< ciso brief />

All news with #gdpr tag

56 articles · page 2 of 3

Regular Cyber Risk Assessments Improve Data Security

🔍 Regular cyber risk assessments are essential for identifying vulnerabilities, prioritizing remediation, and documenting security progress for leadership. CISOs receive actionable insights about exposed data, authentication gaps, and compliance obligations (for example, GDPR and PCI DSS). Analyses show one in ten cloud datasets is broadly accessible and more than 99% of compromised accounts lacked MFA. Typical assessments take two to four hours and deliver prioritized, immediately actionable recommendations.
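Two of the checks behind the figures quoted above (broadly accessible datasets and compromised accounts without MFA) can be automated, and an assessment normally starts from exactly this kind of inventory pass. The block below is an added example, not code from the article or from any assessment vendor: it evaluates AWS S3-style bucket policy JSON for unconditional wildcard principals and scans an identity inventory for password logins with no MFA device, then ranks the findings. The policy documents, bucket names, account IDs and users are constructed sample data, and the inventory field names (`password_enabled`, `mfa_active`) are this example's own, not a particular tool's schema.

```python
"""Added example (not from the article): two checks a cloud risk
assessment typically automates, run over constructed inline data."""
import json

# Constructed sample: dataset name -> resource policy (AWS S3 policy syntax).
SAMPLE_POLICIES = {
    "cardholder-exports": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",                       # anyone, no condition: public
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::cardholder-exports/*",
        }],
    }),
    "marketing-assets": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::marketing-assets/*",
            # Narrowed to one VPC endpoint, so not broadly accessible.
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
        }],
    }),
    "hr-backups": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/BackupRole"},
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::hr-backups/*",
        }],
    }),
}

# Constructed sample identity inventory (field names are this example's own).
SAMPLE_IDENTITIES = [
    {"user": "alice", "password_enabled": True, "mfa_active": True},
    {"user": "bob", "password_enabled": True, "mfa_active": False},
    {"user": "ci-deployer", "password_enabled": False, "mfa_active": False},
]


def _principal_is_public(principal) -> bool:
    """True for the wildcard forms that mean 'anyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_statements(policy_json: str) -> list:
    """Allow statements granting access to everyone with no Condition.
    A conditioned wildcard (e.g. aws:SourceVpce) is narrowed and not reported."""
    doc = json.loads(policy_json)
    stmts = doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s for s in stmts
            if s.get("Effect") == "Allow"
            and _principal_is_public(s.get("Principal"))
            and not s.get("Condition")]


def broadly_accessible_datasets(policies: dict) -> list:
    """Names of datasets with at least one unconditional public Allow."""
    return sorted(name for name, pol in policies.items() if public_statements(pol))


def users_without_mfa(identities: list) -> list:
    """Identities that can log in with a password but have no MFA device.
    Key-only service identities have no password login and are excluded."""
    return sorted(i["user"] for i in identities
                  if i["password_enabled"] and not i["mfa_active"])


def assessment_findings(policies=SAMPLE_POLICIES, identities=SAMPLE_IDENTITIES) -> dict:
    """Prioritised findings, highest severity first."""
    findings = []
    exposed = broadly_accessible_datasets(policies)
    if exposed:
        findings.append({"severity": "critical",
                         "finding": "publicly readable datasets", "items": exposed})
    no_mfa = users_without_mfa(identities)
    if no_mfa:
        findings.append({"severity": "high",
                         "finding": "password logins without MFA", "items": no_mfa})
    return {"findings": findings}


if __name__ == "__main__":
    print(json.dumps(assessment_findings(), indent=2))
```

The conditioned wildcard in `marketing-assets` is deliberately not flagged: a `Condition` narrows the grant, so it is not "broadly accessible" in the sense the assessment counts, though it still deserves a manual look. Against a live account the same functions would be fed by `get_bucket_policy` and a credential report rather than the inline samples.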

Third-Party Risk Management to Prevent Compliance Failures

🔒 Third-Party Risk Management (TPRM) is a strategic program that helps organizations identify, assess, and control risks arising from external vendors and service providers. Core elements include risk identification and assessment, contract management, continuous monitoring and audits, and employee training. Compliance drivers such as SOC 2 and GDPR make robust TPRM essential to prevent legal and reputational damage. Integrating TPRM into enterprise risk frameworks and using automation improves consistency and oversight.

Ransomware gangs extort victims with compliance threats

🛡️ Ransomware groups are increasingly threatening victims with regulatory complaints in addition to data leaks, citing alleged violations of rules such as GDPR. Security vendors including Akamai report the tactic has grown over the past two years and is used by gangs like Anubis and RansomHub to pressure high-compliance sectors such as healthcare. Experts warn AI accelerates the process by quickly identifying 'material' issues and producing legally framed complaints, tightening deadlines and raising the stakes for victims.

France Fines Free Mobile €42M Over 2024 Data Breach

🔒 The French data protection authority, CNIL, fined Free Mobile and parent company Free a combined €42 million for insufficient protection of customer data after an October 2024 breach that exposed information of nearly 23 million subscribers. CNIL cited weak VPN authentication, poor detection of abnormal activity, delayed notifications, and excessive data retention. The companies must complete security fixes and perform mandated data clean-up within required deadlines.

Ransomware Gangs Use Compliance Violations to Extort

⚠️ Recent analyses show ransomware groups increasingly threaten victims by reporting alleged regulatory breaches to authorities, adding a compliance layer to the familiar double-extortion model. Researchers at Akamai observed this tactic over the past two years, citing groups such as Anubis and RansomHub. Attackers target industries with high compliance risk and use AI to rapidly identify and craft legally framed complaints under GDPR, DORA and tightened SEC rules.

Italy Fines Apple €98.6M Over App Tracking Rules in EU Market

⚖️ Italy's antitrust authority (AGCM) has fined Apple €98.6 million after finding that its App Tracking Transparency (ATT) framework restricted App Store competition by imposing a burdensome double-consent process on third-party developers. The AGCM said Apple used its dominant distribution position to unilaterally set consent rules without consulting developers. Regulators noted they are not contesting Apple's privacy goals but found the ATT consent requirements disproportionate and harmful to ad-supported developers. Apple said it will appeal and defended its privacy protections.

Italy Fines Apple €98.6M Over App Store Tracking Policy

🔔 Italy's competition authority (AGCM) has fined Apple €98.6 million for using App Tracking Transparency (ATT) in a way the regulator says abused its dominant position in mobile app advertising. The AGCM found that ATT requires third-party apps to show a standardized tracking prompt while exempting Apple's own apps, creating a burdensome double-consent process because the ATT prompt does not satisfy GDPR requirements. Apple says it will appeal and continues to defend ATT as a privacy protection.

French Football Federation Discloses Member Data Breach

⚽ The French Football Federation (FFF) disclosed a data breach after attackers used a compromised account to access administrative management software used by clubs. FFF detected the unauthorized access, disabled the compromised account, and reset all user passwords across the system. Before they were evicted, threat actors exfiltrated personal and contact information for members. The federation said it has filed a criminal complaint, notified regulators, and will directly inform affected individuals while urging vigilance against phishing attempts.

French Football Federation Data Exposure Affects Millions

🔒 The French Football Federation (FFF) reported unauthorized access to the centralized software used by licensed clubs to manage player registrations, an intrusion it believes occurred on 20 November. Exposed fields include names, genders, dates and places of birth, nationalities, postal and email addresses, phone numbers and football license ID numbers. The FFF says it deactivated the compromised account, reset all user passwords, filed a complaint with authorities and notified CNIL and ANSSI. It will inform affected individuals with known emails and urged license holders to remain vigilant against phishing and scam attempts.

EU 'Chat Control' Shift Should Alarm Businesses Across Europe

⚠️ The EU Council's decision to frame communications scanning as voluntary is being presented as a retreat from plans to weaken end-to-end encryption, but privacy experts warn the danger persists. Campaigners including Patrick Breyer and European Digital Rights (EDRi) say this effectively privatizes Chat Control, enabling companies to deploy error-prone, warrantless client-side scanning. For enterprises and CISOs the main concern is data leakage: false positives could expose confidential documents, code, or strategic plans to outside authorities without corporate consent.

Unauthorized AI Use by STEM Professionals in Germany

⚠️ A representative YouGov survey commissioned by recruitment firm SThree found that 77% of STEM professionals in Germany use AI tools at work without approval from IT or management. Commonly used services include ChatGPT, Google Gemini and Perplexity. Experts warn this shadow IT practice can lead to GDPR breaches, inadvertent disclosure of sensitive customer or internal data and the risk that providers will retain and reuse submitted content for training. In Germany, 23% report daily use, 29% weekly and 12% monthly; respondents cite efficiency gains and technical curiosity as primary drivers.

European Digital Sovereignty Summit Shifts Priorities

🔒 European leaders, including Chancellor Friedrich Merz and President Emmanuel Macron, will attend a Berlin summit of digital ministers and IT experts expected to draw about 900 participants. The conference highlights concerns that US laws such as the CLOUD Act and FISA Section 702 can compel US cloud providers to disclose data held in Europe, driving calls to reduce dependencies on non‑European vendors. Officials and industry leaders emphasise technological controls, notably strong encryption and customer-held keys, and the need for scalable European cloud alternatives while addressing regulatory and startup barriers.

EU draft seeks GDPR changes for AI training and cookies

🛡️ A leaked draft of the EU Commission’s proposed “Digital Omnibus” would amend the GDPR to absorb cookie rules and relax limits on AI training with personal data. The draft, due to be presented on 19 November 2025, would add Article 88a to move cookie regulation into the GDPR and allow processing on a closed list of low‑risk purposes or other legal bases including legitimate interest. Critics warn this shifts tracking from opt‑in to opt‑out and risks diluting privacy protections, while the proposal also narrows sensitive‑data protections and requires browsers to transmit consent preferences.

EU Commission proposes GDPR changes for AI and cookies

🔓 The European Commission's leaked "Digital Omnibus" draft would revise the GDPR, shifting cookie rules into the regulation and allowing broader processing based on legitimate interests. Websites could move from opt-in to opt-out tracking, and companies could train AI on personal data without explicit consent if safeguards like data minimization, transparency and an unconditional right to object are applied. Privacy groups warn the changes would weaken protections.

Clearview AI Faces Criminal Complaint in Austria Over GDPR

🔍 Clearview AI has been hit with a criminal complaint filed in Austria by the European Center for Digital Rights (noyb), alleging that the company ignored decisions by several EU data protection authorities. The complaint invokes the GDPR provision allowing member states to impose criminal sanctions (Article 84) and seeks prosecution of executives, potentially including jail time and personal liability when they travel to Europe. The action follows fines and bans from multiple DPAs; notably, Clearview has appealed only in the UK.

Global Payments: Resilient Scale Architecture with Cloud SQL

☁️ Global Payments partnered with Google Cloud to design a multi-region, highly available database architecture using Cloud SQL Enterprise Plus. The deployment spans three regions with zonal replication, read replicas, cascading replication, and Cloud SQL Auth Proxy integration to support low-latency reads and rapid failover. This configuration yields near-zero planned downtime, sub-minute RTO and zero RPO for Tier 1 workloads, while meeting PCI DSS, GDPR, and NIST requirements.

Maximizing Gateway Security Beyond Basic Configuration

🛡️ This article by Andrius Buinovskis of NordLayer explains why default gateway setups often leave gaps in security, performance, and compliance. It recommends four core actions: network segmentation, multiple distributed gateways to avoid single points of failure, optimization for geographically dispersed workforces, and layered cloud firewall controls to restrict ports and protocols. The guidance aligns with Zero Trust principles and highlights regional privacy rules such as GDPR and CCPA.
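The two gaps the gateway guidance above targets, over-broad firewall rules and missing segmentation between workloads, can be checked mechanically before a change ships. The following block is an added example, not code from the article or from NordLayer: it audits an allow-list rule set for management or database ports exposed to the internet and for any-protocol rules from broad internal ranges, and then answers the segmentation question directly by testing whether a source address can reach a destination port through any rule. The rule set is constructed sample data and its field names (`src`, `dst`, `proto`, `ports`) are this example's own, not a specific cloud firewall's schema.

```python
"""Added example (not from the article): audit gateway firewall rules for
internet-exposed management ports and weak segmentation. Sample rules are
constructed; the rule schema is this example's own."""
import ipaddress

# Constructed ingress allow-list. "any" proto with no ports means all traffic.
SAMPLE_RULES = [
    {"name": "web-in",       "src": "0.0.0.0/0",    "dst": "10.10.0.0/24", "proto": "tcp", "ports": [443]},
    {"name": "ssh-anywhere", "src": "0.0.0.0/0",    "dst": "10.10.0.0/24", "proto": "tcp", "ports": [22]},
    {"name": "ssh-bastion",  "src": "10.99.0.5/32", "dst": "10.10.0.0/24", "proto": "tcp", "ports": [22]},
    {"name": "any-internal", "src": "10.0.0.0/8",   "dst": "10.20.0.0/24", "proto": "any", "ports": []},
    {"name": "db-from-app",  "src": "10.10.0.0/24", "dst": "10.20.0.0/24", "proto": "tcp", "ports": [5432]},
]

# Ports that should never be reachable from the internet through a gateway.
MANAGEMENT_PORTS = {22, 3389, 5985, 5986, 1433, 3306, 5432}


def is_public_source(cidr: str) -> bool:
    """0.0.0.0/0 or ::/0: the rule matches every address on the internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def risky_rules(rules: list) -> list:
    """(rule name, reason) for rules that open management/database ports or all
    traffic to the internet, or allow any protocol from a broad internal range."""
    findings = []
    for r in rules:
        src = ipaddress.ip_network(r["src"], strict=False)
        any_traffic = r["proto"] == "any" or not r["ports"]
        mgmt = set(r["ports"]) & MANAGEMENT_PORTS
        if is_public_source(r["src"]) and (any_traffic or mgmt):
            findings.append((r["name"], "management/database port or all traffic open to the internet"))
        elif any_traffic and src.prefixlen < 24:
            findings.append((r["name"], "any protocol allowed from a broad source range; segment it"))
    return findings


def segment_reachable(rules: list, src_ip: str, dst_ip: str, port: int, proto: str = "tcp") -> bool:
    """True if some rule lets src_ip reach dst_ip on port/proto. Use it to
    confirm that two segments really are isolated after a change."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        in_src = s in ipaddress.ip_network(r["src"], strict=False)
        in_dst = d in ipaddress.ip_network(r["dst"], strict=False)
        proto_ok = r["proto"] in ("any", proto)
        port_ok = not r["ports"] or port in r["ports"]
        if in_src and in_dst and proto_ok and port_ok:
            return True
    return False


def drop_rule(rules: list, name: str) -> list:
    """Rule set without the named rule; the remediation for a flagged entry."""
    return [r for r in rules if r["name"] != name]


if __name__ == "__main__":
    for name, reason in risky_rules(SAMPLE_RULES):
        print(f"{name}: {reason}")
    hardened = drop_rule(SAMPLE_RULES, "ssh-anywhere")
    print("internet -> SSH after fix:", segment_reachable(hardened, "203.0.113.4", "10.10.0.7", 22))
```

The reachability check is the part worth keeping in a pipeline: it turns "we segmented the app and database tiers" into an assertion that a named source cannot reach a named port, which is what an auditor asking about GDPR or CCPA data flows actually wants to see.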

Experian Fined €2.7m by Dutch Regulator for GDPR Breach

🔒 Experian Netherlands has been fined €2.7m by the Dutch Data Protection Authority for breaching GDPR requirements after collecting and processing personal data from public and private sources without proper notice or consent. The regulator found Experian compiled extensive databases using information from the Chamber of Commerce and data sold by telecom and energy firms, and that its credit scores influenced contract terms, deposits and denials. Experian acknowledged the violations, will not appeal, has ceased Dutch operations and plans to delete the database by year-end.

Experian Netherlands fined €2.7M for unlawful data use

🔍 Experian Netherlands was fined EUR 2.7 million by the Dutch Data Protection Authority for collecting and using personal data from multiple public and private sources without properly informing individuals or obtaining consent. The AP found the company aggregated information from the Chamber of Commerce, telecom and energy firms to produce credit assessments that affected interest rates and upfront deposits. Experian acknowledged the violations, will not appeal, has ceased operations in the Netherlands, and pledged to delete its database of personal data before year-end.

Cyberattack Disrupts Hohen Neuendorf City Administration

🔒 The Hohen Neuendorf city administration reported a cyberattack detected on October 7 that forced an immediate shutdown of its IT systems and left municipal operations running in a limited capacity. Contracted cybersecurity experts found indications attackers temporarily accessed and encrypted parts of the city's data holdings, preventing immediate inspection. Authorities say it cannot yet be confirmed whether personal data were stolen and that the city will notify affected individuals under GDPR if a data outflow is verified. Preliminary investigation points to security gaps at an external IT service provider that allegedly failed to report vulnerabilities as contractually required.