
Hello Friends,

India’s Ministry of Electronics & IT (MeitY) has released detailed guidelines outlining the ideal Consent Management System (CMS) under the DPDP Act 2023. The rules require explicit, purpose-specific user consent, clear withdrawal mechanisms, and standardized records to be maintained by entities processing personal data. CMS providers, intermediaries, and Data Protection Officers must register and comply with fiduciary duties, transparency, data minimization, and secure handling of consent metadata. The framework also mandates oversight, audit trails, breach notifications, and defines roles for significant data fiduciaries and grievance redressal processes.

By proactively addressing DPDPA compliance, we not only mitigate legal risks but also reinforce trust and credibility with our customers.

"Given the urgency of this matter, we propose starting the compliance process by taking up privacy assessments today to know the organisational gaps and expedite your efforts in aligning with DPDPA requirements. Taking immediate action will help you to be on the path towards compliance."

Enjoy reading!


Privacy Enforcement

Finland: Data Protection Ombudsman fines Yliopiston Apteekki €1.1M for use of cookies.

The Finnish Data Protection Ombudsman fined Yliopiston Apteekki (the University Pharmacy) €1.1 million for GDPR violations related to the use of cookies and tracking technologies. The investigation, prompted by a doctoral researcher, found that from May 2018 to September 2022 Yliopiston Apteekki transmitted pharmacy transaction data together with identifiable information to third parties such as Google and Meta. The violations concerned GDPR Articles 5(1)(c) (data minimisation), 5(1)(f) (integrity and confidentiality), 32(1), and 32(2) (security of processing), and led to the penalty.


South Korea: PIPC fines Jeonbuk National University KRW 623 million for security failures.

The Personal Information Protection Commission (PIPC) fined Jeonbuk National University KRW 623 million for security failures under the Personal Information Protection Act (PIPA). The investigation revealed a data breach affecting 320,000 individuals, caused by an SQL injection attack that exploited a long-standing vulnerability in the university's systems. In addition, Jeonbuk National University retained resident registration numbers beyond the legal retention period. The university was found to have violated Articles 24-2 and 29 of PIPA through inadequate security measures.

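The two findings above, an SQL injection exploited against a records system and identifiers kept past their retention period, both come down to how queries are written. The following is an added example, not code from the page or from the university's systems: it builds a hypothetical student table in an in-memory SQLite database with constructed sample rows, shows the string-concatenation query pattern that SQL injection exploits next to the parameterized form that defeats it, and adds a retention purge that deletes records older than a configurable retention window.

```python
import sqlite3
from datetime import date, timedelta

# Constructed sample rows: hypothetical names, registration numbers and
# collection dates, not real data.
SAMPLE_ROWS = [
    ("Kim", "900101-1234567", "2019-03-01"),
    ("Lee", "910202-2345678", "2024-09-15"),
    ("Park", "920303-3456789", "2025-02-10"),
]

# A classic tautology payload: closes the quoted literal and ORs in a true clause.
INJECTION = "x' OR '1'='1"


def make_db():
    """Build an in-memory SQLite database standing in for a student records system."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE students ("
        " id INTEGER PRIMARY KEY, name TEXT, resident_reg_no TEXT, collected_on TEXT)"
    )
    conn.executemany(
        "INSERT INTO students (name, resident_reg_no, collected_on) VALUES (?, ?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable pattern: caller input is pasted into the SQL text, so a quote
    in the input ends the literal and the rest is parsed as SQL."""
    sql = f"SELECT name, resident_reg_no FROM students WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened pattern: the input is bound as a parameter and is never parsed
    as SQL, so the same payload simply matches no row."""
    sql = "SELECT name, resident_reg_no FROM students WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def purge_expired(conn, today_iso, retention_days):
    """Delete records whose collection date is older than the retention window.
    Dates are ISO strings, so lexical comparison in SQL is chronological.
    Returns the number of rows removed."""
    today = date.fromisoformat(today_iso)
    cutoff = (today - timedelta(days=retention_days)).isoformat()
    cur = conn.execute("DELETE FROM students WHERE collected_on < ?", (cutoff,))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, INJECTION))      # every row leaks
    print("parameterized:", lookup_parameterized(db, INJECTION))  # []
    print("purged:", purge_expired(db, "2025-06-01", 365))       # 1
```

Run against the sample table, the concatenated query returns all three rows for the tautology payload while the parameterized query returns none; the purge with a one-year window on 2025-06-01 removes only the 2019 record. In a real deployment the retention window and the "today" value would come from policy and the clock rather than literals, and the purge would run on a schedule rather than on demand.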

Data Breach

Turkey: KVKK announces Christian Dior Couture data breach

On May 22, 2025, the KVKK announced a data breach involving Christian Dior Couture SA, in which unauthorized access to its global CRM database exposed personal data of customers and staff. The incident involved a ransom demand, and the compromised data includes names, contact details, and purchase history. Although the unauthorized access has been blocked, the risk that the data is misused or further exposed remains.


Turkey: KVKK announces Adidas Spor Malzemeleri Satış ve Pazarlama data breach

The Personal Data Protection Authority (KVKK) announced a data breach involving Adidas Spor Malzemeleri Satış ve Pazarlama A.Ş., affecting 544,395 individuals. The breach was discovered after a third-party email claimed possession of Adidas customer data, which was confirmed to include Turkish customers' personal information. Compromised data included names, email addresses, gender, birth dates, and phone numbers, though not all data types were affected for every customer. The breach was related to the Adidas AG group infrastructure and was reported as per Article 12(5) of the Law on Protection of Personal Data No. 6698.


Privacy in Spotlight

Germany: BfDI imposes two fines totaling €45M on Vodafone for GDPR violations

The Federal Commissioner for Data Protection and Freedom of Information (BfDI) fined Vodafone GmbH €45 million for GDPR violations, citing security vulnerabilities and inadequate partner agency verification. Vodafone breached Article 28(1) by failing to monitor partner agencies and Article 32(1) due to distribution system weaknesses. The fines included €15 million for Article 28(1) violations and €30 million for security flaws in the 'MeinVodafone' portal. Vodafone has since improved its systems, revised partner agency processes, and separated from fraudulent partners. A follow-up audit will assess the effectiveness of these measures.


South Korea: PIPC investigates Dior and Tiffany for data security failures

The Personal Information Protection Commission (PIPC) of South Korea is investigating Dior and Tiffany for potential violations of the Personal Information Protection Act (PIPA) due to data breaches reported on May 7 and May 9, 2025. The breaches involved inadequate access management measures in customer service management software, leading to personal information leaks. The investigation will assess violations of technical and administrative security obligations under PIPA. Organizations are advised to implement two-factor authentication and restrict IP addresses for employee account access.


Regulations

Oklahoma, USA: Amended Security Breach Notification Act becomes law

Senate Bill 626 amends the Oklahoma Security Breach Notification Act, introducing new definitions like 'reasonable safeguards' and updating breach notification requirements. The Act mandates notifying the Attorney General within 60 days of informing affected residents, with exemptions for breaches affecting fewer than 500 residents or 1,000 for credit bureaus. Compliance with other laws like HIPAA exempts entities from additional notification requirements, and civil penalties are based on breach magnitude and notification failures. Effective January 1, 2026, the Act applies to breaches discovered or notified after this date.


Malaysia: PDPA Amendment Act fully comes into effect

On June 1, 2025, the Personal Data Protection (Amendment) Act 2024 (the Amendment Act) came fully into effect, following its publication in the Official Gazette on October 17, 2024.

The Amendment Act had been brought into operation in stages from January 1, 2025, in accordance with the Personal Data Protection (Amendment) Act 2024 appointment of date of coming into operation (the Appointment Act), published in the Gazette on December 24, 2024. With this final stage, Sections 6 and 9 came into effect, providing for the mandatory appointment of data protection officers (DPOs), data breach notification, and the right to data portability.
