Privacy in practice
Stories, anecdotes, and asides – always with a lesson to learn
The download form asks for an email for the guide. The app asks for location to function. Is that consent — or payment in another currency?
The boat wasn't just about bad security. It was about no one being responsible for the system.
Mailchimp shows you who opened your newsletter at 9:14 AM on an iPhone. Have you told your subscribers you can see that?
Send a request for access to your personal data to yourself – as if you were a customer. Can you respond within 30 days, with everything GDPR requires?
"Accept terms" is not valid consent — at least not when the alternative is losing access to the service.
The loyalty card collected points. Your email address was forwarded to a social network – without anyone telling you.
750,000 of those exposed were not even active members anymore. The association had never deleted them.
Schibsted wants 39 kroner. Facebook was fined two billion. The question isn't the size of the price – but whether privacy should have a price.
VG, Aftenposten, and BT are offering you a choice – share your data with advertisers, or pay an extra 39 kroner a month. The Norwegian Data Protection Authority is not impressed.
When the data of 2.1 million people was published on the Darknet after the SportAdmin breach, it was not only the software company that had a problem. Every sports club that used the system…
The online store was hacked through a system no one used anymore. The fine was over ten million kroner.
The prospecting tool stored contact data for five years, and automatically reset the deadline each time the person changed jobs. In practice, the data was never deleted.
Your newsletter knows who opens it, when, and on what device. The CNIL says you need consent for that.
83.5 percent of the access requests Noyb has sent to companies over the past eight years did not receive a response in line with the law.
Merely using the app revealed the user's sexual orientation. The Norwegian Data Protection Authority imposed a fine of 65 million. The Court of Appeal agreed.
The retail chain shared the customer list with a social network. 10.5 million people's emails and phone numbers were used to show them ads. No one was asked.
Two masked men knocked on the door in the middle of the night. They knew his name, his address, and that he had firearms at home. The information came from a hack…
The bank app required access to the list of all installed apps on your phone. The Garante said: that's too much.
The sports app was hacked. Data from 2.1 million children — personal identification numbers, health information, club affiliation — ended up on the Darknet.
160 million contact profiles. Harvested from LinkedIn without asking. Stored for five years. CNIL fined KASPR €240,000.
On 22 December 2025 the French data protection authority CNIL fined the software company NEXPUBLICA FRANCE €1.7 million. The company develops PCRM, a case-management system used by French social services, including…
On 14 April 2026 the EDPB adopted a common template for data protection impact assessments, what GDPR calls a DPIA. The template is free, structured with predefined fields, and is followed…
On 29 January 2026 the Danish Datatilsyn put a provisional end to a case that started in 2022. 51 municipalities used Google Workspace and Chromebooks…
DLA Piper's annual survey, published 28 January 2026, shows that European organisations reported 443 data breaches per day in 2025, the first time the average has…
Most Norwegian organisations use at least one service that transfers personal data to the USA: Microsoft 365, Google Workspace, Salesforce or similar. The legal basis for…
Read also: France Travail: 43 million affected because employees had too much access. When CNIL investigated the France Travail breach, they found something many organisations will recognise…
In March 2024 France Travail, the French national employment agency, was hit. The attackers did not use advanced technology; they used social engineering. They posed as…
Most privacy policies are written for lawyers. GDPR says they should be written for people. What should actually be in them?
25 European supervisory authorities are now checking whether your privacy policy gives people what they are entitled to know.
Reddit hadn't done a single risk assessment before they let children in. It cost £14 million.
You deleted the customer from the CRM. But the backup system remembers everything. Are you actually in compliance, or only in the production environment?
32 supervisory authorities checked 764 businesses. Most do not know what they are storing, why, or when they should delete it.
Read more →Older than 90 days
NSM has said the same thing for ten years: weak login is the biggest risk.
You are switching HR systems. Employee data remains with the old provider. Who is responsible, and who has access?
The store went bankrupt. The employees wanted their payslips. The supplier said no. It cost 250,000 kroner.
The company kept personal data of customers who had left long ago. When the data was stolen, the damage was much greater than it needed to be.
They didn't have MFA on the VPN. An attacker just logged in. 24 million subscribers had their IBAN data leaked.
Someone sent the wrong attachment Thursday after lunch. The deadline to report to the Norwegian Data Protection Authority? Sunday. Do you have a plan for the 72 hours?
An information security management system sounds like something only large companies have. But for an SMB it comes down to four concrete things.
The Norwegian Data Protection Authority is now checking all 357 Norwegian municipalities. What they are looking for, most businesses are also missing.
3,191 breach notifications to the Norwegian Data Protection Authority in 2024. The most common? Someone sent an email to the wrong person.
The EDPB has ruled: you cannot force customers to create an account in order to shop. Guest checkout is not a nice-to-have; it is a…
€325 million. Not for hacking anyone. For showing ads without consent and making it harder to refuse than to accept.
SHEIN was fined €150 million. Not for collecting too much, but because the reject button didn't actually reject anything.