
We are here to share clear and practical insights on the latest developments in data protection, AI, and tech regulation, helping you stay informed and compliant in this ever-changing digital landscape.
Whether you manage compliance or simply want to stay safer and better informed online, this newsletter is for you.
As always, our Data Protection Team is here to help. If you would like tailored advice or to discuss a specific issue, please contact us using the details at the end of this page.
EU Commission publishes Code of Practice on Transparency of AI-Generated Content
On 10 June 2026, the European Commission published the Code of Practice on Transparency of AI-Generated Content to support providers and deployers of generative AI systems in complying with the AI Act’s obligations on the marking and labelling of AI-generated content.
🧩Key takeaway
Article 50 of the AI Act establishes transparency obligations for certain AI systems and AI-generated outputs, subject to limited exceptions, including specific law enforcement scenarios. To support implementation, the Code sets out practical measures under two main sections corresponding to Articles 50(2) and 50(4) of the AI Act:
- Section 1 - Providers: Guidance on technical measures for marking AI-generated or manipulated content and enabling its detection (Article 50(2))
- Section 2 - Deployers: Guidance on labelling deepfakes and AI-generated or manipulated text disclosed to the public (Article 50(4))
The Annex to the Code also includes three standard icons that deployers may use when labelling AI-generated deepfakes or published AI-generated content.
The Code is currently subject to an adequacy assessment by the European Commission and the AI Board. If approved, signatories may rely on the Code as a recognised means of demonstrating compliance with Article 50, irrespective of where they are established or operate within the EU market.
Providers and deployers of generative AI systems may join the Code by submitting a Signatory Form to the Commission. The Commission will then publish the list of signatories in July 2026.
❔Why is it important?
From 2 August 2026, organisations placing AI systems on the EU market or using such systems within the EU will generally be required to comply with the transparency obligations under Article 50 of the AI Act (subject to a possible extension until 2 December 2026 for certain systems already on the market under the Digital Omnibus provisional agreement).
For businesses, this is important because joining the Code could reduce compliance costs, lower legal uncertainty, and simplify regulatory reporting across all EU Member States. Businesses that choose not to adhere to the Code remain free to adopt alternative compliance measures but will need to justify the adequacy of those measures independently.
Italian Garante fines an automotive company for post-sick leave questionnaires
The Italian Supervisory Authority (Garante) has imposed a €50,000 administrative fine on Magna PT S.p.A. (the Company) and ordered a definitive ban on certain data processing activities after finding unlawful handling of employee personal data, including health-related information.
🧩Key takeaway
The case arose from a trade union complaint concerning an internal company practice under which employees returning from sick leave, workplace accidents, or hospitalisation were required to attend an interview and complete a questionnaire.
The questionnaire, completed by the employee’s direct supervisor, was subsequently submitted to the Human Resources department, which, together with the supervisor and/or the company physician, evaluated potential measures to safeguard employees’ health, including workstation adjustments or interventions aimed at improving workplace relations.
Following its investigation, the Italian Garante identified multiple infringements of the GDPR, including:
- Failure to comply with key processing principles, including data minimisation and proportionality
- Absence of a valid legal basis for processing
- Unlawful processing of special category data, including health data
- Failure to provide employees with clear and transparent privacy information
The authority also found that the company retained irrelevant and excessive employee data for disproportionate periods - up to ten years - despite the information not being necessary for evaluating employees’ professional suitability or performance.
❔Why is it important?
This decision highlights the strict limits on employers’ ability to collect and process employee health data, even where workplace safety or employee welfare is invoked as a justification.
Businesses should ensure that HR procedures involving sickness absence, medical leave, or workplace adjustments are supported by a clear legal basis and remain strictly necessary and proportionate.
The case also reinforces that excessive data retention and informal internal practices may significantly increase GDPR enforcement risks.
