Tired of general newsletters that skim over your real concerns? DastraNews offers legal and regulatory monitoring specifically designed for DPOs, lawyers, and privacy professionals.
Each month, we go beyond a simple recap: we select about ten decisions, news, or positions that have a concrete impact on your missions and organizations.
🎯 Targeted, useful, and grounded data protection monitoring.
Here is our selection for April 2025:
It's pouring reports!
April 2025 marks a real regulatory excitement in data protection: several authorities have published their annual reports, each providing valuable insights into the priorities, trends, and future developments of the GDPR and data governance in Europe.
📄 2024 Annual Report - CNIL (France)
France’s data protection authority, the CNIL, has published its 2024 report with a clear twofold observation: a steady rise in complaints and a sharper focus on inspections in several sensitive sectors.
Key highlights:
Significant rise in sanctions: 331 corrective measures were imposed, including 87 sanctions totalling over €55 million in fines.
5,629 personal data breaches were notified, marking a 20% increase from 2023.
Artificial Intelligence: 12 practical guidance sheets published (9 finalized) to support the development of AI systems respectful of personal data.
17,772 complaints received—a record—with 49% related to telecoms, the web, and social media, followed by commerce (19%) and employment (13%).
🔗 Read the summary: Summary of the 2024 Annual Report – CNIL
🔗 Access the full report: 2024 Annual Report – CNIL
📄 2024 Annual Report - European Data Protection Board (EDPB)
The EDPB’s report highlights its coordinated efforts to ensure consistent application of the GDPR across the EU.
Key takeaways:
- EDPB opinions (Article 64(2) GDPR): The board adopted eight important opinions, including those on the "consent or payment" model used by major online platforms or training AI models with personal data.
- Guidelines: Publication of four new guidelines, including data processing based on legitimate interest (Article 6(1)(f) GDPR) or data transfers to authorities in third countries (Article 48 GDPR).
- Strengthening cooperation and application of the GDPR:
  - Coordinated actions: Launch of the third coordinated action focusing on the right of access to data, identifying disparities in how organizations respond to access requests.
  - ChatGPT Taskforce: Creation of a task force to examine data processing related to ChatGPT, in the absence of a main establishment of the company in the EU.
  - Support for national authorities: The Expert Pool has strengthened the capabilities of data protection authorities, particularly on complex topics such as AI and consent mechanisms.
🔗 Read the summary: Executive Summary – EDPB 2024 Report
🔗 Read the full report: EDPB 2024 Report
👩🚀 Dastra's little extra: Check out our article on the EDPB’s opinion "Purely Commercial Interest and the GDPR: A Legitimate Interest? Yes, But...!"
📄 2024 Annual Report - European Data Protection Supervisor (EDPS)
The European Data Protection Supervisor (EDPS), the guardian of data protection within EU institutions, also released its 2024 review.
Key points:
Enhanced internal oversight, including audits of EU institutions’ IT systems — from public websites to large-scale systems like Schengen and visa databases.
Focus on AI: Creation of an AI Correspondents Network within EU institutions under the forthcoming AI legislation.
Investigations into data protection violations, such as the European Commission’s use of Microsoft tools.
Policy advice: Provided guidance to EU lawmakers on upcoming regulations with significant privacy implications.
🔗 Read the executive summary: Executive Summary – EDPS 2024 Report
🔗 Read the full report: EDPS 2024 Report
➔ One thing is clear from all these reports: regulatory oversight is now more focused and coordinated. For companies, anticipating risks and structuring their compliance approach has become a strategic necessity.
The CNIL publishes its European & International strategy for 2025-2028
The CNIL has published its European and international strategy for 2025–2028, with the objective of enhancing France’s influence in global data protection discourse and anticipating emerging technological and regulatory challenges.
This strategy is structured around three strategic priorities:
Reinforcing the effectiveness of European cooperation mechanisms, in order to ensure robust protection of personal data within the evolving digital regulatory landscape.
Promoting high-level international standards in data protection, while encouraging responsible innovation and facilitating secure data flows.
Consolidating the CNIL’s role as a European and international authority, by advocating a governance model that reconciles technological advancement with the safeguarding of fundamental rights.
In parallel, the CNIL affirms its commitment to supporting French organisations as they navigate their evolving international obligations, and to maintaining vigilance in the face of risks stemming from the extraterritorial application of foreign laws.
🔗 For further details: Strategy 2025-2028 – CNIL
The EDPB publishes its recommendations on Blockchain and data protection
On April 8, 2025, the European Data Protection Board (EDPB) issued version 1.1 of its Guidelines 02/2025 on the processing of personal data via blockchain technologies.
The EDPB reaffirms that neither the absence of a central authority nor technical limitations may exempt data controllers or processors from their obligations under the General Data Protection Regulation (GDPR).
Key recommendations of the guidelines include:
Necessity and proportionality: Blockchain should only be used where it is objectively necessary and proportionate to the intended purpose. The EDPB cautions against adopting blockchain for its own sake, without a demonstrable functional justification.
Preference for permissioned blockchains: The use of permissioned (or private) blockchains is encouraged, as they facilitate clearer governance structures, including the designation of controllers and processors, and enable greater control over access and data flows.
Data minimization and pseudonymization: Personal data should, wherever possible, be stored off-chain. On-chain content should be limited to pseudonymous identifiers or cryptographic hashes, with the EDPB stressing that pseudonymization does not equate to anonymization under the GDPR.
Right to erasure: The immutable nature of blockchain raises significant challenges for complying with the right to erasure. The EDPB suggests implementing technical safeguards, such as encryption coupled with deletion of encryption keys, to render personal data effectively inaccessible.
Accountability and DPIA: A Data Protection Impact Assessment (DPIA) is deemed essential prior to deploying any blockchain-based processing that involves personal data, given the inherent risks to data subjects' rights and freedoms.
➔ This guidance constitutes a foundational reference for any organisation considering blockchain-based solutions, underscoring the need to embed Privacy by Design and by Default from the earliest stages, supported by a robust technical and organizational compliance framework.
🔗 Read the guidelines: Guidelines 2/2025 – Blockchain & GDPR (EDPB)
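As an added illustration (not code from the EDPB guidelines or from Dastra), the pattern the recommendations above point to: personal data kept off-chain, only a keyed commitment rather than a bare hash written on-chain, and erasure implemented by destroying the per-record key. The ledger, the stand-in encryption routine and the sample e-mail address are constructed for this demo.

```python
import hashlib
import hmac
import secrets


def _keystream(key: bytes, length: int) -> bytes:
    # Toy counter-mode keystream (SHA-256 over key || counter), a stand-in for a
    # real AEAD such as AES-GCM so the demo needs only the standard library.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def _xor(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


class ErasableLedger:
    """Personal data off-chain, a keyed commitment on-chain, erasure by key deletion."""

    def __init__(self) -> None:
        self.chain = []      # append-only (record_id, commitment); never edited
        self.off_chain = {}  # record_id -> ciphertext, held by the controller
        self.keys = {}       # record_id -> per-record key; deleting it is the erasure

    def store(self, personal_data: bytes) -> str:
        record_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self.keys[record_id] = key
        self.off_chain[record_id] = _xor(key, personal_data)
        # Keyed commitment rather than a bare hash: without the key, low-entropy
        # data (an e-mail address, a birth date) cannot be brute-forced from the chain.
        commitment = hmac.new(key, personal_data, hashlib.sha256).hexdigest()
        self.chain.append((record_id, commitment))
        return record_id

    def read(self, record_id: str):
        key = self.keys.get(record_id)
        return None if key is None else _xor(key, self.off_chain[record_id])

    def verify(self, record_id: str, candidate: bytes) -> bool:
        # Proves what was committed on-chain while the key exists; impossible after erasure.
        key = self.keys.get(record_id)
        if key is None:
            return False
        tag = hmac.new(key, candidate, hashlib.sha256).hexdigest()
        return hmac.compare_digest(tag, dict(self.chain)[record_id])

    def erase(self, record_id: str) -> None:
        # The chain stays immutable: erasure destroys the key (and the ciphertext),
        # leaving the on-chain entry as an unusable pseudonymous identifier.
        self.keys.pop(record_id, None)
        self.off_chain.pop(record_id, None)
```

Note that the on-chain entry survives erasure unchanged; what the guidelines call "effectively inaccessible" is the property that neither the data nor a link back to the data subject can be recovered from it once the key is gone.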
The five strategic pillars of the EU’s AI Action Plan
The European Commission has unveiled an ambitious action plan structured around five strategic pillars, with the aim of strengthening the EU’s technological sovereignty and fostering a competitive, secure, and innovation-driven AI ecosystem.
1. Build a large-scale European AI infrastructure
The EU plans to develop a network of AI factories, with 13 already operational, and to support the creation of AI giga-factories equipped with up to 100,000 specialized chips each.
Through the InvestAI program, up to €20 billion will be mobilized to finance five major installations of this kind.
2. Accelerate access to massive high-quality data
Data labs will be integrated into AI factories to collect and manage large-scale, reliable datasets.
In 2025, the Commission will launch a European Data Union strategy to facilitate cross-border data flows within the digital single market, supporting scalable AI development.
3. Stimulate AI adoption in strategic sectors
The 'Applying AI' strategy will aim to increase the concrete adoption of AI in both public and private sectors. The AI factories and European digital innovation hubs will act as accelerators for sector-specific use cases, aligned with EU industrial and societal priorities.
4. Train and attract AI talent
The Commission intends to enhance skills through:
the European talent pool,
the MSCA Choose Europe initiative,
the future AI Skills Academy,
specialized AI scholarship programs.
Teaching and training initiatives on AI and generative AI will be developed at all levels.
5. Provide a Simplified and Trustworthy Regulatory Framework
The AI Act, which came into effect on August 1, 2024, is designed to build trust, secure investments, and guarantee responsible use of AI. A regulatory assistance office will be set up to assist companies in their compliance efforts, thereby enhancing trust and legal security.
Next steps:
Two public consultations are open to all interested parties until June 4, 2025, focusing on:
the legislative act on the development of cloud computing and AI
the 'Applying AI' strategy, aimed at identifying stakeholder priorities, barriers to overcome to foster AI adoption, and the relevance of the proposed strategic orientations — including necessary complementary measures to ensure smooth and effective implementation of the AI regulation.
A third consultation regarding the strategy for a European data union will be launched in May.
Interaction between the GDPR and the ePrivacy Directive: Insights from the Advocate General in Inteligo Media v. ANSPDCP
On 25 April 2025, the Advocate General of the Court of Justice of the European Union (CJEU) delivered his Opinion in the case Inteligo Media SA v. ANSPDCP, offering key clarifications regarding the relationship between the General Data Protection Regulation (GDPR) and the ePrivacy Directive (Directive 2002/58/EC) in the context of direct electronic marketing.
Case background
Inteligo Media, a Romanian company, had been sanctioned by the Romanian data protection authority (ANSPDCP) for distributing newsletters via email without obtaining the prior consent of the recipients, in alleged breach of Article 13(2) of the ePrivacy Directive. The company challenged the sanction, arguing that the data processing was lawful under Article 6(1)(f) of the GDPR, invoking legitimate interests.
Legal question
The central legal issue concerns whether the newsletter qualifies as an unsolicited electronic communication for direct marketing purposes under Article 13(2) of Directive 2002/58/EC. This classification is decisive, as it determines whether prior consent (opt-in) is required, or whether the controller may rely on the exception provided for existing customer relationships under the same provision.
Position of the Advocate General
Although the newsletter was formatted as an informative legal update, with summaries and links to full articles, the Advocate General concluded that it served a direct commercial objective: encouraging recipients to exhaust their monthly quota of free content, thereby increasing the likelihood of converting them into paying subscribers.
What is legally relevant, according to the Advocate General, is the individualised nature of the communication (sent to identified recipients’ personal email addresses), combined with the underlying economic aim of customer retention and monetisation. This combination, he argues, satisfies the definition of a “direct marketing communication”, thus falling squarely within the scope of Article 13(2) ePrivacy Directive, which mandates prior and specific consent, unless the narrow exception applies.
Interpretation of the ePrivacy Directive and its interaction with the GDPR
The Advocate General underlined that in cases governed by Article 13(2) of the ePrivacy Directive, the conditions of lawful processing under Article 6 of the GDPR do not apply separately. Rather, the ePrivacy Directive constitutes a lex specialis, fully regulating the lawfulness of electronic communications for marketing purposes. In this context, the GDPR does not impose additional or parallel obligations, in line with Article 95 GDPR, which prevents duplication of obligations where sector-specific rules apply.
Practical implications
A free newsletter can be treated as equivalent to a sale under the ePrivacy Directive as long as it is part of a broader commercial strategy aimed at selling additional services. Such promotional messages may therefore be sent on the basis of an opt-out mechanism, subject to certain conditions, rather than on the basis of prior consent (opt-in).
While the Advocate General’s Opinion is not binding, it carries significant persuasive authority. Should the CJEU follow this reasoning, it would reinforce the autonomy of the ePrivacy Directive in governing electronic communications and clarify its precedence over the GDPR in this domain.
🔗 Read the Advocate General's conclusions here.
Spanish fine of €500,000 for MARINA SALUD hospital: unlawful sub-processing
The Spanish Data Protection Authority (AEPD) has imposed a fine of €500,000 on MARINA SALUD, S.A., for failing to comply with its sub-processing obligations.
Context
- The Ministry of Health and Public Health of Valencia (data controller) has relied since 2009 on the services of Marina Salud (processor), a healthcare organization providing public health services under a contract.
- On January 19, 2023, the controller inspected the premises of the processor. It was revealed that the processor was using third-party health information system software and refused to provide the controller with the contract governing its relationship with the third party.
- Two further sub-processors were also engaged without authorisation.
Breaches identified
The AEPD identified a breach of Article 28(2) of the GDPR concerning outsourcing:
Unauthorised subprocessing: Although a general authorisation was included in the 2009 data processing agreement, MARINA SALUD failed to inform the controller of new subprocessing contracts entered into after the GDPR came into force in 2018.
Infringement of the right to object: Under Article 28(2) GDPR, even with general authorisation, the controller must be informed in advance of any intended changes, to allow for objection.
As a consequence
In determining the fine, the AEPD considered the severity of the breach given the sensitive nature of the data processed (sensitive health data), and that the processor had a high turnover. Therefore, the AEPD imposed a fine of €500,000.
By sanctioning MARINA SALUD, the AEPD reminds us of the need to ensure transparency and control throughout the processor chain.
🔗 Decision available (in Spanish): AEPD
👩🚀 Dastra’s tip: Curious about subprocessing obligations? Read our article "Subprocessing under the GDPR: Key Implications of the EDPB’s October 2024 Opinion"
Illegal marketing: a UK company fined £90,000
The Information Commissioner's Office (ICO), the UK data protection authority, imposed, on April 24, a fine of £90,000 (approximately €105,000) on AFK Letters Co Ltd (AFK) for making over 95,000 unsolicited commercial calls.
Allegations against AFK
AFK Letters specializes in writing compensation letters for its clients. The ICO's investigation highlighted several significant shortcomings under UK data protection and electronic marketing law (Privacy and Electronic Communications Regulations – PECR).
Absence of valid consent:
Between January and September 2023, AFK placed 95,277 calls using data from its own website and a third-party provider, but was unable to demonstrate that recipients had given specific, valid consent. Even for recent contacts, no records of consent were retained.
Moreover, the third-party data provider's consent statements did not clearly identify AFK as the sender.
Insufficient transparency:
The provider obtained generic consent from data subjects. AFK's own privacy policy mentioned only email marketing, with no reference to phone calls, thereby violating the requirement to inform data subjects clearly and fully.
💬 ICO’s message
Through this enforcement, the ICO reiterates that:
Telemarketing must be preceded by clear, specific, and recorded consent.
Organisations must ensure full transparency in their privacy notices regarding all intended communication channels.
🔗 Decision available (in English): ICO, AFK Letters Co Ltd
First sanctions under the Digital Markets Act: Apple and Meta heavily fined
In a landmark enforcement action under the Digital Markets Act (DMA), the European Commission has imposed fines totaling €700 million — €500 million for Apple and €200 million for Meta — marking the first application of the DMA since it entered into force.
Legal basis
Apple was sanctioned for restricting app developers from informing users about alternative purchasing options outside the App Store, which are often more affordable. This practice violates Article 5(4) DMA, which prohibits “gatekeepers” from preventing business users from communicating freely with end users.
Meta was fined for implementing a “consent or pay” model on Facebook and Instagram, giving users a binary choice: accept highly personalised advertising or pay for an ad-free version. However, under the DMA, gatekeepers must offer a genuine third option: a free service based on limited advertising targeting, which must be presented fairly and transparently.
Enforcement consequences
Despite the significant financial penalties, both tech giants remain financially dominant, having reported €82 billion (Apple) and €55 billion (Meta) in annual net profits.
The companies now have 60 days to comply with the Commission’s findings.
In case of non-compliance, they risk further fines of up to 10% of global turnover, and up to 20% in the event of repeated infringements.
🔎 Key takeaway:
This decision marks a turning point in EU digital regulation, signalling the Commission’s willingness to enforce the DMA rigorously and to restore competitive fairness in online platforms by rebalancing power between gatekeepers and users.