
When can a data access request cross the line from legitimate to abusive? On 19 March 2026, the CJEU ruled in Brillen Rottler (Case C-526/24) that even a first DSAR can be refused under Article 12(5) GDPR as "excessive" where the controller demonstrates it was made with abusive intent.
Key findings include:
- Intent, not merely the number of requests, is decisive: Whether a request is "excessive" turns on both qualitative and quantitative characteristics. Frequency or repetition may be indicators, but the data subject's intent is the more decisive factor.
- Burden of proof: Abusive intent must be demonstrated by the controller. Relevant circumstances to consider include the time elapsed between the provision of the data and the access request, the data subject's conduct (such as repeated DSARs followed by compensation claims across multiple controllers), and the underlying objective of the request.
- Exceptional for first-time requests: Reliance on Article 12(5) in respect of first-time requests should remain exceptional. The high evidential threshold remains and controllers are subject to strict criteria where a request is the first of its kind.
- Compensation requires actual damage: Article 82(1) GDPR provides a right to compensation for damage stemming from an infringement of Article 15(1) GDPR (such as where the refusal process is defective), regardless of whether the infringement involved unlawful processing. However, compensation is excluded where the data subject's own conduct was the decisive cause of the damage.
The judgment arguably tightens the reins on mass‑claim strategies, while also recognising that the lower threshold of “uncertainty” about processing may still amount to non‑material damage. The ruling also aligns with the European Commission’s draft Digital Omnibus Regulation, which seeks to codify an ability to refuse abusive DSARs. The message is clear: the GDPR protects individuals, not opportunistic behaviour; but controllers must be ready to evidence abuse and justify refusals.
For further detail and commentary regarding the judgement, please refer to our blog piece here.

On 31 March 2026, the ICO launched a consultation in relation to draft guidance about automated decision‑making ("ADM") and profiling, intended to update its existing guidance on ADM and profiling, following changes introduced by the Data (Use and Access) Act 2025 ("DUAA").
According to the ICO, the new guidance focuses on the provisions specific to ADM, clarifies how organisations can use ADM, and sets out where and how safeguards should be used. The ICO has also stated that the updated guidance will inform parts of its AI and ADM code of practice (which it is currently preparing to develop). The consultation is open until 29 May 2026.
Alongside the consultation, the ICO also published a report on its findings on the use of ADM in recruitment, which was one of the ICO's key areas of scrutiny as part of its AI and biometrics strategy announced last year. The report, based on evidence collected from engagement with over 30 employers between March 2025 and January 2026, recognises that automated recruitment tools can be helpful to both candidates and employers. These tools, however, can also carry risks including the potential for bias or discrimination.
A key finding is that "many employers engaging in automated recruitment are likely relying on solely automated decisions as part of this process", i.e. these decisions sit squarely within the scope of the relevant ADM provisions set out in the UK GDPR. On this basis, the ICO concludes that there is a need for more transparency and safeguards in this area.
Organisations should therefore review how automation is used in their hiring processes, assess whether any hiring decisions may fall within the scope of Article 22 UK GDPR, and ensure that transparency arrangements and safeguards are appropriate.
The ICO expects organisations wishing to use ADM in their recruitment processes to:
- proactively monitor their automated tools for bias and discriminatory outcomes;
- be transparent with candidates on when and how ADM is used; and
- explain to candidates how they can exercise their right to challenge a decision and request a human review.

In December 2025 (although the decision was only published on the ICO website in March 2026), the ICO issued a £66,000 fine and a reprimand against Police Scotland for serious failures in the handling of sensitive personal data under the UK GDPR.
The decision is notable for being the first in which the ICO has separately sanctioned breaches of the data minimisation principle and the obligation to implement data protection by design and by default as standalone violations, distinct from the more commonly cited failures relating to data security.
The penalty arose from the extraction by Police Scotland of the full contents of a complainant's mobile phone during a criminal investigation, which included a large volume of highly sensitive personal data. That data was subsequently included, without redaction, in a misconduct disclosure bundle compiled by Police Scotland's Professional Standards Department, resulting in its unauthorised disclosure to a third party.
The ICO found that Police Scotland had not implemented adequate safeguards in the preparation and disclosure of misconduct files. There was no effective framework to ensure that only relevant data was selected and, as a result, substantial volumes of data with no relevance to the misconduct investigation were disclosed in full.
Through its findings, the ICO emphasises the importance of clear internal guidance and training on UK GDPR compliance within the performance of specific tasks, notably to reduce risks arising from individual judgement at the point of processing. Such guidance must address the application of specific data protection principles, including data minimisation (e.g., how to identify the information that should be retained and the importance of redaction).
This decision serves as a clear warning that data minimisation and privacy by design are not abstract principles. Regulators will assess how much personal data organisations collect, and whether their systems effectively ensure compliance with the UK GDPR in that respect.
Organisations should treat this decision as an opportunity to review how their processing activities are designed and operated, and whether they ensure compliance with GDPR principles from the outset when collecting data. This is particularly important given that infringements of the data minimisation principle fall within the higher tier of administrative fines under the UK GDPR, exposing organisations to penalties of up to £17.5 million, or, in the case of an undertaking, 4% of total worldwide annual turnover for the preceding financial year, whichever is higher.

