Global data protection developments this quarter show regulators moving from broad policy direction into more practical guidance, enforcement, and sector-specific action. In this edition of Global Data Protection Compliance FY26/02, we look at updates from the EU, Poland, the Netherlands, Spain, Mexico, India, and Brazil, including new DPIA guidance, GDPR enforcement decisions, automated decision-making requirements, AI-related safeguards, employment data protections, India’s DPDP implementation timeline, and expanded cooperation on children’s privacy and digital safety. Together, these developments highlight a continued push for stronger governance, clearer accountability, and more transparent use of personal data across both public and private sectors.
Key developments by region:
- Data protection in the EU - On the 10th anniversary of the GDPR's adoption, the EDPB reflected on the regulation's impact, highlighting stronger data protection, increased cooperation among supervisory authorities, and ongoing efforts to address emerging digital and technological challenges.
- Data protection in Poland - The Polish Data Protection Authority (UODO) highlighted several key GDPR compliance expectations. It confirmed that publishing non-anonymised personal data in the Public Information Bulletin (BIP) constitutes a GDPR violation, emphasized that the use of unauthorized data processing tools can lead to unlawful processing, and reminded data controllers of their obligation to regularly test and assess the effectiveness of their technical and organizational security measures.
- Data protection in The Netherlands - The Dutch Data Protection Authority (AP) called for stronger safeguards around emerging technologies by supporting a Europe-wide ban on AI "nudify" apps and websites and seeking public input on how organizations should explain automated decision-making. The AP also reinforced GDPR enforcement by imposing a €100 million fine on taxi app Yango and announced that, from 1 July, it will verify whether municipalities have properly registered scan-car algorithms in the national algorithm register.
- Data protection in Spain - The Spanish Data Protection Authority (AEPD), together with the Belgian Data Protection Authority, promoted good data protection practices for the video game sector by issuing guidance to help developers and publishers strengthen privacy protections and ensure GDPR compliance, particularly for children and other vulnerable users.
- Data protection in Mexico - The Government of Mexico reinforced the protection of personal data in employment by prohibiting the misuse of personal data during hiring processes. The measure aims to ensure that employers collect and use applicants' personal information only for legitimate, lawful, and non-discriminatory recruitment purposes.
- Data protection in India - India is moving toward implementation of the Digital Personal Data Protection (DPDP) framework, with a key compliance deadline approaching in May 2027. Organizations should use the transition period to assess data processing practices, strengthen governance, and implement the measures needed to meet the new regulatory requirements.
- Data protection in Brazil - ANPD advanced several strategic initiatives, including launching a joint selection process with UNDP for a specialized consulting firm focused on regulatory mapping and security incidents. The authority also promoted ethical AI discussions, partnered with the Ministry of Education (MEC) to strengthen data protection in educational settings, and expanded international cooperation with the European Union to enhance the protection of children and adolescents in the digital environment.

Data protection in the EU

- Enhancing compliance and consistency: EDPB adopts DPIA template
In line with the EDPB’s Helsinki Statement to make GDPR compliance easier and strengthen consistency across Europe, the EDPB has adopted a template for Data Protection Impact Assessments (DPIA). The template will help organisations structure, harmonise and evidence their DPIA reporting processes. It is complemented by an explainer document that gives concise guidance on completing the template effectively, breaking down key concepts in simple language and addressing possible questions and knowledge gaps controllers might have.
A DPIA is a process required where processing is likely to result in a high risk. It describes how personal data will be processed, assesses whether the processing is necessary and appropriate, and identifies and reduces risks to individuals’ rights and freedoms. The EDPB template has been conceived to support organisations step by step through this process as they complete it.
Controllers can conduct their risk analysis and management processes as they prefer, using the DPIA methodology of their choice. While it is not mandatory for organisations to use the EDPB template, it allows them to benefit from predefined fields that prompt complete and structured responses. This will help ensure that all necessary information is captured accurately while minimising the risk of errors and saving time.
The template will be subject to public consultation until 9 June, providing stakeholders with the opportunity to comment and provide feedback. Following the public consultation, all Data Protection Authorities will initiate the necessary steps to adopt this template either as their sole standard or as a ‘meta-template’ to which national-specific templates will align. In the meantime, organisations are encouraged to use this template and to provide feedback in the context of the public consultation.
- Marking 10 years of the GDPR: the evolution of the European data protection landscape
Brussels, 27 April – Today marks the 10th anniversary of the GDPR’s adoption, the first comprehensive data protection framework spanning an entire continent, establishing clear rights for individuals and obligations for organisations across Europe.
