB)** issued version **1.1 of its Guidelines 02/2025** on the **processing of personal data via blockchain technologies**.\r\n\r\nThe EDPB reaffirms that **neither the absence of a central authority nor technical limitations** may exempt data controllers or processors from their obligations under the **General Data Protection Regulation (GDPR)**.\r\n\r\n**Key recommendations of the guidelines include**:\r\n\r\n- **Necessity and proportionality**: Blockchain should only be used where it is **objectively necessary** and proportionate to the intended purpose. 
The EDPB cautions against adopting blockchain for its own sake, without a demonstrable functional justification.\r\n\r\n- **Preference for permissioned blockchains**: The use of **permissioned (or private) blockchains** is encouraged, as they facilitate clearer **governance structures**, including the designation of controllers and processors, and enable greater control over access and data flows.\r\n\r\n- **Data minimization and pseudonymization**: Personal data should, wherever possible, be **stored off-chain**. On-chain content should be limited to **pseudonymous identifiers or cryptographic hashes**, with the EDPB stressing that pseudonymization does **not equate to anonymization** under the GDPR.\r\n\r\n- **Right to erasure**: The immutable nature of blockchain raises significant challenges for complying with the **right to erasure**. The EDPB suggests implementing technical safeguards, such as **encryption coupled with deletion of encryption keys**, to render personal data effectively inaccessible.\r\n\r\n- **Accountability and DPIA**: A **Data Protection Impact Assessment (DPIA)** is deemed essential prior to deploying any blockchain-based processing that involves personal data, given the inherent risks to data subjects' rights and freedoms.\r\n\r\n➔ This guidance constitutes a **foundational reference** for any organisation considering blockchain-based solutions, underscoring the need to embed **Privacy by Design and by Default** from the earliest stages, supported by a **robust technical and organizational compliance framework**.\r\n\r\n🔗 Read the guidelines: [Guidelines 2/2025 – Blockchain & GDPR (EDPB)](https://www.edpb.europa.eu/system/files/2025-04/edpb_guidelines_202502_blockchain_en.pdf)\r\n\r\n## The five strategic pillars of the EU’s AI Action Plan\r\n\r\nThe European Commission has unveiled an [**ambitious action plan**](https://ec.europa.eu/commission/presscorner/detail/en/ip_25_1013) structured around **five strategic pillars**, 
with the aim of strengthening the EU’s **technological sovereignty** and fostering a competitive, secure, and innovation-driven AI ecosystem.\r\n\r\n#### 1. Build a large-scale European AI infrastructure\r\n\r\nThe EU plans to develop a **network of AI factories**, with **13 already operational**, and to support the creation of **AI giga-factories** equipped with up to **100,000 specialized chips** each. Through the **InvestAI program**, up to **€20 billion** will be mobilized to finance **five major installations** of this kind.\r\n\r\n#### 2. Accelerate access to massive high-quality data\r\n\r\n**Data labs** will be integrated into AI factories to **collect and manage large-scale, reliable datasets**. In 2025, the Commission will launch a **European Data Union strategy** to **facilitate cross-border data flows** within the digital single market, supporting scalable AI development.\r\n\r\n#### 3. Stimulate AI adoption in strategic sectors\r\n\r\nThe **'Applying AI'** strategy will aim to **increase the concrete adoption of AI** in both public and private sectors. The **AI factories** and **European digital innovation hubs** will act as accelerators for **sector-specific use cases**, aligned with EU industrial and societal priorities.\r\n\r\n#### 4. Train and attract AI talent\r\n\r\nThe Commission intends to enhance skills through:\r\n\r\n- the **European talent pool**,\r\n\r\n- the **MSCA Choose Europe** initiative,\r\n\r\n- the future **AI Skills Academy**,\r\n\r\n- specialized **AI scholarship programs**.\r\n\r\nTeaching and training initiatives on AI and generative AI will be developed at all levels.\r\n\r\n#### 5. Provide a Simplified and Trustworthy Regulatory Framework\r\n\r\nThe **AI Act**, which came into effect on **August 1, 2024**, is designed to **build trust**, secure investments, and **guarantee responsible use of AI**. 
A **regulatory assistance office** will be set up to assist companies in their compliance efforts, thereby enhancing trust and legal security.\r\n\r\n#### Next steps:\r\n\r\nTwo public consultations are open to all interested parties until **June 4, 2025**, focusing on:\r\n\r\n- the [**legislative act on the development of cloud computing and AI**](https://digital-strategy.ec.europa.eu/en/cloud-and-ai-development-public-consultation)\r\n\r\n- the [**'Applying AI' strategy**](https://digital-strategy.ec.europa.eu/en/applyai-strategy-public-consultation), aimed at identifying stakeholder priorities, barriers to overcome to foster AI adoption, and the relevance of the proposed strategic orientations — including necessary complementary measures to ensure smooth and effective implementation of the AI regulation.\r\n\r\n**A third consultation** regarding the strategy for a European data union will be launched in May.\r\n\r\n## Interaction between the GDPR and the ePrivacy Directive: Insights from the Advocate General in *Inteligo Media v. ANSPDCP*\r\n\r\nOn **25 April 2025**, the **Advocate General of the Court of Justice of the European Union (CJEU)** delivered his Opinion in the case *Inteligo Media SA v. ANSPDCP*, offering key clarifications regarding the **relationship between the General Data Protection Regulation (GDPR)** and the **ePrivacy Directive (Directive 2002/58/EC)** in the context of direct electronic marketing.\r\n\r\n### Case background\r\n\r\nInteligo Media, a Romanian company, had been **sanctioned by the Romanian data protection authority (ANSPDCP)** for distributing newsletters via email **without obtaining the prior consent of the recipients**, in alleged breach of **Article 13(2) of the ePrivacy Directive**. 
