In 2025, the right to erasure under Art. 17 GDPR will be the focus of a Europe-wide review by data protection supervisory authorities. As part of the Coordinated Enforcement Framework (CEF) of the European Data Protection Board, companies and public bodies will be put to the test. What action is required for data controllers.
As controllers within the meaning of Art. 4 No. 7 GDPR, associations are obliged to fulfill all data protection requirements and to demonstrate compliance with them. Implementation regularly poses considerable practical challenges, especially for smaller, voluntarily organized associations. The following explanations summarize the essential obligations.
A current case before the European Court of Justice focuses on the data protection assessment of email newsletters. Among other things, it concerns the distinction between direct advertising and commercial communication as well as the applicability of the General Data Protection Regulation in relation to the ePrivacy Directive.
While compliance issues have often been dealt with in silos in the past, the reality shows that data protection, information security, business continuity and legal obligations are closely interlinked. This is precisely where the idea of Integrated Risk Management (IRM) comes in - an approach that does not look at risks in isolation, but systematically links them together.
The French competition authority (Autorité de la concurrence) fined Apple 150 million euros on March 31, 2025. The reason is the abuse of a dominant market position in the distribution of mobile apps on iOS and iPadOS devices between April 2021 and July 2023.
Anyone introducing biometric access systems should be careful: In Spain, the data protection authority AEPD imposed a hefty fine on the Spanish soccer association LALIGA because no data protection impact assessment was carried out before fingerprint scanners were used. GDPR violations were really expensive for the Polish postal service.
The Federal Court of Justice has clarified that breaches of the GDPR's data protection information obligations can also constitute a breach of competition law - and can therefore be prosecuted under civil law by qualified bodies. This means that consumer protection associations can also take legal action against data protection violations.
The unauthorized processing of personal health data in connection with the online sale of medicinal products not only constitutes a violation of the GDPR, but may also constitute an unfair commercial act within the meaning of Section 3a UWG. In these cases, competitors are entitled to injunctive relief under competition law.
The Luxembourg data protection supervisory authority Commission Nationale pour la Protection des Données (CNPD) imposed a record fine of 746 million euros on Amazon Europe Core S.à r.l. on July 15, 2021. The Luxembourg Administrative Court confirmed this decision in full on March 18, 2025.
You can also follow us on our social media channels:
Phone: +1 (954) 852-1633
Mail: info@2b-advice.com
English 
German 
Italian 
French