RegRally Insights: Personal Data Protection and ICT Regulation – December 2024

ECOVIS ProventusLaw invites you to its newest all-in-one essential compliance newsletter on personal data protection and ICT regulation.

Cyber Resilience Act Now in Force

The Cyber Resilience Act (Regulation (EU) 2024/2847) entered into force on December 10, 2024. Most of its obligations apply only after a three-year transition period, from December 11, 2027, but the vulnerability and incident reporting obligations for manufacturers apply earlier, from September 11, 2026. The Act mandates cybersecurity requirements for manufacturers, importers, and distributors of “products with digital elements” (PDEs), meaning hardware and software products that can connect, directly or indirectly, to a device or network, including their remote data processing solutions.

Key Points:

  • Focus on Cybersecurity: Addresses product cybersecurity gaps to reduce the number of incidents, and the costs and reputational damage they cause.
  • Impact Scope: Applies to every economic operator placing a PDE on the EU market, and covers the full product lifecycle, from secure design and conformity assessment through vulnerability handling and security updates during the product’s support period.
  • Goal: Boost trust in digital products, increasing consumer and business demand within and beyond the EU.

If you need assistance navigating the complex and ever-evolving cybersecurity regulatory landscape, we provide guidance under key frameworks such as NIS2, DORA, the AI Act and the Cyber Resilience Act. We have solutions tailored to our clients affected by the CRA.

EU Implements Technical Standards for DORA in the Financial Sector

On December 2, 2024, Commission Implementing Regulation (EU) 2024/2956 was published in the Official Journal, establishing implementing technical standards under the Digital Operational Resilience Act (DORA) for the financial sector. The regulation introduces standard templates for the register of information that financial entities must maintain on all contractual arrangements for ICT services provided by third-party providers.

Key Points:

  • Information Register: Essential for ICT risk management, supervision by competent authorities, and oversight of critical ICT third-party providers.
  • Effective Date: The regulation came into effect on December 22, 2024.

EU Adopts Delegated Regulation on Joint Examination Teams Under DORA

The European Commission has adopted a Delegated Regulation establishing regulatory technical standards (RTS) to define the composition and operational procedures of joint examination teams under the Digital Operational Resilience Act (DORA). The regulation outlines criteria for team composition, member designation, tasks, and working arrangements to ensure balanced participation from European Supervisory Authorities (ESAs) and relevant competent authorities.

Joint Inspection by Baltic Authorities on Data Protection in Short-Term Vehicle Rentals

Baltic data protection supervisory authorities conducted a joint inspection to assess compliance with the GDPR in the short-term vehicle rental sector. The inspection revealed key issues, including insufficient transparency, failure to provide adequate information to data subjects, and improper selection of legal bases for data processing: some companies relied on unsuitable legal bases, and privacy notices did not match actual practices. The authorities recommended improved transparency, proper use of legal bases such as Article 6(1)(b) for contract performance, and adherence to the GDPR requirements for processing special categories of data, such as biometric data.

VDAI Approves Accreditation Procedure for Certification Services

The State Data Protection Inspectorate (VDAI) has approved the accreditation procedure for natural and legal persons wishing to provide certification services for compliance with personal data protection requirements. Certification, which is voluntary, allows data controllers and processors to demonstrate their adherence to GDPR standards and enhance trust in their services. Only VDAI-accredited certification bodies will be able to issue certificates, subject to criteria approved by the European Data Protection Board (EDPB). Certification bodies must meet specific conditions, including obtaining consent to use certification criteria and being accredited by the VDAI.

Finnish Supervisory Authority Fines Posti for Unlawful Data Processing

The Finnish supervisory authority (SA) imposed a €2.4 million fine on Posti for unlawful processing of personal data related to the creation of an electronic mailbox without customer consent. The investigation revealed that Posti automatically created the mailbox and linked it to other services, without allowing customers to opt out. The SA found that Posti failed to adequately inform customers and violated several provisions of the GDPR, including Articles 5, 6(1), 13, and 25. Posti was reprimanded and ordered to rectify its practices to ensure that only necessary personal data is processed.

EDPB Opinion on Using Personal Data for AI Models

The European Data Protection Board (EDPB) has issued an opinion on the use of personal data in the development and deployment of AI models. The opinion addresses the criteria for considering an AI model anonymous, outlines how legitimate interest can serve as a legal basis for processing personal data in AI, and discusses the consequences of training a model on unlawfully processed personal data. For a model to be deemed anonymous, the likelihood of identifying individuals whose data was used, or of extracting their personal data from the model (including through queries), must be insignificant, taking into account all means reasonably likely to be used; this is assessed case by case. For legitimate interest, the EDPB applies the usual three-step test: a legitimate interest must be pursued, the processing must be necessary for it, and the interest must not be overridden by the rights and freedoms of the data subjects.

Italian Data Protection Authority Fines OpenAI €15 Million for GDPR Violations

The Italian Data Protection Authority (Garante) has fined OpenAI €15 million for breaching the General Data Protection Regulation (GDPR). The investigation, initiated in March 2023, revealed several violations, including the lack of a valid legal basis for processing personal data to train ChatGPT, failure to notify authorities about a data breach in March 2023, inadequate age verification measures for users under 13, and insufficient transparency regarding data collection and processing practices.

CPDP Conference 2025: Celebrating Data Protection Day with Key Discussions on AI, Neuroscience, and Data Privacy

The Council of Europe (CoE), CPDP Conferences, and the European Data Protection Supervisor (EDPS) invite you to celebrate Data Protection Day with a special edition of the CPDP conference, taking place on 28th January 2025 in Brussels, Belgium, at the European Commission’s “Charlemagne” building and online. The conference will address emerging challenges in privacy, focusing on new technologies like AI and neuroscience, the future of data protection in EU institutions, and the balance between law enforcement and mass surveillance. This global event will bring together experts from academia, law, industry, and civil society to discuss the latest trends in digital privacy.