The company challenged the sanction, arguing that the data processing was lawful under **Article 6(1)(f) of the GDPR**, invoking legitimate interests.\r\n\r\n### **Legal question**\r\n\r\nThe central legal issue concerns whether the **newsletter qualifies as an unsolicited electronic communication for direct marketing purposes** under **Article 13(2) of Directive 2002/58/EC**. This classification is decisive, as it determines whether **prior consent (opt-in)** is required, or whether the controller may rely on the **exception** provided for existing customer relationships under the same provision.\r\n\r\n### Position of the Advocate General\r\n\r\nAlthough formatted as an informative legal update — with summaries and links to full articles — the Advocate General concluded that the **newsletter served a direct commercial objective**: encouraging recipients to exhaust their monthly quota of free content, thereby increasing the likelihood of converting them into paying subscribers.\r\n\r\nWhat is legally relevant, according to the Advocate General, is the **individualised nature** of the communication (sent to **identified recipients’ personal email addresses**), combined with the **underlying economic aim** of customer retention and monetisation. This combination, he argues, satisfies the definition of a **“direct marketing communication”**, thus falling squarely within the scope of **Article 13(2) ePrivacy Directive**, which mandates **prior and specific consent**, unless the narrow exception applies.\r\n\r\n### Interpretation of the ePrivacy Directive and its interaction with the GDPR\r\n\r\nThe Advocate General underlined that in cases governed by **Article 13(2) of the ePrivacy Directive**, the conditions of **lawful processing under Article 6 of the GDPR** do not apply separately. Rather, the **ePrivacy Directive constitutes a lex specialis**, fully regulating the **lawfulness of electronic communications for marketing purposes**. 
In this context, the GDPR does not impose **additional or parallel obligations**, in line with **Article 95 GDPR**, which prevents duplication of obligations where sector-specific rules apply.\r\n\r\n### Practical implications\r\n\r\nA free newsletter can be assimilated to a sale under the ePrivacy directive as long as it is part of a broader commercial strategy aimed at selling additional services. **Such promotional messages may therefore be sent on the basis of an opt-out mechanism — under certain conditions — rather than on the basis of prior consent (opt-in).**\r\n\r\nWhile the Advocate General’s Opinion is not binding, it carries significant persuasive authority. Should the CJEU follow this reasoning, it would **reinforce the autonomy of the ePrivacy Directive** in governing electronic communications and **clarify its precedence over the GDPR** in this domain.\r\n\r\n🔗 Read the Advocate General's conclusions [here](https://curia.europa.eu/juris/document/document.jsf?text=&docid=297249&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1).\r\n\r\n## Spanish fine of €500,000 for MARINA SALUD hospital: unlawful sub-processing\r\n\r\nThe **Spanish Data Protection Authority (AEPD)** has imposed a fine of **€500,000** on **MARINA SALUD, S.A.**, for failing to comply with the sub-processing obligations.\r\n\r\n### Context\r\n\r\n- The Ministry of Health and Public Health of Valencia (data controller) has relied since 2009 on the services of Marina Salud (processor), a healthcare organization providing public health services under a contract.\r\n- On January 19, 2023, the controller inspected the premises of the processor. 
It was revealed that the processor was using third-party health information system software and refused to provide the controller with the contract governing their relation with the third party.\r\n- Two subsequent unauthorized processors were also engaged.\r\n\r\n### Breaches identified\r\n\r\nThe AEPD identified a **breach of Article 28(2) of the GDPR** concerning outsourcing:\r\n\r\n- **Unauthorised subprocessing**: Although a general authorisation was included in the 2009 data processing agreement, MARINA SALUD failed to inform the controller of **new subprocessing contracts** entered into **after the GDPR came into force** in 2018.\r\n\r\n- **Infringement of the right to object**: Under **Article 28(2) GDPR**, even with general authorisation, **the controller must be informed in advance of any intended changes**, to allow for **objection**.\r\n\r\n### As a consequence\r\n\r\nIn determining the fine, the AEPD considered the severity of the breach given the sensitive nature of the data processed (sensitive health data), and that the processor had a high turnover. Therefore, the AEPD imposed a fine of €500,000. By sanctioning MARINA SALUD, the AEPD reminds us of the importance and the need to **ensure transparency** and **control in the processor chain**.\r\n\r\n🔗 Decision available (in Spanish): [AEPD](https://www.aepd.es/documento/ps-00127-2024.pdf)\r\n\r\n👩‍🚀 **Dastra’s tip**: Curious about subprocessing obligations? 
Read our article [\"Subprocessing under the GDPR: Key Implications of the EDPB’s October 2024 Opinion\"](https://www.dastra.eu/en/article/gdpr-subcontracting-what-changes-with-the-opinions-of-the-edpb-in-october-2024/59029)\r\n\r\n## Illegal marketing: a UK company fined £90,000\r\n\r\nThe **Information Commissioner's Office (ICO)**, the UK data protection authority, imposed, on April 24, a fine of **£90,000** (approximately **€105,000**) on **AFK Letters Co Ltd (AFK)** for making over **95,000 unsolicited commercial calls**.\r\n\r\n### Allegations against AFK\r\n\r\nAFK Letters specializes in writing compensation letters for its clients. The ICO's investigation highlighted several significant shortcomings under **UK data protection and electronic marketing law** (Privacy and Electronic Communications Regulations – PECR).\r\n\r\n- **Absence of valid consent**: Between **January and September 2023**, AFK placed 95,277 calls using data from its own website and a third-party provider, but was **unable to demonstrate that recipients had given specific, valid consent**. Even for recent contacts, no records of consent were retained. Moreover, **the third-party data provider's consent statements did not clearly identify AFK** as the sender.\r\n\r\n- **Insufficient transparency**: The provider obtained **generic consent** from data subjects. 
AFK's own **privacy policy mentioned only email marketing**, with **no reference to phone calls**, thereby violating the requirement to **inform data subjects clearly and fully**.\r\n\r\n### 💬 ICO’s message\r\n\r\nThrough this enforcement, the ICO reiterates that:\r\n\r\n- Telemarketing must be preceded by **clear, specific, and recorded consent**.\r\n\r\n- Organisations must ensure **full transparency** in their privacy notices regarding all intended communication channels.\r\n\r\n🔗 Decision available (in English): [ICO, AFK Letters Co Ltd](https://ico.org.uk/action-weve-taken/enforcement/2025/04/afk-letters-co-ltd-mpn/)\r\n\r\n## First sanctions under the Digital Markets Act: Apple and Meta heavily fined\r\n\r\nIn a landmark enforcement action under the **Digital Markets Act (DMA)**, the **European Commission** has imposed fines totaling **€700 million** — **€500 million for Apple** and **€200 million for Meta** — marking the first application of the DMA since it entered into force.\r\n\r\n### Legal basis\r\n\r\n- **Apple** was sanctioned for **restricting app developers from informing users** about alternative purchasing options outside the App Store — often more affordable.  This practice violates **Article 5(4) DMA**, which prohibits **“gatekeepers”** from preventing business users from communicating freely with end users.\r\n\r\n- **Meta** was fined for implementing a **“consent or pay” model** on Facebook and Instagram, giving users a binary choice: accept highly personalised advertising or pay for an ad-free version.  
