Cyber Monday Flash - April

Regulatory keys that set the privacy and cybersecurity agenda.

European Commission launches app for online age verification

The European Commission has announced that the European age verification application is now technically operational and will be available soon to protect minors from harmful content and addictive practices on digital platforms.

From a regulatory perspective, the initiative reinforces the implementation of the Digital Services Act and anticipates increased scrutiny of age verification, privacy and responsible platform design obligations.

EDPB opens public consultation on a harmonised DPIA model

The European Data Protection Board (EDPB) has opened a public consultation (until 9 June 2026) on its new harmonised Data Protection Impact Assessment (DPIA) model, accompanied by an explanatory document, with the aim of reducing the existing fragmentation between national authorities and reinforcing consistency in the application of Article 35 GDPR.

The proposal sets a common DPIA structure, without imposing a specific methodology, and aims at its adoption as the European reference format, with a direct impact on risk governance and accountability.

The Audiencia Nacional reduces a sanction for the use of a fingerprint to a warning

The National High Court (SAN 799/2026) has annulled the fine of 20,000 euros imposed by the AEPD for the use of fingerprints for access to changing rooms and toilets, replacing it with a warning, as it considered the financial penalty to be disproportionate.

However, the court confirmed that the use of biometrics violated the data minimisation principle of Article 5.1.c) of the GDPR, as less intrusive alternatives were available, consolidating a restrictive doctrine on the use of biometric data in the workplace.

The AEPD fines a financial institution 400,000 euros for video surveillance security deficiencies

The AEPD has fined a financial institution 400,000 euros for infringement of Article 32 of the GDPR, after finding deficiencies in the management of access to the images of its video surveillance system. The procedure was terminated by voluntary payment.

The Agency found that the security provider accessed the images through a shared generic user account, without individual identification or effective traceability, even though the contract and the DPIA required reinforced controls. The resolution recalls that outsourcing does not exonerate the data controller, who must verify the real and continuous implementation of technical and organisational measures, especially in high-impact processing such as bank video surveillance.

The AEPD declares the demand for a copy of the DNI to be unlawful

The AEPD has declared that requiring and retaining a copy or scan of the DNI for the in-person submission of documents at registry offices violates the data minimisation principle of Article 5.1.c) GDPR (Resolution PS-00138-2025).

The Agency recalls that identity verification does not, in itself, legitimise the retention of the document. Less intrusive means should be chosen, and each case should be assessed against the criteria of necessity and proportionality, reinforcing the privacy by design approach in in-person procedures.

The AEPD fines a telecommunications company for failing to comply with the right of access

The AEPD has confirmed a fine of 100,000 euros imposed on a telecommunications company for repeatedly failing to comply with a final decision ordering it to fulfil a user's right of access to his geolocation data, and has rejected the appeal for reconsideration lodged against it.

The Agency concludes that the information provided did not make it possible to know the actual geographic location of the handset, thus rendering the right of access meaningless, and recalls that operators are obliged, in accordance with Law 25/2007, to keep and provide the data necessary to identify the location of the mobile device. The ruling reinforces the doctrine that the right of access must be effective, complete and useful, and that merely formal or partial compliance, especially after final rulings, constitutes an autonomous infringement punishable by law.

The EDPB consolidates Europrivacy as a European seal and enables its use in international transfers

The EDPB, through Opinions 14/2026 and 15/2026, has consolidated Europrivacy as the first fully operational certification scheme under Article 42(5) of the GDPR and, for the first time, as an appropriate safeguard for international transfers under Article 46 GDPR.

The Board confirms its automatic recognition throughout the EEA as the European Data Protection Seal and recognises that the certification can be used even in the absence of an adequacy decision, provided that the importer makes binding commitments. Although it does not replace case-by-case assessment, it broadens the range of mechanisms available alongside SCCs and BCRs, reinforcing accountability and legal certainty in international data flows.
