Hello Friends,

As organizations increasingly collect and process personal data across digital platforms, transparency around how this data is handled has become more important than ever. Privacy notices play a crucial role in informing individuals about data collection practices, the purposes of processing, sharing arrangements, and their rights under evolving laws, such as the DPDPA, and long-standing frameworks like the GDPR. Regulators are placing greater emphasis on clear, accessible, and accurate privacy disclosures.

Regularly reviewing and updating privacy notices helps organizations meet legal requirements, reduce compliance risks, and build trust with users. Taking a proactive approach ensures transparency remains aligned with changing regulatory expectations and business practices.

Enjoy reading!

 

Privacy Enforcement

Poland: UODO fines District Sanitary Inspector in Police PLN 20,000

Poland’s Personal Data Protection Office (UODO) imposed an administrative fine of PLN 20,000 on the District Sanitary Inspector in Police for failing to implement adequate technical and organisational safeguards and a proper risk analysis as required under GDPR. The authority found that the controller did not sufficiently assess vulnerabilities or adopt appropriate protections, increasing the risk to personal data security. This enforcement highlights the importance of robust risk assessment and security measures to prevent breaches and comply with GDPR standards. Read More

Italy: Garante fines Aimag €300,000 for data security failures

Italy’s data protection authority, Garante, fined utility company Aimag S.p.A. €300,000 for serious data protection failures. The decision followed findings that Aimag lacked sufficient security measures and did not properly manage consent and data processing activities, resulting in violations of GDPR requirements. The authority emphasised implementing robust verification and validation mechanisms, ensuring clear accountability, and maintaining appropriate organisational and technical safeguards, particularly when processing sensitive personal data, to comply with GDPR consent requirements and prevent similar regulatory penalties. Read More

Croatia: AZOP fines bank €1.5M for multiple GDPR violations

Croatia’s Personal Data Protection Agency (AZOP) imposed a €1.5 million fine on a major bank for multiple GDPR breaches related to its mobile banking services. The regulator found the bank collected extensive personal data from users without a valid legal basis, failed to provide clear transparency on data collection, and violated data minimisation principles. The enforcement underscores the serious consequences organisations face when they do not comply with GDPR rules on lawful processing, transparency, and proportionality. Read more

 

Data Breach

Turkey: KVKK announces Balıkesir Uludağ Turizm data breach

Turkey’s data protection authority, KVKK, revealed that Balıkesir Uludağ Turizm suffered a significant data breach after a brute-force attack. The breach exposed more than 10 million records, including personal identifiers and travel data, underscoring ongoing risks from weak authentication and cyberattacks on hospitality and tourism systems. Organisations are advised to strengthen access controls and monitoring to prevent similar incidents. Read More

Europe: UK, Jersey, Guernsey, and Isle of Man launch joint investigation into Prospect data breach

Data protection authorities from the UK, Jersey, Guernsey and the Isle of Man initiated a joint cross-border investigation on 18 Dec. 2025 into a data breach at Prospect Custodian Trustees Ltd. The breach affected over 160,000 members' personal and sensitive data. The collaborative probe highlights regulators’ increasing focus on breaches involving multi-jurisdictional data flows and the need for coordinated enforcement when personal data spans borders. Read More

 

Privacy in Spotlight

US House subcommittees explore cybersecurity implications of AI and quantum computing

U.S. House subcommittees recently examined how emerging technologies like artificial intelligence and quantum computing could reshape the cybersecurity landscape. Lawmakers discussed both the opportunities and risks posed by these technologies, including AI-driven cyberattacks, automation of vulnerabilities, and the future threat quantum computing poses to encryption standards. The discussions highlighted the need for updated cybersecurity strategies, regulatory preparedness, and investment in post-quantum security to protect sensitive data and critical infrastructure. Read More

Rethinking AI as a privacy protector — Using good AI to defend against bad

Privacy experts are increasingly exploring how artificial intelligence can be used as a tool to strengthen privacy rather than weaken it. This approach focuses on deploying “good AI” to detect security threats, prevent data misuse, and automate privacy compliance tasks such as monitoring access controls and identifying anomalies. By using AI defensively, organizations can counter AI-driven attacks, enhance data protection, and proactively manage privacy risks in complex digital environments. Read More

 

Regulations

Australia unveils AI policy roadmap

Australia unveiled its National AI Plan, shifting from purely safety-oriented strategies toward economic investment and adoption goals, while affirming that existing legal and regulatory frameworks (including privacy laws) will continue to govern AI-related risks. The plan also sets up an AI Safety Institute to monitor and share information about AI capabilities and harms. Read More

EU Digital Omnibus: Analysis of key changes

The proposed Digital Omnibus and Digital Omnibus on AI packages continued drawing regulatory attention and debate through December. These EU proposals aim to simplify GDPR compliance, clarify data-related rules for AI, introduce unified breach reporting mechanisms, and support innovation while maintaining privacy protections. Read more