However, under the DMA, gatekeepers must offer a **genuine third option**: a **free service based on limited advertising targeting**, which must be presented fairly and transparently.\r\n\r\n### Enforcement consequences\r\n\r\nDespite the significant financial penalties, both tech giants remain financially dominant, having reported **€82 billion** (Apple) and **€55 billion** (Meta) in annual net profits.\r\n\r\n- The companies now have **60 days to comply** with the Commission’s findings.\r\n\r\n- In case of non-compliance, they risk **further fines of up to 10% of global turnover**, and up to **20% in the event of repeated infringements**.\r\n\r\n🔎 **Key takeaway:** [This decision](https://ec.europa.eu/commission/presscorner/detail/en/ip_25_1085) marks a **turning point in EU digital regulation**, signalling the Commission’s **willingness to enforce the DMA rigorously** and to **restore competitive fairness** in online platforms by rebalancing power between gatekeepers and users.","\u003Cp>Tired of general newsletters that skim over your real concerns? 
\u003Cstrong>DastraNews\u003C/strong> offers legal and regulatory monitoring \u003Cstrong>specifically designed for DPOs, lawyers, and privacy professionals\u003C/strong>.\u003C/p>\r\n\u003Cp>Each month, we go beyond a simple recap: we select about ten decisions, news, or positions \u003Cstrong>that have a concrete impact on your missions and organizations\u003C/strong>.\u003C/p>\r\n\u003Cp>🎯 \u003Cstrong>Targeted, useful, and grounded data protection monitoring.\u003C/strong>\u003C/p>\r\n\u003Cp>Here is our selection for \u003Cstrong>April 2025\u003C/strong>:\u003C/p>\r\n\u003Ch2 id=\"its-pouring-reports\">It's pouring reports!\u003C/h2>\r\n\u003Cp>April 2025 brought \u003Cstrong>real regulatory excitement\u003C/strong> in data protection: \u003Cstrong>several authorities have published their annual reports\u003C/strong>, each providing valuable insights into the priorities, trends, and future developments of the GDPR and data governance in Europe.\u003C/p>\r\n\u003Ch3 id=\"annual-report-cnil-france\">📄 2024 Annual Report - CNIL (France)\u003C/h3>\r\n\u003Cp>France’s data protection authority, the CNIL, has published its 2024 report with a clear twofold observation: a steady rise in complaints and a sharper focus on inspections in several sensitive sectors.\u003C/p>\r\n\u003Cp>\u003Cstrong>Key highlights:\u003C/strong>\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>\u003Cstrong>Significant rise in sanctions\u003C/strong>: 331 corrective measures were imposed, including 87 sanctions totalling over €55 million in fines.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>5,629 personal data breaches\u003C/strong> were notified, marking a 20% increase from 2023.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Artificial Intelligence\u003C/strong>: 12 practical guidance sheets published (9 finalized) to support the development of AI systems respectful of personal data.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>17,772 complaints 
received\u003C/strong>—a record—with 49% related to telecoms, the web, and social media, followed by commerce (19%) and employment (13%).\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>🔗 Read the summary: \u003Ca href=\"https://www.cnil.fr/en/annual-report-2024#:%7E:text=The%20CNIL%20is%20publishing%20its,in%20protecting%20everyone%27s%20personal%20data.\" rel=\"nofollow\">Summary of the 2024 Annual Report – CNIL\u003C/a>\u003Cbr />\r\n🔗 Access the full report: \u003Ca href=\"https://www.cnil.fr/sites/cnil/files/2025-04/rapport_annuel_2024.pdf\" rel=\"nofollow\">2024 Annual Report – CNIL\u003C/a>\u003C/p>\r\n\u003Chr />\r\n\u003Ch3 id=\"annual-report-european-data-protection-board-edpb\">📄 2024 Annual Report - European Data Protection Board (EDPB)\u003C/h3>\r\n\u003Cp>The EDPB’s report highlights its coordinated efforts to ensure consistent application of the GDPR across the EU.\u003C/p>\r\n\u003Cp>\u003Cstrong>Key takeaways\u003C/strong>:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cstrong>EDPB opinions (Article 64(2) GDPR)\u003C/strong>: The board adopted eight important opinions, including those on the \"consent or payment\" model used by major online platforms or training AI models with personal data.\u003C/li>\r\n\u003Cli>\u003Cstrong>Guidelines\u003C/strong>: Publication of four new guidelines, including data processing based on legitimate interest (Article 6(1)(f) GDPR) or data transfers to authorities in third countries (Article 48 GDPR).\u003C/li>\r\n\u003Cli>\u003Cstrong>Strengthening cooperation and application of the GDPR:\u003C/strong>\r\n\u003Cul>\r\n\u003Cli>\u003Cstrong>Coordinated actions\u003C/strong>: Launch of the third coordinated action focusing on the right of access to data, identifying disparities in how organizations respond to access requests.\u003C/li>\r\n\u003Cli>\u003Cstrong>ChatGPT Taskforce\u003C/strong>: Creation of a task force to examine data processing related to ChatGPT, in the absence of a main establishment of the company in the 
EU.\u003C/li>\r\n\u003Cli>\u003Cstrong>Support for national authorities\u003C/strong>: The Expert Pool has strengthened the capabilities of data protection authorities, particularly on complex topics such as AI and consent mechanisms.\u003C/li>\r\n\u003C/ul>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>🔗 Read the summary: \u003Ca href=\"https://www.edpb.europa.eu/system/files/2025-04/edpb-ar-2024-executive-summary-en.pdf\" rel=\"nofollow\">Executive Summary – EDPB 2024 Report\u003C/a>\u003Cbr />\r\n🔗 Read the full report: \u003Ca href=\"https://www.edpb.europa.eu/system/files/2025-04/edpb-annual-report-2024_en.pdf\" rel=\"nofollow\">EDPB 2024 Report\u003C/a>\u003Cbr />\r\n\u003Cbr />\r\n👩‍🚀 \u003Cstrong>Dastra's little extra:\u003C/strong> Check out our article on the EDPB’s opinion \u003Ca href=\"https://www.dastra.eu/en/article/legitimate-interests-and-purely-commercial-objective/59061\">\"Purely Commercial Interest and the GDPR: A Legitimate Interest? Yes, But...!