
We continue to share clear and practical insights on the latest developments in data protection, AI, and tech regulation, helping you stay informed and compliant in this ever-changing digital landscape.
Whether you manage compliance or simply want to stay safer and better informed online, this newsletter is for you.
As always, our Data Protection Team is here to help. If you would like tailored advice or to discuss a specific issue, please contact us using the details at the end of this page.
Administrative Court annuls CNPD's €746 million fine against Amazon
Back in 2021, Luxembourg's data protection authority (the CNPD) hit Amazon with one of the biggest privacy fines in history, €746 million, for using individuals’ personal data to show them targeted advertisements without a proper legal basis.
Amazon appealed, and on March 12, 2026, Luxembourg's Administrative Court (“the Court”) annulled the fine, finding two major procedural shortcomings in how the CNPD built its case.
🧩Key takeaways
The court confirmed that Amazon had violated several GDPR provisions, including the lack of a valid legal basis under Article 6(1)(f) for behavioural advertising and breaches of transparency and data subject rights.
However, the fine was thrown out because the CNPD did not properly justify how it calculated the penalty, did not establish whether Amazon acted intentionally or merely carelessly, and did not consider lighter alternatives before issuing the fine.
The case has been sent back to the CNPD, which could issue a new fine after fixing the procedural gaps.
❔Why is it important?
For companies, this case is a reminder that supervisory authorities must follow proper procedures when imposing fines, but it is equally a reminder that the underlying rules are real and enforceable.
Relying on vague "business interests" to justify collecting and using people's data for advertising is not in line with GDPR requirements.
If your company does any form of targeted advertising or profiling, this is a good opportunity to check that you have a genuine, well-documented reason for doing so.
Our Data Protection Team can help you understand your obligations and ensure the proper information is given to individuals. Please do not hesitate to contact us at: externaldpo@lu.gt.com.
CNIL closes enforcement order against KASPR following full compliance
In December 2024, the French Data Protection Authority (CNIL) imposed a fine of €240,000 on KASPR, a company specializing in the collection of professional contact details from LinkedIn profiles, for violating many GDPR requirements.
KASPR was then given six months to fix the issues raised by the CNIL.
This month, the CNIL confirmed the closure of its enforcement order after the company demonstrated full compliance with the corrective measures imposed.
🧩Key takeaways
CNIL fined KASPR for several serious violations under the GDPR, including:
- Collecting data in disregard of users' privacy settings: KASPR collected contact details of LinkedIn users who had expressly chosen to limit the visibility of their profiles.
- Retaining data for excessive periods: every time a LinkedIn profile was updated, KASPR's system automatically reset the data retention clock, meaning data was kept longer than necessary. Retention periods need to be genuinely fixed, not quietly extended by an automated process.
- Failing to inform individuals: until 2022, individuals whose data was collected were not informed at all. After that, notices were only available in English, which the CNIL found insufficient given that KASPR operates across multiple countries and languages.
- Responding inadequately to access requests: when individuals asked about the source of their data, KASPR simply stated that it came from “publicly available sources”. The CNIL found that the information given to individuals was not sufficient. Individuals have the right to know specifically where their data originated.
❔Why is it important?
This case sends a clear message to any organisation that collects, buys, or processes professional data from online sources. "Publicly available" data does not mean freely usable.
The fact that a LinkedIn profile exists online does not give the right to collect it, store it indefinitely, and use it for outreach, especially if the person has taken steps to limit their visibility.
If your organisation uses data enrichment tools, sources contact lists from third parties or runs any kind of outreach based on scraped professional data, our Data Protection team can help you navigate your obligations under the GDPR and implement them effectively.
The Court of Justice of the European Union (CJEU) rules on abusive GDPR access requests (Case C-526/24)
The case concerns Brillen Rottler, a German optician, and T.C., an individual living in Austria. On 16 March 2023, T.C. subscribed to the company’s newsletter and provided his personal data.