The moment that led to the creation of the EDPB
The GDPR led to the establishment of the European Data Protection Board (EDPB) on 25 May 2018, replacing the Article 29 Working Party that was previously in charge of dealing with issues relating to the protection of personal data.
The GDPR gave the Data Protection Authorities (DPAs) stronger enforcement powers and expanded the scope of their work from focusing mainly on national compliance complaints to routinely dealing with cross-border cases.
In the past 10 years, the 31 European DPAs comprising the EDPB have worked together to ensure the consistent enforcement of the GDPR and a harmonised data protection approach across Europe.
A key role in an evolving digital landscape
Today, the GDPR is part of a broader and evolving European digital framework, alongside other digital laws such as the Digital Services Act, the Digital Markets Act, and the AI Act. In a world shaped by artificial intelligence, platform economies, and increasing data-driven innovation, the GDPR ensures that technological progress goes hand in hand with the protection of individuals’ fundamental rights.
An inspiration for the rest of the world
The impact of the GDPR has extended far beyond Europe’s borders, inspiring similar frameworks across the globe and contributing to a growing international recognition of privacy as a fundamental right.
How the GDPR has shaped the data protection landscape: insights from Data Protection Authorities
Have you ever wondered what the data protection landscape looked like before the GDPR and how DPAs prepared for its entry into force? How has life for Europeans changed since its adoption? Watch the video for insights and testimonies from Data Protection Authorities which contributed to the shaping of the data protection landscape in Europe.
- EDPB and EDPS support strengthening EU’s cybersecurity and easing compliance while protecting individuals’ personal data
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a Joint Opinion on the European Commission’s proposal for a Cybersecurity Act 2 (CSA2) and the proposal on amendments to the Network and Information Security 2 (NIS2) Directive.
Regarding the Proposal for the CSA2, the EDPB and the EDPS support the general objective to strengthen the role of the European Union Agency for Cybersecurity (ENISA) and to facilitate uptake of cybersecurity certification, as well as the objective to further address the various risks to ICT supply chains, including non-technical ones.
The proposal to provide further clarification on the way ENISA gives support to different stakeholders is well received. The EDPB and the EDPS specifically welcome that ENISA’s advice would be issued upon a prior request from the EDPB, thus ensuring a clear coordination and a clear division of responsibilities. They also suggest adding the EDPS as a possible requestor of advice from ENISA.
In the joint opinion, the EDPB and the EDPS recall that in case the Management Board of ENISA decides to adopt additional measures necessary for the application of the EU Data Protection Regulation, such decisions should be limited to very technical (practical) details related to the processing of personal data. The Proposal should also provide for a prior consultation with the EDPS before adoption of such rules.
The joint opinion welcomes the synergies that might arise from the cooperation between ENISA and other EU institutions and bodies, and also recommends adding an explicit reference to the EDPS as an EU body with which ENISA would cooperate.
- Supporting GDPR consistency: EDPB launches dedicated form
The EDPB has launched a dedicated contact form for stakeholders to report possible inconsistencies in how the GDPR is interpreted across Europe. This initiative reflects the commitments set out in the EDPB Helsinki Statement on enhanced clarity, support and engagement, aimed at strengthening the dialogue with stakeholders and ensuring consistent GDPR enforcement across Europe.
The new tool enables stakeholders to report alleged divergences between national positions, as well as between national positions and those of the EDPB. The EDPB will not respond to individual submissions, but the information received will be compiled regularly and discussed at a high level by the Board members to consider possible steps to improve consistency.
- One-Stop-Shop case digest on right to object and right to erasure updated
The digests are drafted on the basis of one-stop-shop decisions taken from the EDPB’s public register (based on Art. 60 GDPR). Such case digests complement the EDPB's public register by selecting and presenting the most important decisions on a given theme and providing aggregate results of relevant decisions on this theme.
The one-stop-shop thematic case digest on the right to object and right to erasure offers insights into how DPAs analyse the internal processes implemented within organisations to comply with these rights. It also lists the most frequent infringements and gives an overview of which corrective measures have been issued. Cases cover for example the exercise of the right to object to direct marketing or the wish of individuals to erase their account or online data profile.
Since the original case digest was finalised, DPAs have adopted hundreds of new OSS decisions on the rights to object and to erasure. The initial case digest has been revised to reflect these developments.