\"\u003C/a>\u003C/p>\r\n\u003Chr />\r\n\u003Ch3 id=\"annual-report-european-data-protection-supervisor-edps\">📄 2024 Annual Report - European Data Protection Supervisor (EDPS)\u003C/h3>\r\n\u003Cp>The \u003Cstrong>European Data Protection Supervisor (EDPS)\u003C/strong>, the guardian of data protection within EU institutions, also released its \u003Cstrong>2024 review\u003C/strong>.\u003C/p>\r\n\u003Cp>\u003Cstrong>Key points\u003C/strong>:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>\u003Cstrong>Enhanced internal oversight\u003C/strong>, including audits of EU institutions’ IT systems — from public websites to large-scale systems like Schengen and visa databases.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Focus on AI\u003C/strong>: Creation of an AI Correspondents Network within EU institutions under the forthcoming AI legislation.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Investigations into data protection violations\u003C/strong>, such as the European Commission’s use of Microsoft 
tools.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Policy advice\u003C/strong>: Provided guidance to EU lawmakers on upcoming regulations with significant privacy implications.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>🔗 Read the executive summary: \u003Ca href=\"https://www.edps.europa.eu/system/files/2025-04/2024-EDPS_Executive-Summary_EN.pdf\" rel=\"nofollow\">Executive Summary – EDPS 2024 Report\u003C/a>\u003Cbr />\r\n🔗 Read the full report: \u003Ca href=\"https://www.edpb.europa.eu/system/files/2025-04/edpb-annual-report-2024_en.pdf\" rel=\"nofollow\">EDPS 2024 Report\u003C/a>\u003Cbr />\r\n\u003Cbr />\r\n\u003Cstrong>➔ One thing is clear from all these reports: regulatory oversight is now more focused and coordinated. For companies, anticipating risks and structuring their compliance approach has become a strategic necessity.\u003C/strong>\u003C/p>\r\n\u003Ch2 id=\"the-cnil-publishes-its-european-international-strategy-for-2025-2028\">\u003Cstrong>The CNIL publishes its European &amp; International strategy for 2025-2028\u003C/strong>\u003C/h2>\r\n\u003Cp>The CNIL has published its \u003Cstrong>European and international strategy for 2025–2028\u003C/strong>, with the objective of enhancing \u003Cstrong>France’s influence in global data protection discourse\u003C/strong> and anticipating emerging technological and regulatory challenges.\u003C/p>\r\n\u003Cp>This strategy is structured around \u003Cstrong>three strategic priorities\u003C/strong>:\u003C/p>\r\n\u003Col>\r\n\u003Cli>\u003Cp>\u003Cstrong>Reinforcing the effectiveness of European cooperation mechanisms\u003C/strong>, in order to ensure robust protection of personal data within the evolving digital regulatory landscape.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Promoting high-level international standards\u003C/strong> in data protection, while encouraging responsible innovation and facilitating secure data 
flows.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Consolidating the CNIL’s role as a European and international authority\u003C/strong>, by advocating a governance model that reconciles technological advancement with the safeguarding of fundamental rights.\u003C/p>\r\n\u003C/li>\r\n\u003C/ol>\r\n\u003Cp>In parallel, the CNIL affirms its commitment to \u003Cstrong>supporting French organisations\u003C/strong> as they navigate their evolving international obligations, and to maintaining vigilance in the face of risks stemming from the \u003Cstrong>extraterritorial application of foreign laws\u003C/strong>.\u003C/p>\r\n\u003Cp>🔗 For further details: \u003Ca href=\"https://www.cnil.fr/en/cnil-publishes-its-european-and-international-strategy-2025-2028\" rel=\"nofollow\">Strategy 2025-2028 – CNIL\u003C/a>\u003C/p>\r\n\u003Ch2 id=\"the-edpb-publishes-its-recommendations-on-blockchain-and-data-protection\">The EDPB publishes its recommendations on Blockchain and data protection\u003C/h2>\r\n\u003Cp>On \u003Cstrong>April 8, 2025\u003C/strong>, the \u003Cstrong>European Data Protection Board (EDPB)\u003C/strong> issued version \u003Cstrong>1.1 of its Guidelines 02/2025\u003C/strong> on the \u003Cstrong>processing of personal data via blockchain technologies\u003C/strong>.\u003C/p>\r\n\u003Cp>The EDPB reaffirms that \u003Cstrong>neither the absence of a central authority nor technical limitations\u003C/strong> may exempt data controllers or processors from their obligations under the \u003Cstrong>General Data Protection Regulation (GDPR)\u003C/strong>.\u003C/p>\r\n\u003Cp>\u003Cstrong>Key recommendations of the guidelines include\u003C/strong>:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>\u003Cstrong>Necessity and proportionality\u003C/strong>: Blockchain should only be used where it is \u003Cstrong>objectively necessary\u003C/strong> and proportionate to the intended purpose. 
The EDPB cautions against adopting blockchain for its own sake, without a demonstrable functional justification.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Preference for permissioned blockchains\u003C/strong>: The use of \u003Cstrong>permissioned (or private) blockchains\u003C/strong> is encouraged, as they facilitate clearer \u003Cstrong>governance structures\u003C/strong>, including the designation of controllers and processors, and enable greater control over access and data flows.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Data minimization and pseudonymization\u003C/strong>: Personal data should, wherever possible, be \u003Cstrong>stored off-chain\u003C/strong>. On-chain content should be limited to \u003Cstrong>pseudonymous identifiers or cryptographic hashes\u003C/strong>, with the EDPB stressing that pseudonymization does \u003Cstrong>not equate to anonymization\u003C/strong> under the GDPR.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Right to erasure\u003C/strong>: The immutable nature of blockchain raises significant challenges for complying with the \u003Cstrong>right to erasure\u003C/strong>. 
