Tracking pixels in email: Italian DPA Guidelines

Tracking Pixels in Email: The Italian DPA Guidelines and the Consent Puzzle

Decision No. 284 of April 17, 2026, by the Italian Data Protection Authority addresses a technically invasive and legally significant phenomenon. A commendable intervention that nonetheless raises two systemic questions: the relationship between the consent model designed by the Guidelines and the principle of privacy by design, and its compatibility with the specificity and granularity requirements for consent established by the EDPB.

22 April 2026 · 23 min · NicFab
Art. 26 AI Act — Operational Checklist for Deployers of High-Risk AI Systems

Art. 26 AI Act: Operational Checklist for Deployers of High-Risk AI Systems

A practical checklist that translates each obligation under Article 26 of the AI Act into concrete actions, assigned responsibilities and required documentation for deployers of high-risk AI systems — covering Art. 26(1)–(12), Art. 27 (FRIA) and Art. 49(3).

22 April 2026 · 17 min · NicFab
AI Literacy under the AI Act: practical toolkit for businesses

AI Literacy: What Businesses Must Do Today

Article 4 of the AI Act has been in force since February 2025, yet it remains the least understood obligation. A 30-day implementation plan, role-competence matrix, evidence checklist and common mistakes to avoid.

20 April 2026 · 11 min · NicFab
AI Agents and GDPR: legal basis, automated decisions and data controller qualification

AI Agents and GDPR: Which Legal Basis Applies?

AI agents and personal data: legal basis, automated decisions under Art. 22, data controller qualification, and the Digital Omnibus Art. 88c proposal. Three practical scenarios for businesses and professionals.

16 April 2026 · 16 min · NicFab
EDPB Adopts a Harmonised DPIA Template: What Changes for Practitioners

The EDPB has published a harmonised DPIA template, now open for public consultation until 9 June 2026. The template introduces a clear methodological distinction between risks inherent in the processing design and risks arising from non-default events. An analysis of its structure and implications for practitioners.

14 April 2026 · 9 min · NicFab
AI Agents and AI Act: when a deployer becomes a provider through customisation, integration or rebranding

AI Agents: When a Deployer Becomes a Provider

AI agents under the AI Act: when customisation, integration or rebranding triggers reclassification from deployer to provider under Article 25. Decision table, compliance checklist and first 5 actions.

13 April 2026 · 13 min · NicFab
European AI Continent Action Plan: critical analysis one year on

AI Continent Action Plan: the Real Test Remains Trustworthy AI

The European Commission celebrates the milestones of the AI Continent Action Plan. But beyond the AI Factory numbers, the credibility of the European model depends on making the Trustworthy AI pillar truly operational.

10 April 2026 · 6 min · NicFab
Video Conferencing and GDPR

Video Conferencing and GDPR: Choosing a Platform in Light of the CLOUD Act and End-to-End Encryption

A comparative legal analysis of major video conferencing platforms — Zoom, Microsoft Teams, Google Meet, Jitsi, and Proton Meet — from the standpoint of personal data protection, third-country transfers, and end-to-end encryption.

9 April 2026 · 21 min · NicFab
AI Act: Deployers, AI Agents and Transparency Obligations — The State of Play in Spring 2026

Misinformation is circulating about deployer obligations. This post sets the record straight: definition of deployer (Art. 3(4)), actual obligations (Art. 26 for high-risk only), official materials on transparency (Art. 50), the Commission’s position on AI agents (AI Act Service Desk FAQ), correct deadlines (Art. 113), actual penalties (Art. 99) and an operational framework for businesses and professionals.

8 April 2026 · 12 min · NicFab
Born Private: Your Child's First Email Is a Data Protection Decision

Proton launches Born Private: parents can reserve an encrypted email address for their children, protected for up to 15 years. A commentary on children’s digital identity, GDPR, and privacy by design.

4 April 2026 · 3 min · NicFab