Data protection in Poland

- Publication of non-anonymised personal data in the Public Information Bulletin (BIP) is a violation of the GDPR
The President of the Personal Data Protection Office (UODO), Mirosław Wróblewski, conducted an administrative proceeding regarding the disclosure of personal data of citizens who supported a petition subsequently published by the Myślenice City and Commune Office in the Public Information Bulletin. The supervisory authority learned of this through a complaint from an individual whose personal data was disclosed at the time. Following the proceedings, the President of the UODO found a personal data breach by the data controller – the Mayor of the City and Commune of Myślenice – and imposed an administrative fine of PLN 7,700.
When deciding to impose an administrative fine, the President of the Personal Data Protection Office (UODO) took into account that the Controller, as a local government unit and a public entity, should demonstrate the highest level of legal knowledge. The breach is serious, and the file containing non-anonymized personal data was accessible for several days. The Controller did not change its position on the mandatory notification of the breach, either after being summoned by the supervisory authority in connection with the individual complaint or after proceedings concerning the data protection breach were initiated. By the time the President of the UODO issued his decision, the Controller had still not reported the breach.
- The use of unauthorized data processing tools is the reason for the violation
Following an investigation into a violation of personal data protection regulations reported by Energa-Obrót, President of the Personal Data Protection Office (UODO), Mirosław Wróblewski, issued warnings to the data controller and processors. The President of the UODO also imposed an administrative fine on one of the processors.
The case concerned, among other things, the use of unauthorized communication tools by sales representatives acting on behalf of the company within the door2door sales network. The supervisory authority found, among other things, that the company, as the controller, had failed to fulfill its obligations to implement appropriate technical and organizational measures. Irregularities were also identified on the part of entities entrusted by the controller with the processing of personal data.
- The data controller should regularly measure and test the implemented security measures
The Supreme Administrative Court dismissed the company's cassation appeal against the decision of the President of the Personal Data Protection Office and confirmed that the data controller should regularly measure and test the implemented security measures already on the date of application of the GDPR.
The case began in 2019 after the controller reported a personal data breach involving prepaid subscribers, in which an unauthorized person gained access to the personal data of over 114,000 Virgin Mobile customers. Subsequently, the President of the Personal Data Protection Office (UODO) initiated ex officio administrative proceedings to investigate whether the breach of personal data protection regulations occurred due to a failure to implement appropriate technical and organizational measures.
In 2022, the President of the Personal Data Protection Office issued an administrative decision in this matter and imposed a fine of PLN 1,968,524 on the company (the controller). The company appealed this decision to the Provincial Administrative Court in Warsaw, and following that court's ruling the President of the Personal Data Protection Office re-examined the matter. In a subsequent decision, the supervisory authority discussed in detail the grounds justifying the imposed fine and upheld its previous position regarding the violation of GDPR provisions. The fine was again calculated by reference to the financial year preceding the decision and amounted to PLN 1,599,395.
However, the company disagreed with this decision of the supervisory authority. Therefore, it filed a complaint with the Provincial Administrative Court against the decision of the President of the Personal Data Protection Office, which the court dismissed in its entirety.
The company filed a cassation appeal against this ruling of the Provincial Administrative Court to the Supreme Administrative Court, which on May 7, 2026, found that the complaint lacked justifiable grounds. The Supreme Administrative Court deemed the allegations contained therein to be unfounded.
According to the Supreme Administrative Court, during the re-examination of the case the supervisory authority correctly assessed the circumstance of how it learned of the personal data breach, namely through the controller's own notification to the President of the Personal Data Protection Office. According to the supervisory authority, this circumstance did not constitute a mitigating factor in setting the penalty, as it is neutral in nature.
The Supreme Administrative Court also confirmed that the supervisory authority correctly determined the duration of the personal data protection infringement – i.e., from the date the GDPR entered into force until the date the controller obtained certification (July 22, 2020). The court agreed with the President of the Personal Data Protection Office (UODO) that the company was required to have solutions in place to regularly test, measure, and assess the effectiveness of personal data processing security measures as early as the date the GDPR entered into force (May 25, 2018).
Data protection in The Netherlands

- Supervisory authorities, the police and the Public Prosecution Service are calling for a European ban on ‘AI nudify apps and websites’
The Netherlands Authority for Consumers & Markets (ACM), the Authority for Online Terrorist and Child Pornographic Material (ATKM), the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority, the Dutch Media Authority, the Public Prosecution Service (OM) and the police have expressed their support for a European ban on nudify tools. According to current plans, however, these apps are still permitted if someone gives consent for creating nude images. Supervisory authorities, the police and the Public Prosecution Service want this ban to be without exceptions, as this would hinder an effective approach to these tools.
