By judgment from 9 January 2025 in Case C‑394/23 the Court of Justice (CJEU) rules that the processing of personal data relating to the title of the customers of a transport undertaking is not necessary and might even be not legally grounded.

In 2024, EU data protection authorities imposed a total of EUR 1.2 billion in fines. This brings the total value of fines to EUR 5.88 billion since the GDPR became applicable, DLA Piper's latest report reveals.* The technology sector has been hit the hardest, with data protection focusing on managerial responsibility and privacy issues in AI tools.

This article analyzes the Decision of the Italian Data Protection Commissioner (“Commissioner“) No. 472 of July 17, 2024 (“Decision“), which concerns the monitoring of employees’ official computers and emails, and the protection of personal data in accordance with Italian regulations and the General Data Protection Regulation of the European Union, which was adopted on April 14, 2016, and came into force on May 25, 2018 (“GDPR”).

Although more than six years have passed since the adoption of the new Personal Data Protection Law (the “Law“), there are still practical uncertainties about when data controllers and processors must appoint a Data Protection Officer (DPO). Additionally, many foreign data controllers and processors subject to the Law have yet to fulfill their obligation to appoint a representative for personal data protection. This lack of compliance makes it harder for individuals to exercise their rights when it comes to the processing of their personal data.

Conducting legal due diligence on the target company is standard practice before completinga transaction. Even today, eight years after the GDPR came into effect, some companies still fail to implement basic data protection principles in their internal policies or in their relationships with business partners and suppliers. Some even claim not to process any personal data at all.

Agnieszka Rapcewicz has been promoted to Partner at Just Law Jastrun Kowalski.