Thirteen days later, he submitted a Data Subject Access Request (DSAR) under Article 15 of the GDPR. Brillen Rottler refused the request, citing publicly available reports and lawyers’ newsletters suggesting that T.C. regularly files DSARs “for the sole purpose of obtaining compensation for an alleged GDPR infringement.”
T.C. challenged the refusal, claiming that the optician had unlawfully restricted his GDPR rights, and filed a compensation claim in a German court. The Arnsberg Local Court referred the case to the Court of Justice of the European Union (CJEU) for a preliminary ruling.
🧩Key takeaways
On 19 March 2026, the CJEU delivered its answer: even a first-ever access request can be refused as excessive when it is made with abusive intent.
The GDPR mentions repetitive requests as one example of an "excessive" DSAR; the CJEU confirmed that this is merely illustrative, not a requirement.
Even a single, first-time request can qualify as excessive if abusive intent can be demonstrated.
The CJEU has identified several factors to help organisations assess whether a request is abusive:
- Whether the individual provided the data without being obliged to do so
- The purpose for which the data was provided
- The time elapsed between the data being provided and the request being made
- The overall conduct of the individual
Publicly available evidence of a pattern of systematic DSARs may also be taken into consideration, provided it is supported by the factors mentioned above.
Finally, the CJEU confirmed that the right to compensation covers damages resulting from a violation of GDPR obligations. However, a mere allegation does not suffice: individuals must be able to prove both the violation and the damage caused by it.
This causal link may be broken where the conduct of the individual is itself the determining cause of the damage.
❔Why is it important?
This judgment is significant for organisations as it provides the first clear judicial framework to address individuals who submit DSARs not to exercise their data protection rights, but to manufacture compensation claims under Article 82 of the GDPR.
In practice, this means organisations should review their DSAR workflows and introduce an assessment of the intent behind requests.
If a refusal is considered, organisations must document their reasoning carefully and must be able to point to the relevant factors and explain how each element is satisfied. Failing to do so could itself constitute an infringement of the GDPR.
For individuals, the CJEU reaffirms the right of access as a core transparency instrument under the GDPR, while at the same time making clear that it must not be misused to artificially generate claims for damages.
If you have any questions about this judgment or need support in managing your DSAR processes, our Data Protection Team is here to help your organisation navigate these obligations with confidence.
EDPB launches 2026 enforcement action on transparency and information obligations
On 19 March 2026, the European Data Protection Board (EDPB) officially launched its Coordinated Enforcement Framework (CEF) action for 2026, shifting focus to transparency and information obligations under the GDPR.
This means that 25 data protection supervisory authorities across Europe will actively assess whether organisations are properly informing individuals about how their personal data is being processed.
🧩Key takeaways
The focus is on transparency and information obligations. Therefore, supervisory authorities will be checking whether people are adequately informed about when and how their personal data is processed. This covers both the content of privacy notices and how they are presented.
Supervisory authorities will send questionnaires to survey the state of transparency measures across many organisations. Results will be compiled into a joint EU-wide report, with good practices highlighted; where weaknesses are found, recommendations or further enforcement may follow.
❔Why is it important?
If your organisation handles personal data (and almost every organisation does), now is the time to dust off your privacy notice and ask: is it actually clear? Does it explain who you are, what data you collect, why you collect it, how long you keep it, and who you share it with?
For individuals, this is good news: it means the information you are entitled to about how your data is used should become clearer.
Our Data Protection team is here to help you navigate your transparency obligations and ensure your organisation is well-prepared ahead of any supervisory enquiry. For more details, please contact our team via externaldpo@lu.gt.com.
Contact
Need advice on Data Protection, AI, or Whistleblowing compliance?
Our Data Protection team is here to support you. Contact us today to discuss your needs and explore how we can assist you: Dara Kelly, Head of Advisory, or Pasquale Esposito, Data Protection Officer.