Nudify tools are apps and websites that can be used for digitally undressing people in photos. The images are often used to blackmail or extort victims or force them to send sexually explicit images of themselves. Supervisory authorities, the police and the Public Prosecution Service are deeply concerned about this because of the severe impact on victims.
Recently, they jointly investigated how these tools can be addressed using existing powers. All legal options were explored. Under current legislation, action can primarily be taken against individual perpetrators who create and distribute such images. This does not provide a structural solution to the underlying problem.
Monique Verdier, Vice-Chair of the Dutch DPA: ‘There are currently no options for taking action against nudify tools. That is why the plans for a European ban are a step in the right direction. But these plans do not go far enough. We call for a complete ban on nudify tools. Including in cases where the person in the image is said to have given consent for creating such images. If this does not happen, such a ban will add little to the current, inadequate regulations.’
What the ban will look like exactly and when it will come into force is not yet clear. This is still being negotiated in Europe. In the meantime, the joint supervisory authorities, the police and the Public Prosecution Service are obviously taking their responsibilities seriously by enforcing the law within the current framework and working closely together in doing so.
- AP asks for input on explanations in automated decision-making
The Autoriteit Persoonsgegevens (AP), the Dutch data protection authority, is developing tools for how organisations should explain automated decision-making. In order to ensure that these tools fit in well with practice, the AP asks organisations, experts and stakeholders for input through a consultation.
Organisations are increasingly switching to automated decision-making to make certain decisions, for example the assessment of a credit application or of online applications. Organisations often use algorithms and artificial intelligence (AI) for automated decision-making.
Right to an explanation of an automated decision
If an organisation automatically makes a decision about someone, and that decision has serious consequences for them, that person is entitled to an explanation of this decision, so that they can understand the reasons behind it and, if necessary, defend themselves against it.
The mandatory explanation also forces organisations to understand how their own decision-making processes work.
What an explanation contains
In the explanation, the organisation must state:
• whether automated decision-making was used for the decision;
• the expected impact and importance of the decision;
• the underlying logic of the decision;
• what rights the person in question has and how they can exercise those rights.
The explanation should not be vague or complicated. The explanation must also be complete.
Organisations that make automated decisions should provide general information about the decision-making process. They must provide that general information to all data subjects (the people whose personal data they process). The organisation must also provide personal explanations if requested by the person about whom an automatic decision has been made.
Thinking about explanations in advance is essential
Explaining can be complicated. For example, when the system that made the decision is not immediately transparent. When organisations work with algorithms that can't be explained, they can't tell the individual why a particular decision was made. That is why it is essential to think about explanations when choosing the system and the layout.
Some systems are inherently transparent to people. Others need additional techniques to make them transparent. In addition, there are systems that cannot (yet) be explained properly.
Tools give practical help
The AP provides examples and practical help to organisations to make their explanations understandable. The AP also discusses what an organization should do if other interests would be affected by the explanation, such as the right to data protection of another person or a trade secret.
The tools are an extensive reference work for those who need to arrange explanations within an organization, and for people who receive an explanation and want to know what they are entitled to.
When publishing the final guidelines, the AP also publishes a roadmap for organisations and an overview for data subjects. Together with researchers from Utrecht University, the AP is also researching the effectiveness of different forms of communication in explaining algorithmic decision-making.
- AP fines taxi app Yango €100 million
The Autoriteit Persoonsgegevens (AP), the Dutch data protection authority, has fined MLU B.V. €100 million for transferring personal data to Russia. MLU is the company behind the European version of the Yango taxi app and is based in the Netherlands.
People in Norway and Finland use Yango to book taxi rides with affiliated drivers. Yango then transfers the personal data of taxi drivers and customers to companies in Russia. In doing so, MLU fails to ensure adequate data protection. This is shown by an investigation into Yango conducted by the AP in collaboration with the Norwegian and Finnish data protection authorities.
Joint investigation
The AP launched an investigation at the end of 2023. The AP was involved in the investigation because MLU is based in the Netherlands, whereas the other two supervisory authorities were involved because the case relates to personal data of people from Norway and Finland.
The investigation shows that the taxi app collected and stored a significant amount of personal data of both customers and drivers on servers in Russia, including sensitive data. This concerns, for example, scans of driving licenses, home addresses, contact details, account numbers, precise locations, trip data, images, the content of chat conversations and social security numbers.
Risks
In Europe, the protection of personal data is regulated by the General Data Protection Regulation (GDPR). Companies are only allowed to transfer personal data outside Europe if the personal data is equally well protected there as in Europe, for example by means of appropriate safeguards.
