Data protection and GDPR
-

Records of processing and SMEs: the simplification of Article 30(5) GDPR seen by the EDPB and EDPS
Extending the exemption from the obligation to keep a record of processing activities to organisations with fewer than 750 employees: this is the Commission’s proposal on which the EDPB and the EDPS pronounced in Joint Opinion 01/2025. Favour for the lightening, but with a warning: the register is not just an obligation, it is a…
-

EHDS: the European Health Data Space between primary use, secondary use and prohibited uses
Regulation (EU) 2025/327 establishes the European Health Data Space: the first common European sectoral data space, with staggered application from 26 March 2027. Interoperable health records for care, access bodies for research, and a catalogue of expressly prohibited uses. The essential coordinates of a regulation set to reshape European digital health. With Regulation (EU) 2025/327…
-

Facial recognition in Italian cities: the moratorium extended to 2027 and the AI Act’s limits
After Trento, the Garante scrutinised Rome’s metro and Turin’s “intelligent” cameras. Meanwhile, the Italian moratorium on the use of facial recognition in public places has been extended to 31 December 2027, and the AI Act has set directly applicable prohibitions, from the scraping of facial images to real-time remote biometric identification. The updated map of…
-

The EDPB DPIA template: towards a harmonised impact assessment across the European Economic Area
On 14 April 2026 the EDPB adopted a template for data-protection impact assessments, put out for public consultation until 9 June 2026: predefined fields, an explanatory document and the ambition to become the single model — or the “meta-template” — of the authorities across the entire EEA. What changes, in practice, for controllers and DPOs?…
-

The Digital Omnibus and the GDPR: the EDPB and EDPS doubts on the new definition of personal data
While the Digital Omnibus on AI has reached the finish line, the twin package affecting the GDPR and ePrivacy is still on its way, and carries the most delicate question: the amendment of the definition of personal data. In Joint Opinion 2/2026 of 10 February 2026, the EDPB and the EDPS open to simplification but…
-

ISO/IEC 42005 and the impact assessment of AI systems: a compass between FRIA and DPIA
Published in May 2025, ISO/IEC 42005 offers organisations guidance for assessing the impact of AI systems on individuals, groups and society. A voluntary tool that sits in an ecosystem crowded with mandatory assessments: the FRIA of Article 27 of the AI Act and the DPIA of Article 35 of the GDPR. How do these three…
-

Health digital twins: GDPR, the AI Act and the EHDS put to the test by the patient’s digital twin
Digital twins in healthcare promise to simulate disease progression and personalise care. But a patient’s digital twin is, first of all, a large-scale processing of health data: when do synthetic data remain personal data? Who is the controller in a federated architecture? And what happens to the data of the deceased? The reflections that follow…
-

Italian cities go digital: from the European Mission Label to Trento’s lesson on intelligent surveillance
All nine Italian cities in the European mission “100 climate-neutral and smart cities by 2030” have now obtained the Mission Label. But the opening of the cities to the digital has also met its first, severe legal test: the Garante’s sanction against the Municipality of Trento for the “intelligent” surveillance projects Marvel and Protector. Between…
-

Digital cities and “deserving” citizens: from points-based citizenship to the AI Act’s ban on social scoring
In recent years several Italian municipalities trialled “points-based citizenship” schemes that closely echoed the much-criticised Chinese social-control model: virtuous-citizen wallets, digital licences, scorecards. Today that debate has a new legal frame: since 2 February 2025, social scoring is an AI practice prohibited by Article 5 of the AI Act. What remains of those projects, and…
-

The Garante’s 2026 inspection plan: the areas in the spotlight and the lessons of the Emirates case
By deliberation No. 797 of 30 December 2025 the Italian Garante planned its inspection activity for the first half of 2026: artificial intelligence in schools, data breaches of public databases, whistleblowing, health dossiers, energy-sector telemarketing, and anonymisation of Telco big data. And the recent Emirates fine shows that even a lawful legal basis does not…