The EDPB suggests implementing technical safeguards, such as \u003Cstrong>encryption coupled with deletion of encryption keys\u003C/strong>, to render personal data effectively inaccessible.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Accountability and DPIA\u003C/strong>: A \u003Cstrong>Data Protection Impact Assessment (DPIA)\u003C/strong> is deemed essential prior to deploying any blockchain-based processing that involves personal data, given the inherent risks to data subjects' rights and freedoms.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>➔ This guidance constitutes a \u003Cstrong>foundational reference\u003C/strong> for any organisation considering blockchain-based solutions, underscoring the need to embed \u003Cstrong>Privacy by Design and by Default\u003C/strong> from the earliest stages, supported by a \u003Cstrong>robust technical and organizational compliance framework\u003C/strong>.\u003C/p>\r\n\u003Cp>🔗 Read the guidelines: \u003Ca href=\"https://www.edpb.europa.eu/system/files/2025-04/edpb_guidelines_202502_blockchain_en.pdf\" rel=\"nofollow\">Guidelines 2/2025 – Blockchain &amp; GDPR (EDPB)\u003C/a>\u003C/p>\r\n\u003Ch2 id=\"the-five-strategic-pillars-of-the-eus-ai-action-plan\">The five strategic pillars of the EU’s AI Action Plan\u003C/h2>\r\n\u003Cp>The European Commission has unveiled an \u003Ca href=\"https://ec.europa.eu/commission/presscorner/detail/en/ip_25_1013\" rel=\"nofollow\">\u003Cstrong>ambitious action plan\u003C/strong>\u003C/a> structured around \u003Cstrong>five strategic pillars\u003C/strong>, with the aim of strengthening the EU’s \u003Cstrong>technological sovereignty\u003C/strong> and fostering a competitive, secure, and innovation-driven AI ecosystem.\u003C/p>\r\n\u003Ch4 id=\"build-a-large-scale-european-ai-infrastructure\">1. 
Build a large-scale European AI infrastructure\u003C/h4>\r\n\u003Cp>The EU plans to develop a \u003Cstrong>network of AI factories\u003C/strong>, with \u003Cstrong>13 already operational\u003C/strong>, and to support the creation of \u003Cstrong>AI giga-factories\u003C/strong> equipped with up to \u003Cstrong>100,000 specialized chips\u003C/strong> each.\u003Cbr />\r\nThrough the \u003Cstrong>InvestAI program\u003C/strong>, up to \u003Cstrong>€20 billion\u003C/strong> will be mobilized to finance \u003Cstrong>five major installations\u003C/strong> of this kind.\u003C/p>\r\n\u003Ch4 id=\"accelerate-access-to-massive-high-quality-data\">2. Accelerate access to massive high-quality data\u003C/h4>\r\n\u003Cp>\u003Cstrong>Data labs\u003C/strong> will be integrated into AI factories to \u003Cstrong>collect and manage large-scale, reliable datasets\u003C/strong>.\u003Cbr />\r\nIn 2025, the Commission will launch a \u003Cstrong>European Data Union strategy\u003C/strong> to \u003Cstrong>facilitate cross-border data flows\u003C/strong> within the digital single market, supporting scalable AI development.\u003C/p>\r\n\u003Ch4 id=\"stimulate-ai-adoption-in-strategic-sectors\">3. Stimulate AI adoption in strategic sectors\u003C/h4>\r\n\u003Cp>The \u003Cstrong>'Applying AI'\u003C/strong> strategy will aim to \u003Cstrong>increase the concrete adoption of AI\u003C/strong> in both public and private sectors. The \u003Cstrong>AI factories\u003C/strong> and \u003Cstrong>European digital innovation hubs\u003C/strong> will act as accelerators for \u003Cstrong>sector-specific use cases\u003C/strong>, aligned with EU industrial and societal priorities.\u003C/p>\r\n\u003Ch4 id=\"train-and-attract-ai-talent\">4. 
Train and attract AI talent\u003C/h4>\r\n\u003Cp>The Commission intends to enhance skills through:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>the \u003Cstrong>European talent pool\u003C/strong>,\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>the \u003Cstrong>MSCA Choose Europe\u003C/strong> initiative,\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>the future \u003Cstrong>AI Skills Academy\u003C/strong>,\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>specialized \u003Cstrong>AI scholarship programs\u003C/strong>.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>Teaching and training initiatives on AI and generative AI will be developed at all levels.\u003C/p>\r\n\u003Ch4 id=\"provide-a-simplified-and-trustworthy-regulatory-framework\">5. Provide a Simplified and Trustworthy Regulatory Framework\u003C/h4>\r\n\u003Cp>The \u003Cstrong>AI Act\u003C/strong>, which came into effect on \u003Cstrong>August 1, 2024\u003C/strong>, is designed to \u003Cstrong>build trust\u003C/strong>, secure investments, and \u003Cstrong>guarantee responsible use of AI\u003C/strong>. 
A \u003Cstrong>regulatory assistance office\u003C/strong> will be set up to assist companies in their compliance efforts, thereby enhancing trust and legal security.\u003C/p>\r\n\u003Ch4 id=\"next-steps\">Next steps:\u003C/h4>\r\n\u003Cp>Two public consultations are open to all interested parties until \u003Cstrong>June 4, 2025\u003C/strong>, focusing on:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>the \u003Ca href=\"https://digital-strategy.ec.europa.eu/en/cloud-and-ai-development-public-consultation\" rel=\"nofollow\">\u003Cstrong>legislative act on the development of cloud computing and AI\u003C/strong>\u003C/a>\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>the \u003Ca href=\"https://digital-strategy.ec.europa.eu/en/applyai-strategy-public-consultation\" rel=\"nofollow\">\u003Cstrong>'Applying AI' strategy\u003C/strong>\u003C/a>, aimed at identifying stakeholder priorities, barriers to overcome to foster AI adoption, and the relevance of the proposed strategic orientations — including necessary complementary measures to ensure smooth and effective implementation of the AI regulation.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>\u003Cstrong>A third consultation\u003C/strong> regarding the strategy for a European data union will be launched in May.\u003C/p>\r\n\u003Ch2 id=\"interaction-between-the-gdpr-and-the-eprivacy-directive-insights-from-the-advocate-general-in-inteligo-media-v.anspdcp\">Interaction between the GDPR and the ePrivacy Directive: Insights from the Advocate General in \u003Cem>Inteligo Media v. ANSPDCP\u003C/em>\u003C/h2>\r\n\u003Cp>On \u003Cstrong>25 April 2025\u003C/strong>, the \u003Cstrong>Advocate General of the Court of Justice of the European Union (CJEU)\u003C/strong> delivered his Opinion in the case \u003Cem>Inteligo Media SA v. 