AP Chair Aleid Wolfsen: “In Russia, personal data is not as well protected as in Europe. This may allow the Russian government to gain access to this data. The sensitive data of both customers and drivers should therefore have been extra well protected, especially given the absence of an independent data protection authority in Russia. We observed that this was not done properly. That is very serious. For example, because it can pose safety risks to people.”
Cease transferring personal data with immediate effect
MLU must immediately cease the transfer of personal data of people from Norway and Finland to Russia via the Yango app. The AP is imposing a fine of €100 million for the violations committed by MLU to date.
All data protection authorities in Europe calculate the amount of fines for businesses in the same manner. When determining the fine for MLU, the AP took into account the turnover of the (parent) company. MLU is part of the Yandex group. Yandex had a worldwide turnover of around €12 billion in 2024.
MLU may object to the fine.
- From 1 July, the AP will check the registration of scan cars in the algorithm register
From 1 July 2026, the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority, will check whether municipalities have included the use of scan cars in their algorithm register. A recent thematic study by the AP revealed that, at that time, fewer than half of the municipalities surveyed had done so.
Municipalities are increasingly using scan cars for parking enforcement. In doing so, they use algorithms and process personal data. People must be aware of this: which algorithms does the government use and for what purpose?
A comprehensive algorithm register contributes to that transparency. It also helps municipalities keep track of the functioning, application and impact of the algorithms they use.
More than just scanning number plates
Scan cars combine scanning technology, algorithms and sometimes AI applications in a single process. This is shown by the study.
At the same time, municipalities all organise this process slightly differently. This already happens in the procurement process during tendering and system selection, but also during evaluation and when managing risks.
As a result, responsible use of scan cars requires more than just focusing on technology. This presents an important task for data protection officers (DPOs).
According to the AP, there are 3 important points to consider:
1. Include scan cars in the algorithm register
Less than half of the municipalities surveyed have registered the use of scan cars in the algorithm register, even though municipalities must be transparent about the algorithms they use.
This allows citizens to understand how decisions are made. In addition, a complete register helps municipalities keep track of the functioning, application and impact of the algorithms they deploy. From 1 July 2026, the AP will check whether municipalities have this organised.
2. Your own DPIA is indispensable
Surprisingly, not all municipalities examined were able to submit a DPIA. Some municipalities referred to a DPIA from their parking service provider. That is insufficient.
The municipality remains responsible for processing and must therefore assess and record the privacy risk. This is not just about the risk of a data breach. It also concerns questions such as:
• Which personal data does the municipality process?
• What is the scale of the processing operations?
• What risks does that scale entail?
• How does the municipality inform residents about the use of the scan car?
DPOs have an important supervisory role in this. They can assess whether the DPIA is complete and whether the municipality has sufficiently considered the risks.
3. Prevent goal-shifting
A municipality can use a scan car for parking enforcement. The same technology can later also be used to identify waste placed next to containers or defective street lighting.
However, for each new purpose, the municipality must reassess whether the processing is lawful and what safeguards are required. New applications also bring new privacy risks.
DPOs can help municipalities make this assessment in a timely manner and critically assess whether new applications are in line with privacy legislation.
Critical view from DPOs needed
The use of scan cars shows that responsible use of technology is not just a technical task. It requires governance, transparency and critical dissent. The AP sees an important role for DPOs in this regard. Their independent and critical view helps municipalities identify privacy risks in a timely manner and carefully shape the use of technology.
Data protection in Spain

- The Spanish and Belgian DPAs promote good data protection practices for the video game sector
The Spanish and Belgian data protection authorities have published the document ‘Recommendations and Best Practices for Data Protection in Video Games’, the first produced by European data protection authorities to promote best practices for ensuring compliance with the General Data Protection Regulation (GDPR) in the design, development and distribution of video games.
The recommendations are specifically aimed at professionals and organisations involved in this ecosystem (developers, studios, publishers, etc.), at the companies that provide services to them (cloud providers, analytics tools, anti-cheat systems, AI providers, etc.) and at the legal teams working in the sector.
The collaboration between the Spanish authority (AEPD) and the Belgian Authority stems from the need to address the needs of a sector with over 3 billion users worldwide, which utilises disruptive technologies such as cloud gaming and Artificial Intelligence. At the same time, 95% of game sales take place online, which drives the growth of platforms and services and fosters the development of new business models, such as those based on subscriptions or digital marketing.
