Cyber Monday Flash - March
In this edition we analyse the main novelties in data protection and cybersecurity, with key resolutions of the AEPD and new regulatory developments.
The AEPD warns of conflict of interest in the Huesca Provincial Council
The Spanish Data Protection Agency (AEPD) has declared that the Provincial Council of Huesca breached the GDPR by simultaneously appointing its Data Protection Officer (DPO) as Head of the Internal Information System, considering that this accumulation of roles compromises the independence required by the regulation.
The resolution focuses on the risk of conflict of interest, recalling that article 38 of the GDPR prohibits the DPO from assuming functions that affect his or her impartiality, especially when this involves determining the purposes and means of the processing or managing sensitive information.
Consequently, the AEPD concludes that an adequate separation of functions was not guaranteed, in violation of article 38 of the GDPR.
Data protection shortcomings for minors: AEPD fines school €20,000
The AEPD has fined an educational centre €20,000 for data protection breaches in the use of Google Workspace for Education.
The authority concluded that the Impact Assessment (EIPD) was incomplete and did not adequately identify the risks in the processing of children's data, and further found the absence of a valid legitimising basis, which entailed disproportionate processing in a particularly sensitive environment.
The resolution recalls the need for strict compliance with the principle of proactive responsibility, requiring the centres to ensure that the processing of data does not exceed the educational purposes or generate additional unjustified uses.
New evidentiary obligations in the electricity sector after RD 88/2026
Royal Decree 88/2026 introduces an important change in electricity supply contracting by requiring marketers to legally accredit the entire contracting process, from identification of the customer to consent, reinforcing traceability, especially in digital and telephone channels.
The main new features include the mandatory prior sending of the summary document, the retention of evidence of its receipt and the updating of the holder's details before signing. It also reinforces the use of electronic signatures and trust services as valid accreditation mechanisms.
Overall, the regulation places proof of consent at the heart of the system, promoting more secure, auditable and digitally adapted contracting models.
EDPB and EDPS warn of data protection risks in European Biotech Act proposal
The EDPB and the EDPS have published a joint opinion on the European Biotech Act, warning that, although it strengthens the competitiveness of the sector, it introduces relevant changes that impact on the processing of personal data, especially in clinical trials, use of AI and testing environments.
The proposal redefines the legal basis for processing, identifies sponsors and researchers as controllers and expands the use of advanced technologies, which could change the scope of existing processing operations.
In addition, it identifies risks such as extended retention periods, excessive access by authorities, reuse of data for poorly defined purposes and lack of legal clarity on certain AI-related processing.
The AEPD sanctions YOTI for making access to the app subject to the compulsory submission of biometric data
The Spanish Data Protection Agency (AEPD) has imposed three fines totalling €950,000 on YOTI LTD for processing biometric data, including that of minors, without a valid legal basis through its Digital ID app.
The authority concludes that the use of the app was conditional on facial scanning, used for authentication and other purposes, as well as triggering additional processing by default without the required explicit consent.
In addition, breaches were detected in the retention periods, as biometric and geolocation data were kept for longer than necessary. Overall, the AEPD found breaches of the GDPR in the areas of consent, processing of special categories and the principle of minimisation.
The AEPD recognises video game save files as personal data
The Spanish Data Protection Agency (AEPD) has upheld a complaint against NVIDIA for failing to respond in a timely manner to a request for access. The user requested a copy of the save game files linked to his GeForce NOW account, but NVIDIA failed to provide the information within the required timeframe.
The AEPD considers that save game files constitute personal data, as they reflect the gamer's activity, preferences, progress and usage patterns, all of which are directly associated with the data subject.
NVIDIA argued that these files are not part of the normal flow of data available through its Privacy Center and that retrieving them requires complex technical processes. However, the Agency recalls that even when the data are not integrated into the Controller's internal circuits, they must be made available to the user within the legal response time.
AEPD concludes that FC Barcelona used biometric data without the necessary guarantees
The Spanish Data Protection Agency (AEPD) has fined FC Barcelona €500,000 for irregularities in the use of biometrics during the digital update of its membership register. The Club argued that facial and voice recognition was necessary to prevent impersonation and that a face-to-face alternative was available.
The AEPD concludes that the Club did not carry out an Impact Assessment (EIPD), despite the fact that the processing required it due to its scope and nature. Specifically, it considers that facial and voice recognition involves the processing of high-risk biometric data and, therefore, of special categories, which requires compliance with articles 9 and 35 of the GDPR.
The process potentially affected 143,000 individuals, including minors. For the AEPD, FC Barcelona did not adequately assess the risks or evaluate less intrusive alternatives, making the processing disproportionate and in breach of the GDPR.
EDPB warns of possible use of biometric data of European travellers at US entry control
The European Data Protection Board (EDPB) has informed the European Commission of its concerns about the US-driven reform of the ESTA system, which would significantly expand the data required from EEA nationals, including five years of social media history and data from family members not linked to the trip.
The EDPB also criticises the fact that applications would be handled only via a mobile app, a measure that could make it more difficult to exercise rights and reduce the transparency of processing.
The most sensitive point is the possible collection of biometric data. The Board warns that, given the scope and nature of the information envisaged, the processing could involve particularly sensitive data.
The EDPB calls on the Commission to ask the US for clear information on safeguards, exercise of rights and retention periods, especially if biometric data are included, and to clarify how the proposed changes could impact on border cooperation agreements.
Luxembourg court upholds CNPD's sanction against Amazon for breaches of the GDPR
The Luxembourg Administrative Court upheld in 2025 the €746 million fine imposed on Amazon for multiple breaches of the GDPR, including the use of an inappropriate legal basis for interest-based advertising and infringement of rights such as transparency, access, rectification, erasure and objection. However, the enforcement of the sanction was suspended during the appeal process.
In March 2026, the Administrative Court reviewed the case again and decided to annul the fine, not because Amazon had not committed breaches of the GDPR, but because the CNPD did not properly analyse whether there was intent or negligence and whether the fine was the most proportionate measure. Even so, the Court upheld most of the breaches previously identified and acknowledged that Amazon had already remedied the deficiencies when the case was reviewed. The case went back to the CNPD to reassess the sanction in line with the most recent case law of the Court of Justice of the EU.
Cybersecurity and privacy
Our holistic approach combines legal, technical and business knowledge to design compliance strategies that not only minimise risks, but also enable companies to take advantage of the opportunities of the digital environment in a safe and sustainable way.