ANSPDCP\u003C/em>, offering key clarifications regarding the \u003Cstrong>relationship between the General Data Protection Regulation (GDPR)\u003C/strong> and the \u003Cstrong>ePrivacy Directive (Directive 2002/58/EC)\u003C/strong> in the context of direct electronic marketing.\u003C/p>\r\n\u003Ch3 id=\"case-background\">Case background\u003C/h3>\r\n\u003Cp>Inteligo Media, a Romanian company, had been \u003Cstrong>sanctioned by the Romanian data protection authority (ANSPDCP)\u003C/strong> for distributing newsletters via email \u003Cstrong>without obtaining the prior consent of the recipients\u003C/strong>, in alleged breach of \u003Cstrong>Article 13(2) of the ePrivacy Directive\u003C/strong>. The company challenged the sanction, arguing that the data processing was lawful under \u003Cstrong>Article 6(1)(f) of the GDPR\u003C/strong>, invoking legitimate interests.\u003C/p>\r\n\u003Ch3 id=\"legal-question\">\u003Cstrong>Legal question\u003C/strong>\u003C/h3>\r\n\u003Cp>The central legal issue concerns whether the \u003Cstrong>newsletter qualifies as an unsolicited electronic communication for direct marketing purposes\u003C/strong> under \u003Cstrong>Article 13(2) of Directive 2002/58/EC\u003C/strong>. 
This classification is decisive, as it determines whether \u003Cstrong>prior consent (opt-in)\u003C/strong> is required, or whether the controller may rely on the \u003Cstrong>exception\u003C/strong> provided for existing customer relationships under the same provision.\u003C/p>\r\n\u003Ch3 id=\"position-of-the-advocate-general\">Position of the Advocate General\u003C/h3>\r\n\u003Cp>Although formatted as an informative legal update — with summaries and links to full articles — the Advocate General concluded that the \u003Cstrong>newsletter served a direct commercial objective\u003C/strong>: encouraging recipients to exhaust their monthly quota of free content, thereby increasing the likelihood of converting them into paying subscribers.\u003C/p>\r\n\u003Cp>What is legally relevant, according to the Advocate General, is the \u003Cstrong>individualised nature\u003C/strong> of the communication (sent to \u003Cstrong>identified recipients’ personal email addresses\u003C/strong>), combined with the \u003Cstrong>underlying economic aim\u003C/strong> of customer retention and monetisation. This combination, he argues, satisfies the definition of a \u003Cstrong>“direct marketing communication”\u003C/strong>, thus falling squarely within the scope of \u003Cstrong>Article 13(2) ePrivacy Directive\u003C/strong>, which mandates \u003Cstrong>prior and specific consent\u003C/strong>, unless the narrow exception applies.\u003C/p>\r\n\u003Ch3 id=\"interpretation-of-the-eprivacy-directive-and-its-interaction-with-the-gdpr\">Interpretation of the ePrivacy Directive and its interaction with the GDPR\u003C/h3>\r\n\u003Cp>The Advocate General underlined that in cases governed by \u003Cstrong>Article 13(2) of the ePrivacy Directive\u003C/strong>, the conditions of \u003Cstrong>lawful processing under Article 6 of the GDPR\u003C/strong> do not apply separately. 
Rather, the \u003Cstrong>ePrivacy Directive constitutes a lex specialis\u003C/strong>, fully regulating the \u003Cstrong>lawfulness of electronic communications for marketing purposes\u003C/strong>. In this context, the GDPR does not impose \u003Cstrong>additional or parallel obligations\u003C/strong>, in line with \u003Cstrong>Article 95 GDPR\u003C/strong>, which prevents duplication of obligations where sector-specific rules apply.\u003C/p>\r\n\u003Ch3 id=\"practical-implications\">Practical implications\u003C/h3>\r\n\u003Cp>A free newsletter can be treated as a sale under the ePrivacy Directive as long as it is part of a broader commercial strategy aimed at selling additional services. \u003Cstrong>Such promotional messages may therefore be sent on the basis of an opt-out mechanism, under certain conditions, rather than on the basis of prior consent (opt-in).\u003C/strong>\u003C/p>\r\n\u003Cp>While the Advocate General’s Opinion is not binding, it carries significant persuasive authority. 
Should the CJEU follow this reasoning, it would \u003Cstrong>reinforce the autonomy of the ePrivacy Directive\u003C/strong> in governing electronic communications and \u003Cstrong>clarify its precedence over the GDPR\u003C/strong> in this domain.\u003C/p>\r\n\u003Cp>🔗 Read the Advocate General's conclusions \u003Ca href=\"https://curia.europa.eu/juris/document/document.jsf?text=&amp;docid=297249&amp;pageIndex=0&amp;doclang=en&amp;mode=req&amp;dir=&amp;occ=first&amp;part=1\" rel=\"nofollow\">here\u003C/a>.\u003C/p>\r\n\u003Ch2 id=\"spanish-fine-of-500000-for-marina-salud-hospital-unlawful-sub-processing\">Spanish fine of €500,000 for MARINA SALUD hospital: unlawful sub-processing\u003C/h2>\r\n\u003Cp>The \u003Cstrong>Spanish Data Protection Authority (AEPD)\u003C/strong> has imposed a fine of \u003Cstrong>€500,000\u003C/strong> on \u003Cstrong>MARINA SALUD, S.A.\u003C/strong>, for failing to comply with the sub-processing obligations.\u003C/p>\r\n\u003Ch3 id=\"context\">Context\u003C/h3>\r\n\u003Cul>\r\n\u003Cli>The Ministry of Health and Public Health of Valencia (data controller) has relied since 2009 on the services of Marina Salud (processor), a healthcare organization providing public health services under a contract.\u003C/li>\r\n\u003Cli>On January 19, 2023, the controller inspected the premises of the processor. 
