Welcome to the November 2025 edition of RegRally Insights: Personal Data Protection and ICT Regulation.
This month, we highlight key developments that are shaping data protection and digital compliance across the EU.
From the joint EDPB and European Commission guidance on how the Digital Markets Act (DMA) interacts with the GDPR, to enforcement decisions addressing transparency, unlawful processing, and generative AI, these updates underscore the importance of handling personal data in a lawful, fair, and transparent manner.
Our briefing summarises practical takeaways, upcoming coordinated enforcement actions, and evolving guidance to help organisations ensure compliance, mitigate risks, and maintain trust in an increasingly complex digital environment.
EDPB and European Commission Issue Joint Guidelines on How DMA and GDPR Work Together
The European Data Protection Board (EDPB) and the European Commission have jointly endorsed new guidelines clarifying the interaction between the Digital Markets Act (DMA) and the GDPR.
The guidance explains how both frameworks complement one another:
- GDPR protects individuals’ rights and privacy;
- DMA ensures fairness and contestability in digital markets.
Because many DMA obligations involve the processing of personal data, the guidelines set out how to implement DMA requirements without infringing GDPR rules. Key clarifications include:
- Valid choice and consent under Article 5(2) DMA when combining or cross-using personal data across core platform services;
- Rules on third-party app distribution;
- Data portability and access requests;
- Interoperability obligations for messaging services.
A joint public consultation on the guidelines is open until 4 December 2025. Afterward, all submissions will be published on the DMA website (with links from the EDPB website), and both institutions will jointly adopt a final version.
VDAI Finds Unlawful Use of Personal Data in Public Construction System “Infostatyba”
The State Data Protection Inspectorate (VDAI) has upheld a complaint regarding the unlawful entry of a person’s data into Lithuania’s public construction information system Infostatyba. The complainant’s name, surname, qualification certificate number, and email were listed as those of a project supervisor and construction manager, despite the individual having no involvement in the project and having never given consent.
VDAI’s investigation found that the housing association (DNSB Klaipėdos voruta) and its service provider were unable to demonstrate any valid legal basis for processing the individual’s data. The only justification presented – a 2020 internal order – was irrelevant and did not prove consent or legitimate interest. VDAI concluded that the data processing was unlawful, unfair, and non-transparent, violating GDPR Article 5(1)(a) (lawfulness, fairness, transparency) and Article 6(1) (lack of a legal basis).
Although the association claimed the data had been removed, VDAI determined that it remained visible in the Infostatyba system.
VDAI Issues Reprimand for Lack of Transparency in Data Erasure Request Handling
In February 2025, the State Data Protection Inspectorate (VDAI) examined a complaint regarding how the platform www.cargo.lt, operated by UAB Eurospektras, handled a request for erasure under Article 17 of the GDPR. The complainant sought the deletion of their name and surname from the platform’s company directory after leaving their former employer.
The controller refused the request, arguing that the individual was still listed as a company director and that such information was retained under the platform’s Privacy Policy to protect users from potential financial risks. While the company noted that personal data unrelated to representation had already been removed, it justified retaining data linked to the legal entity.
Following its assessment, the VDAI found that:
- The right to erasure did not apply, as the data in question concerned the complainant’s role as a representative of a legal entity, not private personal data.
- The controller failed to provide clear and transparent information when responding to the request, breaching Articles 12(1) and 12(4) GDPR.
- A formal reprimand was issued under Article 58(2)(b) GDPR, with no fine—considered a sufficient and proportionate measure.
The decision underscores that even when data processing is lawful, controllers must ensure transparent, complete, and timely communication when addressing GDPR rights requests.
Dutch DPA Fines Experian €2.7 Million for GDPR Transparency and Data Protection Failures
The Dutch Data Protection Authority (DPA) has imposed a €2.7 million fine on Experian, one of the world’s largest credit reporting companies, for significant violations of GDPR transparency and data protection rules.
Following an investigation launched in 2023 after multiple complaints, the DPA concluded that Experian had:
- Failed to explain why it collected specific categories of personal data;
- Insufficiently informed individuals about how their data was being used — and in some cases did not inform them at all;
- Improperly processed sensitive personal data without adequately assessing the associated risks.
Although the fine itself was issued in 2023, the regulator publicly disclosed the exact amount only last week.
The case underscores the crucial importance of clear communication, transparency, and robust risk assessment when processing personal data, especially for organisations handling high-volume or high-impact datasets.
