In 2025, the CNIL (the French supervisory authority for data protection) confirmed a clear underlying trend:sanctions do not target isolated technical shortcomings alone, but rather everyday operational practices — visible, repeated, and yet entirely avoidable.
The GDPR recognizes consent as one of the six legal bases for processing personal data (Art. 6).In theory, it might seem sufficient: if a person agrees to the use of their biometric data (e.g., fingerprints, facial recognition), why should that be a problem?
The European Union adopted the AI Act in 2024. It is the world’s first cross-sector regulation aimed at overseeing the use of artificial intelligence, with progressive implementation through 2027.
Entered into force on January 11, 2024, the Data Act becomes applicable as of September 12, 2025.
This summer, a major cyberattack targeted Clinical Diagnostics NMDL, the laboratory in charge of cervical cancer screening in the Netherlands. Between 3 and 6 July 2025, hackers affiliated with the group Nova gained access to a massive amount of sensitive personal data. According to initial reports, the personal data of nearly 485,000 women who underwent these screenings may have been exposed, including names, addresses, dates of birth, social security numbers (BSN), test results, and some data relating to healthcare professionals.
The rapid evolution of information technologies, combined with the widespread adoption of remote work and the constant interconnection of systems, has significantly reshaped the digital risk landscape.
In recent years, deepfakes have emerged as one of the most alarming threats in the digital era. These synthetic contents—remarkably realistic imitations of faces or voices—are no longer limited to tech disciplines: they now affect ordinary individuals, sometimes anonymous, whose image or voice is reproduced and disseminated without consent.