The inspection revealed that the processor was using third-party health information system software and refused to provide the controller with the contract governing its relationship with the third party.\u003C/li>\r\n\u003Cli>Two subsequent unauthorized processors were also engaged.\u003C/li>\r\n\u003C/ul>\r\n\u003Ch3 id=\"breaches-identified\">Breaches identified\u003C/h3>\r\n\u003Cp>The AEPD identified a \u003Cstrong>breach of Article 28(2) of the GDPR\u003C/strong> concerning outsourcing:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>\u003Cstrong>Unauthorised subprocessing\u003C/strong>: Although a general authorisation was included in the 2009 data processing agreement, MARINA SALUD failed to inform the controller of \u003Cstrong>new subprocessing contracts\u003C/strong> entered into \u003Cstrong>after the GDPR came into force\u003C/strong> in 2018.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Infringement of the right to object\u003C/strong>: Under \u003Cstrong>Article 28(2) GDPR\u003C/strong>, even with general authorisation, \u003Cstrong>the controller must be informed in advance of any intended changes\u003C/strong>, to allow for \u003Cstrong>objection\u003C/strong>.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Ch3 id=\"as-a-consequence\">As a consequence\u003C/h3>\r\n\u003Cp>In determining the fine, the AEPD considered the severity of the breach given the sensitive nature of the data processed (health data), and that the processor had a high turnover. 
Therefore, the AEPD imposed a fine of €500,000.\u003Cbr />\r\nBy sanctioning MARINA SALUD, the AEPD reminds us of the need to \u003Cstrong>ensure transparency\u003C/strong> and \u003Cstrong>control in the processor chain\u003C/strong>.\u003C/p>\r\n\u003Cp>🔗 Decision available (in Spanish): \u003Ca href=\"https://www.aepd.es/documento/ps-00127-2024.pdf\" rel=\"nofollow\">AEPD\u003C/a>\u003Cbr />\r\n\u003Cbr />\r\n👩‍🚀 \u003Cstrong>Dastra’s tip\u003C/strong>: Curious about subprocessing obligations? Read our article \"\u003Ca href=\"https://www.dastra.eu/en/article/gdpr-subcontracting-what-changes-with-the-opinions-of-the-edpb-in-october-2024/59029\">Subprocessing under the GDPR: Key Implications of the EDPB’s October 2024 Opinion\u003C/a>\"\u003C/p>\r\n\u003Ch2 id=\"illegal-marketing-a-uk-company-fined-90000\">Illegal marketing: a UK company fined £90,000\u003C/h2>\r\n\u003Cp>On April 24, the \u003Cstrong>Information Commissioner's Office (ICO)\u003C/strong>, the UK data protection authority, imposed a fine of \u003Cstrong>£90,000\u003C/strong> (approximately \u003Cstrong>€105,000\u003C/strong>) on \u003Cstrong>AFK Letters Co Ltd (AFK)\u003C/strong> for making over \u003Cstrong>95,000 unsolicited commercial calls\u003C/strong>.\u003C/p>\r\n\u003Ch3 id=\"allegations-against-afk\">Allegations against AFK\u003C/h3>\r\n\u003Cp>AFK Letters specializes in writing compensation letters for its clients. 
The ICO's investigation highlighted several significant shortcomings under \u003Cstrong>UK data protection and electronic marketing law\u003C/strong> (Privacy and Electronic Communications Regulations – PECR).\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>\u003Cstrong>Absence of valid consent\u003C/strong>:\u003Cbr />\r\nBetween \u003Cstrong>January and September 2023\u003C/strong>, AFK placed 95,277 calls using data from its own website and a third-party provider, but was \u003Cstrong>unable to demonstrate that recipients had given specific, valid consent\u003C/strong>. Even for recent contacts, no records of consent were retained.\u003Cbr />\r\nMoreover, \u003Cstrong>the third-party data provider's consent statements did not clearly identify AFK\u003C/strong> as the sender.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Insufficient transparency\u003C/strong>:\u003Cbr />\r\nThe provider obtained \u003Cstrong>generic consent\u003C/strong> from data subjects. AFK's own \u003Cstrong>privacy policy mentioned only email marketing\u003C/strong>, with \u003Cstrong>no reference to phone calls\u003C/strong>, thereby violating the requirement to \u003Cstrong>inform data subjects clearly and fully\u003C/strong>.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Ch3 id=\"icos-message\">💬 ICO’s message\u003C/h3>\r\n\u003Cp>Through this enforcement, the ICO reiterates that:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>Telemarketing must be preceded by \u003Cstrong>clear, specific, and recorded consent\u003C/strong>.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Organisations must ensure \u003Cstrong>full transparency\u003C/strong> in their privacy notices regarding all intended communication channels.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>🔗 Decision available (in English): \u003Ca href=\"https://ico.org.uk/action-weve-taken/enforcement/2025/04/afk-letters-co-ltd-mpn/\" rel=\"nofollow\">ICO, AFK Letters Co Ltd\u003C/a>\u003C/p>\r\n\u003Ch2 
id=\"first-sanctions-under-the-digital-markets-act-apple-and-meta-heavily-fined\">First sanctions under the Digital Markets Act: Apple and Meta heavily fined\u003C/h2>\r\n\u003Cp>In a landmark enforcement action under the \u003Cstrong>Digital Markets Act (DMA)\u003C/strong>, the \u003Cstrong>European Commission\u003C/strong> has imposed fines totaling \u003Cstrong>€700 million\u003C/strong> — \u003Cstrong>€500 million for Apple\u003C/strong> and \u003Cstrong>€200 million for Meta\u003C/strong> — marking the first application of the DMA since it entered into force.\u003C/p>\r\n\u003Ch3 id=\"legal-basis\">Legal basis\u003C/h3>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>\u003Cstrong>Apple\u003C/strong> was sanctioned for \u003Cstrong>restricting app developers from informing users\u003C/strong> about alternative purchasing options outside the App Store — often more affordable.\u003Cbr />\r\nThis practice violates \u003Cstrong>Article 5(4) DMA\u003C/strong>, which prohibits \u003Cstrong>“gatekeepers”\u003C/strong> from preventing business users from communicating freely with end users.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Meta\u003C/strong> was fined for implementing a \u003Cstrong>“consent or pay” model\u003C/strong> on Facebook and Instagram, giving users a binary choice: accept highly personalised advertising or pay for an ad-free version.\u003Cbr />\r\nHowever, under the DMA, gatekeepers must offer a \u003Cstrong>genuine third option\u003C/strong>: a \u003Cstrong>free service based on limited advertising targeting\u003C/strong>, which must be presented fairly and transparently.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Ch3 id=\"enforcement-consequences\">Enforcement consequences\u003C/h3>\r\n\u003Cp>Despite the significant financial penalties, both tech giants remain financially dominant, having reported \u003Cstrong>€82 billion\u003C/strong> (Apple) and \u003Cstrong>€55 billion\u003C/strong> (Meta) in annual net 