In these online environments, stakeholders in the video games industry may process massive amounts of personal data that go beyond names or email addresses, such as telemetry and behavioural inferences. In fact, the types of information collected make it possible to single out an individual player from others within the context of the game, enabling specific actions or interactions and differentiated treatment. Furthermore, automated decision-making and profiling involve processing personal data to analyse or predict behaviour and act automatically without human intervention.
The document is based on evidence gathered through static analyses (of privacy policies, terms and conditions of service, contracts and SLAs) and dynamic analyses (of real-world execution in online gaming environments, SDKs, launchers, etc.) of current video games. It stands out for its in-depth examination of specific technical and operational aspects of this sector. It analyses the most common personal data processing activities in video games, identifies the threats and risks they entail, and offers recommendations and best practices for each phase of the video game lifecycle and for each stakeholder in the ecosystem (in this case, through checklists in the annexes to the document).
These recommendations serve as a practical tool that adapts the GDPR to the sector’s technical language, avoiding generic interpretations. It finds the balance between compliance and competitiveness, as it enables all stakeholders in this ecosystem to innovate without jeopardising the rights and freedoms of users.
Data protection in Mexico

- Prohibition of Misuse of Personal Data in Hiring Processes
The bill introduced by Senator Saúl Monreal Ávila, a member of the Morena Parliamentary Group, proposes amendments to Articles 3 and 133 of the Federal Labour Law in order to establish the obligation for companies to implement fair and transparent policies, provide staff training, and adopt rigorous monitoring and compliance measures, with the aim of eliminating the practice of the so-called labour blacklist.
According to the explanatory statement, a practice known as the labour blacklist affects many workers in Mexico. It is commonly used in recruitment processes to mitigate perceived hiring risks by relying on candidates' past performance and prior disputes; in practice, however, it constitutes a form of labour discrimination.
Although Article 133, Section IX of the Federal Labour Law already provides that employers may not use any system that "labels, marks, or blacklists workers who leave or are dismissed from employment so as to prevent their re-employment," a legislative reform is needed to further protect workers, as inclusion in such databases has become increasingly common. This also entails violations of their personal data and makes it harder for them to secure future employment. Any database used to create a "blacklist" of workers for the purpose of preventing their hiring directly violates the law.
The sponsoring Senator points out that the labour blacklist violates various legal provisions, not only under the Federal Labour Law but also constitutional provisions, such as Article 5, which guarantees the freedom of individuals to engage in any profession or lawful economic activity of their choice, without undue restriction unless imposed by a judicial ruling.
Article 16 of the Constitution further provides that every person has the right to the protection of their privacy and personal security, and that no authority may interfere in their private or family life without a duly justified judicial order. The inclusion of a worker in a blacklist without legal justification constitutes a clear violation of this fundamental right, as it prevents the free exercise of the right to work.
Furthermore, the labour blacklist contravenes the Federal Law on the Protection of Personal Data Held by Private Parties, as the use of such records is not based on the explicit consent of workers, and their personal data may be shared without authorization for employment-related purposes.
The initiative states that, to prevent this practice, it is essential for companies to implement fair and transparent policies, train their personnel on the matter, and establish rigorous monitoring and compliance measures. A robust and anonymous whistleblowing mechanism may serve as an invaluable tool to identify and eradicate unlawful practices such as the labour blacklist within organizations.
Based on these arguments, it is proposed to amend Articles 3 and 133 of the Federal Labour Law in accordance with the following draft decree:
Single Article. Articles 3 and 133 of the Federal Labour Law are amended as follows:
Article 3.
No conditions may be established that imply discrimination among workers on the grounds of ethnic or national origin, gender, age, disability, social status, health conditions, religion, migration status, opinions, sexual preferences, marital status, or any other factor that undermines human dignity.
It is a matter of public interest to guarantee a work environment free from discrimination and violence, to promote and oversee training, instruction, vocational formation, certification of labour competencies, productivity and quality at work, environmental sustainability, as well as the benefits that these should generate for both workers and employers.
Article 133. — Employers or their representatives are prohibited from:
IX. Using any registry system consisting of the use or dissemination of sensitive personal data, within the meaning of applicable law, concerning workers who leave or are separated from employment, for the purpose of restricting or conditioning access to or continuation in employment.
Entry into Force
This bill was approved by the Senate of the Republic on March 24, 2026. It is currently before the Chamber of Deputies for discussion; if approved, it will be forwarded to the President of the Republic for enactment and publication, to enter into force.
