Data Protection Retrospective 2025

2025 – Data protection in review

GDPR developments in 2025 demonstrated, at European level, an increased focus on cross-border enforcement, the integration of artificial intelligence (AI), and administrative simplification. Key changes included new procedural rules intended to streamline investigation deadlines, the “Digital Omnibus” proposal aimed at facilitating record-keeping for smaller companies (up to 750 employees), and specific guidelines for training AI models, including recognition of “legitimate interest” subject to appropriate safeguards.

GDPR – Key Developments and Trends in 2025

The European Commission’s declared intention in the data protection field was for businesses in Europe, from factories to start-ups, to spend less time on administrative and compliance-assurance tasks and to have more time for innovation and scaling, as well as to align the GDPR with other rules in the digital domain.

Supervisory authorities maintained a high pace of enforcement in 2025 (aggregate fines of approximately EUR 1.2 billion at European level), confirming that the risk posed by non-compliance remains, first and foremost, an operational and financial one. Analysis of the data provided by European data protection supervisory authorities also indicates a 22% year-on-year increase in the number of notified personal data breaches, reaching an average of 443 notifications per day.

The EDPB continued to clarify, through Guidelines, the intersection between the GDPR and the Digital Services Act and the Digital Markets Act (“DSA”/“DMA”), and addressed emerging topics such as the processing of data through blockchain technologies and transfers of data to third-country authorities. The EDPB also presented two new projects under the Support Pool of Experts (“SPE”), which provide direction on the use of artificial intelligence and data protection. In parallel, the EDPB increasingly oriented its work towards data subject rights and launched, in 2025, the Coordinated Enforcement Framework (“CEF”) action focused on the right to erasure (“right to be forgotten”), following the coordinated actions carried out in 2024 in relation to the right of access.

In Romania, the recurring themes flagged by the National Supervisory Authority for Personal Data Processing (ANSPDCP), consistently reflected in its 2025 fine announcements, included online data disclosures, video surveillance, non-compliance with data subject rights, failure to implement appropriate technical and organisational measures, unsolicited commercial communications and breaches of GDPR principles. The new package of measures in the digital field was presented by the European Commission on 19 November 2025.

Statement No. 01/2025 on age assurance

The statement adopted at the plenary meeting of 11 February 2025 provides guidelines on the methods used to determine a person’s age or age range online, known as “age assurance”. The main purpose is to protect children in the digital environment, while ensuring, at the same time, respect for fundamental rights and the applicable data protection legal framework.

Guidelines No. 02/2025 on the processing of personal data through blockchain technologies

Through these Guidelines, the EDPB explains how blockchain technologies operate and analyses different architectures, showing their implications for the processing of personal data. It emphasises that technical and organisational measures must be embedded from the design phase of the processing (privacy by design/by default). In addition, it sets out data minimisation techniques and methods for managing/storing personal data. As a general rule, it recommends avoiding the storage of personal data directly on a blockchain, in particular where this would conflict with data protection principles.

DMA and GDPR: the EDPB and the European Commission endorse joint guidelines to clarify common points of contact

On 9 October 2025, the EDPB and the European Commission endorsed joint guidelines on the interplay between the Digital Markets Act (“DMA”) and the GDPR – the first guidelines jointly produced by the two institutions – with the aim of ensuring consistent application of the two legal frameworks and increasing legal certainty for undertakings designated as “gatekeepers”, for business users and for data subjects. The guidelines clarify, in particular, how such gatekeepers can implement their obligations under the DMA in line with the GDPR, including the relevant requirements to provide users with concrete, specific options and to obtain valid consent.

The EDPB publishes the final version of its Guidelines on transfers of data to third-country authorities

With regard to transfers of data to third countries, as a general rule, an international agreement may provide both a legal basis and a ground (or justification) for the transfer. The EDPB underlines that judgments from third countries are not automatically recognised in Europe and that, in the absence of an appropriate international agreement, data transfers may take place only in exceptional circumstances and on a case-by-case basis.

Tiktok Technology Limited

The Irish Data Protection Commission (“DPC”) imposed on TIKTOK TECHNOLOGY LIMITED a fine of EUR 530 million for breaches of the GDPR. Following the investigation, it was found that the controller unlawfully transferred personal data to a third country and breached its transparency obligations. Specifically, the standard contractual clauses accepted by users when creating an account on the platform, together with the supplementary measures implemented, did not provide a level of protection for personal data equivalent to that guaranteed by the GDPR. In addition, the controller did not inform EEA data subjects that their data are stored on servers in China. The investigation was launched following a number of complaints.

Google LLC

The French Data Protection Authority (“DPA”) imposed on GOOGLE LLC a fine of EUR 200 million for breaches of the French Data Protection Act (“Loi Informatique et Libertés”) and the French Postal and Electronic Communications Code (“CPCE”). Following the investigation, it was found that the controller designed its cookie-consent mechanism in such a way that freely given and informed consent could not be expressed. Thus, the data subject could choose only between the free service, which involved personalised marketing, and a paid version without such marketing. In addition, the controller designed its email service so that ads could be displayed in areas where data subjects would normally find received emails. The investigation was launched following a complaint.