profits.\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>The companies now have \u003Cstrong>60 days to comply\u003C/strong> with the Commission’s findings.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>In case of non-compliance, they risk \u003Cstrong>further fines of up to 10% of global turnover\u003C/strong>, and up to \u003Cstrong>20% in the event of repeated infringements\u003C/strong>.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>🔎 \u003Cstrong>Key takeaway:\u003C/strong>\u003Cbr />\r\n\u003Ca href=\"https://ec.europa.eu/commission/presscorner/detail/en/ip_25_1085\" rel=\"nofollow\">This decision\u003C/a> marks a \u003Cstrong>turning point in EU digital regulation\u003C/strong>, signalling the Commission’s \u003Cstrong>willingness to enforce the DMA rigorously\u003C/strong> and to \u003Cstrong>restore competitive fairness\u003C/strong> in online platforms by rebalancing power between gatekeepers and users.\u003C/p>\r\n","DastraNews: What happened in April 2025?","Privacy & AI insights from the Dastra hub: actionable updates for pros who work daily in the field.",2913,16,0,null,"en","dastranews-what-happened-in-april-2025",false,"Published",{"id":18,"displayName":19,"avatarUrl":20,"bio":12,"blogUrl":12,"color":12,"userId":18,"creationDate":21},20352,"Leïla Sayssa","https://static.dastra.eu/tenant-3/avatar/20352/TDYeY3C8Rz1lLE/dpo-avatar-h01-150.png","2025-03-03T11:08:22","2025-05-02T13:01:00","2025-05-02T13:01:16.7048057","2025-09-02T08:33:50.1497932",{"id":26,"name":27,"description":28,"url":29,"color":30,"parentId":12,"count":12,"imageUrl":12,"parent":12,"order":11,"translations":31},2,"Blog","A list of curated articles provided by the community","blog","#28449a",[32,35,38],{"lang":33,"name":27,"description":34},"fr","Une liste d'articles rédigés par la communauté",{"lang":36,"name":27,"description":37},"es","Una lista de artículos escritos por la comunidad",{"lang":39,"name":27,"description":40},"de","Eine Liste von Artikeln, die von der Community verfasst 
wurden",[42,47,68],{"id":26,"name":27,"description":28,"url":29,"color":30,"parentId":12,"count":12,"imageUrl":12,"parent":12,"order":11,"translations":43},[44,45,46],{"lang":33,"name":27,"description":34},{"lang":36,"name":27,"description":37},{"lang":39,"name":27,"description":40},{"id":48,"name":49,"description":50,"url":51,"color":52,"parentId":26,"count":12,"imageUrl":12,"parent":53,"order":11,"translations":58},9,"News","Stay up to date with the latest news from data protection authorities: decisions, fines, guidelines, and regulatory trends in GDPR and privacy.","news","#1676ca",{"id":26,"name":27,"description":28,"url":29,"color":30,"parentId":12,"count":12,"imageUrl":12,"parent":12,"order":11,"translations":54},[55,56,57],{"lang":33,"name":27,"description":34},{"lang":36,"name":27,"description":37},{"lang":39,"name":27,"description":40},[59,62,65],{"lang":33,"name":60,"description":61},"Actualités","Suivez les dernières actualités des autorités de protection des données (CNIL, EDPS, etc.) : décisions, sanctions, lignes directrices et tendances réglementaires en matière de RGPD et de privacy.",{"lang":36,"name":63,"description":64},"Actualidad","Todos los artículos relativos a las autoridades de protección de datos",{"lang":39,"name":66,"description":67},"Nachrichten","Alle Artikel mit Bezug zu Datenschutzbehörden",{"id":69,"name":70,"description":71,"url":72,"color":73,"parentId":26,"count":12,"imageUrl":12,"parent":74,"order":79,"translations":80},69,"Expertise","Gain insights from our experts on GDPR compliance, data protection, and privacy challenges. 
In-depth articles, professional analysis, and real-world best practices.","indepth","#000000",{"id":26,"name":27,"description":28,"url":29,"color":30,"parentId":12,"count":12,"imageUrl":12,"parent":12,"order":11,"translations":75},[76,77,78],{"lang":33,"name":27,"description":34},{"lang":36,"name":27,"description":37},{"lang":39,"name":27,"description":40},5,[81,83,86],{"lang":33,"name":70,"description":82},"Bénéficiez des conseils de nos experts sur la conformité RGPD, la protection des données et les enjeux privacy. Articles de fond, analyses et retours d’expérience métier.",{"lang":39,"name":84,"description":85},"Fachwissen","Entdecken Sie die Artikel unserer DSGVO-Experten",{"lang":36,"name":87,"description":88},"Experiencia","Descubre los artículos de nuestros expertos en Privacy",[],"https://static.dastra.eu/content/dc82b7d3-a4d9-4618-a598-7365dea028ba/20-original.jpg",[92,93,94,95,96,97,98],"https://static.dastra.eu/content/dc82b7d3-a4d9-4618-a598-7365dea028ba/20-1000.webp","https://static.dastra.eu/content/dc82b7d3-a4d9-4618-a598-7365dea028ba/20.webp","https://static.dastra.eu/content/dc82b7d3-a4d9-4618-a598-7365dea028ba/20-1500.webp","https://static.dastra.eu/content/dc82b7d3-a4d9-4618-a598-7365dea028ba/20-800.webp","https://static.dastra.eu/content/dc82b7d3-a4d9-4618-a598-7365dea028ba/20-600.webp","https://static.dastra.eu/content/dc82b7d3-a4d9-4618-a598-7365dea028ba/20-300.webp","https://static.dastra.eu/content/dc82b7d3-a4d9-4618-a598-7365dea028ba/20-100.webp",59173]