In a decision issued on 30 March 2026, the Italian Data Protection Authority, the Garante, imposed a fine of €31.8 million on Intesa Sanpaolo in connection with a customer data breach, after the authority found that the bank failed to implement sufficient security controls to safeguard and monitor personal data.
An employee's unauthorised access to customer data on 6,647 occasions between February 2022 and April 2024 raised questions about the protective measures in place at the Italian bank. The data concerned included information relating to the bank account movements, payment card details and investment information of 3,573 customers. Of those affected, 150 were public figures, bank personnel and national politicians.
The bank was also criticised for giving late notifications of the breach. It informed customers only in November 2024, after an order required such communication, and delayed notifying the Garante, which hindered the authority’s ability to intervene promptly. The Garante concluded that the bank breached the GDPR principles of integrity, confidentiality and accountability.
This is the second fine issued against the bank this month. In a separate enforcement action on 12 March 2026, it was issued with a €17.6 million penalty for unlawfully profiling 2.4 million customers based on their assumed digital abilities when transferring them to its subsidiary, Isybank Spa. In making such assumptions, the bank targeted customers who were under 65, habitual users of digital channels, holders of investment products and in possession of financial resources below a certain threshold. The Garante rejected the bank's argument that it had relied on 'legitimate interests' to support its processing activities.
The bank has therefore been fined almost €50 million in the month of March 2026 alone. The decision signals that authorities will continue levying substantial sanctions against institutions that fall short on customer governance and security controls. The 30 March fine is the second-largest issued by the Garante under the GDPR, and the 12 March fine is the fifth-largest, reflecting a broader shift towards higher-value penalties for security and customer-data failings. Institutions should also be reminded by this example that regulators will consider delays or deficiencies in breach notifications when assessing compliance.

In July 2021, the Luxembourg National Commission for Data Protection ("CNPD") imposed a record fine of $854.4 million (€746 million) on Amazon for infringements of several provisions of the GDPR. Amazon’s challenge to the decision was unsuccessful in 2025.
However, in the latest stage of the process, the Luxembourg Administrative Court, while confirming that at the time of the 2021 decision Amazon had wrongly relied on the 'legitimate interests' legal basis to process customers’ personal data for personalised advertising, nevertheless annulled the fine. The Court found that the CNPD had failed to assess whether Amazon had acted negligently or intentionally before imposing the fine and had not considered whether a fine was an appropriate enforcement measure.
This ruling underscores how challenging GDPR enforcement can be for regulators who must not only find infringements but also carefully consider and apply their enforcement powers appropriately.

On 25 March 2026, the UK's Office of Communications ("Ofcom") and the ICO published a joint statement on age assurance ("Joint Statement"), clarifying how online services can meet their obligations under the Online Safety Act 2023 ("OSA") and UK data protection law when implementing age assurance measures. The statement targets services likely to be accessed by children and reflects a continued move towards coordinated regulation in this area.
The regulators emphasise a shared, risk‑based and technology‑neutral approach, giving services flexibility to choose appropriate age assurance methods provided they are effective, proportionate and compliant with legal requirements. The statement is clear that self‑declaration by individuals alone is not sufficient, and that methods must be robust against circumvention. Certain approaches, such as debit card checks or general contractual age restrictions, are expressly identified as not capable of being highly effective.
The Joint Statement highlights that, under the OSA, certain services, such as user‑to‑user platforms hosting primary priority content (including pornography and self‑harm content) and services displaying their own pornographic content, are required to deploy highly effective age assurance. Whilst the OSA does not require services to set a minimum age, any minimum age that is adopted must be clearly stated and consistently enforced. Where this is not done using highly effective methods, services should assume underage users are present and reflect this in their children’s risk assessments.
From a data protection perspective, the ICO stresses that age assurance can help prevent unlawful processing of children’s data and support compliance with the Children’s Code. The Joint Statement reiterates that organisations must nonetheless identify a lawful basis for age assurance processing, minimise data collection, ensure transparency, and carry out Data Protection Impact Assessments where appropriate. Profiling is not currently regarded as an effective standalone method for preventing underage access.
The Joint Statement includes practical examples illustrating how services can design age assurance processes that satisfy both online safety and data protection requirements. Overall, it sends a clear signal that regulatory expectations in this area continue to rise, and that services should expect closer scrutiny and coordinated enforcement from both regulators going forward.