EU debate on restricting minors’ access to social media
On 2 June 2026, the European Parliament published a research paper titled Debate on Setting a Minimum Age for Social Media, examining possible EU measures to restrict minors’ access to social media, including age-based restrictions and age assurance mechanisms.
🧩Key takeaway
In its research, the European Parliament highlights a growing global trend toward restricting children’s access to social media. Examples include Australia, which has introduced a minimum age of 16 for certain social media platforms, and China, where digital curfews and time limits are already used to regulate minors’ online activities.
The European Parliament also reviewed developments across EU Member States and noted that national approaches differ in terms of age thresholds, terminology, and scope of restrictions, creating a risk of regulatory fragmentation across the EU.
To address this, several Member States and the European Parliament have called for a common EU approach, including a possible EU-wide minimum age for social media or a broader digital majority age.
The European Commission has also launched a Special Panel on Child Safety Online and is advancing work on a harmonised age verification framework. The panel is expected to submit its report to the President of the Commission in July 2026, after which the Commission will consider its recommendations and determine the next steps.
❔Why is it important?
Although no EU-wide minimum age requirement has been adopted yet, the current debate signals increasing regulatory pressure on social media platforms and other digital service providers to strengthen child safety measures.
Businesses offering online services accessible to minors should closely monitor developments, particularly regarding age verification, platform design, and compliance with child protection obligations under the GDPR and Digital Services Act (DSA).
For parents and individual users, the initiative reflects a broader policy shift toward creating safer digital environments for children while balancing privacy and access to information.
The EDPB publishes a template for personal data breach notification
On 10 June 2026, the European Data Protection Board (EDPB) published a draft template for a common personal data breach notification. The template is open for public consultation until 5 August 2026, after which the EDPB will determine the timeline for its practical implementation.
🧩Key takeaway
The template is about 27 pages, divided into 7 sections. Compared to national templates such as the CNPD form, the EDPB template provides considerably more detail and structure at every stage:
- Type of notification: Allows formal withdrawal of a previous notification, e.g. if it turns out to be a duplicate or is reassessed as posing no risk.
- Identification of the data controller and reporting person: Detailed company info (sector list, organisation type, company ID, EEA representative if not EU-based), clear DPO identification separate from the reporting person, and third parties specified by role (processor / joint controller).
- Initial information on the breach: Structured timeline (including whether dates are estimated), breach classified by type (confidentiality / integrity / availability), and cause selected from a standardised list.
- Further info – consequences, assessment, measures: Consequences assessed separately per breach type, impact and severity rated using fixed categories, risk level chosen from defined categories, and measures (before/after) selected from standardised checklists.
- Communication to data subjects: Requires specifying which breach type triggered the notification decision, the precise legal ground under Article 34(3) GDPR if not notifying, whether notification was partial, and which communication channel was used.
- Possible other issues: Dedicated section for non-EU established controllers still subject to GDPR, detailed cross-border information (lead authority, countries involved, numbers per country), and a direct question on police/criminal reporting.
- Attachments: Detailed checklist of required supporting documents, with a specific breakdown for phishing cases (mailbox owner, recipients, exposed data subjects).
❔Why is it important?
This template makes the data breach notification process more consistent and simpler across EU supervisory authorities. It is separate from the Digital Omnibus proposal for a single EU reporting portal, which would allow organisations to report not only data breaches but also cybersecurity and financial-sector incidents in one place. It remains to be seen how the two initiatives will align.
The greater level of detail and comprehensiveness in the EDPB template also makes the notification process more demanding, as correctly assessing the predefined values and tooltips often requires specialised expertise.
Following this update, national data protection authorities may soon revise their own data breach notification forms to reflect these changes.
Contact
Need advice on Data Protection, AI, or Whistleblowing compliance?
Our Data Protection team is here to support you. Contact us today to discuss your needs and explore how we can assist you: Dara Kelly, Head of Advisory, or Pasquale Esposito, Data Protection Officer.