Poczta Polska S.A. (the Polish Post)

The Polish Data Protection Authority (“UODO”) imposed on Poczta Polska S.A. (the Polish Post) a fine of EUR 6.44 million and on the Minister of Digitalization a fine of approx. EUR 23,380.00 for breaches of the GDPR. As a result of the investigation, it was found that the controller unlawfully processed personal data. Thus, in the run-up to the 2020 presidential elections, at the request of the Polish Post, the Minister of Digitalization transferred data from the PESEL register on about 30 million data subjects, representing about 80% of Poland’s population. This data was then unlawfully processed by the postal service. The investigation was launched following a data breach notification by the controller.

Aena, S.M.E., S.A.

The Spanish Data Protection Authority (“AEPD”) imposed on Aena, S.M.E., S.A. a fine of EUR 10,043,002 for breaches of the GDPR. Following the investigation, it was found that the controller had not carried out a data protection impact assessment (DPIA) prior to commencing the processing. The controller ran a pilot project across several airports involving the use of facial recognition systems (processing of biometric data, a special category of data), which was likely to generate a high risk to the rights and freedoms of data subjects, without first carrying out a DPIA. The investigation was launched following a complaint.

Webrasoft SRL

WEBRASOFT SRL – fine amounting to LEI 99,518.00 (the equivalent of EUR 20,000) for violating the provisions of Article 32 para. (1) letters b) and d) and Article 32 para. (2) of the GDPR. As a result of the investigation, it was found that the controller did not implement adequate technical and organizational measures to ensure a level of security appropriate to the risk presented by the processing. In particular, personal data (name, surname, personal identification number, home address, phone number, e-mail address, bank account number) belonging to a significant number of customers were accessed by an unauthorized person, following a cyber attack on the controller’s server where the customer database was stored. The investigation was launched following a data breach notification by the controller.

The Alliance for the Union of Romanians (“AUR”) Party

THE ALLIANCE FOR THE UNION OF ROMANIANS (“AUR”) PARTY – fine amounting to LEI 126,467.5 (the equivalent of EUR 25,000) for violating the provisions of Article 32 para. (1) letters b) and d) and para. (2) read in conjunction with Article 25 para. (1) and (2) and Article 5 para. (1) letter c) and para. (2) read in conjunction with Article 6 para. (1) of the GDPR. As a result of the investigation, it was found that the controller did not implement adequate technical and organizational measures to ensure a level of security appropriate to the risk presented by the processing and unlawfully processed personal data. In particular, personal data (name and surname, telephone number, e-mail address, residence address, personal identification number, date of birth, nationality, citizenship, gender, religion, profession etc.) belonging to a very large number of data subjects were disclosed in an unauthorized manner following a cyber attack on the application aur.mobi owned by the controller. Furthermore, the Permanent Electoral Authority reported the unauthorized processing of personal data (name, surname, series and ID number, home address, date of birth, email, phone number, signature) through the www.semnezsivotez.org and www.semnezsivotez.ro platforms for a significant number of data subjects. The investigation was launched following two data breach notifications by the controller.

Data Diggers Market Research S.R.L.

DATA DIGGERS MARKET RESEARCH S.R.L. – fine amounting to LEI 59,726.40 (the equivalent of EUR 12,000) for violating the provisions of Article 15 and Article 14 in conjunction with Article 12 para. (1) and Article 6 para. (1) of the GDPR. As a result of the investigation, it was found that the controller unlawfully processed personal data. Thus, the controller did not provide the complainants with complete information following the exercise of their right of access to personal data. Moreover, it did not provide, at the time of the first communication with the complainants, the information which it was obliged to provide. The investigation was launched following referrals from two other data protection authorities in the EU, following complaints made by two individuals in those countries.

Unicredit Bank S.A.

UNICREDIT BANK S.A. – fine amounting to LEI 74,652.00 (the equivalent of EUR 15,000) for violating the provisions of Article 25 para. (1) of the GDPR. As a result of the investigation, it was found that the controller did not implement adequate technical and organizational measures to ensure a level of security appropriate to the risk presented by the processing. Thus, both the solution for customer communication with the controller and the controller’s application for creating usernames were implemented without prior testing in a test environment, which led to the unauthorized disclosure of personal data belonging to a significant number of the controller’s customers. The investigation was launched following two data breach notifications by the controller.

Within this dynamic regulatory landscape, organisations are increasingly required to adopt a proactive and structured approach to data protection compliance, ensuring both operational resilience and alignment with evolving European standards. The developments of 2025 — from enhanced cross‑border enforcement to new guidelines on AI, blockchain and international data transfers — underscore the importance of integrating privacy considerations into governance, technology and business decision‑making processes.