Following the entry into force of the Data (Use and Access) Act ("DUAA"), the ICO has published updated guidance on the GDPR purpose limitation principle and the new concept of “recognised legitimate interests”.
The guidance on "recognised legitimate interests" addresses DUAA’s addition of a statutory list of recognised legitimate interests to the UK GDPR that organisations may rely on without carrying out a full legitimate interests assessment and balancing test. These include, among other things, processing for fraud prevention, network security, safeguarding and the detection of unlawful acts. The ICO guidance makes clear that, where an organisation is relying on a recognised legitimate interest, it must still identify and document the relevant category, ensure that the processing is necessary for that purpose, and apply appropriate safeguards, including data minimisation and transparency. Although the balancing test is disapplied, organisations remain accountable for demonstrating that their reliance is reasonable, proportionate and does not override individuals’ rights in practice, and must keep this under review.
The ICO’s updated guidance on the purpose limitation principle also reflects changes introduced by DUAA by expressly recognising a statutory list of purposes in Annex 2 to the UK GDPR that are automatically compatible with the original purpose of collection such as crime prevention, safeguarding and compliance with legal obligations. Unlike the previous guidance, which focused mainly on research and archiving, the new text confirms that organisations do not need to carry out a full compatibility assessment for these uses and, in some cases, do not need to identify a new lawful basis. The guidance also draws a clear distinction where consent was the original lawful basis, noting that options for changing purpose are more limited in those cases. Overall, the ICO adopts a more pragmatic approach to purpose limitation, emphasising reasonable expectations, transparency and accountability rather than treating any further use as impermissible “function creep”, while maintaining the requirement to specify purposes clearly at the outset.

The European Data Protection Board ("EDPB") has officially launched its Coordinated Enforcement Framework ("CEF") action for 2026, focusing on compliance with the obligations of transparency and information under the GDPR. The action reinforces the central role of transparency in EU data protection law and signals that this aspect of compliance will be a particular priority for supervisory authorities in the coming year.
Transparency is one of the core principles applicable to data processing under the GDPR. It is an overarching obligation which impacts three general areas:
- Providing specific information to data subjects to ensure fair processing (Articles 13 and 14 GDPR);
- Communicating with data subjects about their data processing rights (Articles 15 to 22 and 34 GDPR); and
- Facilitating the exercise of data subject rights (Article 12(2) GDPR).
Under the 2026 CEF action, twenty-five Data Protection Authorities ("DPAs") across the EU will assess the compliance of controllers with their transparency and information obligations under the GDPR. The outcomes of the national investigations will be analysed at both national and EU level, and the EDPB is expected to publish a consolidated report highlighting common issues, good practices and areas for further enforcement.
In practice, organisations can expect increasing scrutiny on how they communicate their processing activities to individuals (e.g., whether their privacy notices are easily accessible, written in plain language, and available across all relevant channels).

The EDPB has adopted its 2025 CEF report on the right to erasure, drawing on coordinated investigations by 32 DPAs across Europe.
Seven recurring compliance issues were identified:
- Absence of a documented and updated internal procedure to handle erasure requests: As many as 17 DPAs raised concerns about controllers not having any internal procedure in place to handle erasure requests, or having an incomplete or irregularly reviewed one.
- Absence of, or inadequate, training: In many cases, data protection training is either not conducted regularly or is limited to general annual sessions; this can lead to failures to recognise erasure requests and to respond to them appropriately.
- Insufficient information provided to data subjects: Many controllers do not systematically inform data subjects of the right to erasure, resulting in a general lack of awareness and fewer requests. Additionally, upon receiving a request, some controllers fail to inform data subjects of delays, provide justifications for refusals, or advise on the right to lodge a complaint with a supervisory authority.
- Misuse of and legal uncertainty on the exceptions to deny erasure requests: More than a dozen DPAs noted that several controllers demonstrated uncertainty or inconsistency in applying the exceptions under Article 17(3) GDPR.
- Difficulties in defining and implementing data retention periods: Some controllers struggle to determine appropriate retention periods given the variety of general and sector‑specific European and national laws.
- Deletion of personal data in the context of back-ups: Half of the responding DPAs raised concerns that many controllers have no specific procedures to handle erasure requests in the context of back-ups, instead relying on automatic deletion measures or general retention periods not tailored to individual requests.
- Difficulties with anonymisation to respond to erasure requests: Anonymisation is often used as a substitute for permanent deletion. In practice, multiple DPAs found that many controllers apply only basic pseudonymisation or partial masking, which does not meet the GDPR’s requirements. Multiple controllers expressed a need for clearer guidance on what legally constitutes anonymisation and what appropriate technical solutions look like under the GDPR.
Prompted by the CEF results, DPAs and the EDPB have indicated their intention to publish additional material at national and EU level respectively. Several DPAs have also signalled potential enforcement action against controllers, with some considering launching formal investigations.
Organisations should therefore expect both more clarity and guidance but also increased scrutiny in respect of this core right under GDPR.