Organisations should ensure they provide clear and accessible information to individuals about how their personal data is collected and used. Transparency remains a key principle under the GDPR, and failure to meet these obligations can result in significant penalties. Regularly reviewing privacy notices, data collection practices, and communication with data subjects can help prevent compliance risks similar to those faced by Experian.
EDPB to Launch 2026 EU-Wide Enforcement Action on GDPR Transparency Obligations
At its October plenary, the European Data Protection Board (EDPB) confirmed that the next Coordinated Enforcement Framework (CEF) action in 2026 will focus on how organisations comply with the GDPR’s transparency requirements (Articles 12–14). The initiative aims to assess whether individuals are adequately informed about when, why, and how their personal data is processed.
Under the CEF, national Data Protection Authorities (DPAs) conduct parallel investigations on the same topic and pool their insights, enabling consistent enforcement and strengthened cooperation across the EU.
Previous coordinated actions addressed cloud use in the public sector (2023), Data Protection Officers (2024), and the right of access (2025). A report on the right to erasure is also expected to be released soon.
Launched in 2020, the CEF forms a core pillar of the EDPB’s 2024–2027 Strategy, complemented by the Support Pool of Experts.
Our recommendations:
As transparency will be an enforcement priority, organisations are advised to prepare in advance:
- Review privacy notices – ensure they are complete, accurate, up to date and easy to understand.
- Verify delivery – confirm individuals actually receive the information at key touchpoints (e.g. sign-up, apps, CCTV, cookie layers, HR onboarding, offline forms).
- Avoid dark patterns – don’t obscure, overload or manipulate information to make it hard to understand.
- Ensure consistency – align wording across websites, apps, contracts, forms and emails.
- Document your approach – record how, when and why information is provided in line with Articles 12–14 GDPR.
- Meet response deadlines – when individuals exercise their rights, reply within one month with a substantive and specific response; silence will be considered non-compliance.
CJEU Overturns General Court Judgment in EDPS vs. SRB Case on Transfer of Pseudonymised Data
The Court of Justice of the European Union (CJEU) has set aside the General Court’s earlier decision that annulled an EDPS ruling concerning the Single Resolution Board’s (SRB) transfer of pseudonymised consultation comments to Deloitte during the Banco Popular resolution process.
The CJEU held that:
- Personal opinions qualify as personal data by their nature. They reflect an individual’s thinking and are inherently linked to the author. Therefore, the EDPS did not need to reassess the content, purpose, or effects of these comments to determine that they “related” to identified or identifiable persons.
- Pseudonymised data are not always personal data for every recipient. Whether information is considered personal data depends on the specific recipient’s ability to re-identify the individual, in line with established case law.
- The information obligation must be assessed at the point of collection and from the controller’s perspective. This means the SRB was required to inform data subjects before transferring the comments, regardless of Deloitte’s ability to identify the commenters after pseudonymisation.
This ruling reinforces key principles of EU data protection law, including the scope of personal data, the effect of pseudonymisation, and the controller’s duty to inform data subjects before data transfers.
EDPB Issues Opinions on Extension of UK Adequacy Decisions Until 2031
The European Data Protection Board (EDPB) has adopted two opinions on the European Commission’s draft decisions to extend the validity of the United Kingdom’s adequacy decisions under both the GDPR and the Law Enforcement Directive (LED) until December 2031.
Requested by the Commission pursuant to Art. 70(1)(s) GDPR and Art. 51(1)(g) LED, the opinions assess the Commission’s proposal to prolong the two adequacy decisions, which are currently due to expire in December 2025, for an additional six years.
If adopted, the extension will ensure that organisations and competent authorities in the EU can continue to transfer personal data to the UK without the need for additional safeguards, thereby maintaining legal certainty and operational continuity for businesses and public-sector bodies that rely on cross-border data flows.
VDAI: Public Institution Breached GDPR Transparency Rules in eDelivery Case
On 7 July 2025, the State Data Protection Inspectorate (VDAI) issued decision No. 3R-856(2.13-1.E) in a case concerning the accuracy and transparency of personal data handling between two public institutions using the eDelivery system.
Key findings:
- The institution could not have received the complainant’s email address from the eDelivery system, as such data are not technically transmitted.
- The email address had in fact been provided directly by the complainant in 2019 during prior correspondence.
- The processing was lawful under Article 6(1)(c) and (e) GDPR as part of public administration functions.
- However, the institution supplied incorrect information about the data source, breaching Article 15(1)(g) GDPR, which requires precise disclosure of where personal data originates.
The complaint was therefore partially upheld. No sanctions were imposed, as the violation was minor and rectified once the correct source of the data was clarified.