Data protection in India

- India’s DPDP Compliance Deadline Is Approaching: What Businesses Need to Do Before May 2027
India’s DPDP compliance timeline is now taking shape, with Consent Manager-related provisions set to take effect on November 14, 2026, followed by core obligations on consent, data security, breach reporting, vendor governance, and individual rights from May 14, 2027. Businesses should use the transition period to map data flows, update contracts and consent systems, and build India-specific compliance workflows that go beyond GDPR alignment.
With the notification of India’s Digital Personal Data Protection (DPDP) Rules, 2025 and the phased commencement of the DPDP Act, 2023, businesses now have a defined window to prepare their data governance, cybersecurity, consent, and vendor management systems before the core compliance regime takes effect.
For companies operating in India, the DPDP framework requires organizations to understand what personal data they collect, why they use it, where it is stored, how long it is retained, which third parties receive it, and how individuals can exercise their rights.
Further, while multinational companies with global data compliance obligations may be better prepared, their setup will not automatically satisfy India’s DPDP requirements.
What does the DPDP Act require businesses to do?
The Act applies to digital personal data collected in India, as well as offline information that is subsequently digitized. It can also apply to organizations outside India where they process digital personal data in connection with offering goods or services to individuals in India.
The core accountability rests with the “Data Fiduciary” – broadly comparable to a GDPR controller. A Data Fiduciary determines the purpose and means of processing personal data and remains accountable even where processing is outsourced to a Data Processor, cloud provider, technology vendor, call center, or other service partner.
Businesses should prioritize the following compliance areas.
How does DPDP compare with GDPR?
DPDP and the EU’s General Data Protection Regulation (GDPR) share several broad objectives: giving individuals greater control over personal data, strengthening security, and requiring organizations to adopt more accountable governance practices. However, they are not interchangeable frameworks.
Significant Data Fiduciaries: Which businesses should prepare?
A company does not become a Significant Data Fiduciary (SDF) automatically because it is large or operates in a regulated industry. India's Central Government must formally notify a Data Fiduciary or class of Data Fiduciaries based on factors such as the volume and sensitivity of data processed, risk to individuals, and potential implications for public order, security, or national interests.
However, data-intensive businesses should prepare for the possibility of designation. This may include large banks, NBFCs, digital lenders, payment businesses, insurers, credit-information companies, investment platforms, marketplaces, technology platforms, healthcare businesses, telecommunications companies, and major consumer-facing employers.
Significant Data Fiduciaries face additional obligations, including an India-based Data Protection Officer, independent audits, periodic Data Protection Impact Assessments, annual compliance reviews, and due diligence over algorithmic systems that process personal data.
For financial institutions, this is particularly relevant where automated credit scoring, fraud detection, underwriting, risk profiling, digital lending, or behavioral analytics influence customer outcomes.
Data protection in Brazil

- ANPD and UNDP open selection process for specialized consulting firm in regulatory mapping and security incidents
The selection process within the scope of Project BRA/21/004 seeks a professional to conduct research and cross-reference data on sector-specific legislation and best practices, focusing on supporting decisions related to security incidents.
The National Data Protection Agency (ANPD) is hiring Specialized Technical Consulting in the area of research, identification, cataloging and cross-referencing of data related to legislation, sector regulations, certifications and best practices.
The selection process is conducted through Public Notice/Terms of Reference No. 02/2026 from the Security Incident Handling Coordination (TIS/CGF), within the context of the International Technical Cooperation Project BRA/21/004. Signed between the ANPD (National Data Protection Authority) and the United Nations Development Programme (UNDP), the project, entitled "Effectiveness of the Expanded National Personal Data Protection Policy," aims at knowledge transfer and institutional strengthening of the Agency.
The selected consultant will be responsible for mapping the National Classification of Economic Activities (CNAEs) of organizations, relating them to the applicable regulations at the federal, state, municipal, and international levels. The ultimate goal is to create a structured database that will serve as technical support for the ANPD's analysis and decision-making in processes related to Security Incident Reports.
The hiring process seeks professionals with a profile compatible with the execution of specialized technical services that allow the Agency to incorporate technology and data intelligence into its oversight activities, ensuring greater accuracy in identifying responsibilities and assessing impacts on data subjects.
Interested parties should submit their applications following the terms established in the call for applications. In addition to the UNDP website, details about the consulting positions within the Cooperation Project can be found on the specific agreements page of the ANPD portal.
This initiative reinforces the Agency's commitment to transparency and the continuous pursuit of technical excellence in the formulation and execution of public data protection policy in Brazil.
- ANPD discusses Guide to Ethical Use of Artificial Intelligence at the Palace of Justice
The guide is being developed by several entities and is currently open for public consultation.