The Commission’s draft guidance on the EU Cyber Resilience Act ("CRA"), published on 3 March 2026 and currently open for feedback, offers significant clarification on the scope, lifecycle duties and conformity routes of the legislation (more information on the Commission's website).
As a reminder, the CRA applies in phases. Provisions on conformity assessment bodies apply from 11 June 2026, reporting obligations from 11 September 2026, and the CRA applies in full from 11 December 2027.
Scope and Placing on the Market
The CRA applies to any product with digital elements, including hardware-software combinations where the components are obtained separately. What matters is the presence of a digital data connection. Remote data processing solutions ("RDPS") fall in scope when the remote software is essential to the product's functions (including performance support) and is designed or developed by, or under the responsibility of, the manufacturer. Complex or pre‑CRA designs remain in scope, requiring a risk assessment, technical documentation and user information. The Commission also flags the guidance’s focus on how the EU CRA interacts with other EU legislation, alongside remote data processing solutions, free/open source software ("FOSS"), and support periods.
For standalone software, "placing" on the market occurs when a finished version is first offered in the EU; later iterations only change that date if they constitute a substantial modification. The draft guidance also clarifies that some developer materials (such as sample or demonstration code in tutorials) are not treated as being ‘placed on the market’ as standalone products.
FOSS and Stewards
FOSS is only within CRA scope when supplied commercially. Community versions are not in scope unless the publisher meets the definition of an "open‑source software steward" (subject only to the Article 24 steward obligations), meaning a legal person providing sustained support for FOSS intended for commercial use by others. Donations alone do not make supply commercial, unless essential updates or binaries are effectively pay‑walled.
Manufacturers integrating FOSS remain fully responsible for CRA compliance for their product and must report upstream vulnerabilities and share fixes.
Substantial Modification and Support Period
A modification is substantial if it affects compliance with essential requirements or changes the intended purpose of the product.
The guidance clarifies that the five-year support period is a baseline and not a blanket rule. Support periods set by manufacturers should match how long the product is realistically expected to be used, which might extend beyond five years if necessary. For iterative software, the guidance indicates that each version placed on the market should have a declared support period. Manufacturers may remediate only the latest software version where upgrades are free and impose no additional costs on users (e.g., environmental or operational costs).
Important/Critical Products and Conformity
Classification turns on the product’s core functionality. A product is default, important (Class I/II) or critical depending on the functions it performs. Harmonised standards confer a presumption of conformity only for the risks they cover, and manufacturers must still perform a risk assessment covering gaps.
Risk Assessment, External Dependencies and Reporting
The product‑level risk assessment is distinct from due diligence on components or external services. External dependencies must not undermine essential requirements, even where the manufacturer does not control the external infrastructure.
Manufacturers must notify the Computer Security Incident Response Team (CSIRT) designated as coordinator and the European Union Agency for Cybersecurity (ENISA) within 24 hours of becoming aware of an actively exploited vulnerability or severe incident, submit a further notification within 72 hours, and follow up with a complete report within 14 days after a corrective or mitigating measure is available (for actively exploited vulnerabilities) or within one month after the 72‑hour notification (for severe incidents). Affected users must be informed proportionately.
Related Guidance – ENISA’s Secure‑By‑Design Playbook
ENISA has also published practical guidance outlining measures SMEs can implement now, including hardened defaults, least‑privilege access, attack‑surface minimisation, baseline logging and alerting, reliable update paths, Software Bill of Materials ("SBOM")‑driven dependency hygiene and machine‑readable security attestations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.