The National Data Protection Agency (ANPD) participated in a round table on Friday (10) to contribute to the Public Consultation on the Guide for the Ethical Use of Artificial Intelligence. ANPD was represented by Director Lorena Giuberti Coutinho at the meeting, which also brought together representatives from ministries, civil society organizations and research institutes.
The guide aims to educate the public about how artificial intelligence works, its uses, limitations, risks, and the rights and responsibilities involved in interacting with these technologies, using language accessible to the general public. The meeting was held to encourage discussion and gather public contributions to the document, both through in-person participation and a live online stream.
- ANPD and MEC establish partnership to promote data protection in the educational environment
The Technical Cooperation Agreement establishes the exchange of information and the implementation of joint educational actions to raise awareness within the school community and ensure information security in public education policies.
The National Data Protection Agency (ANPD) and the Ministry of Education (MEC) formalized, on Monday (11), a strategic partnership to strengthen the culture of privacy in the educational environment. The director-president of ANPD, Waldemar Gonçalves, signed a Technical Cooperation Agreement (ACT) with the Secretary of Information Management, Innovation and Evaluation of Educational Policies (Segape) of MEC, Evânio Antônio de Araújo Júnior.
This is the third Technical Cooperation Agreement signed by ANPD in 2026, consolidating the Agency's strategy of working together with sectoral bodies to disseminate the guidelines of the General Data Protection Law (LGPD).
The central objective of the ACT is to carry out educational activities and technical meetings on the protection of personal data in the education sector. The partnership provides for institutional support and the exchange of information in areas of common interest, as well as the establishment of effective communication mechanisms between the Agency and the Ministry.
Mutual cooperation aims, above all, to promote guidance actions and the sharing of technical knowledge, ensuring that the processing of data from students, teachers, and administrators occurs in accordance with the principles of transparency and security.
With the signing of the document, the institutions hope to promote awareness-raising events and knowledge building. The main focus is the dissemination of best practices related to data protection and information security, adapted to the challenges of digital transformation in schools and universities.
- Agreement between ANPD and the European Union strengthens the protection of children and adolescents in the digital environment
The partnership aims to promote the exchange of knowledge, technology, and regulatory mechanisms that will make the internet safer in the signatory countries.
The National Data Protection Agency (ANPD) has gained further support in the development of measures to monitor and protect children and adolescents on the internet. This Friday (12), the agency signed an agreement with the Directorate-General for Networks, Communications, Content and Technologies (DG CONNECT) of the European Commission. The signing of the document took place at the Itamaraty Palace, in Brasília.
The Administrative Arrangement was signed by the acting director-president of ANPD, Miriam Wimmer, and the deputy director-general of DG CONNECT, Renate Nikolay. According to Miriam, the agreement was possible due to the already established relationship between Brazil and the European Union (EU). "Both parties recognized that there is an equivalent legal and institutional framework, and this facilitates cooperation agreements like the one we are signing today," she explained.
Cooperation between Brazil and the European Union will enable the exchange of knowledge, technology, and regulatory mechanisms that will make the internet safer in the signatory countries. The expected result is that children and adolescents will develop under the protection of measures that prevent them from accessing inappropriate digital content.
According to the director of ANPD, Iagê Miola, the expectation is that ANPD and DG-CONNECT will hold technical meetings to exchange experiences on topics jointly defined within the scope of protecting children and adolescents in the digital environment. “Other relevant agents may be involved as the topics discussed progress, such as regulatory authorities from EU countries and Brazilian bodies with related competencies, depending on the specific agendas that emerge from the cooperation.”
The Superintendency of Institutional and International Relations (SRII) of the ANPD is the area responsible for establishing and seeking mutual collaboration between the agency and other national and international entities such as the European Commission. “This cooperation will be implemented through concrete mechanisms, such as technical dialogues between experts, joint training, shared studies, and coordinated research projects,” detailed the superintendent of the SRII, Eduardo Gomes Salgado, who emphasized that the agreement comes at a time when the ANPD is increasing its competencies as a regulatory agency.
Brazil-European Union Digital Partnership
Prior to the formalization of the Administrative Arrangement between ANPD and DG CONNECT, the signing of the Brazil-European Union Digital Partnership also took place at Itamaraty. The Minister of Management and Innovation in Public Services, Esther Dweck, representing the Brazilian government, signed the agreement with the Executive Vice-President of the European Commission for Technological Sovereignty, Security and Democracy, Henna Virkkunen. The document in question deals more broadly with the exchange of technology and data protection practices.
If you have any questions, please send us an email to datasecurity@catts.eu